Digital Camera Image Verification

Polo writes "While reading dpreview, I noticed that among several new products, Canon has announced a Digital Image Verification Kit to prove that an image taken by a particular camera has not been modified. It's disturbing to think about the conditions that would allow digital images to be accepted in a courtroom. I guess one defense would be to figure out how to 'verify' a photo of shark attack..."

Windows only?

[Moderator]

The card reader connects to a computer USB port (only Windows 2000/XP compatible at the moment).

Suddenly, this throws out the validity of anyone who owned a Mac or was using FreeBSD as their primary desktop operating system.

Re:Windows only?

[redJag]

That's really not insightful. All this means is that, as of now, only Windows computers can *check* the validity of the picture in question. The computer you use has nothing to do with the pictures your camera takes.

It's called MD5 (?)

[Shakrai]

The kit consists of a dedicated SM (secure mobile) card reader/writer and verification software. When the appropriate function (Personal Function 31) on the EOS-1D Mark II or EOS-1Ds is activated, a code based on the image contents is generated and appended to the image. When the image is viewed, the data verification software determines the code for the image and compares it with the attached code. If the image contents have been manipulated in any way, the codes will not match and the image cannot be verified as the original.

So it's basically an MD5 (or equiv hashing method) of the image at the time it's taken? Too bad -- I thought they had a unique idea to verify images that had already been taken.

Two or three questions I suppose:

The article states that they are pursing ISO 15408 certification (evaluation criteria for IT security). Do they have to open up any source code to obtain that certification?

What's to stop me from editing the MD5sum on the image and the smart media (it's presumably read/write)?

In the mostly-serious-but-with-a-little-sarcasm dept -- does this take into account rotating the images if the camera doesn't automatically do it when you take a portrait vs a landscape? ;)

All in all I suppose it's a neat idea -- hope it actually works before somebody is on trial for his life though...

Re:It's called MD5 (?)

[filtersweep]

"All in all I suppose it's a neat idea -- hope it actually works before somebody is on trial for his life though..."

Well, the camera is only one step in the chain. Are they going to keep a bunch of these presumably more expensive memory cards lying around, or are "they" going to archive them on a CDR or hard drive? Once the image is out of the card, the verification is meaningless (if it wasn't already meaningless in the first place).

I provide "expert testimony" in court on a semi-regular basis in a completely different field. I always submit "photostatic replicas" of original documents and sign a notarized affidavit of their authenticity. Overall, it is simply the sworn testimony of the authenticity of any evidence that holds more weight than some "technological solution."

Photoshoppers be dammed! Long live fark.com

Re:It's called MD5 (?)

[Directrix1]

What exactly would keep anyone (using film or digital) from taking a picture of a picture?

Re:It's called MD5 (?)

[jdbarillari]

So it's basically an MD5 (or equiv hashing method) of the image at the time it's taken? Too bad -- I thought they had a unique idea to verify images that had already been taken.

[snip]

What's to stop me from editing the MD5sum on the image and the smart media (it's presumably read/write)?

Obviously, just storing the checksum of the image in the EXIF headers (or somewhere else) won't work -- you could just modify the image and calculate a new checksum. One variant on that scheme that would work (reasonably well) would be the following: each camera would be assigned a RSA private key. Canon would keep a record of which key was assigned to which camera (by associating it with the camera's serial number). The private key would be stored in a tamper-resistant chip on the camera's logic board. The camera could then digitally sign all of the images it captures. If the camera saved both its serial number and the digital signature in the EXIF headers of each image (or the JPEG comments, or whatever), a third party who wanted to verify the image could go to the Canon website, get the public key for that serial number, and verify the digitial signature.

The weak point is in the 'tamperproof' chip -- research on smart cards has shown that virtually any so-called 'tamperproof' security system can be cracked. A court could demand to see one's camera (to ascertain that it had not been altered), but some smartcard attacks (such as those based on timing or power consumption) don't even need to modify the card to get at the key -- some of these attacks might translate to cameras, as well. It would be possible to provide pretty good image verification with this system. But a determined attacker could break it.

