How to prove the authenticity of a screenshot?

152

25

I have taken some screenshots of a chat from WhatsApp Web using the Windows 8 Snipping Tool. I saved those images in PNG format.

Now I want to prove that those images are the original, not tampered or edited.

Can you please let me know how I can prove that?

Optimus

Posted 2015-12-07T14:28:42.310

Reputation: 1 441

10

Although this old post asked "How to ensure the authenticity of a picture?", the answers suggested checking the metadata. But metadata is useless for screenshot images. While this question has been underestimated, I wish to read good answers on this matter. Hence, +1.

– None – 2015-12-07T18:31:27.230

8 Your best bet is probably to ask WhatsApp if they can provide it to whoever needs the proof directly from their server... – DrakaSAN – 2015-12-07T20:07:27.233

29 Even if you can prove that the screenshot accurately shows what was on the screen at the time, what's to say that the application displaying what you took a screenshot of is legitimate? I could easily make an application that displays an image, and take a screenshot of that. – a CVn – 2015-12-08T08:31:10.557

10 Maybe I've missed it, but I'm surprised that metadata has been mentioned a couple times as being missing from a screenshot image, and therefore the metadata cannot be used to verify the image. Metadata in any image can't be used to verify an image - it's possible to modify the metadata too. – Steve – 2015-12-08T21:35:06.080

4 Posting this as an answer isn't appropriate because it doesn't actually answer the question. But, I wanted to point out that the premise is false anyway. Even if there was a way to prove that the screenshots were legitimate, there is no way to prove that the application and its contents are legitimate. Further, there is no way to prove, solid screenshot or not, that the messages truly originated from the source that the screenshot claims. There's no proof that you didn't intercept the packets and modify the contents to say what you want, etc etc. The whole thing cannot be proven. – None – 2015-12-13T20:43:31.990

1 Just a side point, you can have WhatsApp email you a full archive of any conversation you have. This would probably be easier to authenticate. (an email directly from their server) – WhyEnBe – 2015-12-14T17:54:22.983

Answers

139

You cannot prove that. They were on your PC, fully under your control for some time. You could have tampered with them. Therefore you cannot prove that you did not tamper with them.

If you need to set up a legally safe solution then look for an independent third party and a way to have them store information in such a way that you can only trigger a store or read (e.g., a screenshot on a Citrix server to a write-once location).

Hennes

Posted 2015-12-07T14:28:42.310

Reputation: 60 739

15 Chain of custody – Ƭᴇcʜιᴇ007 – 2015-12-07T14:44:55.497

4 Take the picture with a digital camera? – Freedo – 2015-12-08T01:07:29.210

114 @Freedo What stops you from making a fake screenshot, then displaying it on the screen, then taking a picture of your fake screenshot with a digital camera? – user253751 – 2015-12-08T01:25:33.287

4 Precisely. The only way to have proof is to have it under the control of a trusted, independent party. See Techie007's chain of command. E.g. I could call some lawyer firm and ask them to take a screenshot. Or to weekly download a webshop's terms and conditions. But they should never be under the control of the party who wishes to prove things. – Hennes – 2015-12-08T07:51:22.203

3

If the manipulation happened after somebody took the screenshot then it can be identified (see mixdev's answer), but if you manipulated the content itself (like using Dev Tools in a browser), there is probably no way to check unless the manipulator made a mistake that can be proved by logic. Taking a photo of the screen makes it even harder to prove original because image analysis tools will have a harder time analysing it because of the extra noise from the real world.

– totymedli – 2015-12-08T11:16:19.627

1 @totymedli You should probably say that you might be able to identify manipulation of the image file, the tools mixdev mentions detect certain things like parts of the image that appear to have been saved with different compression mechanisms or metadata that is inconsistent. If someone edited a screenshot in a bitmap format, you likely could not tell using these tools. – nwellcome – 2015-12-10T18:59:30.293

The problem with proving things is that even if you could only do it in certain ways then you can still do it, and thus not prove that you did not do it. – Hennes – 2015-12-10T19:01:07.730

1 @user20574, there's some very limited possibilities for a third party, automated service. The main one is archiving a public website where the archive can only be given a URL, and thus it's proof that that specific URL pointed to a specific page at some time. It's technically possible for authentication to be done, but it's complex and insecure (you'd have to give a third party your password!). – Kat – 2015-12-11T17:33:37.707

107

You can never prove authenticity in a screenshot.

It is incredibly simple to change the apparent content of anything posted in a public place & needs no great skill to totally change the meaning into anything you like…

[image]

This fake screenshot took about 30 seconds in photoshop.

For those who didn't like my quick mockup the first time, here's another, lined up correctly… I chose to use the current version of the question rather than re-mock the original - the result would be the same either way.

[image]

Tetsujin

Posted 2015-12-07T14:28:42.310

Reputation: 22 456

13 Hey, you could have changed the -2 to +97856... – glglgl – 2015-12-07T19:36:35.997

173 And you don't even need photoshop... Opening "Developer Tools" in any modern browser allows you to tamper with any of the content. – hytromo – 2015-12-07T19:38:13.357

52 @hakermania ... proving that even if you could prove the screenshot to be genuine, such information is not useful when you can display anything you want on the screen. – 2012rcampion – 2015-12-07T20:27:32.340

4 This is good information, and I get your point, but technically it doesn't answer the OP's question on how to prove the image is the original. – CharlieRB – 2015-12-07T21:24:11.053

29 @CharlieRB That's because you can't prove the image is the original. If someone asked how to prove that they copy-pasted a paragraph of unformatted text from another site instead of manually retyping it word-for-word, the only correct answer would be "you can't". – Milo P – 2015-12-07T22:31:07.080

10 @MiloPrice but this answer doesn't say "you can't" (directly, at least). – ping – 2015-12-08T00:07:24.637

4 @hakermania Even more easily: Run document.body.contentEditable=true; in the JavaScript console. – user253751 – 2015-12-08T01:41:26.593

If you notice the WhatsApp Web chat image, you will find the things below:

  1. some gradient background behind text
  2. Main chat window also has some gradient background
  3. Profile image shows round circle.

If there are not any changes then there is some way we can find out the truthiness – Optimus – 2015-12-08T14:46:13.603

3 @Optimus - the degree of complexity only increases the difficulty of the challenge, it doesn't in any way preclude it as a possibility. As my 'fake' stands right now, it doesn't even prove who wrote it - as you appear to have changed your user name between then & now, I didn't change the poster's name… though right now it looks like I could have done. – Tetsujin – 2015-12-09T08:54:36.057

1 Bad example. It is trivial to see that it is a fake. The Is are not aligned – njzk2 – 2015-12-10T14:11:07.127

What do you want for a 30s quick fake? Perfection was not the aim, it is merely a simple example – Tetsujin – 2015-12-10T14:14:15.690

THIS LOOKS SHOPPED: The initial letters are not aligned between the paragraphs. (Had you used the devtools as suggested by @hakermania this wouldn't have happened) – Bergi – 2015-12-11T07:39:09.127

It IS shopped; that was the whole idea, a 30s fakeup. Had I taken the extra 30s I could have perfectly aligned it to pixel-level. I didn't, my bad. The entire point was that it was a simple trick. Had hakermania posted his own answer instead of just commenting on mine, he could have had his own upvotes, & he'd have been winning. – Tetsujin – 2015-12-11T07:49:11.060

4 The 30 second claim is fake too. Photoshop can take more than 30 seconds just to start! ;-) – RockPaperLizard – 2015-12-12T01:43:01.330

1 @RockPaperLizard - Point. It is usually, however, already running, as I do a lot of screenshots for SE - it also actually launches in about 5s on this machine. Anyway… there ya go ;) – Tetsujin – 2015-12-12T08:38:45.547

@Tetsujin Does the 30 second claim include the time it took to find the font? ;) – Hashim – 2018-10-29T19:14:49.913

@Hashim - the font was already here on SE. All I did was paste a screenshot of the beginning of my answer into a screenshot of the original question... hence the 30s timeline. – Tetsujin – 2019-06-18T16:51:53.080

34

Of course there is no sure shot way to find image manipulation attempts. But there are some basic techniques people use to manipulate images.

For example, people use photoshop clone tool to duplicate patterns/colors. It may be difficult to detect by manual observation but there are some tools to do that.

Clone tool detection

Have a look. The tool has a number of features to detect image manipulation. http://29a.ch/photo-forensics/#thumbnail-analysis

mixdev

Posted 2015-12-07T14:28:42.310

Reputation: 473

17 This does not apply, however, to some types of images and many types of manipulations. Altering the content of an uncompressed or lossless image with clean lines, UI elements, or text simply cannot be detected. – J... – 2015-12-08T13:13:17.670

1 @J...: Unless you use a program that advertises in the file metadata. I've caught a lot of "screenshots" that were saved with Photoshop. Of course it's not foolproof as it's super easy to strip it. – apscience – 2015-12-09T02:59:28.057

10 @gladoscc you have to save your screenshot with something. I normally paste into the GIMP so I can crop, but that's also what I'd use to fake it. If I wanted a fake to look less fake in the metadata I'd open it in MSpaint and do a "save as". – Chris H – 2015-12-09T10:49:24.040

1

@mixdev, yeah ELA is also something I've found out, I posted some comments here on the subject: http://photo.stackexchange.com/questions/26170/how-to-identify-photoshop-edited-files/26190#26190

– fduff – 2015-12-09T12:06:43.347

1 Or screenshot the photoshop :) – Tim B – 2015-12-10T12:10:24.010

Or: doctor your image up in Photoshop, select all, copy. Open Paint, paste, save as PNG. Metadata gone. – Dan Henderson – 2015-12-10T20:12:47.693

30

Proving that using technical measures is hard. What you can do is document the way you took the screenshots.

One possibility is having a witness present while taking the screenshots. After taking the screenshots, you could print them out with the filenames, date, and time they were taken. Then the witness and you sign those prints.

A digital version of that is screen recording while taking the screenshots. Ideally with audio commentary. At the end you can timestamp and digitally sign all the resulting screenshots and the screen recording.

orkoden

Posted 2015-12-07T14:28:42.310

Reputation: 759

11 Sometimes the best solution is not a technical solution. This is one of those cases. Have a lawyer or a police officer present when you take the screenshot. – Amedee Van Gasse – 2015-12-10T08:30:53.753

4 +1 For having a witness, but it's not enough. You should use their (or a 3rd party) computer/phone and network connection (or VPN) to get the thing you're taking a screenshot of. This avoids tampering with the network, hardware, or application. For example, I could install GreaseMonkey on my browser, use it to alter a web page, bring a witness over, and take a screenshot. If they're using their own computer I could have them do it on my network and modify the content at my network router. Then take a checksum of the resulting image and sign off on that. – Schwern – 2015-12-10T10:01:23.883

1 @Schwern Of course sometimes we want to use the screenshot to demonstrate something directly concerned with the own computer, e.g., "Look, after I left my laptop alone in the hotel for an hour, the foobar.dll has an unusual file size and every time I open a browser funny kittens appear" – Hagen von Eitzen – 2015-12-10T21:47:12.307

1 @HagenvonEitzen In that case, all the witness can do is verify the screenshot has not been altered. They can say nothing about the validity of the content. – Schwern – 2015-12-10T22:15:37.330

3 @HagenvonEitzen something like that would be reproducible and thus wouldn't need proof of a valid screenshot, you could always show it again on your machine. The real concern I should think for this is content that may be removed in response to raising concerns about it. For example illegal content on a webpage, that, once reported might be removed before proceedings – Centimane – 2015-12-11T12:51:52.737

@Dave OK, different scenario: I want to prove that visiting www.example.com installs a virus and downloads child pron, provided you have flash installed. What independent 3rd party would be willing to retry the experiment for documentation and voluntarily risk to have their computer infected, illegal material downloaded, and flash installed? OK; they might run a disposable VM for that, but that is also demanding a lot for just a little witnessing ... All I wanted to say is that this method may not always be applicable – Hagen von Eitzen – 2015-12-11T18:05:11.857

1 @HagenvonEitzen in a case such as that the police would likely be willing to attempt such a thing if reported. Anything that extreme would be valid to report to police I should think, though what with the internet it can be hard to enforce local laws they would still be very credible witnesses. – Centimane – 2015-12-11T18:09:46.933

@HagenvonEitzen you actually have a good way to prove to some degree the authenticity of your screenshot. That is something to say. To use this to prove claims about a third-party is a totally different issue. For that you need to go steps further. Eg. proving that a certain IP responds with payloads including a certain data, to certain requests at a given time frame. Or: what way could property A be proven about entity B about a given time period C. You should raise a different question(s) about it. – n611x007 – 2015-12-11T18:59:04.480

12

There are two issues: prove that you took the picture (not fake), and prove that the picture you took is the picture I received. The first is, as noted by others, of course impossible, as screenshots are trivial to fake because the content is computer generated anyway. The second is much easier, with solutions ranging from comprehensive signature solutions (PGP detached signatures have been around for around twenty years) to a basic fingerprint (SHA is a good choice). Also worth considering are trusted copies (think archive.org or something similar).

hildred

Posted 2015-12-07T14:28:42.310

Reputation: 506

1 +1 for 'trusted copies' (and all that that implies) – Hennes – 2015-12-08T07:52:29.317

1 And 3) that you took the picture from the source you claim it to be (and not some mockup) – Hans Kesting – 2015-12-09T10:55:29.760

prove that the picture you took is the picture I received - it won't prove that. It will prove the picture you received was not changed during transport from them to you, and can prove that nobody else sent it as a forged-sender, but it can never prove the picture they sent you is the picture they took - separately from the truth/fake status of the picture they took. – TessellatingHeckler – 2015-12-11T19:56:08.183

11

Remote browser with public key signed inputs / outputs

http://www.icanprove.de is the most general method I've seen so far.

It provides a remote browser (Firefox based) that records your input, and produces public key signed PDFs that contain the inputs you've made and the screenshot. So you can even log in to pages and prove things afterwards.

The remote browser is slow, so if the information is removed quickly after you see it, you won't be able to prove anything.

For this to work perfectly the output has to contain one screenshot for every single pixel that changes on the screen, e.g. during scrolling or JavaScript animations. Maybe a video format would be more suitable in those cases than PDF as it encodes frames differentially.

And of course, you give your plaintext passwords to that service and to the evidence verifiers. A possibility is to change your password for a dummy one temporarily, but that means yet more overhead.

Wayback machine services

See also

I had asked a similar question for browsers at: https://softwarerecs.stackexchange.com/q/18651/3474

Ciro Santilli 新疆改造中心法轮功六四事件

Posted 2015-12-07T14:28:42.310

Reputation: 5 621

9

First of all, you can't.

If you want to prove that you received message X from Y, ideally you would receive it in front of a notary, on their computer. Lacking a notary, an independent witness may help.

This doesn't preclude that the person at the other side, that you believe to be Y, in fact isn't. So you better have them in front of you and the notary, too.

You can prove that the image existed before a given date (send a hash of the image to a CA signing service, or otherwise publish it in a way that preserves the timestamp and that you can't later tamper with), and that it existed after a given date (like including the headline of today's newspaper).

You cannot trust that what the computer showed was what was sent through the WhatsApp service, not even the logs stored in the suspect's phone. They could all be tampered with by the suspect.

Maybe even what you thought to have received is not what the guy at the other side sent. Perhaps it was modified by a trojan in your computer (or WhatsApp servers). Even the telco could theoretically hijack a WhatsApp account. It would be a bad idea for a hired killer to accept works by WhatsApp. He could believe to be instructed to kill lord Capulet, while the hirer wanted to kill the Montague!

Ángel

Posted 2015-12-07T14:28:42.310

Reputation: 960
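The fingerprint idea from hildred's answer and the "send a hash to a signing service" step in this one, as an added example that is not code from any poster. The folder layout, file names and sample bytes are constructed; `published_digest` stands for whatever value was timestamped, signed (for example with a PGP detached signature) or handed to a third party.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large screen recordings do not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def manifest_digest(files: dict) -> str:
    """One digest over a canonical encoding of the {name: sha256} table."""
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(folder: Path) -> dict:
    files = {p.name: sha256_file(p) for p in sorted(folder.glob("*.png"))}
    return {"files": files, "manifest_sha256": manifest_digest(files)}


def verify_manifest(folder: Path, manifest: dict, published_digest: str) -> dict:
    """Compare files on disk with the manifest, and the manifest with the
    digest that left the owner's control at capture time."""
    result = {"ok": [], "changed": [], "missing": []}
    result["manifest_intact"] = hmac.compare_digest(
        manifest_digest(manifest["files"]), published_digest)
    for name, expected in manifest["files"].items():
        path = folder / name
        if not path.is_file():
            result["missing"].append(name)
        elif hmac.compare_digest(sha256_file(path), expected):
            result["ok"].append(name)
        else:
            result["changed"].append(name)
    return result


def demo() -> dict:
    """Constructed run: fingerprint two files, edit one, then forge the table."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "chat-1.png").write_bytes(b"constructed sample bytes 1")
        (folder / "chat-2.png").write_bytes(b"constructed sample bytes 2")
        manifest = build_manifest(folder)
        published = manifest["manifest_sha256"]   # the value given to a third party
        before = verify_manifest(folder, manifest, published)

        (folder / "chat-2.png").write_bytes(b"constructed sample bytes 2, edited")
        after = verify_manifest(folder, manifest, published)

        # Rewriting the local table to match the edited file hides the change
        # from the per-file check, but not from the published digest.
        forged_files = dict(manifest["files"])
        forged_files["chat-2.png"] = sha256_file(folder / "chat-2.png")
        forged = verify_manifest(folder, {"files": forged_files}, published)
        return {"before": before, "after": after, "forged": forged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

This only addresses the second of hildred's two issues: a file that was edited before the manifest was built verifies cleanly.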

6 If you want to prove that you received message X from Y, ideally you would receive it in front of a notary, on their computer. This might prove you received message X. It doesn't prove it came from Y (man-in-the-middle is an example of why not). – Steve – 2015-12-08T21:36:28.693

@Steve It could be deduced from the more detailed explanation on tampering below, but you are right. I have now edited it to make it clearer. – Ángel – 2015-12-08T21:41:28.480

7

There's no way to verify the authenticity of a screenshot.

Unlike real photographs, screenshots do not have any metadata such as EXIF, nor can they be fingerprinted by the noise in the photo. Screenshots are just a handful of pixels grabbed from the screen at a specific point in time plus a timestamp, and as such can be edited at will.

If the screenshot just so happens to be in JPEG format and you believe something was added or modified in a part of the image, you could (slowly and patiently) discern the features of the image that have fewer artifacts than the rest of the image due to the lossy effects of doubly compressing the image.

If you have reason to doubt the authenticity of a screenshot, assume that it has been altered unless there is additional evidence to support the screenshot. Do not use screenshots as legal evidence that something occurred in a person's computer.

oldmud0

Posted 2015-12-07T14:28:42.310

Reputation: 3 858

4

You can't prove that.

If you did tamper with the image, there are mistakes you could make that might make the tampering obvious. For example (at least on Windows 7), Snipping Tool doesn't write any extra metadata to the image file, and always saves as 32-bit RGBA image data (but maybe that's based on screen image depth). If your purported screenshot has a "Software" tag of "Paint.NET v3.36", then you've definitely tampered with it.

Likewise, tampering could introduce artefacts or inconsistencies in the image itself. For example, if WhatsApp uses a certain font in their user interface and you use a different font; or if you use a slightly different color than what they would actually use; or if they watermark the screen with a QR code of a digitally-signed tag encoding the current date and time, and you destroy or corrupt that watermark. However, a lot of that depends on knowing the details of the WhatsApp application... and once you know the details (so that you can reference them in a "proof"), you can generally in principle make sure that a tampered image conforms to them as well.

WhatsApp might provide a QR code or other barcode of a digital signature over the data you actually want to prove, either easily visible or as a hidden watermark somewhere (in which latter case it might be corrupted by a JPEG screenshot, but should be preserved in PNG). That data might be a recognizable thumbnail of an image, or the text of an associated chat session, or the identity of the person who sent the message. However, I doubt that WhatsApp actually does such a thing.

david

Posted 2015-12-07T14:28:42.310

Reputation: 179
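A check of the two file-level properties this answer mentions (a "Software" text tag and the 32-bit RGBA pixel format), as an added example that is not code from the answer. The sample PNG is constructed inline, only `tEXt` chunks are decoded (not `iTXt` or `zTXt`), and the function names are hypothetical.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(software=None) -> bytes:
    """Constructed 2x2 white RGBA image, optionally carrying a Software tag."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 6, 0, 0, 0)  # 8-bit, colour type 6
    scanline = b"\x00" + b"\xff" * 8                      # filter byte + 2 pixels
    chunks = [make_chunk(b"IHDR", ihdr)]
    if software is not None:
        text = b"Software\x00" + software.encode("latin-1")
        chunks.append(make_chunk(b"tEXt", text))
    chunks.append(make_chunk(b"IDAT", zlib.compress(scanline * 2)))
    chunks.append(make_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list; collect layout, tEXt keywords and CRC failures."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "text": {}, "bad_crc": [],
              "colour_type": None, "bits_per_pixel": None}
    pos = len(PNG_SIGNATURE)
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError("truncated chunk body")
        data = blob[pos + 8:end]
        (stored_crc,) = struct.unpack(">I", blob[end:end + 4])
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            report["bad_crc"].append(name)
        if ctype == b"IHDR" and length == 13:
            _w, _h, depth, colour = struct.unpack(">IIBB", data[:10])
            report["colour_type"] = colour
            report["bits_per_pixel"] = depth * CHANNELS.get(colour, 0)
        elif ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            report["text"][key.decode("latin-1")] = value.decode("latin-1")
        if ctype == b"IEND":
            break
        pos = end + 4
    return report


def metadata_flags(report: dict) -> list:
    """Observations only: an empty list does not show the file is untouched."""
    flags = []
    if "Software" in report["text"]:
        flags.append("Software tag present: " + report["text"]["Software"])
    if (report["colour_type"], report["bits_per_pixel"]) != (6, 32):
        flags.append("pixel format is not 32-bit RGBA")
    if report["bad_crc"]:
        flags.append("CRC mismatch in: " + ", ".join(report["bad_crc"]))
    return flags


if __name__ == "__main__":
    for label, tag in (("no tag", None), ("tagged", "Paint.NET v3.36")):
        print(label, metadata_flags(inspect_png(build_sample_png(tag))))
```

A flag here shows the file passed through another program on its way to disk, which is the narrower sense of "tampered" the answer's author gives in the comments.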

"If your purported screenshot has a 'Software' tag of 'Paint.NET v3.36', then you've definitely tampered with it." That's not true either. – Lightness Races with Monica – 2015-12-10T14:49:39.200

I meant "tampered" in the sense "you didn't take it with Snipping Tool, and immediately save it". Of course it's possible to take a screenshot by some other method, paste it into Paint.NET, and save it without actually making any deliberate changes. – david – 2015-12-10T15:13:19.627

4

Maybe not a screenshot, but maybe a video would be more difficult to fake. The exact steps could be different but you could record a video along the following lines:

  1. start with all windows closed
  2. show the network config to show what proxies you are using
  3. open the command prompt and type the hosts file to show that you are not tampering
  4. in the command prompt ping the hostname that you are going to open so we can see the resolved ip.
  5. open the browser
  6. open the browser network settings so we can see the proxy settings
  7. open a reference site
  8. open the site which you want to actually record
  9. navigate till all the contents you want to record are done
  10. end the video.

Whatever things people may think of faking, you can add some controls for them. Maybe a remote recording system, possibly operated by a third party, possibly a law enforcement agency or a law firm, can work here. Maybe you can open a skype session with them, share your screen and do all these things, and use the video that is recorded by them.

Maybe someone can come up with a 'secure' screen recording system. A screen recording system that 'shakes' the screen in every frame to make linear editing cumbersome and error prone, and stores metadata about the video to make some level of verification possible.

Kinjal Dixit

Posted 2015-12-07T14:28:42.310

Reputation: 161

3

There is no fully secure way to authenticate your screenshot. However you can use a third-party application that sends instantly the read-write date and time of files in the screenshot folder (if it is saved locally) and send them as fast as possible to your authenticator (maybe a friend, your superior or someone that wants to verify its authenticity). This way, the authenticator can see the time that it took from the time the screenshot file was created to the time that he received the file information. If it's small, it's authentic.

If you choose to use other methods to authenticate and it involves sending the file, you might want to use steganography. It's a technique to hide information inside an image. If the image gets altered in the process of sending to someone that might not be fully trusted, the message will be corrupted and, therefore, not authentic.

Victor Marcelino

Posted 2015-12-07T14:28:42.310

Reputation: 213

1 Nothing stops you from preparing a script in advance that would replace part of the screenshot with whatever content you want in less than a second, so "time before arrival" is an absolutely useless metric for checking if a screenshot was tampered with or not. – Oleg V. Volkov – 2015-12-10T08:14:43.477

You don't even need a fast script. The script itself can modify the timestamp of the files. – orkoden – 2015-12-10T13:04:49.733

2

Your question is not really about how to ensure the authenticity of the screenshots you took - it is about how you can prove that your WhatsApp conversation was real and happened as you said. The other answers already made the point (and quite good, I must say) that you cannot really ensure a screenshot was not modified before it was saved.

WhatsApp Web is just a web app that lets you use your browser instead of your phone - however, everything is passing through your phone as you type and send/receive stuff in your browser. Therefore, you can access the original logs for all your conversations in the actual app within your phone.

  • If you need those screenshots because they show a conversation that, for whatever reason, is not stored in your phone anymore, then you might find a solution here.
  • If the conversation you are looking for is in your phone, you can export it into a .txt file using the instructions here.

jimm-cl

Posted 2015-12-07T14:28:42.310

Reputation: 1 469

1

You cannot, as it could have been edited at any time and resaved. What you could do is have an imaging particle analysis done to verify if it was tampered with. You would have to use a company that is known for doing this for evidence. Best bet, besides having it analyzed, is to get a court to subpoena the records of your WhatsApp conversation.

Tim

Posted 2015-12-07T14:28:42.310

Reputation: 578