FotoForensics provides budding researchers and professional investigators access to cutting-edge tools for digital photo forensics.
In August 2007, Dr. Neal Krawetz gave a presentation at the Black Hat Briefings computer security conference.
The presentation, titled "A Picture's Worth", covered a handful of novel photo analysis algorithms.
(A video of the presentation is available from iTunes, search for "Krawetz". The associated white paper and slides are available online.)
Using these algorithms, researchers can determine if a picture is real or computer graphics, if it was modified, and even how it was modified.
Dr. Krawetz gave variations of this presentation at different conferences between 2007 and 2010.
Following the disclosure of these algorithms, many people began recreating them. Error Level Analysis (ELA) is one of the simpler algorithms, and many people implemented their own variants. In 2010, Pete Ringwood created the "errorlevelanalysis.com" web site as a free service where people could submit photos and web pictures for analysis. The result was an instant hit.
In 2012, Mr. Ringwood decided to retire the site, which had introduced millions of people to the field of photo forensics.
Hacker Factor has recreated the service as "fotoforensics.com", maintaining the basic principles that Pete Ringwood established: a free service that provides an introduction to photo forensics.
This site collects pictures that are submitted, information about the pictures (where it came from, when it was submitted, how often it is accessed), and typical weblog information.
While the pictures are displayed upon request by your web browser, other information is used for site management and related research purposes. To reiterate: FotoForensics is a research site; uploaded content will be used for research purposes. We will not publicly disclose personal information, and we will not provide collected information to external third parties (such as advertisers and data aggregates). This web site does not collect email addresses. It also does not sell content.
By uploading a picture, you consent to having the picture viewed by FotoForensics, Hacker Factor, and research partners for analysis-related purposes. If the pictures contain illegal or potentially illegal content, then the site administrators may have an obligation to share the information with law enforcement.
Problems with this site, such as error messages, connectivity issues, maintenance, etc. should be submitted through the contact form or emailed to .
Do not send this email address any advertisements, promotional offers, "let's swap links!" requests, or anything from any mailing list. Also, do not send questions about analysis results or requests for technical details about how the algorithms work. This email address is strictly for problems or issues with the web site.
This free service is available to everyone. It is intended to give people an introduction to digital photo forensics and image analysis. This site does not draw conclusions or interpret results; it just shows raw data. As such, the algorithms on this free service are not intended for commercial uses. FotoForensics takes no responsibility for inaccurate, incorrect, or misleading analysis interpretations.
FotoForensics works best with HTML5 and CSS3. This includes most up-to-date web browsers. Browsers older than Internet Explorer 9, Firefox version 10, or Chrome version 10 are unlikely to work well with this site.
While FotoForensics permits people to upload content, this site does not permit uploads from automated systems (bots). Automated bulk-file uploaders will be banned.
Apple's Mobile Safari web browser is partially supported. Specifically, Mobile Safari (the default browser on iPhone, iPad, and iPod devices) is only supported for URL uploads and not file uploads. This is because Mobile Safari explicitly alters all images prior to uploading.
During the file upload, Mobile Safari actively strips out all metadata and recompresses the picture at a low quality. This means that the analyzers on this site will provide virtually no useful information about your picture.
For example, Error Level Analysis and JPEG % will identify the resave by Safari and not the original picture. Mobile Safari also strips out the original metadata and substitutes its own, so metadata analysis will be of little use.
Any analysis would be relative to the stripped, recompressed, and modified picture that was generated by your Mobile Safari browser. Image analysis will identify your browser and platform, but not information about the selected photo.
If your picture is considered "evidence", then your Mobile Safari browser will tamper with the evidence.
Apple considers this in-browser image modification to be a "feature". However, it prevents web services from analyzing the picture. This problem is not limited to FotoForensics; it impacts every web site. If you use other web sites to evaluate this picture's content or metadata, then those other sites will also analyze the Safari-modified version and not the source image.
To reiterate: this is a browser issue and not a web site issue. Although you want to evaluate the picture, the Mobile Safari browser is preventing analysis.
Fortunately, there is a solution: use a different web browser. Chrome and Firefox for Apple devices do not have this tampering issue and will allow you to upload the actual picture for analysis.
