The Hacker Factor Blog

Over the last week, a bunch of friends have forwarded to me stories about the risks of GPS information embedded in pictures. For example, MythBuster Adam Savage apparently took a picture of his car at his home and forgot to disable the GPS information. Rabid fans quickly identified where Adam lived. Granted, I doubt most celebrities have secret homes, but the fact is: pictures tell much more about you than just the photo's content.

The GPS data in JPEGs is nothing new. It was part of JPEG's EXIF 2.1 Standard back in 1998. (And that may not be the earliest version...) However, it wasn't until the last few years that cameras, cell phones, and other portable devices began to incorporate GPS technologies. Today, it is hard to find a cell phone without a camera, and many of them include GPS as a feature.

While GPS information embedded in a picture may tell people where you were, Facebook has decided to use your GPS for telling people where you are. Called Facebook Places, they will broadcast your GPS location to all of your Facebook friends. While they do have options for limiting distribution, Facebook is well-known for abruptly changing policies.

iPhone, iPad, iTouch, iMac, iSpy

Today's ever-smarter portable devices are not designed for privacy-oriented people. While the embedding and publishing of GPS information may be an overt example, there are many other cases of your device leaking information about you.

I've been collecting photos from various hand-held devices. I use them to populate a photo ballistics database. My friend, Bum, recently purchased an iPad. He sent me a screenshot from the device. (His iPad doesn't have a camera.) While the picture's ballistics wasn't very interesting, the email header was!

From: Bum <b...@...com>
To: Neal Krawetz <n...@...com>
Content-Type: multipart/mixed; boundary=Apple-Mail-1-186804698
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (iPad Mail 7B405)
Subject: You wanted a photo?
Date: Sun, 8 Aug 2010 10:39:58 -0700
X-Mailer: iPad Mail (7B405)

The first thing to notice is the X-Mailer header. It identifies the device (iPad), application (Mail), and version (7B405). This isn't too exciting since most MUAs (mail user agents) include this type of information. However, it was the content boundary that got my attention: Apple-Mail-1-186804698.

I dug through my email archives and found a bunch of other examples:

Apple-Mail-11-1034880980
Apple-Mail-2--961132422
Apple-Mail-1--77112522
Apple-Mail-1-186804698
Apple-Mail-4--29131759
Apple-Mail-5--10882313
Apple-Mail-15-908210705
Apple-Mail-4-1054791469

With a little help from the DC3, I finally understand what these non-random numbers describe. The big number is actually the most uninteresting value. It is the time in milliseconds stored in a signed 32-bit register. (Negative numbers have the double hyphens.) Since it is a 32-bit register, the value rolls over about every 24.86 days. However, the zero date isn't the Unix epoch (00:00:00 on 1970-01-01). Instead, if you assume the timestamp represents today's date (from the email Date header) and repeatedly subtract 2³¹ microseconds until you reach the Unix epoch, then you'll notice that it is off... The value closest to the epoch (without going under) is 128397792ms, or Jan 2 11:39:57 1970. (You might see it vary by a second, 11:39:58, if the clock happened to roll over between generating the Date and content boundary.) I'm not sure why Apple chose this date, but it is consistent. The Mail program on the iPhone, iPad, iTouch, and Mac OS X all use the same date.

From a forensics viewpoint, this is useful. This is a quick way to identify forged emails that claim to be from Macs. (I actually had a use for this last week!)

The more interesting number is the smaller value. It took me a while to identify the purpose. That is the number of attachments sent by the mailer (Apple Mail) since the program was started. If you see "-1-" then it means that you received the first attachment that they sent since they started the program. The "-15-" means that person had started Apple Mail and sent 14 attachments before sending one to me. (Winn Schwartau sent me an email that had "-245-"!)

This is very useful, particularly if you receive multiple emails from the person over a short duration. For example, Bum always sends me with "-1-". This means he closes the Mail program frequently. (Make sense for an iPad that can't multitask.) I also received emails from a friend, M., who clearly loves attachments -- in 30 minutes he went from "--12--" to "--28--".

From a forensics viewpoint, this is awesome. Let's say the person has a couple of different Apple computers. I should be about to look over his computer and see how many attachments he sent on each system and match the count to the emails. Even if you delete a specific email, I can still determine how many attachments were included in the deletion.

Android Spies

The information leakage is not limited to Apple products. At Defcon, my friend Factor sent me a sample picture from his Android phone. The problem is, it crashed my analysis tool!



The problem was a poorly formed JPEG. Specifically, every JPEG should begin with 0xffd8, contain a stream that starts with 0xffda, and end with 0xffd9. Between the 0xffd8 and 0xffda are various other settings, including APP records (0xffe0 to 0xffef for APP0 to APP15). In his case, his Android was storing additional APP records after the end of stream (0xffd9).