Run around

[MacFury]

1.) Take picture
2.) Photoshop picture
3.) Print picture
4.) Take picture of printed picture :-)

Re:Run around

[MoonBuggy]

But seriously, you'd need a pretty good digicam/scanner for that not to be completely obvious

You would, but in a few years time when this technology has legal precident spending a few grand on modding a 'secure' camera to forge evidence in order to get away with millions sounds like a good investment.

won't work

[contrasutra]

It won't work. From everything I've seen, attempts to verify ANYTHING digital will be cracked within a week or three.

Re:won't work

Really? When was the digital signature function of GnuPG cracked?

Re:won't work

[contrasutra]

Haven't read the gnupg.org website? From the front page:

GnuPG's ElGamal signing keys compromised (2003-11-27)
A severe problem with ElGamal sign+encrypt keys has been found. This leads to a full compromise of the private key.

Re:won't work

[iminplaya]

Maybe the machine spits out a paper "receipt" verifing the veracity of the photo...or is it manufactured by Diebold?

Re:won't work

No I hadn't noticed that one. That particular bug hits extremely non-standard keys and according to the developer's announcement affected less than 0.04% of all keys on keyservers. Not only that it took a few years to detect-- which is a far cry from your time-to-crack maximum of three weeks. And the standard signing method still seems to be secure. Or at least no one who knows how to crack it is telling anyone else about it.

None of that is to say that I think Canon's solution sounds very workable. So it embeds a hash in the image and uses that to detect if the image has been changed? So? I can do that already by hashing images as I import them. I don't understand how it prevents re-hashing, either. Besides, who cares if you can verify the digital file? It still has to be printed out at least once if it's going to be used in court. I don't know about you guys, but I know my GIMP printer drivers allow for all kinds of filters to be used on the print stream itself. Not only could I intercept and alter the data as it's being printed, but I don't see how you can verify that the printout comes from a verified file.

Re:won't work

[Lehk228]

all it would take would be for someone to tear apart the camera and replace the image sensor with a USB cable so that the camera would sign the image going onto the card, then put the card into a different camera, unless the camera also wrote it's serial number to part of the image in a way that could not be hacked (yea right) this verification would be useless if someone really wanted to fake a digital image

Re:won't work

[Corpsesarecute]

Sounds like a dare to me. A Slashdoter race for it anyone?

Re:won't work

[Trejkaz]

ElGamal signing keys aren't even used by anyone. You use RSA or DSA for signing, and ElGamal for encryption. ElGamal encryption keys haven't been compromised yet.

hmm

1. take picture
2. modify picture
3. regenarate image verification data
4. profit?

Canon

[swordboy]

Canon is very cool - they are one of the only camera manufacturers that still supports the cheapest, non-proprietary form of flash media in all of their cameras - CompactFlash.

To everyone out there: you are an idiot if you buy a camera that does not support CompactFlash. You'll end up paying twice as much for the media.

In other good Canon news, they've announced that they'll be releasing 20 new digicams this year. Hail to the king, baby!

Re:Canon

[Shakrai]

To everyone out there: you are an idiot if you buy a camera that does not support CompactFlash. You'll end up paying twice as much for the media.

We have that interesting problem at work (Insurance Agency, which is half the reason this article caught my eye) -- we need digicams to do photo inspections of property or automobiles. All of our CSR workstations have CompactFlash readers. Half the new digicams out there don't use CF anymore -- which automatically takes them off my shopping list when I need to get new cameras.

I'd also add to your statement that you are an idiot if you buy a camera that doesn't take standard AA (or AAA) batteries. We also have several sets of NI-MH batts and chargers -- I refuse to buy a digicam with propriety batteries. I can't count how much money and aggravation the standard formats of CF and AA NI-MH batts have saved me -- both on a business and personal level.

Re:Canon

[gooman]

Don't forget Nikon.
I'm currently shopping for a new camera. I'm only looking at brands that support CF. Partly because I already have several CF cards, but there is a reason I deciced on CF in the first place.
Looks like I'm going to buy a Canon or a Nikon.