Proxies are used to relay network requests through other computer systems. These are usually corporate proxies or small residential proxies that are used to share a network address between related computers. Proxies may also include translation systems, web virus scanners, and web speed improvement systems. For example, Google Translate and Chrome's "Data Saver" option both operate as proxies. However, proxies can also be used to intentionally obscure a user's true location (e.g., Tor).
Attributable proxies, including corporate, translation, and speed services, are permitted. However, FotoForensics has had a lot of problems with people using anonymous proxies to either upload prohibited content or attack the web server. For this reason, we do not permit anonymous proxies to upload content for analysis. Anonymous proxies can view existing content on the server, but they cannot upload new content for analysis.
We may treat your proxy system as a single user. If anyone using your proxy system uploads prohibited content, then it will likely result in the proxy system being banned.
Some pictures are available on alternate networks beyond the Internet. This includes 'Darknet' services.
Uploads to FotoForensics can only be accessed from the Internet. However, uploaded URLs for Tor (.onion) sites are permitted.
You can submit a picture from your computer or provide a URL to an online picture.
The picture must be a JPEG, PNG, or WebP.
Uploads are limited to 8 megabytes per file.
Pictures should be at least 100x100 pixels; thumbnail images are typically heavily postprocessed (cropped and resized) so modifications are rarely identifiable.
Pictures must not be no larger than 10,000x10,000; extremely large pictures cannot be processed in real-time.
This public web site is used by forensic researchers. Uploaded pictures will likely be viewed by the site administrators and research partners.
Please consider the content you are uploading. If you would not show it to your parents or children, then it probably does not belong here. People who upload pornography, nudity, or sexually explicit content will be banned.
There are many different file types for storing pictures. However, this service only supports JPEG, PNG, and WebP files. This is because other formats will not work well with the available algorithms or consume too many system resources. For example:
BMP. Windows Bitmaps are a lossless data format, comparable to PNG. But unlike PNG, BMP files are typically uncompressed. In the typical case, a PNG will be a fraction of the size of a BMP. And unlike PNG, a BMP file contains no metadata. In effect, a BMP will not generate useful metadata analysis and will consume much more disk space (system resources) than a PNG.
GIF. GIF files are limited to 256 colors. The restrictive color space effectively ensures that algorithms like ELA will generate useless results. Many GIFs uploaded to this site are animated, but this site has no algorithms for evaluating animated sequences.
TIFF. The Tagged Image File Format (TIFF) supports many different types of data encoding. Most of the encoding methods are not as efficient as PNG. (The exception is JPEG/DCT encoding, in which case you might as well submit the non-TIFF JPEG.) TIFF files may also contain multiple pages, but this site has no methods to represent multiple pages.
RAW. There are many different RAW formats. Canon uses CRW and CR2, Nikon has NEF, Pentax uses PEF, and Adobe introduced DNG. Most RAW formats are TIFF variants, and each of these are large formats that usually cannot be evaluated in the time requirements for this real-time web service.
Other image file formats have these same limitations. They either consume too much disk space, take too long to process, or contain multiple pictures. This public site strictly processes JPEG, PNG, and WebP files because they are compressed efficiently and work well with the algorithms available to this free service.
Occasionally the uploaded picture does not look like you expected. It may appear inverted, rotated, or even larger than you thought.
JPEG images can contain display information such as rotation or color profiles. In effect, graphical applications render the JPEG and then apply a transform. For the types of photo forensics performed on this site, additional transformations may distort the image. As a result, post-rendering transformations are not applied. Images may appear rotated, flipped, or inverted depending on the post-rendering transformations.
In other cases, such as a URL upload, the picture retrieved by FotoForensics may not look like the picture you thought you uploaded because FotoForensics acquired a higher quality image. This can currently happen with pictures that come from Facebook, Imgur, or Tumblr.
Facebook: The URL may contain commands for scaling, cropping, and positioning the image. When FotoForensics detects this, it attempts to retrieve the full-size picture stored at Facebook, and not the cropped or scaled image. FotoForensics attempts to retrieve an unaltered image because scaling, cropping, and other server-side transformations result in a resave and may obscure information about an image. The picture retrieved by FotoForensics can appear larger and wider than the image shown on Facebook's web page.
