Barack Obama Birth Certificate Image Tampering Analysis

So, apparently Barack Obama's birth certificate is a big controversial deal. In an effort to appease conspiracy theorists, his web site now contains a copy of his birth certificate. As soon as it appeared, people began to wonder if the image had been tampered with. Well, it has...

Update 11/02/08: Obama's Birth Certificate Verified By State of Hawaii

But not in any nefarious way. First, look at the original image from his site, here:

It's quite obvious that there has been blatant tampering. Duh, they've erased the Certificate Number. I'm not sure why that was necessary, but maybe someone out there can perform voodoo-ish rites to ensure his downfall IF ONLY THEY HAVE HIS BIRTH CERTIFICATE NUMBER. And here I've been safeguarding my Social Security Number all along... But is there more that has been altered?

There are dozens of methods for detecting image alteration. Many of them are specific to "photo" type images, and have no bearing on a scanned document, but some are relevant to any image type. We'll try a few easy ones. We're assuming that if Obama was really up to a great digital forgery, it'd be easier for him to just subvert someone into printing or obtaining for him a blank Birth Certificate and then laser-printing whatever he wanted onto it. So, we're just looking for digital tampering.

First, let's examine the EXIF data in the file with Phil Harvey's excellent ExifTool:

---- ExifTool ----
ExifTool Version Number : 7.25
---- File ----
File Name : BO_birthcert.jpg
Directory : C:\Documents and Settings\Xenon\My Documents\ImageTampering
File Size : 107 kB
File Modification Date/Time : 2008:06:13 14:15:24
File Type : JPEG
MIME Type : image/jpeg
Image Width : 585
Image Height : 575
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
---- JFIF ----
JFIF Version : 1.2
Resolution Unit : None
X Resolution : 100
Y Resolution : 100
---- Ducky ----
Quality : 60%
---- Adobe ----
DCT Encode Version : 100
APP14 Flags 0 : [14], Encoded with Blend=1 downsampling
APP14 Flags 1 : (none)
Color Transform : YCbCr
---- Composite ----
Image Size : 585x575

Absolutely nothing of interest here. Zilch.

Let's examine the hex dump of the JPEG image file:

Interesting. The words "Adobe" and "Ducky" are visible in the beginning of the file, which are the fingerprints of Adobe Photoshop, probably the "Save For Web" feature, which would omit lots of the other metadata:
http://en.irfanview-forum.de/vb/showthread.php?t=724
http://www.networkworld.com/columnists/2004/062804gearhead.html
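
The same check the hex dump gives by eye can be done by walking the JPEG's marker segments and naming each APPn block by its leading signature. This is an added example, not code from the original post; the two byte strings are constructed samples that mimic a "Save For Web" file and a full Photoshop save, and the function names are made up for illustration.

```python
import struct

# Leading bytes of APPn payloads and what they indicate.
KNOWN = [
    (0xE0, b"JFIF\x00", "JFIF"),
    (0xE1, b"Exif\x00\x00", "Exif"),
    (0xE1, b"http://ns.adobe.com/xap/1.0/\x00", "XMP"),
    (0xEC, b"Ducky", "Ducky (Save For Web)"),
    (0xED, b"Photoshop 3.0\x00", "Photoshop IRB"),
    (0xEE, b"Adobe", "Adobe APP14"),
]

def list_app_segments(data):
    """Walk marker segments up to start-of-scan; return [(APPn, label, length)]."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):          # SOS / EOI: metadata ends here
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"corrupt segment length at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF:
            label = next((name for m, sig, name in KNOWN
                          if m == marker and payload.startswith(sig)), "unknown")
            found.append((f"APP{marker - 0xE0}", label, length))
        pos += 2 + length
    return found

def metadata_stripped(segments):
    """True when Ducky is present but Exif, XMP and Photoshop blocks are not."""
    labels = {label for _, label, _ in segments}
    return "Ducky (Save For Web)" in labels and not labels & {"Exif", "XMP", "Photoshop IRB"}

def seg(marker, payload):
    """Build one constructed segment: FF, marker, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples (not bytes from the real files).
SAVE_FOR_WEB = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x02\x00\x00\x64\x00\x64\x00\x00")
                + seg(0xEC, b"Ducky\x00\x01\x00\x04\x00\x00\x00\x3c")
                + seg(0xEE, b"Adobe\x00\x64\x40\x00\x00\x00\x01") + b"\xff\xda")
FULL_SAVE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x02\x01\x00\x48\x00\x48\x00\x00")
             + seg(0xE1, b"Exif\x00\x00MM\x00\x2a") + seg(0xED, b"Photoshop 3.0\x008BIM")
             + seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
             + seg(0xEE, b"Adobe\x00\x64\x00\x00\x00\x00\x01") + b"\xff\xda")
```

To run it on a real file, pass `open(path, "rb").read()` to `list_app_segments`.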

Ok, let's try examining the JPEG error level, using the process described by Dr Neal Krawetz at Black Hat 2007 (Section 3.4.2, page 16)
http://www.hackerfactor.org/papers/bh-usa-07-krawetz-wp.pdf in a GUI implementation by TinyAppz: http://www.tinyappz.com/wiki/Error_Level_Analyser

It can be hard to read this sort of image, so I'll simply tell you that you're looking for areas of the image that disagree with other similar areas.

Clearly the blackout area differs, but all of the other borders, text and seals look exactly like each other. Nothing to see here.

Examining the least significant bits of the RGB values making up the image sometimes shows evidence of tampering. I use a tool I quickly wrote the other night called PixelSwizzle to do this. Source and Windows EXE found attached, below.

Again, not much to see here. Next I'll show you what you were looking for.
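
For readers who want to see the least-significant-bit check described above in code, here is an added example (it is not PixelSwizzle and not from the original post). It extracts the LSB plane and also scores each 8x8 tile by how many LSBs are set, which goes a step beyond eyeballing the picture. The image is a constructed synthetic "scan" with one flat pasted patch, and the function names and the 0.25 tolerance are assumptions chosen for the demonstration.

```python
import random

def lsb_plane(pixels):
    """Map each (r, g, b) pixel to its least significant bits, amplified to 0/255."""
    return [[tuple(255 * (c & 1) for c in px) for px in row] for row in pixels]

def lsb_block_stats(pixels, block=8):
    """Return {(bx, by): fraction of set LSBs} for each block x block tile."""
    h, w = len(pixels), len(pixels[0])
    stats = {}
    for by in range(0, h, block):
        for bx in range(0, w, block):
            bits = [c & 1 for row in pixels[by:by + block]
                    for px in row[bx:bx + block] for c in px]
            stats[(bx // block, by // block)] = sum(bits) / len(bits)
    return stats

def suspicious_blocks(pixels, block=8, tolerance=0.25):
    """Tiles whose LSB density strays from the image-wide median by more than tolerance."""
    stats = lsb_block_stats(pixels, block)
    ordered = sorted(stats.values())
    median = ordered[len(ordered) // 2]
    return sorted(k for k, v in stats.items() if abs(v - median) > tolerance)

def constructed_scan(width=32, height=32, seed=1):
    """Synthetic 'scanned paper': noisy light-grey pixels, then one flat pasted patch."""
    rng = random.Random(seed)
    img = [[tuple(rng.randint(200, 231) for _ in range(3)) for _ in range(width)]
           for _ in range(height)]
    for y in range(16, 24):          # pasted region: uniform fill, no scanner noise
        for x in range(8, 16):
            img[y][x] = (220, 220, 220)
    return img
```

On a real image, load the pixel rows with an imaging library of your choice and compare the flagged tiles against the amplified `lsb_plane` output by eye, since JPEG compression shapes the low bits differently from this synthetic noise.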

So, since the Internet is full of Photoshoppers it didn't take long before someone did retouch the image available here:

A decent job, though even the untrained eye can see a slight mismatch in the color/weight of the font where the text has been replaced.

What does the EXIF data say?


---- ExifTool ----
ExifTool Version Number : 7.25
---- File ----
File Name : BO_birthcert-fake.jpg
Directory : C:\Documents and Settings\Xenon\My Documents\ImageTampering\Antarctica
File Size : 141 kB
File Modification Date/Time : 2008:06:13 14:38:46
File Type : JPEG
MIME Type : image/jpeg
Exif Byte Order : Big-endian (Motorola, MM)
Image Width : 585
Image Height : 575
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
---- JFIF ----
JFIF Version : 1.2
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
---- IFD0 ----
Orientation : Horizontal (normal)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Software : Adobe Photoshop CS3 Windows
Modify Date : 2008:06:12 20:47:59
---- ExifIFD ----
Color Space : Uncalibrated
Exif Image Width : 585
Exif Image Height : 575
---- IFD1 ----
Compression : JPEG (old-style)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Thumbnail Offset : 332
Thumbnail Length : 5532
---- IPTC ----
Application Record Version : 8143
---- Photoshop ----
Photoshop 0x0425 : û".Þ÷¹[.B¦Pg3.ç€
X Resolution : 72
Displayed Units X : inches
Y Resolution : 72
Displayed Units Y : inches
Photoshop 0x0426 : ?€
Global Angle : 30
Global Altitude : 30
Print Flags : .
Copyright Flag : False
Print Flags Info : ..
Color Halftoning Info : /ff.lff../ff.¡™š..2.Z..5.-..
Color Transfer Funcs : ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ.èÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ.èÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ.èÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ.è
Layer State Info : .
Layers Group Info :
Photoshop 0x0430 : .............
Photoshop 0x042d : ..
Grid Guides Info : ..@.@
URL List :
Slices : ..?.I.BO_birthcert...I.?...null..boundsObjc.Rct1.Top longLeftlongBtomlong.?Rghtlong.I.slicesVlLs.Objc..slice..sliceIDlong.groupIDlong.originenum.ESliceOrigin.autoGeneratedTypeenum.ESliceTypeImg .boundsObjc.Rct1.Top longLeftlongBtomlong.?Rghtlong.I.urlTEXT.nullTEXT.MsgeTEXT..altTagTEXT..cellTextIsHTMLbool..cellTextTEXT..horzAlignenum.ESliceHorzAlign.default.vertAlignenum.ESliceVertAlign.default.bgColorTypeenum.ESliceBGColorTypeNone.topOutsetlong.leftOutsetlong.bottomOutsetlong.rightOutsetlong
Photoshop 0x0428 : .?ð
ICC Untagged : .
ID's Base Value : .
Photoshop Thumbnail : (Binary data 5532 bytes, use -b option to extract)
Version Info : ...Adobe Photoshop.Adobe Photoshop CS3.
Photoshop 0x0fa0 : maniIRFR.8BIMAnDsà..null.AFStl[...]
Photoshop 0x0fa1 : mfri....
Photoshop Quality : 9
Photoshop Format : Progressive
Progressive Scans : 3 Scans
---- XMP-xmp ----
Create Date : 2008:06:12 20:47:59-05:00
Modify Date : 2008:06:12 20:47:59-05:00
Metadata Date : 2008:06:12 20:47:59-05:00
Creator Tool : Adobe Photoshop CS3 Windows
---- XMP-dc ----
Format : image/jpeg
---- XMP-photoshop ----
Color Mode : 3
History :
---- XMP-xmpMM ----
Instance ID : uuid:15D3BAA5EA38DD11BF32CC38706C0881
Document ID : uuid:14D3BAA5EA38DD11BF32CC38706C0881
Derived From Instance ID : uuid:38FB7EC3E838DD11924FBA8EDB8F4042
---- XMP-tiff ----
Orientation : Horizontal (normal)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Native Digest : 256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;8832D027852711993089A315EE10AD34
---- XMP-exif ----
Exif Image Width : 585
Exif Image Height : 575
Color Space : Unknown (-1)
Native Digest : 36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;011EA308FDEC0C3BDA0896FF9A4A4B82
---- Adobe ----
DCT Encode Version : 100
APP14 Flags 0 : [14]
APP14 Flags 1 : (none)
Color Transform : YCbCr
---- Composite ----
Image Size : 585x575
Thumbnail Image : (Binary data 5532 bytes, use -b option to extract)

Wow. This one has Photoshop's DNA all over it, as you can see. Photoshop CS3 for Windows, in fact. Some of the contents of the "slices" item look intriguing. Further investigation is needed.

Ok, let's look at the Error Level:

Can you see it? I can, and you can too if you look carefully. Examine some of the text areas against the others. Do you notice the "Antarctica" and "North Korea" regions have a teal color in their noise, and none of the other text does? Here they are highlighted:

It doesn't tell us exactly what was done, but it flags those areas as being different and therefore suspect. Let's examine the Least Significant Bits extraction:

Even from a distance, a couple little smudges are apparent, and they correlate with what ErrorLevel flagged. A second damning opinion:

Ok, so now we know what tampering does and doesn't look like. What else can we learn from this document though?

While playing with the contrast and brightness early on (sometimes an easy way to reveal unseen information in an image) I noticed some overlooked text at the bottom center:

Let's look at that up close, contrast boosted.

And flip it horizontal, since it's apparently printed on the OTHER side of the document, and enlarge:

Yep. This birth certificate copy was printed on Jun 6th of last year. It's those little touches that lend an air of credibility to this document. Now, granted, anyone who really knows digital imaging could STILL have faked this digitally, but at first glance, it appears legit. In the next few days, I'll see if anything else jumps out to validate or repudiate the provenance of this file, but it looks to me like the only tampering done to it was erasing the document number.

More importantly, I've given you all the tools necessary to try this yourself on these images, or others. Of course, it's not always the tools that are the barrier, it's knowing how to use them, and read the results. But go try it for yourself. Find some images and analyze them. Take a real image (like something from your own camera, that you know is "clean") and doctor it up, and see if you can detect the alterations yourself. And read Neal's excellent paper.

Thanks to Dr Neal Krawetz, who I finally got to meet at the NCLUG meeting the other night, for pioneering some great practical work in the field.

Attachment    Size
BO_Birthcert-errorlevel.png    320.92 KB
BO_BirthcertLSb.png    823.91 KB
BO_birthcert-fake.jpg    140.63 KB
BO-birthcert-fake-ErrorLevel.png    320.88 KB
BO_birthcert_hexdump.png    9.42 KB
BO-birthcert-fake-ErrorLevel-anno.png    281.1 KB
BO-birthcert-fake-LSb.png    826.77 KB
BO-birthcert-fake-LSb-anno.png    444.58 KB
BO_birthcert-hiddentext.png    609.87 KB
BO_birthcert-hiddentext-crop-cont.png    9.38 KB
BO_birthcert-hiddentext-crop-cont-flip-4x.png    141.57 KB
PixelSwizzle.cpp    1.21 KB
PixelSwizzle.exe    6.5 KB