I added a check for this situation (so my code no longer crashes). However, these APP5 records (0xffe5) turned out to be really interesting. They only appear in one type of Android phone: the Motorola Android. I have observed these fields from photos taken with:

• Motorola, Droid, 2.0.1
  
• Motorola, Droid, 2.1-update1
  
• Motorola, Droid, 2.2
  
• Motorola, DROIDX, 2.1-update1
  
• Motorola, DROID2, 2.2
  
• Motorola, Milestone, 2.1-update1

They probably appear in other phones as well. However, I have not seen them with any other type of Android phone.

These extra APP fields like:

tag='0xffe5' length='32' field='APP5' value='HPQ-MetaData'
tag='0xffe5' length='168' field='APP5' value='HPQ-HostIntf'
tag='0xffe5' length='2400' field='APP5' value='HPQ-AutoExpo'
tag='0xffe5' length='1856' field='APP5' value='HPQ-LensInfo'
tag='0xffe5' length='4112' field='APP5' value='HPQ-AutoFoS1'
tag='0xffe5' length='4104' field='APP5' value='HPQ-AutoFoLV'
tag='0xffe5' length='6140' field='APP5' value='HPQ-WhiteBal'
tag='0xffe5' length='1660' field='APP5' value='HPQ-PPR'
tag='0xffe5' length='1164' field='APP5' value='HPQ-Capture'
tag='0xffe5' length='142' field='APP5' value='HPQ-Pipe2Mdd'
tag='0xffe5' length='1692' field='APP5' value='HPQ-Flicker_'
tag='0xffe5' length='44' field='APP5' value='HPQ-SensorMD'
tag='0xffe5' length='22' field='APP5' value='HPQ-ImgGener'
tag='0xffe5' length='20' field='APP5' value='HPQ-DigiZoom'
tag='0xffe5' length='84' field='APP5' value='HPQ-MotionMd'
tag='0xffe5' length='32' field='APP5' value='HPQ-CalsMfg '
tag='0xffe5' length='65016' field='APP5' value='HPQ-CalsSec1'
tag='0xffe5' length='10016' field='APP5' value='HPQ-CalsSec2'
tag='0xffe5' length='8568' field='APP5' value='HPQ-LRGEBUFF'
tag='0xffe5' length='24' field='APP5' value='HPQ-MetaHint'
tag='0xffe5' length='12' field='APP5' length='12' value='pad pad pad '

That's right, every picture has over 95K of additional APP5 data after the picture! That is as much as 8% of the file size!

So far, I can only decode one of the fields: HPQ-Capture. This has 3-5 records (depending on the version) and the records identify your phone. Here's an example from a decoded block from a Motorola, Droid, 2.2:

field='Build Version' value='4719:5353'
field='Build Date' value='2010-06-14 15:15:45'
field='Builder Email' value='kraigp@itlbuild.fc.hp.com'
field='Build Name' value='SholesMR2_RC9'
field='Kernel Release' value='2.6.32.9-g103d848'
field='Kernel Version' value='#1 PREEMPT Wed May 26 18:02:03 PDT 2010'

The kernel information is the same as running "uname -r" and "uname -v" from a command prompt. The Build Version looks like a SVN string, but it could be some other source code revision system.

I sent an email to "kraigp" asking for more information about these undocumented fields, but got a bounced email:

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients was aborted after 34 second(s):

* kraigp@itlbuild.fc.hp.com

Different Android versions include different information. For example, the Motorola DROIDX 2.1-update1 says:

field='Build Version' value='5476'
field='Build Date' value='2010-06-24 16:02:09'
field='Builder Email' value='tanvir@tanvir-lnxdev'
field='Build Name' value='Shadow_RC7'
field='Kernel Release' value='2.6.29'
field='Kernel Version' value='#1 PREEMPT Thu Jul 1 18:18:04 CDT 2010'

All of these HPQ fields appear to be part of the HPAndroidHAL driver. Since only Motorola seems to use this driver, only Motorola photos get tagged. (If I'm wrong here, I hope someone will tell me. I'll be sure to make corrections.) It kind of makes sense that Hewlett-Packard would embed their stock symbol (HPQ) in the APP field...

Most of the HPQ records have fixed lengths. Some values don't change regardless of camera version. Some change between versions but not between cameras, some change with each photo (e.g., White balance and focus), and some seem to change between specific cameras. It is these last fields that seem interesting. Not only can I tell what camera took the picture, but I can tell you if two photos were taken by the exact same camera. Unfortunately, I don't know the meaning of these fields since the "changes between cameras" could be coincidental based on my minimal sample size.

The only variable-sized field seems to be the HPQ-LRGEBUFF record. It looks like some kind of fractional memory dump. (I really suspect debugging code that was not disabled before release.)

