Forensic Software Tool for Detecting JPEG Double Compression Using an Adaptive Quantization Table Database

Most digital forensic investigations involve images presented as evidence. One of the common problems of these investigations is to prove the image's originality or, as a matter of fact, its manipulation. One of the guaranteed approaches to prove image forgery is JPEG double compressions. Double compression happens if a JPEG image is manipulated and saved again. Thus, the binaries of the image will be changed based on a “previous” quantization table. This paper presents a practical approach to detecting manipulated images using double JPEG compression analysis, implemented in a newly developed software tool. The method relies on an adaptive database of quantization tables, which stores all possible tables and generates new ones based on varying quality factors of recognized tables. The detection process is conducted through image metadata extraction, allowing analysis without the need for the original non-manipulated image. The tool analyzes the suspected image using chrominance, and luminance quantization tables utilizing the jpegio Python library. The tool recognizes camera sources as well as the programs used for manipulating images with the related compression rate. The tool has demonstrated effectiveness in identifying image manipulation, providing a useful tool for digital forensic investigations. The tool identified 96% of modified images whereas the other 4% identified as false positives. The tool fixes the false positives by extracting the software information from the image metadata. With a rich sources database, forensic examiners can use the proposed tool to detect manipulated evidence images using the evidence image only.