An open source image forensic toolset
Introduction
"Forensic Image Analysis is the application of image science and domain expertise to interpret the content of an image and/or the image itself in legal matters. Major subdisciplines of Forensic Image Analysis with law enforcement applications include: Photogrammetry, Photographic Comparison, Content Analysis, and Image Authentication." (Scientific Working Group on Imaging Technologies)
Sherloq is a personal research project about implementing a fully integrated environment for digital image forensics. It is not meant as an automatic tool that decide if an image is forged or not (that tool probably will never exist...), but as a companion in experimenting with various algorithms found in the latest research papers and workshops.
While many commercial solutions have high retail prices and often reserved to law enforcement and government agencies only, this toolset aims to be a both an extensible framework and a starting point for anyone interested in making experiments in this particular application of digital signal processing.
I strongly believe that security-by-obscurity is the wrong way to offer any kind of forensic service (i.e. "Using this proprietary software I guarantee you that this photo is pristine... and you have to trust me!"). Following the open-source philosophy, everyone should be able to try various techniques on their own, gain knowledge and share it to the community... even better if they contribute with code improvements! :)
History
The first version was written in 2015 using C++11 to build a command line utility with many options, but soon it turned to be too cumbersome and not much interactive. That version could be compiled with CMake after installing OpenCV, Boost and AlgLib libraries. This first proof of concept offered about 80% of planned features (see below for the full list).
While also including novel algorithms, the 2017 version mainly added a Qt-based multi-window GUI to provide a better user experience. Multiple analyses could be shown on screen and a fast zoom/scroll viewer was implemented for easier image navigation. That project could be compiled with Qt Creator with Qt 5 and OpenCV 3 and covered about 70% of planned features.
Fast forward to 2020 when I decided to port everything in Python (PySide2 + Matplotlib + OpenCV) for easier development and deployment. While this iteration is just begun and I have yet to port all the previous code on the new platform, I think this will be the final "form" of the project (as long as someone does not volunteer up to develop a nice web application!).
I'm happy to share my code and get in contact with anyone interested to improve or test it, but please keep in mind that this repository is not intended for distributing a final product, my aim is just to publicly track development of an unpretentious educational tool, so expect bugs, unpolished code and missing features! ;)
Features
This list contains the functions that the toolkit will (hopefully) provide once beta stage is reached (NOTE: functions displayed in italics inside the program are not yet implemented!).
Interface
- Modern Qt-based GUI with multiple tool window management
- Support for many formats (JPEG, PNG, TIFF, BMP, WebP, PGM, PFM, GIF)
- Highly responsive image viewer with real-time pan and zoom
- Many state-of-the-art algorithms to try out interactively
- Export both visual and textual results of the analysis
- Extensive online help with explanations and tutorials
Tools
General
- Original Image: display the unaltered reference image for visual inspection
- File Digest: retrieve physical file information, crypto and perceptual hashes
- Hex Editor: open an external hexadecimal editor to show and edit raw bytes
- Similar Search: browse online search services to find visually similar images
Metadata
- Header Structure: dump the file header structure and display an interactive view
- EXIF Full Dump: scan through file metadata and gather all available information
- Thumbnail Analysis: extract optional embedded thumbnail and compare with original
- Geolocation Data: retrieve optional geolocation data and show it on a world map
Inspection
- Enhancing Magnifier: magnifying glass with enhancements for better identifying forgeries
- Channel Histogram: display single color channels or RGB composite interactive histogram
- Global Adjustments: apply standard image adjustments (brightness, hue, saturation, ...)
