How to interpret ghiro report


Roberto Rios

Aug 16, 2015, 6:54:02 PM
to Ghiro image forensics mailing list
Hi,

I'm trying to understand how Ghiro works.

The company that I work for has tons of images, and I would like to separate the images that have a high probability of being fake/adulterated from the ones that I could trust. Since the quantity of images is really huge, the idea is to focus (by doing human actions) only on the images that have indications of fraud. So, I was expecting that Ghiro could help me.

I downloaded the appliance and started it (nice job by the way). I performed the analysis over two images, one original and one that I adulterated by myself. Ghiro performed the analysis and produced the reports.

The fake image has more signatures than the original one ("XMP Exif DateTimeOriginal available" and "XMP exif DateTimeDigitized available" are present in the fake image, but not in the original one). I thought that absence of signatures could indicate a fake image (I did an analysis over a real fake internet image).

So, how do I determine if one image is fake or not?

I also read the documentation, but found nothing regarding the signatures classification. What do low, medium and high mean?

TIA,

Roberto

Alessandro Tanasi

Sep 3, 2015, 10:36:09 AM
to gh...@googlegroups.com
Hello,
images are digital data, and we know it is quite easy to tamper with
digital data.
There are many ways to fake digital images, from trivial to really
advanced; you have to know your threat model and how digital images
work to choose your "acceptable level of detection" or how much effort
you want to put in to authenticate a photo.
There are commercial products out there that promise to detect fake
images, but what they do is choose an "acceptable level of detection" for
you, just saying we use the techniques X, Y, Z and this is image
authentication for us.
For example, if you need only to detect images downloaded from Facebook
etc. from original photos, you have to look at metadata. We know digital
cameras fill images with metadata, but common websites like Facebook
strip them. This is why you got signatures from your original images,
and none from the others.
ELA is also a good technique to detect fake images.
You should choose the best technique for your threat model, and go for
it.
With an open source tool you can customize the tool to fit your needs in
the best way.

Ghiro signatures are meant to highlight interesting data in an image, for
example a signature at high priority means that some really relevant
data were found (e.g. GPS position).

Regards,
Alessandro Tanasi (@jekil)
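
The metadata check described in the reply above, as an added example that is not part of the original thread and is not Ghiro's own code: it walks the JPEG header segments and reports whether Exif or XMP blocks are present, so a large collection can be split into "has metadata" and "stripped" before a human looks at it. The function names, bucket labels and the sample bytes are assumptions made for illustration.

```python
import struct
EXIF_ID = b"Exif\x00\x00"                      # APP1 payload prefix for Exif
XMP_ID = b"http://ns.adobe.com/xap/1.0/\x00"   # APP1 payload prefix for XMP

def jpeg_metadata_segments(data):
    """Walk JPEG marker segments up to start-of-scan; report metadata kinds found."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    found = {"exif": False, "xmp": False, "comment": False}
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):             # SOS / EOI: headers are over
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers without a length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1:                     # APP1 carries Exif or XMP
            found["exif"] |= payload.startswith(EXIF_ID)
            found["xmp"] |= payload.startswith(XMP_ID)
        found["comment"] |= marker == 0xFE     # COM segment
        pos += 2 + length
    return found

def triage(data):
    """Hypothetical two-bucket sort; metadata presence alone authenticates nothing."""
    found = jpeg_metadata_segments(data)
    return "has-metadata" if found["exif"] or found["xmp"] else "stripped"

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample(with_exif, with_xmp):
    """Constructed header-only JPEG byte string (no real image data)."""
    out = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    if with_exif:
        out += _segment(0xE1, EXIF_ID + b"II*\x00\x08\x00\x00\x00")
    if with_xmp:
        out += _segment(0xE1, XMP_ID + b"<x:xmpmeta/>")
    return out + b"\xff\xda\x00\x02\xff\xd9"
```

Files in the "stripped" bucket still need a content-based technique such as ELA, which this sketch does not attempt.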

xujiaoper...@gmail.com

Aug 1, 2017, 3:55:53 AM
to Ghiro image forensics mailing list
Hello.
If you can separate the images that have a high probability of being fake/adulterated from the ones that you could trust...
How did you get it?