Imgur: Users occasionally submit the URL to the text web page and not the URL to the image. (Editor's note: Don't blame the user!) If this is detected, then FotoForensics will retrieve the primary image from the web page. If there are multiple images on the page, then it may not retrieve the one you wanted. Try submitting the URL to the image itself: right click on the image and select "View Image" (the actual menu item varies by browser), and submit that URL to FotoForensics.
Tumblr Avatars: Tumblr avatar images come in a variety of sizes. They may appear on pages as 16x16, 24x24, 40x40, or similarly small icon images. However, the maximum size is 512x512. FotoForensics will automatically retrieve the largest image (512x512) since this does not undergo additional scaling and it retains the most detail.
In rare cases, pictures retrieved from a URL upload may appear broken. With JPEG images, they will usually render the top part of the image, but the bottom part will appear as a gray box. This happens when the server hosting the picture cannot provide it within a reasonable timeframe. Either the hosting server is slow, or there is a significant network delay that is causing the download to timeout.
This problem has been repeatedly seen with pictures hosted in China, such as pictures from Baidu.com. As far as we can tell, China is tarpitting the network connection -- intentionally making it slower and slower until the download fails.
The best solution to this problem is to download the picture to your local computer and use the File Upload option to submit the picture.
When you submit an image, you are provided with a direct link that you can share with other people (and they, in turn, may tweet or post to Facebook or send it to friends). The pictures may also be reviewed by the site administrators and research partners. In limited cases that comply with Copyright Fair Use (e.g., teaching), select pictures may be used for analysis-related training purposes.
Pictures remain on the server for at least 3 months and potentially indefinitely. After the initial 3 months, inactive pictures may be removed in order to reclaim disk space as needed. (Currently, we have plenty of disk space so only prohibited content is removed.)
This site permits nearly all types of pictures. Dancing kittens, airplane crashes, and everything in between is par for the course. Currently, this site only forbids pornography, nudity, and sexually explicit content.
This server is located in the United States of America. Although there are laws concerning obscenity, pornography and nudity in general is considered protected free speech. With one exception: it is a federal offense to knowingly possess or distribute child pornography (see 18 U.S.C. 2251, 2252, 2258, 2258A, 2258B, 2258C, and 1466). Regarding uploaded pictures: we expect users to adhere to both the laws of the United States of America and their local jurisdictions.
This web site is used for photo research. It is possible and likely that an administrator or research partner will see the pictures that you upload. I do not want my administrators spending any time guessing whether a person in a picture is over or under the legal age of consent. As such, we have implemented a very simple rule: no pornography, no nudity, no sexually explicit content. I do not care if you think the person is clearly an adult, and it does not matter if you think nudity is artistic. Uploading prohibited content will result in a ban.
You are using a network connection that is regularly used by people who upload prohibited content. Most anonymous proxies have been banned because they were used to violate this site's terms of service.
You attempted to compromise this site's security.
You abused this service by using an automated bulk uploader or otherwise intentionally stressing the system. For example, uploading a hundred pictures in under an hour, or uploading every frame from a video, is an abuse of this public site. If you're doing that kind of bulk analysis, then please use lab.fotoforensics.com.
(There have only been a handful of abuse bans; more than 99% of the time, bans are due to pornography.)
The ban will lift automatically after 3 months. That is, 3 months after you stop visiting this site, and the counter resets every time you visit.
If you feel unfairly banned from this site, you can submit an unban request through the removal request form. Be sure to explain why you believe that your actions (e.g., submitting pornography, nudity, or sexually explicit content) was appropriate behavior on a public web service. Be sure to identify who you are (name, email address, postal address, phone number -- in case we need to contact you), what content you submitted, and approximately when it was submitted -- otherwise we will not be able to identify which block is associated with you.
NOTE: You must include an explanation, who you are, and a description of the type of content you were submitting. Requesting to be unbanned does not guarantee an unban.
This web site is Copyright Hacker Factor, All Rights Reserved. However, we do not own the copyright to the submitted pictures.
