Reading · Image authentication

Is the Image Even Real?

An exhibit lands in evidence: a CCTV still, a phone clip, a confession recorded in a stairwell. For most of forensic history the question was who is in it. Now an older one waits in front of it: did this happen at all, or did someone make it. These six moves are how a cross-examiner tests an authentication, and how a careful analyst says what an image can and cannot prove.

16 min read · Based on the image-authentication and deepfake research
I

The first question is whether it happened

A CCTV still of a man at a till. A phone clip of a punch thrown outside a pub. A "confession" recorded in a stairwell. For most of forensic history the live question about an exhibit like this was who is in it. That question now waits behind an older, simpler one: did this happen at all, or did someone make it.

Maura Grossman and Paul Grimm, in the Columbia Science and Technology Law Review in 2025, put it bluntly. Between 2014 and 2024, generative AI went from a research curiosity to something anyone with a browser can use to produce synthetic images, audio, and video so realistic that, in their words, it is "nearly impossible, even for computer scientists, to tell authentic from fake content." A voice clone drained nearly 200,000 pounds from a UK energy firm in 2019. In 2024 a Hong Kong finance worker paid out 25.6 million dollars after a video call in which every participant except him was a deepfake.

The courtroom version cuts both ways, and that is the part to hold onto. The first kind of trouble is the fabricated exhibit that passes as real. A recording of a Pikesville, Maryland high school principal making racist remarks went viral in December 2023, drew death threats, and got him put on leave. Forensic analysis later found the audio held "traces of AI-generated content with human editing after the fact." The athletic director who made it was charged. The principal was telling the truth the whole time.

The second kind runs the other direction. In 2018 Robert Chesney and Danielle Citron named the "liar's dividend": once people know convincing fakes exist, a guilty party can wave away real evidence by saying it could be one. After January 6, defendants in U.S. v. Doolin and U.S. v. Reffitt told the jury the video against them might be deepfaked. Tesla's lawyers argued Elon Musk's recorded statements about autonomous driving could themselves be fakes, until Judge Pennypacker refused to let a public figure dodge his own words that way.

So an authentication call has two ways to go wrong, and both wreck a case. Say "this is real" about a fabrication and you help convict on a lie. Say "this could be fake" about something authentic and you sink real evidence that should have landed. Neither error is recoverable once a jury has seen the clip. The threshold for getting audio or video before a jury is low: the proponent need only show it is "more likely than not" what they claim. Once the jury has watched it, the court "cannot unring this bell."

That is the job this reading is about. Not who is in the frame, but whether the frame is true. The analyst stands where that question gets answered, and the lawyer questioning the analyst stands where it gets tested. Container metadata, PRNU camera fingerprints, copy-move traces, deepfake artifacts: all of it exists to answer one thing under oath. Is the image even real.

Once this audio evidence is heard by the jury, the effect is often permanent and indelible. A court cannot unring this bell.
Grossman and Grimm, Columbia Science and Technology Law Review (2025)
A heavy hanging bell mid-strike in a near-black space, its rim blurred with the shock of having just rung, the sound made visible as expanding rings of magenta-and-cyan glitch tearing outward across the frame, impossible to pull back into the bell.
Fig. 1 · Once a jury has watched the clip, the court cannot unring this bell. A wrong call in either direction is permanent.
Challenge 01 · Put it to the test

Prove it was not AI

Counsel sets down the exhibit, leans in, and frames the impossible demand.

The question

"Mr. Analyst, you cannot prove this video was not generated by AI, can you? You can only tell us you found no sign that it was."

Your answer
II

Three layers, three different questions

An authentication opinion is really three separate examinations stacked on top of each other, and each one answers a different question. Confuse them on the stand and counsel will pull the whole opinion apart. So keep them straight.

The first layer lives inside the pixels. This is the Hany Farid photo-forensics tradition: you look for the physical traces that editing leaves behind. A spliced-in region carries compression history that does not match the rest of the frame, so re-saving the file reveals JPEG "ghosts" where two compression levels collide. Copy-move forgery, where part of an image is cloned to cover something up, leaves two regions that are suspiciously identical. Resampling a patch to fit leaves periodic correlations between neighbouring pixels. Error-level analysis flags areas that compress differently from their surroundings. Every one of these methods only fires under its own assumptions. Chen, Fridrich and Goljan say it bluntly: each method "only works when specific assumptions are satisfied and will fail if the assumptions are not met," and digital forgery detection is "a complex problem with no universally applicable solution." The truthful pixel-level answer is rarely "this is fake." It is "I ran these tools, here is what fired, here is what did not."

The second layer asks whose camera, and it does not give you a yes or no. Chen, Fridrich and Goljan (2008) treat photo-response non-uniformity, the tiny manufacturing variation that makes every sensor respond to light slightly differently, as a camera fingerprint. They call it "a unique authentication watermark involuntarily inserted by the imaging sensor." You estimate that fingerprint from reference images, ideally out-of-focus shots of a cloudy sky, then test whether the questioned image carries it. The structure is the part that matters in court: it is a Neyman-Pearson hypothesis test. You set a decision threshold to hold a chosen false-alarm rate, then report the probability of falsely rejecting a real match. The same fingerprint, run block by block, flags tampered regions as the places where the sensor noise has gone missing. The authors warn about the boundary of the method: a change that preserves the noise, like recolouring a stain to look like blood, will not be detected.

The third layer never opens the picture at all. Iuliani and colleagues (2019) analyse the container, the file's internal scaffolding. An MP4 or MOV file is a nest of boxes called atoms (ftyp, moov, mdat, trak), and the order and arrangement of those boxes is written differently by every device and app. Their method measures the dissimilarity between a questioned file's structure and a native reference from the claimed device. On the VISION dataset of 578 native videos plus social-media copies, it scored an AUC of 1, perfect separation, for videos altered by WhatsApp, YouTube, or FFmpeg. The result that lawyers should note: FFmpeg cutting a clip without re-encoding leaves the pixels untouched, so stream-based tools see nothing, yet the container betrays the edit. Brand identification rides a likelihood ratio, the same statistic the forensic community uses for DNA. Container analysis also rescues you when the video is too low-quality for pixel methods to bite.
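
The structural comparison described above, as an added example (not code from Iuliani et al. or from this page): a minimal ISO BMFF box walker plus a Jaccard distance over box paths, which is a simplified stand-in for the paper's dissimilarity measure. Both sample files are constructed byte strings, not output captured from any device or tool; they share the same media payload and differ only in how the boxes are arranged.

```python
import hashlib
import struct

# Box types whose payload is itself a sequence of boxes (a subset of ISO BMFF).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts"}


def box(kind, payload=b""):
    """Serialize one box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def walk(data, start=0, end=None, prefix=""):
    """Yield (path, sibling_index, payload_offset, payload_size) in file order."""
    end = len(data) if end is None else end
    pos, index = start, 0
    while pos < end:
        if pos + 8 > end:
            raise ValueError(f"truncated box header at offset {pos}")
        size, kind = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1 and pos + 16 <= end:   # 64-bit size follows the type
            size, header = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:                     # box runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"malformed box at offset {pos}")
        path = f"{prefix}/{kind.decode('latin-1')}"
        yield path, index, pos + header, size - header
        if kind in CONTAINERS:
            yield from walk(data, pos + header, pos + size, path)
        pos, index = pos + size, index + 1


def signature(data):
    """Structural symbols: each box's path plus its position among siblings."""
    return {f"{path}#{index}" for path, index, _, _ in walk(data)}


def dissimilarity(questioned, reference):
    """Jaccard distance between two signatures (0.0 means identical layout)."""
    a, b = signature(questioned), signature(reference)
    return 1 - len(a & b) / len(a | b) if a | b else 0.0


def payload_digest(data, wanted):
    """SHA-256 of the first box found at `wanted`, e.g. the stream in /mdat."""
    for path, _, offset, size in walk(data):
        if path == wanted:
            return hashlib.sha256(data[offset:offset + size]).hexdigest()
    raise KeyError(wanted)


# Constructed samples: the same media bytes wrapped in two different layouts.
MEDIA = bytes(range(64))  # stands in for the encoded audio/video stream
FTYP = box(b"ftyp", b"isom\x00\x00\x02\x00isomiso2")
MVHD = box(b"mvhd", bytes(100))
TRAK = box(b"trak", box(b"tkhd", bytes(84)))

NATIVE = FTYP + box(b"moov", MVHD + TRAK) + box(b"mdat", MEDIA)
REWRAPPED = (FTYP + box(b"free") + box(b"mdat", MEDIA)
             + box(b"moov", MVHD + TRAK + box(b"udta", box(b"meta", bytes(4)))))

if __name__ == "__main__":
    same_stream = payload_digest(NATIVE, "/mdat") == payload_digest(REWRAPPED, "/mdat")
    print("media payload identical:", same_stream)
    print("container dissimilarity:", dissimilarity(REWRAPPED, NATIVE))
    for symbol in sorted(signature(REWRAPPED) - signature(NATIVE)):
        print("only in questioned file:", symbol)
```

A stream-level comparison of these two samples sees no difference, while the structural distance is non-zero and names the boxes that account for it.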

Three layers, three questions: what happened inside the image, which sensor made it, and how the file was built. Describe your own work this way and you sound like what you are, a methodical examiner, not an oracle.

Each method only works when specific assumptions are satisfied and will fail if the assumptions are not met. Obviously, digital forgery detection is a complex problem with no universally applicable solution.
Chen, Fridrich, Goljan & Lukáš (2008)
Three thin glass plates stacked in clear receding depth in a near-black space, the top etched with a fine pixel grid, the middle holding a faint sensor-noise speckle, the bottom showing a nested arrangement of rectangular file boxes, the whole stack fringed by a magenta-and-cyan RGB split.
Fig. 2 · Three plates, three examinations: what happened in the pixels, which sensor made it, and how the file was built. Confuse them on the stand and the opinion comes apart.
Challenge 02 · Put it to the test

Which method gave a yes or no?

Counsel walks the analyst back through the report, method by method.

The question

"You testified the image is authentic. Which of your three methods returned a yes-or-no answer, and for the PRNU test, what false-alarm rate did you set your threshold to, and what was the probability you would have wrongly rejected a real match?"

Your answer
III

A negative result is not proof

Dirik and Karakucuk took fifty images from a Sony DSC-H50, estimated its sensor fingerprint, and then erased it. After their anonymization, the peak-to-correlation-energy that links an image to its camera fell from an average of 5621.94 down to 6.29. The decision threshold for a match is 50. So an image that screamed "this camera took me" now falls well below the line, looking for all the world like it came from some other device. Across nine cameras, including a Canon EOS 1100D, a Nexus 4, and a Samsung S3 Mini, their method anonymized 99 percent of images. And it did this while keeping picture quality near 38 dB PSNR, meaning the photo still looks normal to any eye and any jury.

PRNU is the photo-response non-uniformity of a sensor, the fixed pattern of tiny manufacturing imperfections that acts like a fingerprint for a specific camera. The selling point in court is that it is hard to fake. Dirik and Karakucuk show the other half. They subtract a scaled noise estimate from the image, multiplying it by a factor (their typical value was around 3.0) until the correlation collapses, and they did it without ever touching the physical camera. A set of images from that camera was enough. The same machinery that removes a fingerprint can transfer a different one in. That means a PRNU "match" can be manufactured to frame a device, and a "no-match" can be engineered to hide one. The image still passes a casual look.

The pixel-level cues are softer than that. JPEG ghosts, resampling traces, double-compression artifacts: these live in the very data that gets rewritten every time a file moves. CCTV exports re-encode. Every social platform re-encodes. Yang and colleagues measured exactly this collapse for container traces. Their EVA method hit 97.6 percent accuracy distinguishing pristine from tampered video, even on a clip cut without re-encoding or shrunk to thumbnail size. Then they ran the same videos through Facebook, TikTok, Weibo, and YouTube. Accuracy fell to 0.76, 0.80, 0.79, and 0.60. On YouTube the true negative rate, the rate of correctly flagging a tampered video, was 0.36. In their words, "the social media transcoding process that flattens the containers almost independently on the video origin." After YouTube, videos edited with Avidemux and with Exiftool had identical container representations.

Container and metadata are softer still. Yang's team changed a video's date with one Exiftool command: exiftool "-AllDates=1986:11:05 12:00:00". Metadata is text in a box, and ordinary tools rewrite it or strip it at will.

Two facts carry into the box. A negative authentication result is not proof the image is real, because the same tools that read a fingerprint can forge one and the same pipelines that carry an image erase the traces. And a negative result is not exculpatory. When your analyst finds no manipulation, that finding is consistent with a real image and consistent with a fake that was laundered through YouTube or anonymized by a method published in 2014. Absence of detected tampering is not evidence of authenticity. It is absence of evidence, and a careful witness says so before counsel says it for them.

After YouTube transcoding, videos produced by Avidemux and by Exiftool have exactly the same container representation.
Yang et al. 2020, Efficient video integrity analysis through container characterization
A dark panel carrying the fine speckled noise-texture of a camera sensor, a gloved hand drawing a squeegee across it so the right half is wiped to a smooth, blank, traceless surface while the left still holds its unique grain, the magenta-and-cyan fringe surviving only in the untouched half.
Fig. 3 · The same machinery that reads a sensor fingerprint can scrub it away. A blank where the fingerprint was is not proof the image is clean.
Challenge 03 · Put it to the test

Authentic, or just laundered?

Counsel holds up the report at the line that reads "no signs of manipulation."

The question

"Your report says you found no signs of manipulation. Can you tell the jury the difference between an image you have proven is authentic and an image where a method like Dirik's 2014 anonymization, or a single pass through YouTube, has already erased the traces you were looking for?"

Your answer
IV

A detector that scores 99 percent on the benchmark can be near chance on your exhibit

In 2019 Andreas Rossler and colleagues released FaceForensics++, a dataset of over 1.8 million manipulated facial images built from four methods (DeepFakes, Face2Face, FaceSwap, and NeuralTextures), and an XceptionNet detector that hit 99.26 percent binary accuracy on raw video. That number is where the modern deepfake-detection field gets its confidence. It is also where the trouble starts, because that number describes the detector recognising the exact manipulations it was trained on, in the conditions it was trained in.

Rossler's own paper shows the floor under those numbers. Push the same XceptionNet from raw video to low-quality H.264 compression (the kind a social platform applies) and accuracy falls from 99.26 to 81.00 percent. On their own held-out benchmark, where videos were re-compressed and re-sized in unknown ways to mimic the wild, the same low-quality model lands at 70.10 percent total accuracy, and its precision on pristine (real) images drops to 52.40 percent, barely above a coin flip. The detector is now wrong about authentic footage almost half the time.

Then the generators move. Dell'Anna, Montibeller, and Boato built TrueFake in 2025: 600,000 images from current GANs and diffusion models, with 180,000 pushed through Facebook, X, and Telegram. Five state-of-the-art detectors scored 0.93 or higher on the image classes they saw in training. On StyleGAN3, a generator absent from training, three of the four CNN detectors collapsed to true-positive rates of 0.00, 0.02, and 0.00. They called real every fake. After Facebook sharing, the NPR detector's fake-detection rate fell to zero across StyleGAN images, and Facebook alone drove true-positive and true-negative losses of 10 to 100 percent across every detector tested. Even CLIP-D, the best performer, still lost roughly 10 percent or more on half the image classes once images were socially compressed.

Luuk Spreeuwers and colleagues at Twente found the identical pattern in face-morphing attack detection in 2022. Their LBP/SVM detector scored an equal error rate of about 2.5 percent within a single dataset, in line with the 99-percent-plus rates the morphing literature reports. Trained on FRGC and tested on ARF, a different morphing set, the equal error rate jumped to 80 percent. Adding Gaussian noise invisible to the eye pushed within-dataset error from under 5 percent to above 20 percent; down-up scaling pushed it above 12 percent. On the SOTAMD benchmark, built from seven morphing tools with print-and-scan variants, every algorithm tested failed the hardest cases.

The mechanism is the same each time. These detectors learn the fingerprint of a specific generation pipeline, then meet an exhibit made by a tool they never saw, compressed by a platform that launders the traces. A high benchmark score is an in-distribution recognition rate, not a casework error rate. When counsel asks your opinion on whether an image is real, the relevant question is never how the detector did on FaceForensics++. It is what the detector does on this exhibit, from an unknown generator, at this compression level, with an error rate nobody has measured on these conditions.

The cross dataset performances were much worse than the within dataset performances ... the EER of the LBP-SVM1 and LBP-SVM2 methods increases to 80% resp. 79%.
Spreeuwers et al. 2022, Sec. 16.6.2
Two identical instrument dials side by side in a near-black space: the left one on a spotless calibrated bench reads pinned near the top of its scale, the right one mounted on a torn, glitch-corrupted real-world surface has its needle slumped to the undecided middle of the scale.
Fig. 4 · On the bench it reads near perfect. On the real exhibit, an unknown generator after social compression, the same detector slumps toward the middle of the dial.
Challenge 04 · Put it to the test

Where was 99 percent measured?

Counsel writes the headline accuracy figure on a board and turns back to the witness.

The question

"You testified this detector achieves over 99 percent accuracy. Was that figure measured on the generator and compression that produced this exhibit, or on a benchmark of manipulations the system was trained to recognise? What is the error rate on an unknown generator after social-media compression?"

Your answer
V

Signing the picture does not save the picture

Leonard Rosenthol chairs the technical working group of the Coalition for Content Provenance and Authenticity, and at a 2022 presentation he laid out the fix everyone keeps reaching for. C2PA does not try to catch fakes after the fact. It attaches history. A camera signs an "origin manifest" at capture: Canon body, Truepic software, this time, this place. Photoshop adds an "active manifest" when someone applies a filter, signed by Adobe on the user's behalf. The New York Times compresses it, adds a caption, signs again. Each step bundles assertions, cryptographic hashes, and an X.509 certificate, the same trust model behind the padlock in your browser. The pitch, in Rosenthol's words: unlike detection, "it's not an arms race." You are not guessing whether the image is fake. You are reading who touched it and when.

That sounds like the witness's dream exhibit. Then Golaszewski, Krawetz, Sherman and colleagues at UMBC, Hacker Factor and the NSA ran the first independent security analysis of the specification, and the conclusion in their executive summary is blunt: the current C2PA specifications "fail to achieve their claimed security goals." C2PA makes only two security claims, claim integrity and a weak file integrity that, by design, protects only bits outside an "exclusion range." Their formal-methods work shows timestamps can be replaced without detection, because nothing in the signed data references the timestamp. Conforming validators are not required to check for revoked certificates, so a compromised key keeps signing. They demonstrate it with a worked case: a Nikon Z6 III certificate that Nikon revoked in November 2025 still reads as valid in Adobe Inspect six months later, while a second tool calls the same file invalid. Same image, two "conforming" tools, opposite verdicts. A Pixel 10 Pro puts GPS in the exclusion range, so an attacker can insert a false location the validator happily displays. And credentials expire: an Arizona Secretary of State pilot image validated in January 2025 and failed a year later, file unchanged.
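
What "protects only bits outside an exclusion range" means for an examiner, as an added example (not code from the C2PA specification or from the report): a simplified model of a hash computed with exclusion ranges, plus an audit that lists which fields the hash does not cover. The file layout, field names and coordinate values are constructed, and the code does not parse or verify real manifests or signatures.

```python
import hashlib
import hmac


def layout(segments):
    """Concatenate named segments; return (bytes, {name: (start, length)})."""
    data, fields = b"", {}
    for name, content in segments:
        fields[name] = (len(data), len(content))
        data += content
    return data, fields


def covered_digest(data, exclusions):
    """SHA-256 over every byte that is NOT inside a (start, length) exclusion."""
    digest, pos = hashlib.sha256(), 0
    for start, length in sorted(exclusions):
        if start < pos or start + length > len(data):
            raise ValueError("overlapping or out-of-range exclusion")
        digest.update(data[pos:start])
        pos = start + length
    digest.update(data[pos:])
    return digest.hexdigest()


def validate(data, exclusions, signed_digest):
    """True when the covered bytes still match the digest that was signed."""
    return hmac.compare_digest(covered_digest(data, exclusions), signed_digest)


def unprotected_fields(fields, exclusions):
    """Names of fields with at least one byte inside an exclusion range."""
    return [
        name for name, (start, length) in fields.items()
        if any(start < ex + exlen and ex < start + length
               for ex, exlen in exclusions)
    ]


def with_field(data, fields, name, new_content):
    """Return a copy of `data` with one field replaced by same-length bytes."""
    start, length = fields[name]
    if len(new_content) != length:
        raise ValueError("replacement must keep the field length")
    return data[:start] + new_content + data[start + length:]


# Constructed sample file: four labelled regions.
ORIGINAL, FIELDS = layout([
    ("header", b"\xff\xd8CONSTRUCTED-IMAGE"),
    ("manifest", b"<claim+signature placeholder>"),
    ("gps", b"GPS:52.2200N,006.8900E"),
    ("pixels", bytes(range(256))),
])
# The manifest must be excluded because it carries the digest itself; the GPS
# field is excluded here to mirror the device behaviour the report describes.
EXCLUSIONS = [FIELDS["manifest"], FIELDS["gps"]]
SIGNED = covered_digest(ORIGINAL, EXCLUSIONS)

GPS_CHANGED = with_field(ORIGINAL, FIELDS, "gps", b"GPS:00.0000N,000.0000E")
PIXELS_CHANGED = with_field(ORIGINAL, FIELDS, "pixels", bytes(256))

if __name__ == "__main__":
    print("original validates:      ", validate(ORIGINAL, EXCLUSIONS, SIGNED))
    print("GPS changed validates:   ", validate(GPS_CHANGED, EXCLUSIONS, SIGNED))
    print("pixels changed validates:", validate(PIXELS_CHANGED, EXCLUSIONS, SIGNED))
    print("fields outside the hash: ", unprotected_fields(FIELDS, EXCLUSIONS))
```

The audit function is the part to carry into a report: any value a validator displays from a field on that list is unauthenticated, whatever the badge says.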

The deeper point for your case is what provenance cannot do. Their report draws the line precisely: "C2PA provides provenance signals, not proof of authenticity." Provenance is the file's history. Authenticity is whether the content truthfully shows a real event. A perfectly signed manifest can wrap a fabricated scene, and the absence of a credential proves nothing, because most exhibits that land on the bench carry no credential at all.

Williams and colleagues at Liverpool John Moores add a problem from the other direction. The tools you use to examine the exhibit can change it. Feeding a known synthetic image through Magnet Copilot AI, they found the detector outputs a content-identical copy with a new inode change date and altered file permissions, an entirely separate file to the operating system even when the pixels match at SSIM 1.0. They also flag Matter of Weber (October 2024), where a court rejected an expert's use of Microsoft Copilot for lack of repeatability. So provenance helps for cooperatively created, signed-at-capture media. For the arbitrary exhibit in front of the jury, it mostly tells you nothing, and the act of checking can itself disturb the original.

C2PA provides provenance signals, not proof of authenticity.
Golaszewski et al., Verifying Provenance of Digital Media (2026)
A heavy formal wax seal with a trailing ribbon pressed crisply onto a printed photograph in a near-black space, the seal immaculate and authoritative while the photograph it certifies is tearing apart into corrupted pixel blocks and a magenta-and-cyan RGB split.
Fig. 5 · A flawless seal can certify a fabricated scene. Provenance tells you who signed the bits, not whether the event was real.
Challenge 05 · Put it to the test

A valid credential, but real?

Counsel produces a file with a green "verified" Content Credential badge.

The question

"This exhibit carries a valid Content Credential showing it came straight from the camera, correct? So you accept it is authentic. Now: does that credential tell us the scene in front of the lens was real, or only that some signing key approved the bits, with no revocation check, a timestamp that could have been swapped, and a GPS field the camera left in the exclusion range?"

Your answer
VI

Consistent with is not the same as proven

Onyekwere and colleagues reviewed ten of the strongest deepfake detection studies published between 2018 and 2025 and scored each one against forensic evidence standards. Not one cleared the bar. XceptionNet, the field's reference detector, hit 99.26% on FaceForensics++ in the lab and fell to 65.18% on Celeb-DF, a 34-point collapse the moment the manipulation method changed. MesoNet did worse, dropping to 54.82%, barely better than a coin. Across every tool reviewed, zero studies reported confidence intervals, and only 40% reported false positive or false negative rates at all. That is the gap you carry into the witness box, and it is why "the tool flagged this as a deepfake" cannot become "this is a deepfake" on the stand.

Hold the line on what you actually found. SWGDE's Best Practices for Image Authentication (version 2.0, March 2025) is blunt about this: it is impossible to prove a negative. A thorough examination can support that it is unlikely the imagery was manipulated or digitally created, and if alterations are detected, the practitioner may conclude the imagery is not authentic. Those are the two truthful directions. "No indications of manipulation were found" is a finding about your examination, not a certificate of authenticity. SWGDE also warns that a single still can be manipulated in a way a trained examiner may not detect, and that it is now theoretically possible to generate a single frame of a person that no human can flag as virtual. So you authenticate a series of images or a video where you can, and you say so when you cannot.

Counsel will ask for your error rate on this tool, for this kind of exhibit. If you have a validated casework rate, give it. If you do not, concede it directly, because the literature says you almost certainly do not have one to give. Onyekwere notes that reported false positive rates around 12.8% run vastly above DNA or fingerprint analysis, and that at realistic prevalence a strong detector can produce dozens of false accusations for every true one. A benchmark number is not a casework number.

Keep integrity separate from authenticity. SWGDE is explicit that image authentication must not be confused with demonstrating the integrity of the evidence: a hash confirms a copy is identical to the file it came from, but it cannot speak to the veracity of the scene depicted. So you hash on receipt, preserve the original, work only on a working copy, and document the workflow contemporaneously. That is chain of custody. It does not make the picture true.
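
The intake workflow above, as an added example (not SWGDE's or any vendor's code): hash on receipt, examine only a verified working copy, and afterwards report content changes separately from file-system metadata changes. It also covers the earlier point that a tool can emit a content-identical file that is still a different file to the operating system. The exhibit bytes, file names and the stand-in "tool output" are constructed, and only size, permission bits and modification time are tracked.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path):
    """Stream the file so large video exhibits are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(path):
    """Content hash plus the file-system metadata worth logging at intake."""
    info = os.stat(path)
    return {
        "sha256": sha256_file(path),
        "size": info.st_size,
        "mode": oct(stat.S_IMODE(info.st_mode)),
        "mtime_ns": info.st_mtime_ns,
    }


def intake(original, workdir):
    """Hash on receipt, then hand back a verified working copy to examine."""
    receipt = snapshot(original)
    working = os.path.join(workdir, "working_" + os.path.basename(original))
    shutil.copy2(original, working)  # copy2 also carries timestamps and mode
    if sha256_file(working) != receipt["sha256"]:
        raise RuntimeError("working copy does not match the received file")
    return receipt, working


def compare(receipt, path):
    """Separate 'same content' from 'same file' against the intake record."""
    current = snapshot(path)
    changed = sorted(key for key in receipt if receipt[key] != current[key])
    return {
        "content_identical": current["sha256"] == receipt["sha256"],
        "metadata_changed": [key for key in changed if key != "sha256"],
    }


def demo():
    """Run the workflow on a constructed exhibit in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "exhibit.jpg")
        with open(original, "wb") as handle:
            handle.write(b"constructed exhibit bytes" * 100)
        os.chmod(original, 0o644)
        os.utime(original, ns=(1_700_000_000 * 10**9,) * 2)  # fixed past time

        receipt, working = intake(original, tmp)

        # Stand-in for an analysis tool that writes out a content-identical
        # copy with new timestamps and different permissions.
        tool_output = os.path.join(tmp, "tool_output.jpg")
        shutil.copyfile(working, tool_output)
        os.chmod(tool_output, 0o600)

        return compare(receipt, original), compare(receipt, tool_output)


if __name__ == "__main__":
    original_check, tool_check = demo()
    print("original after examination:", original_check)
    print("file returned by the tool: ", tool_check)
```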

Measure your method against standards, not leaderboards. Geradts, writing the Interpol review of forensic video analysis for 2019 to 2022, draws the line sharply: the research community treats detection as binary real-or-fake, but the forensic expert does not pass a verdict on authenticity. The expert explains, often through likelihood ratios, what the analysis shows, and leaves the verdict to the court. SWGDE adds that results should not be reported as numerical probability without a proper scientific foundation, and must be qualified against the propositions you set out.

What you can say: this image is consistent with manipulation; these features are unlikely to arise from an unaltered capture; no indications of manipulation were found in this examination; the PRNU correlation supports capture by this device. What you must refuse: this is a deepfake, this is authentic, this tool is right ninety-five percent of the time on evidence like this. The competent witness never lets a "consistent with" be run up to "it is a fake" or "it is real."

The forensic expert does not pass a verdict on the authenticity of evidence, but explains using likelihood ratios and analysis from the models what the chances are of the video being authentic.
Geradts & Riphagen 2023, Interpol review of forensic video analysis 2019-2022
A long horizontal graded slider running through a near-black space between two hard bright certain poles at its far ends, a single machined marker held deliberately in the soft fogged grey middle of the track rather than pushed to either end, a faint magenta-and-cyan split fringing the bright poles.
Fig. 6 · The honest finding sits in the graded middle: consistent with, unlikely to arise, no indications found. It refuses the two bright certain poles, "fake" and "real".
On the stand: what you can say, and what to swap it for

Each phrase on the left runs a "consistent with" finding up into a verdict the science cannot support. Swap it for the qualified version that says only what your examination actually showed. Grounded in SWGDE Best Practices for Image Authentication (2025) and the Interpol review (Geradts 2023).

What to carry into the witness box
  • 01 · Authentication is asymmetric. "I found no sign of manipulation" is a finding about your examination, not proof the image is real, and it is not exculpatory either. Absence of detected tampering is absence of evidence.
  • 02 · Your method is really three examinations: what happened inside the pixels, which sensor made it, and how the file was built. Each answers a different question, and each fails under its own conditions. Describe them separately.
  • 03 · The tools that read a fingerprint can forge one, and the pipelines that carry an image erase the traces. A PRNU "match" can be manufactured, and a single pass through YouTube can wipe the cues you were looking for.
  • 04 · A 99 percent benchmark score is an in-distribution recognition rate, not a casework error rate. On an unknown generator after social-media compression, the best detectors fall toward chance.
  • 05 · A Content Credential proves who signed the bits, not that the scene was real, and most exhibits carry none. The act of checking the file can itself alter the original.
  • 06 · Say "consistent with manipulation," "no indications were found," "the PRNU supports this device." Refuse "this is a deepfake," "this is authentic," and "the tool is right 95 percent of the time on evidence like this." Keep integrity (a matching hash) separate from authenticity (a true scene).
Challenge 06 · Put it to the test

So the video is fake?

You are on the stand. Counsel has saved the simplest leap for last.

The question

"Your tool reports 95 percent accuracy and it flagged this clip as a deepfake. So you are telling the jury this video is fake, correct?"

Your answer