Accepting digital images of official documents is common practice. It's a convenient and quick way to exchange contracts, photographs, or identity verification documents (e.g. birth certificate, utility bill, etc.). Customers don’t need a traditional fax machine. For less than $300, anyone can purchase a multi-function device that prints, scans, faxes, and copies everything needed. However, many organizations that receive and process scanned or faxed documents are either unaware of--or are ignoring--the risk involved.
Technology today makes it easy for anyone with a PC to modify official documents, including photos, changing material content. Receivers of this material might process these digital forgeries unless they have controls in place to verify key information.
So what is digital image forgery?
What is digital image forgery?
First, let’s define what we mean by a digital image. For the purpose of this article, a digital image is any photograph, agreement, letter, or other written instrument, which has been scanned or faxed, creating an image of the original. And we’re also making an assumption: any image can be modified. Cleanup of these documents is not forgery. Digital image forgery is the process of changing material elements of a document and representing the changes as true copies of the original.
Modifying digital images is not difficult. Simple applications can be purchased for under $100 that do a reasonable job of changing key elements. The following are a few examples of what can be done with photographs. As we’ll see later in this article, criminals can use these same techniques to alter document images.
Tampering is manipulation of an image to achieve a specific result. Figure 1 is a good example. In the photo on the left, Lenin and Trotsky stand side-by-side. On the right, Trotsky seems to have disappeared.
Figure 1: Image Tampering (Farid)
Sometimes changing the meaning of a document or attempting to make a point requires combining images from different documents. This is known as compositing. The original image on the left in Figure 2 shows John Kerry without Jane Fonda. She appears alone in another original image on the right. However, the composite image in the center brings these two images together into a single picture that tells a different story.
Figure 2: Compositing (Summers and Wahl, 2006)
Copying background or other features from one part to hide or alter other areas of the original is another approach to document forgery. Figure 3 is an example of this copy-move process, as is the written document alteration example that follows. Notice the truck has disappeared, “covered” by foliage copied from higher and to the left in the same photo.
Figure 3: Copy-Move (Summers and Wahl)
Example of copy-move and compositing in written document images
Using these techniques to alter written documents is not difficult. I proved this to myself by using Adobe Photoshop Elements, my Canon MP530 multi-function printer, and Microsoft Office 2007 (Professional). It’s important to note that my abilities with imaging technology are very limited, bordering on non-existent. So if I can achieve these simple results, more experienced users can accomplish much, much more.
The objective of the test was to determine how easy it would be to alter a scanned notarized document for the purpose of emailing or faxing falsified information. The best document I had available for this was my Kansas birth certificate. Kansas stopped using raised seals and went to a standard stamp and signature for certifying authenticity. They coupled this with a multi-colored form that is supposed to prevent forgeries.
Figure 4 is an image of the back of my certificate, as scanned into Photoshop Elements (PE) from my Canon printer. The red arrows point to the text I altered in a copy-move during the test. I intentionally blurred the last name in the signature.
Figure 4: The back of my unaltered birth certificate
Figure 5 depicts the altered certificate. The first change is the removal of “true and correct” from the first line. The second change was the removal of the stamped date near the center. Finally, I blanked out the last name in the registrar’s signature. This was all done to a PE image by copying background pixels and overlaying them on top of the original pixels. I could have easily replaced the original text with “adjusted” text if needed. (The white box at the top of the form was intentional. Copying the background as an overlay leaves no trace.)
Figure 5: Altered birth certificate
This process would produce a “good enough” forgery of any document, resulting in most organizations accepting it as authentic.
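For receivers of such images, the copy-move edit described above has a measurable side effect: in a losslessly saved file the overlaid patch duplicates pixels that already exist elsewhere in the image. The following is an added example, not part of the original article, that finds such duplicates by exact block matching on a constructed noisy grid; the function names, block size, and thresholds are assumptions chosen for illustration. Exact matching stops working once the image is re-scanned, faxed, or recompressed, because pixel values change.

```python
import random
from collections import defaultdict

def make_scan(width=64, height=48, seed=7):
    """Constructed sample: a noisy grayscale grid standing in for a scanned page."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(width)] for _ in range(height)]

def copy_move(img, src, dst, size):
    """Overlay the size x size patch at src=(row, col) onto dst=(row, col)."""
    (sr, sc), (dr, dc) = src, dst
    patch = [row[sc:sc + size] for row in img[sr:sr + size]]
    for i, row in enumerate(patch):
        img[dr + i][dc:dc + size] = row

def find_duplicate_regions(img, block=8, min_blocks=20, min_contrast=16):
    """Map each shift (d_row, d_col) shared by >= min_blocks identical blocks to its count."""
    height, width = len(img), len(img[0])
    seen = defaultdict(list)
    for r in range(height - block + 1):
        for c in range(width - block + 1):
            rows = tuple(tuple(img[r + i][c:c + block]) for i in range(block))
            flat = [p for row in rows for p in row]
            if max(flat) - min(flat) < min_contrast:
                continue  # blank paper matches itself everywhere; skip flat blocks
            seen[rows].append((r, c))
    shifts = defaultdict(int)
    for positions in seen.values():
        for i, (r1, c1) in enumerate(positions):
            for r2, c2 in positions[i + 1:]:
                shifts[(r2 - r1, c2 - c1)] += 1
    # A real copy-move yields many block pairs with the same displacement.
    return {s: n for s, n in shifts.items() if n >= min_blocks}

def demo():
    """Scan the constructed image before and after a simulated copy-move."""
    scan = make_scan()
    before = find_duplicate_regions(scan)
    copy_move(scan, src=(4, 6), dst=(24, 36), size=16)
    return before, find_duplicate_regions(scan)

if __name__ == "__main__":
    print(demo())
```

A displacement reported with a high block count marks where a region was copied from and pasted to, which tells a reviewer which part of the document to compare against the original.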
Next, I tested how easy it would be to remove the registrar’s information from the document for use on something else. For this test, I used the Microsoft Office Document Imaging (MODI) utility. This application comes with Microsoft Office 2007, although it isn’t installed unless you choose a custom installation. I hadn’t, so I installed it using Add Programs from the Control Panel.
MODI performs two useful tasks. First, it performs an OCR analysis of the scanned document. All text is then available to be copied to Word. It also provides an easy way to select and create high-quality copies of images contained in the document. These capabilities allowed me to create the document shown in Figure 6. A forger could potentially copy the registrar’s information, seal, and signature onto any other document to make it appear authentic.
Figure 6: Compositing test
But suppose a criminal isn’t inclined to spend the time to forge his or her own documents. Well, there is a solution for the time-deprived or lazy criminal—scanlab.name. For the right price, ScanLab can produce just about any forgery required. But don’t forget to use the English translation. The original is in---wait for it---Russian. Go figure.
In Part 2, we’ll look at ways organizations can combat digital forgery.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.