- Reference Comparison: open a synchronized double view for comparison with another picture
Detail
- Luminance Gradient: analyze horizontal/vertical brightness variations across the image
- Echo Edge Filter: use derivative filters to reveal artificial out-of-focus regions
- Wavelet Threshold: reconstruct image with different wavelet coefficient thresholds
- Frequency Split: split image luminance into high and low frequency components
Colors
- RGB/HSV Plots: display interactive 2D and 3D plots of RGB and HSV pixel values
- Space Conversion: convert RGB channels into HSV/YCbCr/Lab/Luv/CMYK/Gray spaces
- PCA Projection: use color PCA to project pixel onto most salient components
- Pixel Statistics: compute minimum/maximum/average RGB values for every pixel
Noise
- Noise Separation: estimate and extract different kind of image noise components
- Min/Max Deviation: highlight pixels deviating from block-based min/max statistics
- Bit Planes Values: show individual bit planes to find inconsistent noise patterns
- PRNU Identification: exploit sensor pattern noise introduced by different cameras
JPEG
- Quality Estimation: extract quantization tables and estimate last saved JPEG quality
- Error Level Analysis: show pixel-level difference against fixed compression levels
- Multiple Compression: use a machine learning model to detect multiple compression
- JPEG Ghost Maps: highlight traces of different compression levels in difference images
Tampering
- Contrast Enhancement: analyze color distribution to detect contrast enhancements
- Copy-Move Forgery: use invariant feature descriptors for cloned area detection
- Composite Splicing: exploit DCT statistics for automatic splicing zone detection
- Image Resampling: estimate 2D pixel interpolation for detecting resampling traces
Various
- Median Filtering: detect processing traces left by nonlinear median filtering
- Illuminant Map: estimate scene local light direction on estimated 3D surfaces
- Dead/Hot Pixels: detect and fix dead/hot pixels caused by sensor imperfections
- Stereogram Decoder: decode 3D images concealed in crossed-eye autostereograms
Screenshots
Here are some screenshots from the previous C++ Qt GUI (to be updated with the new version):
File Analysis: Metadata, Digest and EXIF
Color Analysis: Space Conversion, PCA Projection, Histograms and Statistics
Visual Inspection: Magnifier Loupe, Image Adjustments and Evidence Comparison
JPEG Analysis: Quantization Tables, Compression Ghosts and Error Level Analysis
Luminance and Noise: Light Gradient, Echo Edge, Min/Max Deviation and SNR Consistency
Installation
For more information about Python Virtual Environments, you can read here or here.
[1/2] Virtual environment
Linux
$ sudo apt install python3-distutils python3-dev python3-testresources subversion
$ wget https://bootstrap.pypa.io/get-pip.py
$ sudo python3 get-pip.py
$ sudo pip install virtualenv virtualenvwrapper
$ echo -e "\n# Python Virtual Environments" >> ~/.bashrc
$ echo "export WORKON_HOME=$HOME/.virtualenvs" >> ~/.bashrc
$ echo "export VIRTUALENVWRAPPER_PYTHON=/usr/bin/python3" >> ~/.bashrc
$ echo "source /usr/local/bin/virtualenvwrapper.sh" >> ~/.bashrc
$ source ~/.bashrc
$ mkvirtualenv sq -p python3
MacOS
- Open Terminal and enter
python3 --versionto install the interpreter and other command line tools - Once installed, proceed similarly to Linux installation:
$ wget https://bootstrap.pypa.io/get-pip.py
$ sudo python3 get-pip.py
$ sudo pip install virtualenv virtualenvwrapper
$ echo -e "\n# Python Virtual Environments" >> ~/.bash_profile
$ echo "export WORKON_HOME=$HOME/.virtualenvs" >> ~/.bash_profile
$ echo "export VIRTUALENVWRAPPER_PYTHON=/usr/bin/python3" >> ~/.bash_profile
$ echo "source /usr/local/bin/virtualenvwrapper.sh" >> ~/.bash_profile
$ source ~/.bash_profile
- Create a new Python 3 virtual environment:
$ mkvirtualenv sq -p python3
- Install
libmagicviabrew(thanks to @thmsl):
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
$ brew install libmagic
Windows
- Download latest Python setup package from official site
- Install ensuring that "Add Python to PATH" and "PIP installation" are enabled
- Open Command Prompt and enter the following commands:
> pip install virtualenv virtualenvwrapper-win
> mkvirtualenv sq
Conda
- Download and install Anaconda (one can also install miniconda, no GUI but is smaller)
- Install Xinerama library:
sudo apt-get install libxcb-xinerama0 - Open a console to create a Python environment (on Windows one must start a Conda Console or
sthfrom the Start menu):conda create --copy -n sherloq python[enter Yes when it prompts] - After install ends, type in the same console
conda activate sherloqto activate the environment
[2/2] Launch program
- Clone the repository content into a local folder
- Change current directory to the
guifolder insidesherloq - Execute
pip install -r requirements.txtto install required packages (usepip install -r requirements_win.txton Windows) - Launch the GUI with
python sherloq.py
Updates
When a new version is released, update the local working copy using Git, SVN or manually downloading from this repository and (if necessary) update the packages in the virtual environment following this guide.
Bibliography
- "A Picture's Worth: Digital Image Analysis and Forensics" (Neal Krawetz) [paper]
- "Noiseprint: a CNN-based camera model fingerprint" (Davide Cozzolino, Luisa Verdoliva) [website]
- "Exposing Digital Forgeries by Detecting Traces of Re-sampling" (Alin C. Popescu and Hany Farid) [paper]
- "Two Improved Forensic Methods of Detecting Contrast Enhancement in Digital Images" (Xufeng Lin, Xingjie Wei and Chang-Tsun Li) [paper]