If you have an Android phone and want to know if your pictures have the HPQ tags, then try this:

1. Take a photo. (Let's call it photo.jpg.)
   
2. strings photo.jpg | grep HPQ-

If you don't see anything, then your pictures are clean. If you see HPQ strings, then your photos are tagged. Use 'hexedit photo.jpg' and search for "HPQ-". This will show you all of the HPQ records.

In any case, until we learn what "HPQ" is embedding in each photo taken by a Motorola Android, I'm going to stay on the paranoid side. If you happen to know how to decode the other fields, please let me know!

The End?

Smarter devices do not mean smarter users or smarter programmers. Unless you know how to disable every undesirable feature (and remember to disable it), you are probably going to leak information. While online anonymity isn't dead, it is getting harder and harder to protect our privacy.

A little over a month ago I had the need to analyze some images stored in Flash (SWF) files. While there are programs that can extract images from SWF files, they don't necessarily extract the full image. Specifically, most applications drop alpha-channel information.

SWF Format

As far as parsing the file format goes, SWF is almost as easy to parse as PNG. The basic format has a simple header that is followed a tag-length-data structure. The first two bytes of the stream identify the tag type and amount of data. Ten bits are assigned to the tag type and six bits assigned to the data length. If the data length is 0x3f (the maximum value), then 4 more bytes follow that contain the full size. SWF files are very consistent -- even if you don't know what a particular tag value means, you can still parse the entire file.

There are actually two types of Flash files. They are identified by the first 3 bytes. If it says "SWF" then it is a regular Flash file. "CWF" identifies a compressed Flash file -- everything after the header is zlib compressed. After decompression, you can parse it as a regular "SWF" file.

Image Formats

Images can be stored in a couple of different ways within the SWF.

• Split JPEGs. Tags 6 and 8 combine to form a regular JPEG. The idea here is that many JPEGs have identical headers, quantization tables, and Huffman tables. Rather than storing them multiple times, the common parts are stored in tag 8 and the unique data streams are stored in tag 6. In reality, you'll need to play with the first few bytes of the tag 6 data and last few bytes of tag 8 for them to combine correctly. Some SWF-generating programs will end tag 8 with 0xffd9 and begin tag 6 with 0xffd8 -- the JPEG start and end markers -- so you'll need to make sure there are no start/end markers in the place where both SWF tags combine.
  
  
• Tags 20 and 36 define lossless bitmaps. The difference is that tag 36 includes an alpha channel, while tag 20 does not.
  
  
• Tags 21, 35, and 90 define images. Usually these are JPEG, but they can also be PNG or GIF. If the image is a JPEG, then tags 35 and 90 also contain alpha channel information. This is how SWF can use a JPEG with a transparency layer.

Seeing the Full Picture

While the image tag defines the picture, other tags describe how to display it. This can include cropping, scaling, flipping, and/or rotating the image. For my needs, I want the full picture. For example, the file "http://www.staging.mcdonalds.com/content/usa/sports.RowPar.0004.ContentPar.0001.ColumnPar.0001.File.tmp/Sports_07182008.swf" is part of an old ad campaign from McDonalds. Although the web page no longer shows the SWF file, it is still available on their web site and indexed through Google. This movie only shows a cropped picture of a girl dunking a basketball. But the full picture found in the SWF shows a horrendous amount of editing.



I'm not sure which is worse... the extra long arm, the cloned lights on the left, or the "I tried to erase the background" failure on the right.

The second image in this SWF isn't much better. I can understand the desire to make the background gray while leaving the person in color, but why did McDonalds gray-out her knee?

Unseen

When someone creates a Flash file, they build it in layers. Sometimes a layer is not enabled. However, just because the regular Flash movie doesn't show it does not mean it is gone. In fact, hidden images often exist in SWF files. For example, the Flash movie at http://www.liuyehu.gov.cn/index.swf (courtesy of their local Chinese Government) contains a banner showing the town and people having fun. However, there is a second, hidden image that shows the pre-edited version.





Personally, I fear our new Chinese overlords. Their children are taller than trees!

But it Tastes Good!

Ever since I started parsing SWF files, I just can't seem to stop. I'm looking at almost every Flash file I come across. Most are uninteresting. A few make me laugh, like this image from Ralph Lauren (https://www.ralphlauren.com/graphics/media/polo/1112_hp_821x709.swf)... her arm looks broken and what is going on behind the chair???


Reduced size image used for criticism, comment, teaching, and research, as specified in US Copyright Law Title 17, Circular 92, Chapter 1, Section 107 "Limitations on exclusive rights: Fair use".

But the best Flash banner so far comes from Famous Dave's Legendary Pit Bar-B-Que. I went to the site looking for directions (I was meeting some friends for lunch). Most of the images are from the animated banner, where food rises and falls onto a table. However, the first picture is hidden/unused, and it is just amazing... It is a full screen snapshot of the developer's desktop!



