An open source image forensic toolset

"Forensic Image Analysis is the application of image science and domain expertise to interpret the content of an image and/or the image itself in legal matters. Major subdisciplines of Forensic Image Analysis with law enforcement applications include: Photogrammetry, Photographic Comparison, Content Analysis, and Image Authentication." (Scientific Working Group on Imaging Technologies)

Sherloq is a personal research project about implementing a fully integrated environment for digital image forensics. It is not meant as an automatic tool that decide if an image is forged or not (that tool probably will never exist...), but as a companion in experimenting with various algorithms to discover potential image inconsistencies.

While many commercial solutions have unaffordable prices and are reserved to law enforcement and government agencies only, this toolset aims to be a powerful and extensible framework as a starting point for anyone interested in state-of-the-art forensic algorithms.

I strongly believe that security-by-obscurity is the wrong way to offer any kind of forensic service (i.e. "Using this proprietary software I guarantee you that this photo is pristine... and you have to trust me!"). Following the open-source philosophy, everyone should be able to try various techniques on their own, gain knowledge and share it to the community... even better if they contribute with code improvements! :)

The first version was written in 2015 using C++11 to build a command line utility with many options, but soon it turned to be too cumbersome and not much interactive. That version could be compiled with CMake after installing OpenCV, Boost and AlgLib libraries. This first proof of concept offered about 80% of planned features (see below for the full list).

While also including novel algorithms, the 2017 version mainly added a Qt-based multi-window GUI to provide a better user experience. Multiple analyses could be shown on screen and a fast zoom/scroll viewer was implemented for easier image navigation. That project could be compiled with Qt Creator with Qt 5 and OpenCV 3 and covered about 70% of planned features (see below for the full list).

Fast forward to 2020 when I decided to port everything in Python + PySide2 + OpenCV for a much easier installation and development. While iteration is just begun and I have ported about 70% of the previous code on the new platform, I think this will be the final "form" of the project (as long as someone does not volunteer up to develop a nice web application!).

I'm happy to share my code and get in contact with anyone interested to improve or test it, but please keep in mind that this repository is not intended for distributing a final product, my aim is just to publicly track development of an unpretentious educational tool, so expect bugs, unpolished code and missing features! ;)

This list contains the functions that Sherloq will provide once the beta stage is reached.

• Modern Qt-based GUI with multiple tool window management
• Import BMP, JPEG, PNG, WebP, PGM, PFM, TIFF and GIF formats
• Highly responsive image viewer with panning and zooming
• Contextual help with current tool explanation
• Export both visual and textual tool outputs

• Original Image: display the unaltered reference image for visual inspection
• File Digest: retrieve file information and compute many hashes and ballistics
• Hex Editor: open an external hexadecimal editor to show and edit raw bytes
• Similar Search: use online search services to find visually similar images

• Header Structure: dump the physical EXIF structure and display an interactive view
• Metadata Extraction: scan through file metadata and gather all available information
• Thumbnail Analysis: extract optional embedded thumbnail and compare with original
• Geolocation Data: retrieve optional geo-location data and show it on a world map

• Enhancing Magnifier: use various visual enhancement for better identifying forgeries
• Reference Comparison: open a synchronized double view to compare two different pictures
• Image Histogram: display independent channel or composite interactive image histogram
• Global Adjustments: apply standard adjustments (contrast, brightness, hue, saturation)

• Quality Estimation: extract quantization tables and estimate last saved JPEG quality
• Error Level Analysis: show pixel-level difference against different compression levels
• Multiple Compression: use residuals to detect multiple compressions at different levels
• DCT Dimples Map: analyze periodic quantization artifacts to detect manipulations

• RGB/HSV 2D Plots: display an interactive 2D plots of RGB and HSV pixel values
• Pixel Statistics: compute minimum/maximum/average RGB values for every pixel
• Space Conversion: convert color channels into HSV/YCbCr/Lab/Luv/CMYK/Gray spaces
• PCA Projection: use color PCA to project RGB values into reduced dimensions

• Luminance Gradient: analyze horizontal and vertical brightness variations of the image
• Echo Edge Filter: use derivative filter to reveal artificial out-of-focus zones
• Correlation Plot: exploit spatial correlation patterns among neighboring pixels
• Wavelet Reconstruct: reconstruct image with different wavelet coefficient thresholds

• Noise Extraction: estimate and visualize gaussian noise components of the image
• Min/Max Deviation: highlight pixels deviating from block-based min/max statistics
• Image Bit Planes: visualize bit planes values to find different noise patterns
• Frequency Separation: divide image luminance into high/low frequency components

• Contrast Enhancement: analyze color distribuions to detect contrast enhancements
• Region Cloning: use feature descriptors for copy/rotate clone area detection
• Image Resampling: analyze 2D pixel interpolation for detecting resampling traces
• Composite Splicing: exploit DCT statistics for automatic splicing zone detection

Here are some screenshots from the previous C++ Qt GUI:

File Analysis: Metadata, Digest and EXIF

Color Analysis: Space Conversion, PCA Projection, Histograms and Statistics

Visual Inspection: Magnifier Loupe, Image Adjustments and Evidence Comparison

JPEG Analysis: Quantization Tables, Compression Ghosts and Error Level Analysis

Luminance and Noise: Light Gradient, Echo Edge, Min/Max Deviation and SNR Consistency

1. Clone repository content into a local folder
2. Create a Python 3 virtual environment (these are Linux instructions, for Windows you can follow this guide, while this guide is for MacOS):

Install package manager
$ sudo apt install python3-distutils python3-dev subversion
$ wget https://bootstrap.pypa.io/get-pip.py
$ sudo python3 get-pip.py

Enable virtual environments
$ sudo pip install virtualenv virtualenvwrapper
$ echo -e "\n# Python Virtual Environments" >> ~/.bashrc
$ echo "export WORKON_HOME=$HOME/.virtualenvs" >> ~/.bashrc
$ echo "export VIRTUALENVWRAPPER_PYTHON=/usr/bin/python3" >> ~/.bashrc
$ echo "source /usr/local/bin/virtualenvwrapper.sh" >> ~/.bashrc
$ source ~/.bashrc

Create virtual environment and switch
$ mkvirtualenv sq -p python3
$ workon sq

3. Go to gui folder and execute pip install -r requirements.txt
4. Launch GUI with python sherloq.py

• Black Hat Briefings DC. (2008) A Picture's Worth: Digital Image Analysis and Forensics [White paper]. Washington, DC. Retrieved from http://blackhat.com/presentations/bh-dc-08/Krawetz/Whitepaper/bh-dc-08-krawetz-WP.pdf