12

From what I understand, it is impossible to verify whether a file has been modified since its creation. Specifically, I was wondering whether it was possible to verify whether a photo was modified since its capture. However, according to the question "How to detect if a photo's metadata has been changed?" it is not:

It is sadly impossible to to prove when an image (or any file for that matter) originated. It is possible (if the author wants to) to prove that a file existed prior to a given time by signing the file from a third party time stamping server (through which the third party proves that the file existed at the time of the signing) but such information is not automatically possible and can easily be stripped.

I am also an IT Security guy and there is no possible secure way to prove the creation date of any file if the user controls the system creating the file with current technology that I am aware of. The best bet would be a device with a locked clock that would have a hidden key store that the user shouldn't have access to and create a signature based on this so that they couldn't fake their own signature, but since the key must still reside in the device, it is still feasibly possible for someone to break as all the necessary information is in their possession, even if it is hard to get to.

I feel like this explanation is somewhat similar to why DRM does not work (you can't give a person the lock and the key), but I'm still not clear on the explanation. I also think this is different than how TLS/SSL works. In the aforementioned case, you're trusting a source to give you files without any information on how many times the files were altered.

jwodder
  • 166
  • 1
  • 6
Seanny123
  • 511
  • 2
  • 5
  • 13
  • 7
    *"...but I'm still not clear on the explanation..."* - please explain which parts of this explanation are unclear to you, feel wrong or what you feel is missing. Also describe the use case your are asking about, for example prove to somebody that the photo was changed compared to the original you have or prove that a photo was changed without having the original. – Steffen Ullrich Nov 24 '17 at 15:53
  • 6
    There is a foolproof way to know if a file has been modified. Keep a copy of the original. – John Wu Nov 24 '17 at 22:16
  • 1
    The only way to provide proof of absence (this photo did not exist last week or another version of this photo did not exist last week) is if there's someplace every instance must necessarily go such that showing it didn't go there shows that it doesn't exist. Otherwise, it's impossible to proof some piece of data didn't exist. – David Schwartz Nov 25 '17 at 01:05
  • I think it's more accurate to say "That answer does not actually attempt to explain in any way why it's impossible, it just states that it is impossible". @SteffenUllrich – NotThatGuy Nov 25 '17 at 18:02
  • 1
    The problem runs deeper: Why is it impossible to verify whether *anything* has been modified since its creation? Then again, [is something still the same thing after it was modified](https://en.wikipedia.org/wiki/Ship_of_theseus)? What exactly is "creation" or even a "thing"? – David Foerster Nov 25 '17 at 22:26
  • I like the philosophy in DavidFoerster comments. But less philosophically, what if an attacker just removes _that file_, then creates a new file for _that file_? Without external bookkeeping, _that file_ than appears unmodified. – phresnel Nov 26 '17 at 08:45
  • @JohnWu How, exactly, do you prove that the original hasn't been modified? – user Nov 26 '17 at 11:43
  • 1
    @Michael *You* keep a copy. You. Unless you don't trust yourself, this is foolproof. This principle is known as chain of custody. – John Wu Nov 26 '17 at 11:45
  • @JohnWu Sure. Suppose I keep a copy of a file on my computer. (Some file, any file.) How do I *prove* that nobody and nothing has caused its bits to change? How do I prove that *to someone else*? Even writing it to strictly read-only media (CD-R, DVD±R, ...) doesn't necessarily help, because while that proves that the bits written did *at some time* exist in my possession, it does nothing to prove *when* they did. One can take steps to get *pretty far* in proving *to oneself* that the file hasn't been modified, but that doesn't prove to anyone else that the file hasn't been modified. – user Nov 26 '17 at 11:55
  • 1
    @Michael. The short answer is-- give them a copy too. That is the only foolproof way. The slightly longer (and more practical) answer is-- store the file on a computer that meets an agreed standard. – John Wu Nov 26 '17 at 12:19
  • First most cameras don't have this function. However, you could md5sum,sha2,crc, and possibly more the same file as soon as it touch the computer. Additional, having a backup database and more the above. Of course you could add TLS or another signing function if you want. And of course any changes to the database should be logged and dated and that log signed and possible md5sum,sha2,crc and etc. – cybernard Nov 26 '17 at 21:25

4 Answers4

35

I think you will want more of a philosophical answer than a technical one, given what you are rejecting.

A file is just a discrete collection of bits. Relevance and meaning are overlaid onto those bits by a human, but ultimately, it's just bits. How would it be possible to determine if the bits you have are in the same sequence in some unknown previous state? Answer: saving that state in a way that can be trusted to be used as a means of comparison.