Here's how you can view the full thing:

1. Install swftools (http://www.swftools.org/)
   
2. Get the SWF file: wget http://www.legendarybbq.com/header.swf
   
3. Find the image ID (it is 0002): swfdump -D header.swf | grep JPEG
   
4. Extract the image: swfextract -o secretimg.jpg -j 2 header.swf

You can clearly see an open chat session with Kelly Karnetsky (you can even see his email address). The session is between Kelly and someone calling himself, "Well let's focus Mr. Million Dollars and find something that can blow up a car!" There is another chat session with someone called "Jonas". The developer is listening to Sarah Mclachlan's Surfacing and was searching his music collection for Eminem. The screenshot shows the clock at 4:06pm on Sunday, 10/26/2008.

I actually reported this information leakage to one of Famous Dave's managers. I know they received it because I provided them a zip file containing all of the extracted images, including the desktop. Moreover, the zip file was downloaded 7 times, including by people at Basic Food Group -- the parent company of Famous Dave's. However, it has been over two weeks; nobody has gotten back to me and they have not removed the image from the SWF file. I can only conclude that they don't mind if people see it.

Eventually I'll probably make a SWF decompiler for those "Do ABC" blocks of compiled code (tag 82). Just as there are unused pictures, I fully expect there to be unused code, and plain-text passwords for Flash-based cryptographic systems.

In my previous blog posting, I mentioned how some people really do "get it" when it comes to digital manipulation and photo fakery. However, others like "photographer" Nicholas Routzen and BP's Marc Morrison still don't understand why representing modified photos as if they were "real" is nothing other than fraud.

BP was heavily criticized in the media for releasing edited photos. In fact on 22-July-2010, White House Press Secretary Robert Gibbs even commented that it was sheer stupidity:

"I think it's genuinely on the stupidity part of the transparency scale," Gibbs said this afternoon at the White House daily briefing. "I mean, if you want to show a picture of what the room looks like, just take a picture."

Upon the discovery of BP's digital manipulation, BP decided to come clean. Sort of. It was actually more of a "throw the photographer under the bus" than an actual correction:

BP cast the blame entirely on a hired photographer and claimed to have no part in the decision to alter the photos. "One of BP's contract photographers used Photoshop to edit images posted on the bp.com Gulf of Mexico Response web site," the company said, adding, "[W]e've instructed the photographer who created the images to refrain from cutting-and-pasting in the future and to adhere to standard photo journalistic best practices."

Too bad this isn't an isolated incident... and it still has not stopped.

As part of their corrections, BP created a special Flickr set where they show the before and after photos of the three pictures that America Blog and Gizmodo identified as modified. However, BP is only showing the three outed photos.

Standard is Better than Better

I really like that phrase, "Standard Photo Journalistic Best Practices". There is no such standard. As I detailed last year, different organizations have different rules about acceptable manipulation. However, there are some generalizations that can be made.

For Photographers

In general, if the photo is supposed to represent something real then the person providing the photo to the media should abide by these guidelines (a combination of rules from Reuters, Associated Press, Getty Images, and other photo providers including China's Xinhua news agency):

• No splicing, no drawing. Whether it is for removal or enhancement does not matter. You never splice images and you never alter content. If Billy blinked during the photo, then the photo must have Billy's eyes closed -- don't draw in eyes or splice them from a different photo.
  
• Minor cropping. A little cropping from an edge ("little" as in "up to 5% from an edge") is acceptable if it does not remove a subject from the image. Major cropping, such as Morrison's removal of the entire upper half of the photo, chairs, and two people (before and after) is not permitted.
  
• Minor dust and speck removal. Minor dust and speck removal from a non-critical section of the photo is generally permitted. However, this really depends on the photo provider. Some providers (like the AP) are more critical than others. In general, if there is a tiny speck of dust on the lens that ends up looking like a distant UFO in the sky, then you can remove it. But if there are lots of specks, then you must suffer with a dirty picture (next time, clean your lens!). And if the speck is located on the subject matter (like Hillary Clinton's shoulder), then don't touch it!
  
• Minor color enhancements. Color corrections that do not alter the subject are permitted. As the AP described:
  

  Minor adjustments in PhotoShop are acceptable. These include cropping, dodging and burning, conversion into grayscale, and normal toning and color adjustments that should be limited to those minimally necessary for clear and accurate reproduction (analogous to the burning and dodging often used in darkroom processing of images) and that restore the authentic nature of the photograph. Changes in density, contrast, color and saturation levels that substantially alter the original scene are not acceptable. Backgrounds should not be digitally blurred or eliminated by burning down or by aggressive toning.

