About the site
FotoForensics is a free web site intended to provide budding researchers a sample of what can be done with digital photo forensics.
In August 2007, Dr. Neal Krawetz gave a presentation at the Black Hat Briefings computer security conference. The presentation, titled "A Picture's Worth", covered a handful of novel photo analysis algorithms. (A video of the presentation is available from iTunes, search for "Krawetz". The associated white paper and slides are available online.) Using these algorithms, researchers can determine if a picture is real or computer graphics, if it was modified, and even how it was modified. Dr. Krawetz gave variations of this presentation at different conferences between 2007 and 2010.
Following the disclosure of these algorithms, many people began recreating them. Error Level Analysis (ELA) is one of the simpler algorithms, and many people implemented their own variants. In 2010, Pete Ringwood created the "errorlevelanalysis.com" web site as a free service where people could submit photos and web pictures for analysis. The result was an instant hit.
In 2012, Mr. Ringwood decided to retire the site, which had introduced millions of people to the field of photo forensics. Hacker Factor has recreated the service as "fotoforensics.com", maintaining the basic principles that Pete Ringwood established: a free service that provides an introduction to photo forensics.
Hosting, administration, and site development are not free. This site is sponsored by Hacker Factor. If you would like to help support this site, please consider making a small donation. All donations will be used to offset the hosting costs for this service. Unfortunately, we cannot offer return links or other advertisement space in exchange for donations.Please make donations payable to "Hacker Factor":
Hacker FactorBe sure to include the message "FotoForensics Donation" with any donation.
P.O. Box 270033
Fort Collins, CO 80527-0033
This site collects pictures that are submitted, information about the pictures (where it came from, when it was submitted, how often it is accessed), and typical weblog information.
While the pictures are displayed upon request by your web browser, other information is used for site management and related research purposes. To reiterate: FotoForensics is a research site; uploaded content will be used for research purposes. We will not publicly disclose personal information, and we will not provide collected information to external third parties (such as advertisers and data aggregates). This web site does not collect email addresses. It also does not sell content.
By uploading a picture, you consent to having the picture viewed by FotoForensics, Hacker Factor, and research partners for analysis-related purposes. If the pictures contain illegal or potentially illegal content, then the site administrators may have an obligation to share the information with law enforcement.
Problems with this site, such as error messages, connectivity issues, maintenance, etc. should be submitted through the contact form or emailed to .
Do not send this email address any advertisements, promotional offers, "let's swap links!" requests, or anything from any mailing list. Also, do not send questions about analysis results or requests for technical details about how the algorithms work. This email address is strictly for problems or issues with the web site.
This free service is available to everyone. It is intended to give people an introduction to digital photo forensics and image analysis. This site does not draw conclusions or interpret results; it just shows raw data. As such, the algorithms on this free service are not intended for commercial or illegal uses. FotoForensics takes no responsibility for inaccurate, incorrect, or misleading analysis interpretations.
Some web developers have inquired about creating their own front-end systems to this online service. This is permitted as long as:
Basically, developers must not take credit for work performed by FotoForensics, developers must not charge for this free service, and developers must not claim or imply that FotoForensics endorses their software or services. Ads are not permitted because using these pictures to generate revenue from ads directly violates Copyright and the Fair Use clause. Developers who do not adhere to the API may find that their code no longer works if this site makes a code change. It is strongly recommended that developers contact FotoForensics prior to developing their systems.
FotoForensics works best with HTML5 and CSS3. This includes most up-to-date web browsers. Browsers older than Internet Explorer 9, Firefox version 10, or Chrome version 10 are unlikely to work well with this site.
Apple's Mobile Safari web browser is partially supported. Specifically, Mobile Safari (the default browser on iPhone, iPad, and iPod devices) is only supported for URL uploads and not file uploads. Unfortunately, Mobile Safari explicitly resaves all images prior to uploading. The resave impacts the results from algorithms such as Error Level Analysis and JPEG % -- these algorithms will identify the resave by Safari and not the original picture. Mobile Safari also strips out the original metadata and substitutes its own, so metadata analysis will be of little use.
