ANALYSIS Forum (IPACO) Forum Index

Dedicated to the analysis of alleged UFO photos and videos

 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Post new topic   Reply to topic    ANALYSIS Forum (IPACO) Forum Index -> Analysis: technical subjects -> Tools kit
Previous topic :: Next topic  
Author Message


Joined: 20 Jun 2012
Posts: 67

PostPosted: 07/01/2012, 07:23 pm    Post subject: JPEGSnoop Reply with quote

JPEGsnoop is a free Windows application that examines and decodes the inner details of JPEG and MotionJPEG AVI files. It can also be used to analyze the source of an image to test its authenticity.



Every digital photo contains a wealth of hidden information -- JPEGsnoop was written to expose these details to those who are curious.
Not only can one determine the various settings that were used in the digital camera in taking the photo (EXIF metadata, IPTC), but one can also extract information that indicates the quality and nature of the JPEG image compression used by the camera in saving the file. Each digical cameras specifies a compression quality levels, many of them wildly different, leading to the fact that some cameras produce far better JPEG images than others.
What can I do?
Check out a few of the many possible uses for JPEGsnoop!   
One of the latest features in JPEGsnoop is an internal database that compares an image against a large number of compression signatures. JPEGsnoop reports what digital camera or software was likely used to generate the image. This is extremely useful in determining whether or not a photo has been edited / tampered in any way. If the compression signature matches Photoshop, then you can be pretty sure that the photo is no longer an original! This type of analysis is sometimes referred to as Digital Image Ballistics / Forensics.   
JPEGsnoop reports a huge amount of information, including: quantization table matrix (chrominance and luminance), chroma subsampling, estimates JPEG Quality setting, JPEG resolution settings, Huffman tables, EXIF metadata, Makernotes, RGB histograms, etc. Most of the JPEG JFIF markers are reported. In addition, you can enable a full huffman VLC decode, which will help those who are learning about JPEG compression and those who are writing a JPEG decoder.   
Other potential uses: determine quality setting used in Photoshop Save As or Save for Web settings, increasing your scanner quality, locating recoverable images / videos, decoding AVI files, examining .THM files, JPEG EXIF thumbnails, extract embedded images in Adobe PDF documents, etc.   
File Types Supported
JPEGsnoop will open and attempt to decode any file that contains an embedded JPEG image, such as:
  • .JPG - JPEG Still Photo
  • .THM - Thumbnail for RAW Photo / Movie Files
  • .AVI* - AVI Movies
  • .DNG - Digital Negative RAW Photo
  • .CRW, .CR2, .NEF, .ORF, .PEF - RAW Photo
  • .MOV* - QuickTime Movies, QTVR (Virtual Reality / 360 Panoramic)
  • .PDF - Adobe PDF Documents

* Note that video file formats (such as .AVI and .MOV) are containers, which can include video streams encoded in one of a wide variety of codecs. JPEGsnoop can only interpret this video footage if the codec used is based on Motion JPEG (MJPG).

Latest version can be downloaded here

Last edited by elevenaugust on 07/12/2012, 10:34 pm; edited 1 time in total
Back to top

PostPosted: 07/01/2012, 07:23 pm    Post subject: Publicité

PublicitéSupprimer les publicités ?
Back to top


Joined: 20 Jun 2012
Posts: 67

PostPosted: 07/12/2012, 10:32 pm    Post subject: JPEGSnoop Reply with quote

Simply open an image in JPEGsnoop and scroll down to the section titled, *** Searching Compression Signatures ***. This option can be enabled/disabled with the Signature Search item in the Options menu.
The utility will compare the compression characteristics of the photo against an internal database of thousands of camera "signatures" to locate a match. If a match is found, the matching digital camera or editor is shown. If the signature matches a photo editor (such as Photoshop), then there is a good chance that the photo has been edited (i.e. not original!).
The assessment line indicates one of four possible outcomes:
  • Class 1 - Image is processed/edited
  • Class 2 - Image has high probability of being processed/edited
  • Class 3 - Image has high probability of being original -- NOTE: Please see description below!
  • Class 4 - Uncertain if processed or original
Image is Authenticated as very likely original

What is "Original"? How confident can we be?