  
  In general, any acceptable, minor color enhancements should be equally applied over the entire image and not isolated to a specific region. Highly focused or region-specific color alterations are no different than drawing. ("Select all" or "select none", but if you touch the selection tool or magic wand then you are drawing.)
  
• After effects. Blur, sharpen, smudge, liquify, rotate, blend, and other enhancements are not permitted. Basically, if it is not found in the real picture then this is considered "drawing".
  
• Acceptable drawing. There are only two situations where drawing, such as blurring or using a black censor box, are permitted: (1) to protect anonymity, and (2) to prevent advertising. A blurred face, blurred logo on a hat or shirt, or black box over a license plate is acceptable. However, the blurring/drawing must be blatant and obvious.

For Media Outlets

The photographers who provide the photos to the media must abide by much stricter rules than the media outlets. In contrast, outlets are permitted to perform manipulations that match their medium and format. These include:

• Scaling and cropping. While the photographer must provide the whole picture, the media is permitted to crop it to show a specific subject matter. For example, the photo may show President Obama surrounded by thirty people, but USA Today may crop it to just show his head.
  
• Color adjustment. The media, particularly printed media, are permitted to color correct an image. The photographer's picture may be too dark or not print well for a magazine. The media outlet can, and usually does, color correct the image. In this case, the pictures may actually be color corrected in specific regions or specific color bands, and not applied uniformly across the image.
  
• Acceptable drawing. The media may also choose to blur faces, censor logos, or annotate features with arrows or circles that highlight specific items. However, these modifications must be blatant. The subtle removal of a logo, when discovered, can lead to sharp criticism (or worse).

BP used to take photos and use them in their advertising campaigns; anything goes in advertisements. However, that role has changed. Since the Gulf disaster, BP has been providing photos that document recovery and cleanup efforts to the mass media. As someone who provides photos to the media, BP is expected to adhere to the higher standard. BP should not be making modifications reserved for media outlets.

BP: Best Practices

Unfortunately, BP seems to be making up their "Standard Photo Journalistic Best Practices" as they go. While I have not seen any splicing in the last few days, some of their photographers are still taking liberties with the crop tool and recoloring. Here are a few examples from BP's Flickr feed. (Click on the photo to see the full picture.)

Creative Cropping


This photo by Marc Morrison is dated 26-July-2010 but was last modified on 27-July-2010. The full picture is 3981x1496. The problem is, the Canon EOS-1Ds Mark II does not take photos at these dimensions. The closest it gets is 4992x3328. This means that Marc cropped nearly 20% from the horizontal and over 55% from the vertical. So what did Marc not want us to see?

A few years ago I was told a story about a photo from China. It appeared to show a government vehicle with people standing around it cheering. But the uncropped photo showed the crowd throwing stones; the people were not cheering, they were yelling. Creative cropping can alter the meaning of a picture. For this reason, "Standard Photo Journalistic Best Practices" requires the photographer to submit the whole picture and not something with creative cropping. For all we know, there could be a dead whale on the right, and that gray structure in the top-left could actually be pollution filling the sky. If the picture has too much sky, then BP needs to let the media outlets decide what to crop.

BP's True Colors
Here's a very colorful photo by BP:



This photo by Harrison McClary is dated 26-July-2010 and last modified a day later. The image itself measures 3600x2400. That is close to a native resolution for the Canon EOS-1D Mark III, which can take pictures at 3888x2592 (cropped or scaled 7% horizontal and 7% vertical). However, McClary over-applied the color correction. We can see this in the color histogram (graphing HSV).



There are two things that really stand out as abnormal: (1) the clusters of blue and yellow at the top shows a blown-out color space, and (2) the wide color blobs are too wide, too tall, and too blended for a natural picture. This is not a typical color space for a Canon EOS-1D Mark III.

For a comparison, consider this sample photo from the same model camera (and not provided by BP):




Notice how the unmodified photo does not blow out colors at the extreme intensities, and has less-blended color bands. This is very typical for a digital camera, including cameras made by Canon, Olympus, Nikon, Ricoh, and other manufacturers.

So why would BP's Harrison McClary over-correct the color space? Perhaps he is inexperienced with cameras. Or maybe he really wanted that brown water to look blue. By blowing out the color spectrum, he has given the image a "clean" look -- the sand is white, the sky and water are blue, the tractor does not look dirty, and even the brown grasses look green.

Here's another example from Harrison McClary:




Again, the blue and green are blown out (blobs at the upper intensities). Also, notice how the orange spike actually curves with intensity (vertical). That's why they call it a "color curve adjustment".

Of course, McClary isn't the only one tweaking colors. BP's Robert Seale also did some color corrections.




Notice how Robert's dark red, blue, and green all lean toward the left at the top? While he didn't blow out the color range, he did adjust the sky, grass, and maroon stripe on the bookmobile (the RV in the background-right that says "Vermilion Parish Public Library").