Other browsers for Apple mobile devices, such as Chrome, Firefox, and Dolphin, are fully supported by FotoForensics.
For people who previously used Mobile Safari to upload files: We identified this problem on 3-Oct-2013. Apple's decision to strip metadata and resave the image appears to be an intentional feature of Safari, with no alternative beyond forcing users to switch web browsers. Because Mobile Safari will not permit this site to directly analyze the file that you selected, we have disabled file uploads from Mobile Safari browsers.
You can submit a picture from your computer or submit a URL of an online picture. The picture must be a JPEG or PNG. There is a 5 Meg file size limit. Pictures should also be at least 100x100 pixels and no larger than 10,000x10,000; thumbnail images will not work well and extremely large pictures take too long to process in real-time.
This web site is used by forensic researchers. Uploaded pictures may be viewed by the site administrators and research partners.
Please consider the content you are uploading. If you would not show it to your parents or children, then it probably does not belong here. People who upload pornography and sexually explicit content will be banned.
There are many different file types for storing pictures. However, this service only supports JPEG and PNG files. This is because other formats will not work well with the available algorithms or consume too many system resources. For example:
Other image file formats have these same limitations. They either consume too much disk space, take too long to process, or contain multiple pictures. This public site strictly processes JPEG and PNG files because they are compressed efficiently and work well with the algorithms available to this free service.
If your upload fails, it is probably because:
Occasionally the uploaded picture does not look like you expected. It may appear inverted, rotated, or even larger than you thought.
JPEG images can contain display information such as rotation or inversion. In effect, graphical applications render the JPEG and then apply a transform. For the types of photo forensics performed on this site, additional transformations may distort the image. As a result, post-rendering transformations are not applied. Images may appear rotated, flipped, or inverted depending on the post-rendering transformations.
In other cases, such as a URL upload, the picture retrieved by FotoForensics may not look like the picture you thought you uploaded because FotoForensics acquired a higher quality image. This can currently happen with pictures that come from Facebook and Imgur.
With Facebook, the URL may contain commands for scaling, cropping, and positioning the image. When FotoForensics detects this, it attempts to retrieve the full-size picture stored at Facebook, and not the cropped or scaled image. This is done because scaling, cropping, and other server-side transformations result in a resave and may obscure information about an image. The picture retrieved by FotoForensics can appear larger and wider than the image shown on Facebook's web page.
With Imgur, users occasionally submit the URL to the text web page and not the URL to the image. (Editor's note: Don't blame the user!) If this is detected, then FotoForensics will retrieve the primary image from the web page. If there are multiple images on the page, then it may not retrieve the one you wanted. Try submitting the URL to the image itself: right click on the image and select "View Image" (the actual menu item varies by browser), and submit that URL to FotoForensics.
In rare cases, pictures retrieved from a URL upload may appear broken. With JPEG images, they will usually render the top part of the image, but the bottom part will appear as a gray box. This happens when the server hosting the picture cannot provide it within a reasonable timeframe. Either the hosting server is slow, or there is a significant network delay that is causing the download to timeout.
This problem has been repeatedly seen with pictures hosted in China, such as pictures from Baidu.com. As far as we can tell, China is tarpitting the network connection -- intentionally making it slower and slower until the download fails.
The best solution to this problem is to download the picture to your local computer and use the File Upload option to submit the picture.
When you submit an image, you are provided with a direct link that you can share with other people (and they, in turn, may tweet or post to Facebook or send it to friends). The pictures may also be reviewed by the site administrators and research partners.
Pictures remain on the server for at least 3 months. After that, inactive pictures may be removed in order to reclaim disk space as needed.
This site permits nearly all types of pictures. Dancing kittens, airplane crashes, and everything in between is par for the course. Currently, this site only forbids pornography, nudity, and sexually explicit content.
This server is located in the United States of America. Although there are laws concerning obscenity, pornography and nudity in general is considered protected free speech. With one exception: it is a federal offense to knowingly possess or distribute child pornography (see 18 U.S.C. 2251, 2252, 2258, and 1466).