Re:Canon

[Shakrai]

Compact Flash is old and it is big and bulky.

What is the difference between Type I, Type II, and Type III PC Cards?

* Type I - First standard defined by PC Card Association. Dimensions: 85.6 mm x 54.0 mm x 3.3 mm.

* Type II - Second standard form factor defined by PC Card Association. Dimensions: 85.6 mm x 54.0 mm x 5.0 mm. The KODAK Picture Card with Adapter fit into a Type II slot.

* Type III - Third standard form factor defined by PC Card Association. Dimensions: 85.6 mm x 54.0 mm x 10.5 mm. An example of this is the PCMCIA hard drive in a KODAK PROFESSIONAL DCS Digital Camera.

Quoted from this site.

I'd hardly call 8.5cm x 5.4cm x 0.5cm "big and bulky". If you start using the Type III cards they are a whole .55cm thicker. That's too big? And what's wrong with "old" as long as it still works and the standard is updated for new technology?

Re:Canon

[swordboy]

Don't forget Nikon.

Nikon supports CompactFlash only in their high-end cameras. I'm not sure why they don't support it in their low-end cameras. Probably some sort of kick-backs from selling a camera that supports the more expensive media. There's always collusion when ignorant consumers are involved.

Someone tell me what I'm missing. From PriceWatch.com, we get the following for a 512MB media card (many of the proprietary don't go larger than this):

$95 - CompactFlash
$138 - Memory Stick
$141 - MMC/SD
$165 - xD
$199 - ATA

As geeks, it is our duty to inform people from being stupid and buying cameras that don't support cheap, open standards. Why is SD so popular if it is 50% more expensive?

Re:Canon

[zfalcon]

I'd also add to your statement that you are an idiot if you buy a camera that doesn't take standard AA (or AAA) batteries. We also have several sets of NI-MH batts and chargers -- I refuse to buy a digicam with propriety batteries. I can't count how much money and aggravation the standard formats of CF and AA NI-MH batts have saved me -- both on a business and personal level.

None of the high end digital SLR cameras use NiMH batteries. Regular NiMH batteries run out of juice way too quickly. Using the Canon lithium ion packs you can get hundreds of shots with 1 battery. Also, unlike NiMH, lithiums don't lose like 10% of their charge daily.

Re:Canon

[Shakrai]

None of the high end digital SLR cameras use NiMH batteries. Regular NiMH batteries run out of juice way too quickly. Using the Canon lithium ion packs you can get hundreds of shots with 1 battery. Also, unlike NiMH, lithiums don't lose like 10% of their charge daily.

You completely missed the point of my statement -- in our setting, a small business with several dozen cameras of different models (old models that still worked that were discontinued, needed more functionality, etc) it would be very stupid to have a camera with a propriety battery or memory card. I can swap batteries or CF cards with any camera in our office -- and the CF cards are easily readable on any machine with a $20 reader -- without the need to install drivers and completely OS independent. I can also toss them into our laptops (again without drivers) using PCMCIA adaptors. Name another format that offers all of those advantages.

I would also question the 10% of their charge daily. I used to be quite the digitial photography buff back in the day but nowadays I only use my (personal) digicam every few weeks. I have picked up my digicam (a Casio QV-3500X) after having it sit idle (with the batteries in it no less -- so assume there is a small draw on them to maintain the clock/camera settings) for over two months and proceeded to take 40-50 pictures using the LCD the entire time. My four AA NiMH batts lasted the entire time. With a fully charged set loaded fresh I can take 200+ pictures (again using the LCD the whole time) without problems.

When we use them at the office we typically only wind up recharging them once every three weeks or so -- and we take dozens of pictures daily.

Granted li-ion is a better technology overall (I love my extended run-time li-ion batt for my cell phone) but NiMH still has a place and until they figure out a way to put li-ion technology into standard battery sizes (AA/AAA) I'll stick with my NiMH batts for my digicams/CD-players. In the worst case scenario if my NiMH batts die and I don't have a spare set (like that's ever going to happen) I can always buy AAs at any store in the world and toss them into my product -- try that with your propriety formats that only exist to make the manufacturer more money.