Seeing Red

Dear British Petroleum,

If you want to us to believe that the pictures are real, then please release real pictures. Don't crop out stuff you don't want us to see. Don't make the sky and water look bluer. And most importantly, don't think that we won't notice.

Having been caught splicing images, BP promised to adhere to "Standard Photo Journalistic Best Practices". However, this is clearly not the case. While BP claimed that the modifications were limited to one photographer, the actual problem is more systemic. BP's photographers may no longer be splicing, but they are still striving to literally show that the grass is always greener. This isn't a problem with BP's photographers; this is a problem with BP.

This week really gave me a thrill. Readers, models, and even large companies have taken steps against digital photo manipulation in the media.

The first big congrats goes to Domino's Pizza. They recently announced a promise to use real photos of real pizzas in their advertisements. No more cardboard, glue, and partially-cooked food that looks "better" when photographed.

Our Photo Promise
Here at Domino's, we don't think our inspired Domino's pizza needs the "extra" things typically done to food at photo shoots to look mouth watering. Our pizza is good enough to stand on its own. That's why we're making the following promises about how we photograph our pizzas from this day forward. Did we just buck the food photography trend? Oh yes we did.

1. We will only photograph real, honest-to-goodness pizzas.
That means fresh from our own ovens, with exactly the same ingredients we deliver to your doorstep. Nothing else added.

2. Our employees will make the pizza we shoot.
Not an art director or model maker or food stylist. A Domino's employee trained to make pizzas the only way they know how: by hand.

3. We will not artificially manipulate the food we shoot.
No tweezers, no steam guns, no model knives cutting perfect perforations in the cheese. The only thing that will touch the pizzas we shoot is the pizza-maker's hands and a standard Domino's pizza cutter.

Russell Weiner, Chief Marketing Officer

Bravo! I've looked at some of the pizza photos on their web site and I must say: no detectable manipulation (beyond scaling and cropping, which does not modify the look of the food). Moreover, the food actually looks good! (Good enough for me to now have a pizza craving.)

Pizza Photo by Makena B. from Houston, TX

Worth the Wait

Not to be outdone, plus-size model (and super hottie) Crystal Renn just went on the record saying that she is offended by some photoshopping done to her picture. As she said in her Today Show interview this morning, "When I first saw the photos, I would have to say I was absolutely shocked." The photographer turned this well-known size-10 into much thinner version. (But at least he didn't give her noodle arms, right Ralphie?)

The photographer, Nicholas Routzen, has this reply:

I want to reiterate that I feel Crystal looks amazing in both images and the minimal retouching that I did do - it's nothing you wouldn't see in any magazine today. There is nothing hidden about this.

This tells me three things: (1) he sways to peer pressure (everyone else is doing it...), (2) he does not listen to the models that he shoots (Renn has been a strong voice against the unhealthy, unrealistic anorexic female shape that most of the fashion companies strive for), and (3) he photoshops his pictures. It makes me want to take a much closer look and see if he also does splicing, smoothing, and other common forms of deceptive manipulation.

However, I would not recommend browsing Routzen's blog. Some of his photos could easily pass for child pornography. (Full frontal nudity of a minor.)

Feeling Pumped

But I am saving my largest applause for America Blog and Gizmodo. These people have been looking at the media photos released by British Petroleum (BP).

It isn't enough that BP's runaway deep-sea oil well poisoned the Gulf of Mexico, after they lied to the United States by claiming that they knew how to handle any deep-sea accidents. Or when they repeatedly underestimated the amount of oil and would not assist scientists in creating an accurate estimate (we still don't know how much oil was leaked). Or that they only provided low resolution video feeds to the public while they had high resolution footage available. Or that they tried to stop the media from documenting the disaster. No... they also have to doctor pictures. (Is anyone really surprised?)

One photo has the title "Aerials over Gulf of Mexico". With a name like "aerials", one would think it would be taken from the air...

The problem is, the view out the window has been photoshopped. I noticed many things in this picture, but the people on Reddit just shredded the photo. Some of the findings:

• The display clearly says that the door is open, ramp is open, rotor brake is on, and parking break is on. There is no way this helicopter is in the air.
  
  
• The radar shows something to the far left, but nothing in front of him. Thus, no boats.
  
• There is a light that says APU GEN ON. This is the alternate power unit. It provides power until the engines are started.
  
• The pilot is holding a pre-flight checklist. (Ironic that his fingers are crossed.)
  
• Neither pilot is holding the flight stick!
  
• There is a waterbottle resting in the handhold above the guy on the right. The water in the bottle is smooth and flat -- no vibrations at all.
  
• The pilot on the left is wearing glasses. The glasses are reflecting some type of straight-line object. This is likely a runway or edge for the helipad.
  
