DIGITAL FORENSIC RESEARCH CONFERENCE

Using JPEG Quantization Tables to Identify Imagery Processed by Software

By

Jesse Kornblum

Presented At

The Digital Forensic Research Conference

DFRWS 2008 USA Baltimore, MD (Aug 11th - 13th)

DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized

the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners

together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working

groups, annual conferences and challenges to help drive the direction of research and development.

http:/dfrws.org

DC3DC3

JPEG Quantization TablesJPEG Quantization Tables

Jesse KornblumJesse Kornblum

DC3DC3

OverviewOverview

!! MotivationMotivation

!! Everything You Always Wanted to Know aboutEverything You Always Wanted to Know about

JPEGs But Were Afraid to AskJPEGs But Were Afraid to Ask

!! Quantization TablesQuantization Tables

!! Types of TablesTypes of Tables

!! CalvinCalvin

!! Future WorkFuture Work

DC3DC3

MotivationMotivation

!! Ashcroft v. Free Speech CoalitionAshcroft v. Free Speech Coalition, 2002, 2002

!! Cases now have hundreds of thousands of imagesCases now have hundreds of thousands of images

!! Only a few needed to convictOnly a few needed to convict

–– Must be real picturesMust be real pictures

!! Need to find the real picturesNeed to find the real pictures

–– Not as easy as youNot as easy as you’’d thinkd think

DC3DC3

Real PictureReal Picture

WARNING:WARNING:

EXPLICIT IMAGERYEXPLICIT IMAGERY

LAW ENFORCEMENT SENSITIVE LAW ENFORCEMENT SENSITIVE –– DO NOT DUPLICATE DO NOT DUPLICATE

DC3DC3

Real PictureReal Picture

LAW ENFORCEMENT SENSITIVE LAW ENFORCEMENT SENSITIVE –– DO NOT DUPLICATE DO NOT DUPLICATE

DC3DC3

Real PictureReal Picture

Image ©

Copyright P

isan K

aew

ma 2

006

DC3DC3

Computer Generated ImageComputer Generated Image

DC3DC3

All About JPEGsAll About JPEGs

!! JPEG CompressionJPEG Compression

–– Lossy Lossy compressioncompression

!! Six step processSix step process

–– Color space transform RGB to Color space transform RGB to YCbCrYCbCr

–– DownsamplingDownsampling

–– Block SplittingBlock Splitting

–– Discrete Cosine TransformDiscrete Cosine Transform

–– Quantization (where the magic happens)Quantization (where the magic happens)

–– Encoding (lossless compression)Encoding (lossless compression)

DC3DC3

Quantization TablesQuantization Tables

!! Table used to control Table used to control lossy lossy compressioncompression

!! Up to four sets of tablesUp to four sets of tables

–– 64 values in each table64 values in each table

!! Value for each pixel is divided by a table valueValue for each pixel is divided by a table value

–– Decimals thrown awayDecimals thrown away

–– Decimal loss leads to image quality lossDecimal loss leads to image quality loss

!! 124 / 50 --> 2124 / 50 --> 2

!! When decompressed 2*50 = 100When decompressed 2*50 = 100

DC3DC3

Quantization TablesQuantization Tables

2 1 1 1 1 1 2 12 1 1 1 1 1 2 1

1 1 2 2 2 2 2 4 1 1 2 2 2 2 2 4

3 2 2 2 2 5 4 4 3 2 2 2 2 5 4 4

3 4 6 5 6 6 6 5 3 4 6 5 6 6 6 5

6 6 6 7 9 8 6 7 6 6 6 7 9 8 6 7

9 7 6 6 8 11 8 9 9 7 6 6 8 11 8 9

10 10 10 10 10 6 8 11 10 10 10 10 10 6 8 11

12 11 10 12 9 10 10 10 12 11 10 12 9 10 10 10

DC3DC3

Quantization TablesQuantization Tables

!! Higher numbers mean lower quality imageHigher numbers mean lower quality image

!! Lower numbers mean higher quality imageLower numbers mean higher quality image