Re:Canon

[ColaMan]

Thats PCMCIA / CARDBUS adaptors there,champ :-)

He's taling about COMPACTFlash cards, which are a whopping 36.4(L) x 42.8(W) x 3.30(T) mm for the type-I's

Any smaller physical size for your media and you tend to lose them. A lot.

"honey, have you seen my postage-stamp sized SD card?"

"I think one of the kids snapped it in half when they tried to feed it to the cat."

"Oh that's ok, it was only 75 bucks (sob)"

Re:Canon

[T'Kethry]

Canon does have 20 new digital cameras coming out this year. Of our current cameras, only 2 use the SC memory card, the SD10 and the SD100. Those cameras use that card only because some consumers want a *tiny* camera. Probably at least one of our new cameras will be SD - most of them won't.
I work for Canon doing tech support for their cameras, oh by the way.

Not just court rooms

[evn]

I'm willing to be that one of the first customers for this software is the tabloid newspapers/magazines. They pay small fortunes of photos of celebrities in their most intimate and private moments and without a way to verify digital photographs they could be duped of millions of dollars.

Re:Not just court rooms

[S.Lemmon]

Because, as we all know, tabloids have a unwavering commitment to the truth! :-)

Re:Not just court rooms

[Scrameustache]

I'm willing to be that one of the first customers for this software is the tabloid newspapers/magazines.

Time to sell you Weekly World News stock!

I fear the days of Bat Boy and "face of satan in 'x'" are coming to an end : (

Courtroom.

[dsb3]

There's nothing concerning about digital images in the courtroom.

Ask the photographer, under oath, "is this representative of what you saw?".

If it was, he says so.

It's really the same as with any other evidence that can be tampered with. If someone testifies under oath that it is what it is then there's no difference between a digital image and any (many?) other types of evidence.

Re:Courtroom.

[Polo]

From this review of the new eos-1d mark ii:

• An optional ($749) accessory Data Verification Kit DVK-E2 will permit verification of original untampered image data, allowing the EOS-1D Mark II to be used in legal proceedings and other applications where the ability to confirm that images haven't been altered in any way is crucial.

Re:Courtroom.

[pixas]

What if the fotage is from a automated security camera and there is no human photographer to testify?

juries know images can be faked

[kaltkalt]

any image, not just a digital one, can be changed, modified, or completely faked. Yes, digital technology makes it easier, but this is not a new phenomenon. Juries know (and should be told) that any image introduced into evidence might not be real and could have easily been altered by the other side. Depending on who took the image and the chain of possession, weighed against how believable the picture actually is, will determine how much weight the jury gives to a given photograph.

These digital picture verifiers are nice but not the end of the question. A validation from one of these machines is just some more evidence that the picture is real. It's not conclusive and shouldn't be taken as so. In fact, the evidence of validation from one of these machines might not even be allowed into court if they're extremely unreliable. Daubert to the rescue.

What a joke

[Rosco+P.+Coltrane]

When the appropriate function (Personal Function 31) on the EOS-1D Mark II or EOS-1Ds is activated, a code based on the image contents is generated and appended to the image. When the image is viewed, the data verification software determines the code for the image and compares it with the attached code. If the image contents have been manipulated in any way, the codes will not match and the image cannot be verified as the original.

Note to self: run the signing software *after* altering the image. If the image was alrady signed, display it, take screenshot, alter the image, and re-run the signing software.

Re:What a joke

[Beryllium+Sphere(tm)]

Non-issue if the camera does the signing with an embedded private key or if the "Secure Mobile" memory card prevents uploading hashed images from your computer.

Non-issue, that is, until someone cracks the memory card, or discovers that the camera's signing software is defective, etc.

Re:What a joke

[Joe+Decker]

FYI, Personal Function 31 is a mode, the signing happens automatically after you take the picture if that mode is on, you can't just ask it to sign after the picture is taken.

2D autocorrelation...

