Okay, time for a hex dump of the JPEG file. I believe that the analysis shows that the JPEG was compressed with 53% quality loss and that there is no evidence of manipulation in either the metadata or the error level analysis. The lack of metadata also allows us to eliminate Photoshop, and finally we have a comment entry “YCbCr” which can be used to identify the routine used to generate the JPEG.
    offset $0    0xFF 0xD8 : SOI Start of Image

                 DQT       length    precision table #
    offset $2    0xFF 0xDB 0x00 0x43 0x0       0x0     : Quantization table
                 Table 0 length 67 bytes 8 bit precision
                 0x08 0x0A 0x0B 0x0D 0x0B 0x09 0x0E 0x0D
                 0x0C 0x0D 0x10 0x0F 0x0E 0x11 0x16 0x24
                 0x17 0x16 0x14 0x14 0x16 0x2C 0x20 0x21
                 0x1A 0x24 0x34 0x2E 0x37 0x36 0x33 0x2E
                 0x32 0x32 0x3A 0x41 0x53 0x46 0x3A 0x3D
                 0x4E 0x3E 0x32 0x32 0x48 0x62 0x49 0x4E
                 0x56 0x58 0x5D 0x5E 0x5D 0x38 0x45 0x66
                 0x6D 0x65 0x5A 0x6C 0x53 0x5B 0x5D 0x59

                 DQT       length    precision table #
    offset $47   0xFF 0xDB 0x00 0x43 0x0       0x1     : Quantization table
                 Table 1 length 67 bytes 8 bit precision
                 0x08 0x0A 0x0B 0x0D 0x0B 0x09 0x0E 0x0D
                 0x0C 0x0D 0x10 0x0F 0x0E 0x11 0x16 0x24
                 0x17 0x16 0x14 0x14 0x16 0x2C 0x20 0x21
                 0x1A 0x24 0x34 0x2E 0x37 0x36 0x33 0x2E
                 0x32 0x32 0x3A 0x41 0x53 0x46 0x3A 0x3D
                 0x4E 0x3E 0x32 0x32 0x48 0x62 0x49 0x4E
                 0x56 0x58 0x5D 0x5E 0x5D 0x38 0x45 0x66
                 0x6D 0x65 0x5A 0x6C 0x53 0x5B 0x5D 0x59
These tables are stored in zig-zag order. The strange thing is that these tables are identical, which does not really make sense since you can be far more aggressive with the quantization of the chroma data. Using the HP-developed method, the estimated quality factor is 47%, which shows quite a bit of compression. Part of the compression is due to the tables for chroma and luminance being the same. Using the jpegquality tool at Hacker Factor, I obtain a quality factor of 47%, which is still low. And using the jpegdump program I obtain a quality factor of 55%.
                 COM       length    Y    C    b    C    r
    offset $23c  0xFF 0xFE 0x00 0x07 0x59 0x43 0x62 0x43 0x72 : Comment
Another hint, a comment indicating the color space. Using the 0xFF
I opened the JPEG in Preview, printed it as PDF and examined the file. The YCbCr comment is still present.
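The following is an added example, not code from the original post: a small Python parser that walks the marker segments, pulls the DQT tables out in zig-zag order, and checks how closely a table fits libjpeg's quality scaling of the Annex K luminance table. `SAMPLE` is constructed from the DQT and COM bytes dumped above only; the function names and the choice of libjpeg's scaling formula are assumptions of this example, not the method used by the HP estimate, jpegquality or jpegdump.

```python
import struct

# Constructed sample: the segments quoted above (SOI, DQT 0, DQT 1, COM) plus EOI.
QT = bytes.fromhex("080A0B0D0B090E0D 0C0D100F0E111624 17161414162C2021 1A24342E3736332E"
                   "32323A4153463A3D 4E3E32324862494E 56585D5E5D384566 6D655A6C535B5D59")
SAMPLE = (b"\xff\xd8" + b"".join(b"\xff\xdb\x00\x43" + bytes([t]) + QT for t in (0, 1))
          + b"\xff\xfe\x00\x07YCbCr\xff\xd9")
# Assumed base table for this example: ITU-T T.81 Annex K luminance, zig-zag order.
K1_ZZ = [16, 11, 12, 14, 12, 10, 16, 14, 13, 14, 18, 17, 16, 19, 24, 40,
         26, 24, 22, 22, 24, 49, 35, 37, 29, 40, 58, 51, 61, 60, 57, 51,
         56, 55, 64, 72, 92, 78, 64, 68, 87, 69, 55, 56, 80, 109, 81, 87,
         95, 98, 103, 104, 103, 62, 77, 113, 121, 112, 100, 120, 92, 101, 103, 99]

def segments(data):
    """Yield (offset, marker, payload) for each segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while pos + 4 <= len(data) and data[pos + 1] not in (0xD9, 0xDA):
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if data[pos] != 0xFF or length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment at {pos:#x}")
        yield pos, data[pos + 1], data[pos + 4:pos + 2 + length]
        pos += 2 + length

def quant_tables(data):
    """Return {table id: 64 values in zig-zag order} from every DQT segment."""
    tables = {}
    for _, marker, body in segments(data):
        while marker == 0xDB and body:
            size = 128 if body[0] >> 4 else 64      # 16-bit or 8-bit entries
            if len(body) < 1 + size:
                raise ValueError("truncated DQT")
            fmt = ">64H" if size == 128 else "64B"
            tables[body[0] & 0x0F] = list(struct.unpack(fmt, body[1:1 + size]))
            body = body[1 + size:]                  # a segment may hold several tables
    return tables

def ijg_fit(table):
    """Best-matching libjpeg quality (1-100) and the zig-zag indexes that differ."""
    def misses(q):
        scale = 5000 // q if q < 50 else 200 - 2 * q   # libjpeg quality scaling
        want = [min(max((b * scale + 50) // 100, 1), 255) for b in K1_ZZ]
        return [i for i in range(64) if want[i] != table[i]]
    q = min(range(1, 101), key=lambda q: len(misses(q)))
    return q, misses(q)

if __name__ == "__main__":
    t = quant_tables(SAMPLE)
    print("identical:", t[0] == t[1], "| IJG fit (quality, misses):", ijg_fit(t[0]))
```

On the table above it returns quality 55 with one non-matching entry, index 0 (the DC term, 8 in the file where that scaling gives 14).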
Error Level Analysis
Using Hacker Factor’s error level analysis, I obtain the following ELA picture, showing no obvious evidence of forgery. However, the low quality of the jpeg complicates such an analysis.
I have looked at various jpeg files:
Photoshop has JFIF formatted information
                                                 version                            Thumb
                        J    F    I    F    0    1    2    1    72dpi     72dpi     size
    0xFF 0xE0 0x00 0x10 0x4A 0x46 0x49 0x46 0x00 0x01 0x02 0x01 0x00 0x48 0x00 0x48 0x00 0x00

                        P    h    o    t    o    s    h    o    p    sp   3    .    0
    0xFF 0xED 0x05 0xA6 0x50 0x68 0x6F 0x74 0x6F 0x73 0x68 0x6F 0x70 0x20 0x33 0x2E 0x30
The metadata from Hacker Factor also supports my findings:
| Encoding Process | Baseline DCT, Huffman coding |
| Bits Per Sample | 8 |
| Y Cb Cr Sub Sampling | YCbCr4:2:0 (2 2) |