Each picture's copyright is retained by the original copyright holder. For the derivative works (i.e., the analysis pictures), it depends on the picture and how much it looks like the original image. The derivative work is either the copyright work of Hacker Factor or of the original source's copyright holder. (It's best to consult an attorney, and I'm not an attorney.) It suffices to say that you do not own the copyright just because you submitted the picture.
This site permits people to submit pictures to a digital image analysis system.
The system does not draw any conclusions about the picture.
The purpose is for education, research, and criticism.
This site does not host advertisements and is operated at a financial loss; it is not a profit-oriented service and does not gain financial profit from the submitted content.
Direct links to submitted content are only provided to the people who submit the content (or who already have the link).
In the case of pictures where the link or content is widely distributed and openly discussed, direct links may be disclosed publicly in order to further the discussion.
It is our belief that this complies with the Fair Use clause (Title 17, Chapter 1, Section 107).
On rare occasions, we do solicit pictures specifically for testing and research. We do not solicit photos containing personal information and we do not request third-party pictures. Any exceptions will be identified during the solicitation. Submitting a photo in response to a research request does not transfer the copyright; the photographer still owns the copyright. Our research requests require permission for FotoForensics and Hacker Factor to use the photos in ways related to the research.
FotoForensics provides two different options for requesting content removal:
Web form. Requests can be submitted using the removal request form. This is the simplest and fastest option, and it automates much of the lookup information, making it easier for administrators to identify the content to be removed.
Postal Service. Requests can be mailed to:
c/o: Hacker Factor
P.O. Box 270033
Fort Collins, CO
United States of America
Due to delays in postal mail delivery, mailing us a letter is the slowest method and could take over a week to be processed. (And that's assuming that you included everything needed to identify the content.)
Removal requests must include all of the following information:
The direct link to the content that you wish to have removed.
A statement about why the content should be removed. If this is a copyright complaint, then you must include why you believe that this site is not in compliance with Section 107 of US Copyright Law (Title 17). All other requests must still provide an explanation about why it should be removed.
Information that we can use to verify that you are the copyright holder, you represent the copyright holder, or you represent the subject of the picture.
Your name and contact information (email address, postal address, phone number) for any followup questions and replies.
Removals are a semi-manual process that requires more than simply deleting a picture. People who only ask for content to be removed, without providing the additional required information, will not have their content removed.
Offensive is a very subjective term. See "How can I request content removal?"
Be sure to mention the nature of the offense and why you feel it is offensive.
Some types of pictures are illegal in the United States; we will contact law enforcement immediately.
This site does not cater to people who want to use it for hosting photos intended to harass or harm other people. Harassment complaints will be expedited.
In some cases, the analysis may not provide the answer you wanted. For example, you may want to know if a picture was edited. However, if the picture is a low quality, then the results may not permit identification of anything beyond "low quality, multiple resaves."
As a concrete example, consider analyzing a picture from Facebook. Facebook strips out all original metadata and replaces it with their own metadata. So the metadata analysis will not identify anything beyond "Facebook". Facebook also resaves the image at a low quality, so the JPEG quality (JPEG %) will report a low quality image. Error Level Analysis will typically return a dark result with large colored rectangles -- indicating a low quality image and multiple resaves (a solid description of what Facebook provides). Even if the picture is visually altered, the algorithmic results may not detect much more than an image resaved by Facebook.
The tutorials on this site identify some common applications and online services that leave tell-tale artifacts that are usually identifiable.
What is Error Level Analysis?
Error Level Analysis (ELA) is an algorithm that evaluates the error level potential of a JPEG image. JPEG is a lossy image format; every resave degrades the picture. The amount of degradation varies based on the number of saves. The first save loses a lot, the second save loses a little more, and by the 20th save, it is probably as low quality as it will ever get.
When a picture is modified, the changed parts have a higher error level potential than the rest of the image. ELA works by saving the picture at a known quality level (like a JPEG at 95%), and then determines how much changed. Edits and splices appear as regions with more change. See the tutorial for more detail.
How do I cite ELA?
The Error Level Analysis algorithm was publicly disclosed by Dr. Neal Krawetz in a white paper and presentation at the Black Hat Briefings security conference. The revised white paper and slides are from the 2008 conference in Washington, DC.