[dargaud]

I've been wrestling with the idea of writing an image modification detector. The idea is that when you modify an image, you copy one part into another part (using the clone brush of Photoshop or such).

By doing an autocorrelation of the image, you can detect parts that have been copied, but the mathematical part is not that easy, particularly if there are uniform noiseless areas (sky).

I can still deal with 1D autocorrelation, but in 2D my maths skills are rusty...

Re:2D autocorrelation...

[Rosco+P.+Coltrane]

I've been wrestling with the idea of writing an image modification detector

Forget it. Only amateurs copy/paste regions and leave them like that. Those who alter images to produce really credible results may copy/paste bits of images at first, but then will blur/sharpen/solarize/burn/lighten/brush slightly part of them, drop some noise in them to match the pizelization of an original jpeg for example, merge several together and modify gradiants to make the final patch blend in just right in the bit of background you want to mask or change. The final resulting altered regions usually doesn't have much to do with the original bits you copied.

Re:2D autocorrelation...

[wotevah]

Since you said "uniform noiseless areas (sky)" - funny thing is, the sky is one of the most difficult things to get an "uniform" picture of. All digital cameras I know of produce "sky noise" in various proportions.

A picture of the sky is how you can quickly check how noisy of an image the camera can make (part of it can be internal image processing, of course).

Don't re-invent the wheel

You know the world is full of free, robust, debugged and utterily trustworthy code for such operations.

You don't have to re-invent the wheel.

Digital Images and ghosts

[paddlebot]

This is a funny article on why you shouldn't use your digital camera when trying to detect / prove the existance of ghosts. No not like a bad flat screen playing Quake, but like Casper the Friendly.

He seems real serious about it too....

Wrong audience ....

This is mostly for the use of Law Enforcement, where the cops have to prove the photos taken as evidence, haven't been tampered with....

Canon in talks with Adobe

[teamhasnoi]

Jan 31, 2004 - "We're working on more technology that can be easily circumvented!", says Canon's Product Manager, Wayne Innass.

"We're also trying to annoy our customers like Adobe, but that software is still in beta. We might try to license some software form Microsoft, as they seem to be the leaders in that field."

Wayne continues, "Our R&D department has some great ideas, such as forcing the user to take every picture twice, erasing photos at random, and my personal favorite - increasing the time between pressing the shutter release and when the picture is taken!"

"We won't stop until our product is unusable at last!"

Still does not

[www.sorehands.com]

Even when taking a photo, to have it admitted as evidence you must have the person taking it verify that they did take it. This goes with digital or film camera -- or any type of documentary evidence.

This is just general, but there are many rules about entering photograghs and other documents.

Could there be a way around this? Hmmm

[rufusdufus]

What if you had a different piece of hardware other than the camera that can write to the memory card? I wonder...can you buy those off the shelf today?

The shark picture is not faked

[91degrees]

I know! I was the one on the ladder. One of the scariest moments of my life, as well. Hanging from a chopper is bad enough, but having sharks take dives at you is worse.

The separate images that the debunkers claim they're made up from are the fakes.

The security lies in the key...

[stienman]

How it works

The kit consists of a dedicated SM (secure mobile) card reader/writer and verification software. When the appropriate function (Personal Function 31) on the EOS-1D Mark II or EOS-1Ds is activated, a code based on the image contents is generated and appended to the image. When the image is viewed, the data verification software determines the code for the image and compares it with the attached code. If the image contents have been manipulated in any way, the codes will not match and the image cannot be verified as the original.

So the upshot is that they use a memory card which has some additional security functionality. This additional functionality can only be accessed by the card reader and the camera.

The the crackers simply need to break that functionality or bypass it. This could be accomplished by breaking the camera's firmware (or the card reader) and changing it, or sitting between the USB reader and the computer (software or hardware wise) and changing the data as it goes along. Alternately it woud not be impossible to modify the camera so it gets the image from a computer instead of an image sensor.

The ultimate, however, would be to break the protocol and keys between the reader and card or camera and card. Hopefully they are using a good encryption algorithm with fully secured sessions and a long key. I'd hate to see this broken in less than a few months time.