This web site is used for photo research. It is very possible that an administrator or research partner may see the pictures that you upload. I do not want my administrators spending any time guessing whether a person in a picture is over or under the legal age of consent. As such, we have implemented a very simple rule: no pornography, no nudity, no sexually explicit content. I do not care if you think the person is clearly an adult, and it does not matter if you think nudity is artistic. Uploading prohibited content will result in a ban.
For some people, this site may appear broken. There is no upload window and every link to an analysis shows nothing. Every page says to visit this FAQ.
Fear not! This site is not broken! You have been banned due to uploading prohibited content. (This site is not for your personal porn archive.) The ban will lift automatically after 3 months. (That is, 3 months after you stop visiting this site, and the counter resets every time you visit.)
If you feel unfairly banned from this site, you can submit an unban request through the removal request form or by writing to . Be sure to explain why you believe that your actions (e.g., submitting pornography, nudity, or sexually explicit content) was appropriate behavior on a public web service. Be sure to identify who you are (name, email address, postal address, phone number -- in case we need to contact you), your network address (you are currently using 126.96.36.199), what content you submitted, and approximately when it was submitted -- otherwise we will not be able to identify which block is associated with you.
NOTE: People who only submit their network address with their removal request will not have the block removed. You must include an explanation, who you are, and a description of the type of content you were submitting. Requesting a removal does not guarantee a removal.
This web site is Copyright Hacker Factor, All Rights Reserved. However, we do not own the copyright to the submitted pictures.
Each picture's copyright is retained by the original copyright holder. For the derivative works (i.e., the analysis pictures), it depends on the picture and how much it looks like the original image. The derivative work is either the copyright work of Hacker Factor or of the original source's copyright holder. (It's best to consult an attorney, and I'm not an attorney.) It suffices to say that you do not own the copyright just because you submitted the picture.
Let me preface this with "I am not a lawyer and this is not legal advice," "You should consult an attorney," and "It is my understanding that..."
This site permits people to submit images to a digital image analysis system.
It is our belief that this complies with the Fair Use clause (Title 17, Chapter 1, Section 107).
We do occasionally solicit pictures specifically for testing and research. We do not solicit photos containing personal information and we do not request third-party pictures. Any exceptions will be identified during the solicitation. Submitting a photo in response to a research request does not transfer the copyright; the photographer still owns the copyright. Our research requests do require permission for FotoForensics and Hacker Factor to use the photos in ways related with the research.
Requests should be submitted to , or write to:
FotoForensicsYou may also fill out the removal request form. Removal requests must include all of the following information:
c/o: Hacker Factor
P.O. Box 270033
Fort Collins, CO
United States of America
Removals are a semi-manual process that requires more than simply deleting a picture. People who only ask for content to be removed, without providing the additional required information, will not have their content removed.
Offensive is a very subjective term. See "How can I request content removal?" Be sure to mention the nature of the offense and why you feel it is offensive. Some types of pictures are illegal in the United States; we will contact law enforcement immediately.
This site does not cater to people who want to use it for hosting photos intended to harass or harm other people. Harassment complaints will be expedited.
No. This site is like a microscope -- it will show you data, but it does not draw any conclusions. FotoForensics includes tutorials to help you understand what to look for in the analysis results.In some cases, the analysis may not provide the answer you wanted. For example, you may want to know if a picture was edited. However, if the picture is a low quality, then the results may not permit identification of anything beyond "low quality, multiple resaves." As a concrete example, consider analyzing a picture from Facebook. Facebook strips out all original metadata and replaces it with their own metadata. So the metadata analysis will not identify anything beyond "Facebook". Facebook also resaves the image at a low quality, so the JPEG quality (JPEG %) will report a low quality image. Error Level Analysis will typically return a dark result with large colored rectangles -- indicating a low quality image and multiple resaves (a solid description of what Facebook provides). Even if the picture is visually altered, the algorithmic results may not detect much more than an image resaved by Facebook. The tutorials on this site identify some common applications and online services that leave tell-tale artifacts that are usually identifiable.
Error Level Analysis (ELA) is an algorithm that evaluates the error level potential of a JPEG image. JPEG is a lossy image format; every resave degrades the picture. The amount of degradation varies based on the number of saves. The first save loses a lot, the second save loses a little more, and by the 20th save, it is probably as low quality as it will ever get.