!! Best images have tables of all onesBest images have tables of all ones

–– No compressionNo compression

DC3DC3

Quantization CalculationsQuantization Calculations

!! Original value =Original value = 124124

!! Table value of 1 -->Table value of 1 --> 124 -->124 --> 124124

!! Table value of 10 -->Table value of 10 --> 12 -->12 --> 120120

!! Table value of 20 -->Table value of 20 --> 6 -->6 --> 120120

!! Table value of 50 -->Table value of 50 --> 2 --> 1002 --> 100

!! Table value of 75 --> 1 --> 75Table value of 75 --> 1 --> 75

DC3DC3

Making TablesMaking Tables

!! Independent JPEG Group (IJG) TablesIndependent JPEG Group (IJG) Tables

–– Last updated 1998Last updated 1998

!! Scaling method uses quality factor QScaling method uses quality factor Q

!! Q can be between 1 and 100Q can be between 1 and 100

!! S = (Q < 50) ? 5000/Q : 200 S = (Q < 50) ? 5000/Q : 200 –– 2Q 2Q

!! TTss[i] = (S * T[i] = (S * Tbb[i] + 50) / 100[i] + 50) / 100

!! Integer mathInteger math

–– No decimals, information lostNo decimals, information lost

!! Scaling with Q=50 means no changeScaling with Q=50 means no change

DC3DC3

IJG Standard TableIJG Standard Table

16 11 10 16 24 40 51 61 16 11 10 16 24 40 51 61

12 12 14 19 26 58 60 55 12 12 14 19 26 58 60 55

14 13 16 24 40 57 69 56 14 13 16 24 40 57 69 56

14 17 22 29 51 87 80 62 14 17 22 29 51 87 80 62

18 22 37 56 68 109 103 77 18 22 37 56 68 109 103 77

24 35 55 64 81 104 113 92 24 35 55 64 81 104 113 92

49 64 78 87 103 121 120 101 49 64 78 87 103 121 120 101

72 92 95 98 112 100 103 99 72 92 95 98 112 100 103 99

DC3DC3

IJG Standard Table, Q=80IJG Standard Table, Q=80

6 4 4 6 10 16 20 24 6 4 4 6 10 16 20 24

5 5 6 8 10 23 24 22 5 5 6 8 10 23 24 22

6 5 6 10 16 23 28 22 6 5 6 10 16 23 28 22

6 7 9 12 20 35 32 25 6 7 9 12 20 35 32 25

7 9 15 22 27 44 41 31 7 9 15 22 27 44 41 31

10 14 22 26 32 42 45 37 10 14 22 26 32 42 45 37

20 26 31 35 41 48 48 40 20 26 31 35 41 48 48 40

29 37 38 39 45 40 41 40 29 37 38 39 45 40 41 40

DC3DC3

IJG Standard TablesIJG Standard Tables

!! Most software uses IJG Standard TablesMost software uses IJG Standard Tables

!! libjpeg libjpeg is free and easy to useis free and easy to use

–– Programmers are lazyProgrammers are lazy

!! Allows user to specify quality setting QAllows user to specify quality setting Q

!! Examples:Examples:

–– The GimpThe Gimp

–– Microsoft PaintMicrosoft Paint

–– InfranviewInfranview

–– Some camera phonesSome camera phones

DC3DC3

Extended IJG TablesExtended IJG Tables

!! Three tables instead of twoThree tables instead of two

!! The third is a duplicate of theThe third is a duplicate of the secondsecond

A BA B

A B BA B B

DC3DC3

Adobe PhotoshopAdobe Photoshop

!! Adobe Photoshop uses its ownAdobe Photoshop uses its own

quantization tablesquantization tables

!! Users select one ofUsers select one of 12 quality settings12 quality settings

!! Table depends only on quality settingTable depends only on quality setting

–– Does not consider imageDoes not consider image

DC3DC3

CategorizingCategorizing

Quantization TablesQuantization Tables

!! AllAll onesones

–– No dataNo data

!! Standard TablesStandard Tables

!! Two IJGTwo IJG

!! Extended Standard TablesExtended Standard Tables

!! Three IJGThree IJG

!! Custom Fixed TablesCustom Fixed Tables

!! Adobe PhotoshopAdobe Photoshop

!! Custom Adaptive TablesCustom Adaptive Tables

DC3DC3

Custom Adaptive TablesCustom Adaptive Tables

!! Table is computedTable is computed

on the flyon the fly

!! Usually based onUsually based on

image beingimage being

processedprocessed

!! Most cameras do thisMost cameras do this

–– Most vendors haveMost vendors have

patents onpatents on

quantization tablequantization table

constructionconstruction

DC3DC3

Digital BallisticsDigital Ballistics

!! Match images back to the device that created themMatch images back to the device that created them

–– Match to Match to individualindividual device device

–– Match to Match to type of type of devicedevice

DC3DC3

Digital BallisticsDigital Ballistics

!! Match to individual devicesMatch to individual devices

–– Depends on smallDepends on small imperfections in lens, sensorimperfections in lens, sensor

–– RequiresRequires lotslots of images from each camera of images from each camera

–– Beyond the scope of this presentationBeyond the scope of this presentation

DC3DC3

Digital BallisticsDigital Ballistics

!! Match to type ofMatch to type of devicedevice

–– Possible to identify IJG tablesPossible to identify IJG tables

•• Except when adaptive makes these by accidentExcept when adaptive makes these by accident