-Adam

it's targetted to a specific market

[sir_cello]

I'm thinking this is for Canon to target the camera at a specific market where legal evidenciary issues come into play: crime scenes, insurance, autopsy, etc. This is likely not to be a feature that will appear for most consumer products.

What it really shows is more about how the professional film camera market is facing realistic competition from digital cameras.

What about SECURE photography?

[Speare]

I would love to see the firmware write all photographs to the CompactFlash already encrypted to my public key. Of course, that would mean you'd have to (1) forego viewing the images on the LCD, or (2) require the private key and allow entering some kind of text phrase or biometrical key.

It's not like I engage in some sort of espionage or porn market, but I want to see more publically available data devices support cradle-to-grave security.

A Fake! Go get me the original and I'll prove it!

[psi42]

All this hinges on the testers having an _original_ copy of the image in addition to the supposedly modified version.

Let's say someone tries to use a doctored digital photo as evidence. They eliminate the original md5 with the aforementioned screenshot trick, and then recreate it. The photo is contested on the grounds it is a fake. To prove it, they go off and get their wonderous DVK-E2 kit, and then they get their md5. The test works just fine, so they know the md5 has been altered, so they go and ask for the original image. And so where is the original image? Do they have it? No, of course not, because it went on a little stroll down memory lane and landed without a sound in the fastness of /dev/null

Have we accomplished anything here?

What!

[rspress]

You mean that was not a picture of the Olsen twins giving some guy a blow-job?

As an attorney..

[JANYAtty.]

I would point out that there was a noted case where someone took pictures with a reduced scale ruler to make a crack or pothole look that much bigger. The picture was all original but already manipulated.... Ultimately I think I would go with affidavits (this is a true, accurate and unmodified picture of what it purports to be) containing a print in b&w on the affidavit as well as an md5 checksum of the pic file or files if I was attaching a cdrom or floppy. There are issues here about submitting info this way which I wont go into, but this may be appropriate in certain situations. And btway- I really like my canon a300. CF, AA batteries, 3.2meg.. no zoom function though, and a little large.

Re:Courtroom.Rules of evidence

This is correct. The federal rules of evidence (and the rules of most states) require that the witness testify that the photograph actually depicts what it is that the witness says it depicts. The witness could paint the photograph, if he were an adequate artist.
All writings and papers and so forth have to be introduced in such a way as to either not be hearsay or to gain a hearsay exception.
I don't know why you might think that a video movie is more sacrosanct than something like a blood sample. Both require someone to testify about them and in both cases the person can convict someone simply by lying.
By the way---remember the video in the Microsoft trial? They could have easily faked that too.
Sooner or later you have to rely upon people to tell the
truth and there is no way around that fact. These cameras will make no difference whatsoever.

EXIF, distortions

[wotevah]

The camera stores information about focus distance, focal length (zoom) and exposure parameters as well as other data in each image (in EXIF format, commonly). Example:

Camera make : SANYO Electric Co.,Ltd
Camera model : J1
Date/Time : 2004:01:15 14:21:22
Resolution : 2048 x 1536
Flash used : No
Focal length : 6.0mm
Exposure time: 0.400 s (1/2)
Aperture : f/2.9
ISO equiv. : 113
Metering Mode: center weight
Exposure : program (auto)
(focus distance is manufacturer-dependent and jhead couldn't get it).

Also, you'd also have to account for the distortion effects that are measurable and reproducible with each camera model. For example, barrel or pincushion distortions compound if you take a shot of an existing picture.

Re:Camera fingerprinting

[wotevah]

The problem is, that kind of noise will only appear in areas with low exposure (due to the gain control which amplifies the noise). When the sensor is getting sufficient light, the noise becomes less pronounced to invisible.

ElGamal

[metalhed77]

ElGamal was a legacy key and not really meant to be used that much. The one slashdot poster who said he was affected (when that came out) said he chose it because he liked the sound of the name. ElGamal is legacy and shouldn't really be counted against GPG