It is virtually impossible for any software to ever guarantee with absolute certainty that a file or image has not been modified in some way. Even files that have an integrated cryptographic hash (eg. SHA-1 or MD5) could theoretically be altered to give a false positive integrity check, albeit unlikely. Apart from the use of cameras providing tightly-integrated authentication features (such as the Canon 1Ds / 1D mk II with the Data Verification Kit DVK-E1 / DVK-E2), it becomes a formidable task to prove that an image is guaranteed to be in its original, unaltered state. It is a much easier task to prove with certainty that an image has been processed / edited (ie. not original).
JPEGsnoop can be used with reasonable confidence in identifying "processed" images, but what can we draw from the tool's assessment that an "Image has a high probability of being original"? ... only that the JPEG compression "signatures" and certain metadata elements match those expected from the indicated camera model(s). Note that assessment "Image is Original" is not used, for this reason.
Is this sufficient information to prove that an image is "original"? In a word, no.
Important Note: For this, and related reasons, the tool should not be used as direct evidence for legal investigations!
It would take a very specialized set of tools to create a false positive "original" from an altered image. It is possible, and I have proven this in my own development. However, in most circumstances, it is highly unlikely that a set of JPEG analysis tools have been used to produce such a fabrication. Even if the compression signatures and metadata were altered carefully to match, there is an array of advanced image content analysis techniques (eg. statistical noise analysis, etc.) that could then be applied to further identify possible alterations.

In-Camera Editing
More interesting perhaps, is that some new digicams allow for a limited set of in-camera editing facilities. These digital cameras may allow for an externally edited photo to be brought back into the camera for resaving (via the editing functions). This mechanism may indeed enable an image to present all of the hallmarks of an "original" image (matching metadata and quantization tables), but bare no relationship to the original captured image.

Video Frame Analysis
JPEGsnoop's image assessment functions are not designed to be performed on JPEG frames extracted from video files (eg. AVI MJPG). In most cases, these will report as "Processed/Edited".

Therefore, while JPEGsnoop cannot absolutely guarantee an image's authenticity, it can be used to indicate with reasonable probability that an image has not been modified. If authenticity must be "proven", further analysis methods would be required. On the other hand, disproving an image's authenticity is accomplished quite easily (provided that the original image camera's signatures have been captured in the database)

Images that are not "Original"
You would be surprised at how many images on the web are apparently original, but are quickly revealed as being edited / post-processed. For example, even some of the "Sample Images" on Canon's official website have been edited in Photoshop, using Save As quality 10. The following is one such example #3.

In this example, Canon may have simply enhanced the sharpness or increased the saturation, but one could easily see how it could be misused.
Canon's Sample Image example was edited!

Compression Signatures

Matching IJG Library Signatures
In some cases, JPEGsnoop may determine that the image's signature matches the digital fingerprint characteristic of IJG's compression quality scale. This scale is based on a formula that generates DQT tables based on a quality value from 1-100. The majority of image editors that provide a quality scale across this range use the same formula to generate their compression tables.
Once JPEGsnoop has determined a match, it will list out several known editors that use this particular scale, as they are all candidates and can produce the same signature.

Submit your own Compression Fingerprint / Signature!

While the built-in database includes thousands of signatures, not all digital cameras or software editors have been analyzed. If JPEGsnoop does not recognize the digicam or software editor, you have an opportunity to submit the compression signature to the JPEGsnoop database (stored on your computer and in the shared database).
If you know the origin of a file (i.e. you took a file direct from your digital camera, or the file is direct from saving within a photo editor / image processing program), then you are invited to submit the compression signature with the Add Camera/SW to DB... command. A dialog box will display the calculated compression signature unique to that file, along with a request for some additional details:
  • What is the source of the file? Was it direct from your digital camera or has the file been processed / edited?
  • The name of the software (e.g. Adobe Photoshop), if the file has been processed (i.e. no longer original).
  • The image quality setting. In this field, you are requested to enter the quality setting (if you happen to know it). Digicams generally provide the user with a selection of up to three image quality modes (e.g. superfine, fine, normal). Similarly, if you have edited / processed a file with software, you are often given the choice of JPEG quality (e.g. high, medium, low, 70, etc.).

When submitting the compression signature to the database, no identifying information or image content is captured -- only the compression signature (a long series of digits) and setting info.

Local User Database
When you add a camera / editor to your database, it is included in all future searches for compression signatures when processing photos. If you want to modify or clear this list (for example, if you entered information that was invalid), then you can use the Manage User DB option.
JPEGsnoop stores the local user database (and configuration options) in the following location:
<Profile Drive>/Documents and Settings/<User Name>/Application Data/JPEGsnoop/
In Windows 95/98 (or in operating systems where the User Profiles haven't been configured), the data file is stored in the same directory as the executable.  

Back to top
Contenu Sponsorisé

PostPosted: Today at 02:53 am    Post subject: JPEGSnoop

Back to top
Display posts from previous:   
Post new topic   Reply to topic    ANALYSIS Forum (IPACO) Forum Index -> Analysis: technical subjects -> Tools kit All times are GMT + 2 Hours
Page 1 of 1

Jump to:  

Index | Create free forum | Free support forum | Free forums directory | Report a violation | Conditions générales d'utilisation
Powered by phpBB © 2001, 2005 phpBB Group