–– Possible to identify PhotoshopPossible to identify Photoshop tablestables

•• But could, in theory, be adaptive tablesBut could, in theory, be adaptive tables

–– Possible to identify adaptive tablesPossible to identify adaptive tables

•• ButBut could be either hardware or softwarecould be either hardware or software

!! In all cases, may only be last device toIn all cases, may only be last device to processprocess

DC3DC3

Digital BallisticsDigital Ballistics

!! Set of known quantization tablesSet of known quantization tables

–– 99 Standard Tables99 Standard Tables

–– 99 Extended Standard Tables99 Extended Standard Tables

–– Tables from Adobe PhotoshopTables from Adobe Photoshop

!! Compare each unknown images to set of knownCompare each unknown images to set of known

–– Matches are Matches are most likely last processed bymost likely last processed by software software

DC3DC3

CalvinCalvin

!! Col. Calvin Goddard, 1891-1955Col. Calvin Goddard, 1891-1955

–– Founded firearms identificationFounded firearms identification

–– Identified weapons used by AlIdentified weapons used by Al

Capone in St. Valentine's DayCapone in St. Valentine's Day

MassacreMassacre

Picture courtesy FBI, http://www.fbi.gov/hq/lab/labdedication/labstory.htm

DC3DC3

CalvinCalvin

!! By default, displays filenames not matched (e.g.By default, displays filenames not matched (e.g.

possible photographs)possible photographs)

C:\> C:\> calvin calvin *.jpg*.jpg

C:\kitty-pr0n.jpgC:\kitty-pr0n.jpg

DC3DC3

CalvinCalvin

!! Can display results for all filesCan display results for all files

C:\> C:\> calvin calvin -vv *.jpg-vv *.jpg

C:\from-gimp.jpg: Standard Tables, Q=80C:\from-gimp.jpg: Standard Tables, Q=80

C:\kitty-pr0n.jpg: possible hardwareC:\kitty-pr0n.jpg: possible hardware

DC3DC3

CalvinCalvin

!! Can dump tables from an imageCan dump tables from an image

C:\> C:\> calvin calvin -g kitty-pr0n.jpg-g kitty-pr0n.jpg

C:\kitty-pr0n.jpgC:\kitty-pr0n.jpg

5,4,2,6,7,2,4,5,2,10,3,6,3,6,4,2,2,11,7,3,9,6,4,6,7,4,5,65,4,2,6,7,2,4,5,2,10,3,6,3,6,4,2,2,11,7,3,9,6,4,6,7,4,5,6

6,3,6,4,2,3,5,10,4,6,9,7,5,3,8,6,4,6,3,1,6,8,5,3,3,6,8,4,1,6,3,6,4,2,3,5,10,4,6,9,7,5,3,8,6,4,6,3,1,6,8,5,3,3,6,8,4,1,

0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,

0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,00,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

DC3DC3

CalvinCalvin

!! Can use signatures on next runCan use signatures on next run

C:\> C:\> calvin calvin -g kitty-pr0n.jpg > -g kitty-pr0n.jpg > sigssigs.txt.txt

C:\> C:\> calvin calvin -a -a sigssigs.txt -vv d:\unknown\*.jpg.txt -vv d:\unknown\*.jpg

D:\unknown\also-kitty-pr0n.jpg: kitty-pr0n.jpgD:\unknown\also-kitty-pr0n.jpg: kitty-pr0n.jpg

DC3DC3

Digital BallisticsDigital Ballistics

!! This is just one step in the processThis is just one step in the process

!! Image from camera processed in PhotoshopImage from camera processed in Photoshop

–– According to Calvin, is from PhotoshopAccording to Calvin, is from Photoshop

–– But image contains EXIF and other metadataBut image contains EXIF and other metadata

–– Clues in the image itself (e.g. presence of skin tones)Clues in the image itself (e.g. presence of skin tones)

DC3DC3

Digital BallisticsDigital Ballistics

Processed with the Gimp

Standard Tables, Q=80

DC3DC3

Digital BallisticsDigital Ballistics

But contains skin tones, EXIF data

“Konica Minolta”

DC3DC3

Digital BallisticsDigital Ballistics

!! Best used as part of a larger systemBest used as part of a larger system

!! DC3 VISION systemDC3 VISION system

DC3DC3

AcknowledgementsAcknowledgements

!! Imagery provided by FBI, Imagery provided by FBI, Pisan KaewmaPisan Kaewma

!! libjpeglibjpeg: http://www.: http://www.ijgijg.org/.org/

!! No animals were harmed in the making of thisNo animals were harmed in the making of this

presentationpresentation

DC3DC3

Department of DefenseDepartment of Defense

Cyber Crime CenterCyber Crime Center

Jesse KornblumJesse Kornblum