• The outside water goes from clear blue to smokey. You can clearly see the waves in the blue and smokey areas, but the waves are fuzzy/blended where the two meet.
  
• The water is also blurry around the pilot on the left and near the top of the right window.
  
• The edge of the boats on the left are precisely in the fuzzy section.
  
• The first boat in the right window has a very visible shadow. So all boats should have shadows. However, none of the boats in the left window have shadows.
  
• The boat with shadow indicates that the sun in in front of the helicopter. However, the entire copter is in shadow and so is the tower structure (top left).

This isn't even the entire list. It is suffice to say that this is not an "aerial" photo and it has been grossly modified.

Another photo shows people in front of some monitors. The problem is, the image shown in some of the monitors was changed. Technically, content from three screens was replicated into the three off-line screens. Oh, and the picture has an internal timestamp indicating that it was created in 2001 (2001-03-06 15:16:50.25) and not 2010 (EXIF data modified time 2010-07-19 18:54:04.25). In either case, the timestamps do not match the "HIVE at Houston Command Center 16 July 2010" as BP captioned the picture.

Modified

Allegedly Unmodified

The final picture (so far) shows people in a meeting room. However, the splicing of the content on the screen was done very poorly.

Here's a closeup of some of the splicing:

Frankly, I'm not sure what is more offensive -- the fact that the picture was modified, or the quality of the modification. In either case, this should be a firing offense.

Of course, I began to do what everyone else is probably doing -- poring over bp.com and looking for more doctored photos. That's when I noticed something. All of the modified photos appear to have something in common. The meta data and associated credits identify the photographer as "Marc Morrison".

Hello, Marc

According to his bio, Marc has been a photographer for 26 years and works for BP. A significant number of photos released by BP were taken by Marc.

Marc prefers Canon cameras like the EOS-1Ds Mark II or EOS 5D. While these cameras usually take very good photos, Marc's pictures always have a large mount of sensor noise and discoloration. (I can actually pick out Marc's photos on BP's site just by looking for the sensor noise and grainy coloring. Not every picture has had content modifications, but all look grainy and noisy.)

When it comes to manipulation, Marc seems to rely on overlaying and blending. He primarily targets flat surfaces like monitors or windows. His non-grainy photos appear to have color enhancements to make bright colors pop -- look for things that are red or yellow (his favorite bright colors). I have not seen him advance to people splicing, reflections, or lighting. He also appears to be fond of image cropping; I have yet to see any of his photos that are anywhere near close to a native camera resolution size. Oh, and Marc likes to use something called Photoshelter. (Since I have no experience with it, I can't tell if it is a program for editing or only web creations and annotations... In either case, many of his photos were modified by it.)

Two photos by Morrison. The left is "AP Photo/BP, Marc Morrison". The right is "EPA/Marc Morrison/BP Handout". Both show the same room and same people but at slightly different times. Some monitors are the same, some are different. Is either unmodified?

Now, for clarity, there appears to be many photographers named "Marc Morrison". One lives in Steamboat Springs, Colorado -- I really don't think it is him. Another lives in Houston, Texas. The Houston guy seems to take some celebrity photos as well as plenty of oil rig and related industrial photos. However, I haven't seen anything that says the guy in Houston works for BP. (This Marc could be a different Marc.)

In any case, many of the photos provided by BP's Marc Morrison were credited as "AP Photos/BP, Marc Morrison" and "Marc Morrison - AP". (Example: Washington Post, look at the slide show.) However, I cannot find any of Marc's photos at AP's web site. I wonder if they already booted him for altering images...

(Thanks to the 11 people who sent me links to this BP story. Keep 'em coming!)

The hardest parts of forensic analysis isn't the tools; it's the training. Anyone can buy rubber gloves, swabs for collecting blood samples, and plastic evidence bags. But if you are not trained to properly collect, handle, and evaluate evidence, then the tools and methods are meaningless.

The learning curve is the hardest part. To address this, I've been working on documentation and worksheets for digital image analysis and photo forensics. While there is still a steep learning curve, the investigator can review the worksheets as a checklist for common things to evaluate. The associated documentation provides details regarding the checklist items, in case the investigator needs to review how a particular system works.

An Eye For Details

While luminance gradient and error level analysis draw pretty pictures, the most important tool is basic observation. It is one thing to see the big and obvious signs of manipulation. It is something else to remember all of the fine details.

The folks at Photoshop Disasters recently posted a couple of amazingly bad shopped pictures that clearly illustrate the power of observation for detecting image modifications.

The first picture comes from an ad campaign for fingernail polish. The picture is supposed to show a model and some nail polish. The magical stars that go from her elbow to the picture frame are just artistic. However, it is the fine details that make this such an obvious disaster... Just using your eyes, what stands out as abnormal and not intentionally artistic? Give yourself a minute to look over it, then scroll down and see how many things you noticed.



