Three employees return from an overseas conference. They give the standard what-we-learned presentation at a team meeting. Somehow, the presentation feels thin and generic. Also suspicious: the travellers deflect basic questions.
Flights, hotels, meals and drinks are claimed. Receipts are provided. Still, something doesn’t add up.
Their employer asks for photographs from the conference. No problem, say the employees, who produce snapshots overnight. And that’s where their story unravels.
Solving this true story from the files of the FTS cyber team came down to the same approaches used to refute UFO sightings. These approaches are making it easier to catch everyone, from the false insurance claimant to the litigant who can always produce a convenient document if given enough time.
Digital images are genes in the DNA of every business. Not only because digital photographs are commonplace at work, but also because scanners are nothing more than cameras. Like all digital files, digital images have vital information embedded within them. And like all images, digital images are a temptation to fraud.
Images have tempted people to fraud since the first camera. What changed with the arrival of digital images was the scale of the opportunity for fraud:
- There are exponentially more images in circulation
- The cost of entry to image manipulation is almost nothing. There’s a fraudster’s toolkit in every print room and on every phone, thanks to built-in cameras and app stores.
An original document and a scanner are all it takes to manufacture anything, from pumping up an expense claim to faking a manufacturing certificate, with potentially fatal consequences.
At the same time, many companies are making it even easier for the would-be fraudster.
How companies are inadvertently exposing themselves to image fraud
1. The Dress problem
In 2015, the internet melted down over The Dress. Was it black and blue or white and gold? Whatever the colour, the reminder was clear: our eyes conspire with our brains to deceive us. Yet we continue to take images at face value, whether it’s a photograph or a PDF.
An employee supports a complaint to HR with screenshots of an exchange of texts with a colleague. The colleague will need to move heaven and earth to convince HR that the screenshot is a fabrication. To the naked eye (the same one that can’t always tell black from gold), a Photoshopped text message is indistinguishable from an authentic one. When subjected to mathematical analysis however, the two will be quite different.
2. The PDF problem
Companies routinely insist on PDF for documents, even converting images from their original (and perfectly useable) format.
When you convert an image, Word document or other formats into a PDF, the operation distorts or corrupts evidence. Proving fraud is still possible. However, it takes more effort after a document is ground through the process of being converted to PDF.
Even if you must use PDF, with the right process, that evidence can be collected and preserved from the original file.
3. The knowledge problem
Few people know how to detect and prove document fraud from images, including scans. As a result, companies put up with suspiciously convenient documents or documents that don’t feel right.
However, there are people who make it possible for companies to refuse to accept frauds that would otherwise have been expensive to prove. Our FTS team can forensically examine scans and other images, increasing clients’ options dramatically. Drawing on our backgrounds in images, file forensics, maths and electrical engineering, we have repeatedly flipped suspicious documents into dispute-ending proof of fraud.
Enter the image expert
Image forensics combines maths with an understanding of images and the hardware that creates them. That expertise can be applied at a scale that surprises even people who know the discipline exists. Our FTS cyber team, for example, has used digital forensics techniques to pull out evidence hidden among millions of documents.
The case of the conference-goers who weren’t
You might be able to alter an image with a $4.99 app, and your victim’s eyes might want to believe the result before them. However, it’s exceptionally hard to fool a small but growing number of experts in digital forensics. This was the lesson learned by the conference-going (or not) fraudsters from the start of this article.
What undid these fraudsters was the combination of several techniques.
You can fake the image, but can you fake the narrative?
Every image has a story. Where was this photo taken? What time was it taken? What camera did you use? How did you get the image from the camera? Then what did you do with it? Combining a person’s answers with digital forensics know-how can find holes in the story, whether it’s a UFO sighting or a travel expenses fraud.
Those holes are easiest to find when companies run as few operations as possible on the original document. This is one reason why it’s best to leave documents in their original format wherever possible rather than compressing them into other formats, stripping out important markers.
Each step in producing a digital image alters the file in a way that leaves a trace. Those marks are like the scratches left on a bullet by the barrel of a gun. Just as ballistics is the science of matching a bullet back to a gun, image ballistics is the process of tracing an image back to its source (or proving that the image can’t have come from the claimed source).
- A photograph taken on a particular camera (including a document scanner) will have specific data in the image file. You say you scanned the document in the Melbourne office, but that office has HP scanners, so why does your document bear the markings of a Fujitsu scanner? Even if important metadata has been stripped from a file, we can use characteristics like lens scratches on the supposed source device to authenticate a file.
- Moving the photo from the camera to the computer will add a layer of data.
- Converting the file from one format to another will also alter the data.
The narrative accompanying an image says the picture was taken at a time and a place. In that case, the image will show shadows of a certain length. Measuring shadow length is one tool in the photogrammetry toolkit, the same toolkit used to refute purported images of UFO sightings.
Similarly, we can use photogrammetry to assess whether an object in an image is lit consistently with the light sources present at the time the image was supposedly made. If that image was taken looking north from this garden at noon on 31 January, why are the shadows on that side of the UFO?
Narrative plus analysis exposes fraud
Many people could Photoshop themselves into a stock image of the San Diego Convention Center, but not many could get the shadow length right. Add that to the need to match the expected signatures of the devices in the process, and a fraudster’s task is more complicated than many of them realise.