That's why TLS/SSL uses 3rd party CAs to verify certificates, and why digitally signing files is useful. They provide a trusted means of having a state to compare. It's not perfect, but very effective if performed correctly.

schroeder
  • 123,438
  • 55
  • 284
  • 319
21

Imagine you're on a desert island and I hand you a print out of the US constitution, claiming that it is an exact copy (no words changed). With nothing to compare it against, you have no way to verify that, right?

As @schroeder says, a digital file (and its metadata) is just a collection of bits. How do you determine if the bits you have in front of you are in the same sequence as when they were first written? Well, you need some "baseline" version of the document to compare against. There are many cryptographic tools that will provide this baseline: hashes, MACs, digital signatures, and finally timestamping servers may actually be the closest to what you're looking for.

Trusted timestamping is the process of securely keeping track of the creation and modification time of a document

But ultimately, unless the original copy of the file was submitted to some form of crypto at the time it was created, you're in the desert island scenario with no baseline for comparison.

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
1

Because you are trying to prove a negative: namely that the file didn't exist before time X and that after time X the file wasn't changed.

There is nothing preventing the bits of a file to be ordered in a particular way before, after or during any particular time period other than available physical medium didn't exist. This includes the file "contents" and any associated meta-data.

So, no one can prove that you (or someone you know if you are too young) didn't hand assemble the last Avengers movie on an brand new Mac in 1996. If you present a file of the movie where the meta data says it was created in 1996, we can't rule it out based upon the arrangement of the bits that make up the file and it's meta data -- just because you could have faked it doesn't mean you did. OTOH, your ability to fake the file is in no wise proof that you didn't fake it.

If you are wanting to win a copyright suit, you will need something else to prove that you didn't fake it--someone else that will swear to having seen it in 1996, a copy of it which you can prove came from 1996 and which you have had no subsequent ability to access.

Finally, note that either way, you aren't talking about proof in the sense of a mathematical proof, that does not and cannot exist. You can say it is exteremly unlikely, you can say that no evidence has been presented that it happened, but you can't show that it couldn't have happened.

jmoreno
  • 496
  • 2
  • 9
1

It may be worthwhile to point out that virtually all photos are changed during or after capture. As a funny (well, not really funny) anecdote, the same can be the case in a totally-not-obvious way when scanning documents.

Virtually all photos (except when saving RAW data, which is, outside professional photography, very unusual) undergo a rather elaborate manipulation which involves both convolution filters and adjusting curves (and, possibly, other things, such as mixing several captures into one, possibly with different exposures, motion compensation, etc.).

Also, the overwhelming majority of photos (not "virtually all", but really most) are compressed with JPEG, which is technically and factually a change (technically insofar as it's a different representation, and factually because the decompressed signals are not 100% identical). There was a discussion about whether or not JPEGs are admissible as legal evidence (due to not being the original photo) here some 10-12 years ago. I actually never learned what came out of that discussion...

In addition to that, metadata, including time and location data, is saved with the image data, which is sometimes added up to 30-60 seconds after the photo was taken and saved to disk (for example on Panasonic TZ-class cameras where the GPS sensor is rather slow, this happens almost regularly).

That being said, it often possible to show that an edited photograph was edited. That's because the editing process usually is not perfect under high magnification (both in resolution and intensity), and you can usually show artefacts which do not match the normal compression artefacts, or differences in gradients compared to nearby locations.

However, that is proving a positive whereas proving that a photo was not tampered with would be proving a negative which is by definition not possible with absolute certitude (absence of evidence is not evidence of absence).

A digital certificate can somewhat help, but is only as good as the trust that is put into the certificate and the signer. You could very well use a trusted certificate and sign a completely false photo, after all.
Together with your testimony (or another person's of good repute testimony) this is usually good enough, but of course it is not, and can never be, 100% certain.

Damon
  • 5,001
  • 1
  • 19
  • 26
  • -1 "Citation Needed". Can you provide a link backing up the claim that jpgs are not admissible in court? Can you explain on more detail how jpg compression / decompression causes a file on disk to change over time? – Mike Ounsworth Nov 25 '17 at 16:56
  • I'm sure JPEGs are considered legal evidence pretty much anywhere... Otherwise anyone could get away with possession and distribution of child pornography by ensuring every image they have is a JPEG. – forest Dec 14 '18 at 10:08
  • Note also that video formats, which generally are admissible, are often built from JPEGs (I-frames, or intra-coded picture frames, are usually JPEG). – forest Dec 14 '18 at 10:11