DIGITAL FORENSIC RESEARCH CONFERENCE
Using JPEG Quantization Tables to Identify Imagery Processed by Software
By
Jesse Kornblum
Presented At
The Digital Forensic Research Conference
DFRWS 2008 USA Baltimore, MD (Aug 11th - 13th)
DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized
the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners
together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working
groups, annual conferences and challenges to help drive the direction of research and development.
http://dfrws.org
DC3
JPEG Quantization Tables
Jesse Kornblum

Overview
• Motivation
• Everything You Always Wanted to Know about JPEGs But Were Afraid to Ask
• Quantization Tables
• Types of Tables
• Calvin
• Future Work

Motivation
• Ashcroft v. Free Speech Coalition, 2002
• Cases now have hundreds of thousands of images
• Only a few needed to convict
  – Must be real pictures
• Need to find the real pictures
  – Not as easy as you’d think

Real Picture
WARNING: EXPLICIT IMAGERY
LAW ENFORCEMENT SENSITIVE – DO NOT DUPLICATE

Real Picture
LAW ENFORCEMENT SENSITIVE – DO NOT DUPLICATE

Real Picture
Image © Copyright Pisan Kaewma 2006

Computer Generated Image

All About JPEGs
• JPEG Compression
  – Lossy compression
• Six step process
  – Color space transform RGB to YCbCr
  – Downsampling
  – Block Splitting
  – Discrete Cosine Transform
  – Quantization (where the magic happens)
  – Encoding (lossless compression)

Quantization Tables
• Table used to control lossy compression
• Up to four sets of tables
  – 64 values in each table
• Value for each pixel is divided by a table value
  – Decimals thrown away
  – Decimal loss leads to image quality loss
• 124 / 50 --> 2
• When decompressed 2*50 = 100

Quantization Tables
 2  1  1  1  1  1  2  1
 1  1  2  2  2  2  2  4
 3  2  2  2  2  5  4  4
 3  4  6  5  6  6  6  5
 6  6  6  7  9  8  6  7
 9  7  6  6  8 11  8  9
10 10 10 10 10  6  8 11
12 11 10 12  9 10 10 10

Quantization Tables
• Higher numbers mean lower quality image
• Lower numbers mean higher quality image
• Best images have tables of all ones
  – No compression

Quantization Calculations
• Original value = 124
• Table value of 1 --> 124 --> 124
• Table value of 10 --> 12 --> 120
• Table value of 20 --> 6 --> 120
• Table value of 50 --> 2 --> 100
• Table value of 75 --> 1 --> 75

Making Tables
• Independent JPEG Group (IJG) Tables
  – Last updated 1998
• Scaling method uses quality factor Q
• Q can be between 1 and 100
• S = (Q < 50) ? 5000/Q : 200 - 2Q
• Ts[i] = (S * Tb[i] + 50) / 100
• Integer math
  – No decimals, information lost
• Scaling with Q=50 means no change

IJG Standard Table
 16  11  10  16  24  40  51  61
 12  12  14  19  26  58  60  55
 14  13  16  24  40  57  69  56
 14  17  22  29  51  87  80  62
 18  22  37  56  68 109 103  77
 24  35  55  64  81 104 113  92
 49  64  78  87 103 121 120 101
 72  92  95  98 112 100 103  99

IJG Standard Table, Q=80
 6  4  4  6 10 16 20 24
 5  5  6  8 10 23 24 22
 6  5  6 10 16 23 28 22
 6  7  9 12 20 35 32 25
 7  9 15 22 27 44 41 31
10 14 22 26 32 42 45 37
20 26 31 35 41 48 48 40
29 37 38 39 45 40 41 40
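
The scaling rule from the "Making Tables" slide, written out as an added Python example (not code from the presentation or from libjpeg). It reproduces the Q=80 table above and inverts the rule to recover Q from a table; the function names are made up for illustration, and the clamp to 1..255 is libjpeg's behaviour for baseline tables rather than something shown on the slide.

```python
# IJG base luminance table, copied from the "IJG Standard Table" slide.
BASE_LUMA = [
    16, 11, 10, 16, 24, 40, 51, 61,
    12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56,
    14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77,
    24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103, 99,
]

def scale_factor(q):
    """S = (Q < 50) ? 5000/Q : 200 - 2Q, in integer math."""
    if not 1 <= q <= 100:
        raise ValueError("Q must be between 1 and 100")
    return 5000 // q if q < 50 else 200 - 2 * q

def scale_table(base, q):
    """Ts[i] = (S * Tb[i] + 50) / 100, then clamped to 1..255.

    The clamp is not on the slide: libjpeg applies it when asked for
    baseline-compatible tables, so no entry is zero or wider than 8 bits.
    """
    s = scale_factor(q)
    return [min(max((s * t + 50) // 100, 1), 255) for t in base]

def identify_quality(table, base=BASE_LUMA):
    """Return the Q whose scaled table equals `table`, or None if none does.

    Q=100 yields the all-ones table, which the slides list as a category
    of its own ("all ones").
    """
    for q in range(1, 101):
        if scale_table(base, q) == table:
            return q
    return None
```

A table that returns None here is not an IJG-scaled luminance table; the slides file such tables under custom fixed or custom adaptive.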

IJG Standard Tables
• Most software uses IJG Standard Tables
• libjpeg is free and easy to use
  – Programmers are lazy
• Allows user to specify quality setting Q
• Examples:
  – The Gimp
  – Microsoft Paint
  – IrfanView
  – Some camera phones

Extended IJG Tables
• Three tables instead of two
• The third is a duplicate of the second
A B
A B B

Adobe Photoshop
• Adobe Photoshop uses its own quantization tables
• Users select one of 12 quality settings
• Table depends only on quality setting
  – Does not consider image

Categorizing Quantization Tables
• All ones
  – No data
• Standard Tables
  – Two IJG
• Extended Standard Tables
  – Three IJG
• Custom Fixed Tables
  – Adobe Photoshop
• Custom Adaptive Tables

Custom Adaptive Tables
• Table is computed on the fly
• Usually based on image being processed
• Most cameras do this
  – Most vendors have patents on quantization table construction

Digital Ballistics
• Match images back to the device that created them
  – Match to individual device
  – Match to type of device

Digital Ballistics
• Match to individual devices
  – Depends on small imperfections in lens, sensor
  – Requires lots of images from each camera
  – Beyond the scope of this presentation

Digital Ballistics
• Match to type of device
  – Possible to identify IJG tables
    • Except when adaptive makes these by accident
  – Possible to identify Photoshop tables
    • But could, in theory, be adaptive tables
  – Possible to identify adaptive tables
    • But could be either hardware or software
• In all cases, may only be last device to process

Digital Ballistics
• Set of known quantization tables
  – 99 Standard Tables
  – 99 Extended Standard Tables
  – Tables from Adobe Photoshop
• Compare each unknown image to set of known
  – Matches are most likely last processed by software

Calvin
• Col. Calvin Goddard, 1891-1955
  – Founded firearms identification
  – Identified weapons used by Al Capone in St. Valentine's Day Massacre
Picture courtesy FBI, http://www.fbi.gov/hq/lab/labdedication/labstory.htm

Calvin
• By default, displays filenames not matched (e.g. possible photographs)
    C:\> calvin *.jpg
    C:\kitty-pr0n.jpg

Calvin
• Can display results for all files
    C:\> calvin -vv *.jpg
    C:\from-gimp.jpg: Standard Tables, Q=80
    C:\kitty-pr0n.jpg: possible hardware

Calvin
• Can dump tables from an image
    C:\> calvin -g kitty-pr0n.jpg
    C:\kitty-pr0n.jpg
    5,4,2,6,7,2,4,5,2,10,3,6,3,6,4,2,2,11,7,3,9,6,4,6,7,4,5,6
    6,3,6,4,2,3,5,10,4,6,9,7,5,3,8,6,4,6,3,1,6,8,5,3,3,6,8,4,1,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

Calvin
• Can use signatures on next run
    C:\> calvin -g kitty-pr0n.jpg > sigs.txt
    C:\> calvin -a sigs.txt -vv d:\unknown\*.jpg
    D:\unknown\also-kitty-pr0n.jpg: kitty-pr0n.jpg
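
An added Python example of the dump-and-match workflow shown in the Calvin slides; it is not Calvin's source, and the function names, the comma-joined signature format and the sample bytes are assumptions made for illustration. It reads the DQT segments of a JPEG, reports the A B / A B B layout from the "Extended IJG Tables" slide, and looks the tables up in a set of known signatures.

```python
import struct

def read_dqt_tables(data):
    """Return every quantization table in a JPEG: 64 values, zigzag (file) order."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    tables, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):      # EOI or SOS: stop at the first scan
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if length < 2 or len(body) != length - 2:
            raise ValueError("truncated segment at offset %d" % pos)
        i = 0
        while marker == 0xDB and i < len(body):  # one DQT can hold several tables
            width = 2 if body[i] >> 4 else 1     # high nibble set: 16-bit entries
            raw = body[i + 1:i + 1 + 64 * width]
            if len(raw) != 64 * width:
                raise ValueError("truncated quantization table")
            tables.append(list(struct.unpack(">64H" if width == 2 else "64B", raw)))
            i += 1 + 64 * width
        pos += 2 + length
    return tables

def layout(tables):
    """One letter per table, repeats share a letter: 'A B' or 'A B B'."""
    distinct = [t for n, t in enumerate(tables) if t not in tables[:n]]
    return " ".join(chr(65 + distinct.index(t)) for t in tables)

def match(tables, known):
    """Categorise tables; `known` maps a comma-joined signature to a label."""
    if tables and all(v == 1 for t in tables for v in t):
        return "all ones"
    sig = ",".join(str(v) for t in tables for v in t)
    return known.get(sig, "not matched (possible photograph)")

# Constructed sample: SOI, one DQT segment with two 8-bit tables, then SOS.
SAMPLE = (b"\xff\xd8\xff\xdb" + struct.pack(">H", 2 + 2 * 65)
          + b"\x00" + bytes([3] * 64) + b"\x01" + bytes([7] * 64)
          + b"\xff\xda\x00\x02")
```

Signatures are compared in stored (zigzag) order, so a known set has to be built with the same reader; tables defined after the first scan are not collected.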

Digital Ballistics
• This is just one step in the process
• Image from camera processed in Photoshop
  – According to Calvin, is from Photoshop
  – But image contains EXIF and other metadata
  – Clues in the image itself (e.g. presence of skin tones)

Digital Ballistics
Processed with the Gimp
Standard Tables, Q=80

Digital Ballistics
But contains skin tones, EXIF data
“Konica Minolta”

Digital Ballistics
• Best used as part of a larger system
• DC3 VISION system

Acknowledgements
• Imagery provided by FBI, Pisan Kaewma
• libjpeg: http://www.ijg.org/
• No animals were harmed in the making of this presentation

Department of Defense
Cyber Crime Center
Jesse Kornblum