Black Hat Briefings DC. (2008) A Picture's Worth: Digital Image Analysis and Forensics [White paper]. Washington, DC. Retrieved from http://blackhat.com/presentations/bh-dc-08/Krawetz/Whitepaper/bh-dc-08-krawetz-WP.pdf
Krawetz, N., "A Picture's Worth: Digital Image Analysis and Forensics." Black Hat Briefings DC. 2008. <http://blackhat.com/presentations/bh-dc-08/Krawetz/Whitepaper/bh-dc-08-krawetz-WP.pdf>
Chicago Manual of Style citation
Krawetz, N., "A Picture's Worth: Digital Image Analysis and Forensics." Black Hat Briefings DC. 2008. Available from http://blackhat.com/presentations/bh-dc-08/Krawetz/Whitepaper/bh-dc-08-krawetz-WP.pdf
What does ELA detect?
ELA measures the amount of change during a JPEG resave. When a digital photo is edited, the modified portions will have a different error level potential compared to the rest of the picture. Splices, drawing, and significant edits are usually visible as a significantly different error level potential.
There is a difference between real and authentic. A real photo of a forged document or a staged situation will not appear unusual under ELA. This is because the picture is real, even if the subject of the photo is not authentic. ELA does not identify the authenticity or other attributes related to the picture's subject.
ELA also does not detect all forms of digital manipulation; it only identifies differences in the JPEG compression rate. Digital modifications that do not significantly alter the error level potential, such as a minor color adjustment over the entire picture, may not be detected by ELA.
Why is the picture black?
A very low quality picture that has undergone multiple resaves will have no more error level potential. A black result is informative: this picture (1) is not a camera original, (2) is very low quality, and (3) has been repeatedly resaved.
Why does this ELA picture look different from other ELA systems?
When the Error Level Analysis algorithm was disclosed in 2007, we intentionally did not release source code. As a result, every implementation is a variant of the algorithm. They all implement the same basic approach and all can be used to reach the same conclusions. However, different settings can lead to differences in the appearance of the ELA image.
For a proper experiment, the results must be repeatable. This system uses libjpeg-6b with a resave quality of 75% and a post-process brightness factor of 20. Different JPEG libraries and different parameters will generate different ELA images.
How can I improve the results?
The results from an analysis are directly dependent on the image quality. You may want to know if something was added, but if the picture is a copy of a copy of a copy, then it may only detect the resaves. Try to find the best quality version of the picture.
For example, many pictures are hosted at Flickr. Flickr provides small, medium, large, and original images. The small, medium, and large are derivative images (resaves) created by Flickr. The "original" is whatever the user sent to Flickr, so the original will be the best quality. Similarly, pictures on news sites are usually resaved. If they have a tagline like "Source: AP Images", then go to the source and use that picture instead. News sites typically recolor, resize, and crop images before saving them at a very low quality. Go for the original source (or get as close as you can to the original source) to improve the image's quality and the results.
If you do not know where to start, then try TinEye. Many pictures on the web are resaved as they pass from user to user. TinEye does not know every picture, but it knows many pictures. If the picture is being passed around, then TinEye can help find the source (or at least a better copy of the image). In general, the biggest image is usually the best quality. (But some sites do scale images larger...)
OMG, this picture is totally fake, who do I tell?
First remember: any single analysis algorithm can generate noise that may result in a false-positive interpretation. You should confirm your results with other analysis methods. ("Observation" is always a good one, so is "common sense".)
Second, identify how the picture was modified. For example, scaling a picture smaller for the web will remove high frequencies and modifies every pixel. Are you seeing artifacts related to how the picture was processed, or are you seeing intentional deception?
Finally, who you tell is up to you. If it is from the mass media, then find out where they got it -- usually they purchase pictures from Getty Images, Reuters, AFP, AP Images, or other professional organizations. Contact the right people. Be polite, and tell them what you found. (Do not demand that they fire the photographer; if you are right, that will happen automatically.)
One warning: there is a difference between accusing someone of photo manipulation and libel/slander. (Consider using alternate wording like "it is my belief that" and "based on the following tests it appears that".)