When a picture is modified, the changed parts have a higher error level potential than the rest of the image. ELA works by saving the picture at a known quality level (like a JPEG at 95%), and then determines how much changed. Edits and splices appear as regions with more change. See the tutorial for more detail.
The Error Level Analysis algorithm was publicly disclosed by Dr. Neal Krawetz in a white paper and presentation at the Black Hat Briefings security conference. The revised white paper and slides are from the 2008 conference in Washington, DC.
Krawetz, N., "A Picture's Worth: Digital Image Analysis and Forensics." Black Hat Briefings DC. 2008. <http://blackhat.com/presentations/bh-dc-08/Krawetz/Whitepaper/bh-dc-08-krawetz-WP.pdf>
Chicago Manual of Style citation
Krawetz, N., "A Picture's Worth: Digital Image Analysis and Forensics." Black Hat Briefings DC. 2008. Available from http://blackhat.com/presentations/bh-dc-08/Krawetz/Whitepaper/bh-dc-08-krawetz-WP.pdf
ELA measures the amount of change during a JPEG resave. When a digital photo is edited, the modified portions will have a different error level potential compared to the rest of the picture. Splices, drawing, and significant edits are usually visible as a significantly different error level potential.
There is a difference between real and authentic. A real photo of a forged document or a staged situation will not appear unusual under ELA. This is because the picture is real, even if the subject of the photo is not authentic. ELA does not identify the authenticity or other attributes related to the picture's subject.
ELA also does not detect all forms of digital manipulation; it only identifies differences in the JPEG compression rate. Digital modifications that do not significantly alter the error level potential, such as a minor color adjustment over the entire picture, may not be detected by ELA.
A very low quality picture that has undergone multiple resaves will have no more error level potential. A black result is informative: this picture (1) is not a camera original, (2) is very low quality, and (3) has been repeatedly resaved.
When the Error Level Analysis algorithm was disclosed in 2007, we intentionally did not release source code. As a result, every implementation is a variant of the algorithm. They all implement the same basic approach and all can be used to reach the same conclusions. However, different settings can lead to differences in the appearance of the ELA image.
For a proper experiment, the results must be repeatable. This system uses libjpeg-6b with a resave quality of 75% and a post-process brightness factor of 20. Different JPEG libraries and different parameters will generate different ELA images.
The results from an analysis are directly dependent on the image quality. You may want to know if something was added, but if the picture is a copy of a copy of a copy, then it may only detect the resaves. Try to find the best quality version of the picture.
For example, many pictures are hosted at Flickr. Flickr provides small, medium, large, and original images. The small, medium, and large are derivative images (resaves) created by Flickr. The "original" is whatever the user sent to Flickr, so the original will be the best quality. Similarly, pictures on news sites are usually resaved. If they have a tagline like "Source: AP Images", then go to the source and use that picture instead. News sites typically recolor, resize, and crop images before saving them at a very low quality. Go for the original source (or get as close as you can to the original source) to improve the image's quality and the results.
If you do not know where to start, then try TinEye. Many pictures on the web are resaved as they pass from user to user. TinEye does not know every picture, but it knows many pictures. If the picture is being passed around, then TinEye can help find the source (or at least a better copy of the image). In general, the biggest image is usually the best quality. (But some sites do scale images larger...)
First remember: any single analysis algorithm can generate noise that may result in a false-positive interpretation. You should confirm your results with other analysis methods. ("Observation" is always a good one, so is "common sense".)
Second, identify how the picture was modified. For example, scaling a picture smaller for the web will remove high frequencies and modifies every pixel. Are you seeing artifacts related to how the picture was processed, or are you seeing intentional deception?
Finally, who you tell is up to you. If it is from the mass media, then find out where they got it -- usually they purchase pictures from Getty Images, Reuters, AFP, AP Images, or other professional organizations. Contact the right people. Be polite, and tell them what you found. (Do not demand that they fire the photographer; if you are right, that will happen automatically.)
One warning: there is a difference between accusing someone of photo manipulation and libel/slander. (Consider using alternate wording like "it is my belief that" and "based on the following tests it appears that".)