If you only saw the disconnected leg, then give yourself one point. (If you didn't notice the leg, then go back and try again. As Thall commented at PsD, "That women could birth a horse or two with those hips!") Other oddities include:

• Her waist is out of proportion.
  
• There is a black triangle between her torso and floating leg. The artist forgot to cut out this area.
  
• Her left forearm (photo right) is significantly longer than her right forearm.
  
• She has two thumbs on her lower hand. (One thumb could be her foot showing through a strap in the shoe, but it is actually blended into the hand.) Oh, and don't mind the "S" on her finger; other photos show it as a tattoo or something.
  
• Her neck is showing a tendon, indicating that her head is turned. However, her head is looking straight and is not centered on the neck. Yes, they cut off her head and pasted on a different head.
  
• She is missing a clavicle (shoulder bone) -- one is there, but the other was erased.
  
• Her boobs are different sizes, and not in a natural way (unless the left one is half as long and deflated...).
  
• The shadow under her head indicates a bright light to the upper right. But the floating leg isn't casting the same shadow onto the other leg. And the shadow from the sleeve onto her straight arm has a shadow going the other direction. Inconsistent lighting means splices.
  
• Of course, all of these are issues with the woman. Over at PsD, ZaphodQB noticed that the reflection of the black polish does not meet the bottom of the black bottle.

This isn't the full list. What else do you see? No wonder their product is called "Oops!"

The Perfect Model

I'm always looking for good sample images that demonstrate specific points. Ideally, I want one picture that only demonstrates one thing, then another that demonstrates the same thing with more complexity, and finally an example that brings everything together.

From the Oops! example, we know to look for different classes of manipulation. These attributes become our checklist:

• Limbs: Are all of them accounted for? Are all connected? Are they the right proportions?
  
• Reflections: Do items line up properly?
  
• Shadows and lighting: Are they consistent?

Now we can apply this to a new set of pictures.

At Photoshop Disasters, they featured a picture from the French fashion house, Louis Vuitton. However, the web page at Fashion Gone Rogue contains many pictures from the "Louis Vuitton Fall 2010 Campaign" (also available at Fashionologie). It is an homage to digital distortions.

Starting at the top is the banner for Fashion Gone Rogue. Her upper arms are very different lengths. It is also faint (better seen with luminance gradient), but it looks like there is a strap or something going across her shoulder and down her cleavage. (This could be where the artist stopped altering the skin.)

Mirror Mirror On The Wall

The various photos from Louis Vuitton have been equally mangled. Let's use our new checklist...

The picture claims to show three women in a dressing room. Each has different color hair: red, blonde, and brunette.

Limbs
Every person has two arms? Check! Extra fingers? Nope. Legs and feet? Uh... the brunette on the right has an ankle but is missing toes.

Reflections
The right-most mirror (behind the toe-less brunette) is not reflecting anyone in the room. The blonde has her hand up in the room but her hand is down in the mirror. That same mirror also shows a light bulb in the reflection, but the bulb does not exist in the room.

The second mirror from the right shows bulbs but they don't align with the bulbs in the room.

The mirror on the far left shows red's head from the back. However, red's head is not turned to show her back to that mirror. And the mirror's reflection shows the lamp on the wrong side. The reflection does not match the room.

Lights and Shadows
When an item sits next to a illuminated light, it is made brighter. And when items are facing away from the light, they are in shadow. Complex lighting, such as floods, reflectors, and bright ambient lighting, can mitigate shadows.

However, those mirrors have a lot of bright lights. The women should have brightly lit backs. But this isn't what we're seeing. The brunette has bright reflections off her chest but not her back. The blonde has a bright clavicle but an under-lit neck. The pile of junk in the back has a brown fabric thing above the handbag; it is lying next to a light bulb and not lit up.

This isn't a comprehensive list and there are other oddities that are not in our checklist. For example, the blonde's dress seems to have a layering issue with red's chair. The dress fabric suddenly becomes semi-transparent and you can see the chair through it.

Frankly, I kind of doubt that these three women even posed together for this picture.

Some of the pictures in this series are much worse than others...


Dear Louis: While fabrics may be diaphanous, people are not. And while models may be vamps, they are not vampires. Please fix the left mirrors. You know, the ones with the time-delay reflections that show the brunette in two alternate positions and don't reflect the blonde.

Dress For Success

While I can criticize these ads for pasting in people, changing reflections, and digitally altering lighting, I have to give Vuitton one piece of credit:

Beyond expected color enhancements (applied to the entire picture) and spicing blends (expected from a composite image), I have not detected any modifications to the clothing. Well done. Unlike Ralph Lauren and Victoria's Secret, Vuitton's pictures do not appear to be a product bait-and-switch.