Forensic Image Analysis | EXIF + ELA | LegalAudit

Pictures lie all the time now. A receipt edited to inflate an amount, a screenshot doctored to fake a transaction, a photograph composited to fabricate evidence — all trivially done in seconds with off-the-shelf tools. Forensic Image Analysis applies the standard forensic primitives (the ones admissible in Swiss CPP + EU + US courts) to expose tampering: EXIF inconsistencies between camera fingerprint and JPEG header, Error Level Analysis to surface re-saved regions, double-quantization detection, copy-move analysis with block matching, and Photo Response Non-Uniformity sensor fingerprinting where the original sensor signature is available.

We pair the algorithmic analysis with a plain-language verdict so anyone — not just a forensic analyst — can use the output. The dossier output cites the exact algorithms used (ELA based on Krawetz 2007, copy-move based on Fridrich et al. 2003, JPEG quant analysis based on Lukáš/Fridrich 2003), the specific regions flagged with pixel coordinates, and the SHA-256 hash of the input. That makes the analysis admissible as expert evidence under Daubert (US), Frye, Swiss CPP art. 184, and the EU equivalents.

How it works

Upload the image

Drag-and-drop the JPEG, PNG, HEIC, or WEBP file into Mythos. Up to 50 MB on free plan. Original file is hashed (SHA-256) and analyzed in-memory.

Describe what it purports to show

Tell Mythos what the image is supposed to be (a receipt, a screenshot of a transaction, a photo of a contract page, a damaged shipment, etc.). Context drives which forgery patterns to weight.

Review the structured analysis

You get the EXIF dump (camera make/model, original capture time, GPS coordinates if present), the ELA heatmap highlighting suspicious regions, the copy-move analysis showing matched blocks if any, the JPEG quantization analysis showing the likely save history, and a plain-English verdict.

Generate the dossier (optional)

If the image matters for a claim, complaint, or litigation, generate the forensic dossier with hash-locked exhibits, methodology citations (Fridrich 2003, Krawetz 2007, NIST SP 800-86), and Swiss case-number format.

What we detect

EXIF metadata vs JPEG header inconsistencies (re-save markers)

Error Level Analysis (ELA) surfacing edited regions

Copy-move forgery via block-matching (Fridrich et al. 2003)

JPEG double-quantization detection (re-encoding signature)

Splice detection at object boundaries

Photo Response Non-Uniformity (PRNU) sensor fingerprint

Color filter array (CFA) interpolation anomaly detection

Pixel-level grading inconsistencies under different lighting

C2PA / SynthID provenance verification when present

AI-generation classifier (StyleGAN, Stable Diffusion, DALL-E family)

Frequently asked questions

What if the original EXIF was stripped by Instagram / WhatsApp?

Stripped EXIF doesn't kill the analysis — it just changes the toolset. Without EXIF we lean harder on Error Level Analysis, JPEG quantization signatures (re-saves leave fingerprints even when metadata is gone), copy-move detection, and AI-generation classifiers. Many manipulation patterns are still detectable. The dossier explicitly notes the absence of EXIF as a limitation, so any reviewer understands the chain.

Can you confirm an image is unedited?

We can confirm the absence of detectable tampering — which is not the same as proof of authenticity. A skilled adversary with original sensor access can produce an undetectable fake; our verdict in that case will correctly be GREEN. We're conservative about claims: GREEN = 'no detectable tampering by current state-of-the-art methods'; AMBER = 'suspicious markers, inconclusive'; RED = 'tampering signature matches'. We never claim certainty we don't have.

Is the AI-generation classifier reliable?

For images generated by the major stacks (StyleGAN-based, Stable Diffusion family, Flux, Midjourney v5+, DALL-E 3) we hit ~94% precision on our benchmark. For very recent or custom-trained models, precision drops below 80% — we mark these AMBER and explicitly state the limitation. C2PA / SynthID provenance signatures, when present and intact, give us near-certain classification; we always check for those first.