What is FourMatch?

FourMatch™ software is a product that instantly identifies photos that have been unaltered since leaving the camera or other mobile device. Installed within Adobe Photoshop as a floating panel, FourMatch automatically updates to display the status of the current image without requiring any user interaction.

How does FourMatch work?

The technology in FourMatch software is based on the fact that there is nearly endless variety in how the JPEG and EXIF file format standards can be implemented. Every hardware and software developer must make a series of choices in implementing support for these standards, and these choices result in a relatively distinct set of variations of the JPEG format for each hardware and software product. We refer to each one of these JPEG permutations as a signature, because it can point to the potential sources for an individual JPEG file.

When an image is first captured and stored in the camera, it carries one of the signatures that are characteristic of that particular camera model. Later, if the file is opened and then resaved from a software application or an online service, the resulting file will carry the signature of that software application or service, and at least a portion of the original camera signature is lost. However, even though the signature may have changed, the image metadata generally continues to list the name of the device that was used to capture the image.

The power of FourMatch comes from a large, continuously updated database of signatures for thousands of devices and software products. FourMatch reads the image metadata to see what device was used to capture the image, and then it compares the image signature to the known signatures for that device stored in the FourMatch database. If a match is found, then it is generally safe to assume that the file has not been rewritten since it left the capture device.

What can you conclude from a FourMatch analysis?

Though FourMatch is an invaluable tool for assessing the veracity of an image, it’s important to have an understanding of what it can and can’t tell you. FourMatch cannot tell you how an image file has been edited. Whether an image was substantially modified in a photo editing application, or just opened and immediately resaved, the signature will still be modified in the same way, and the resulting file will fail the FourMatch test.

Moreover, because signatures—sometimes numbering in the hundreds for a single device—are not publicly documented, and may change over time, it is not possible for Fourandsix to guarantee that we have a complete set of signatures for any device. If a signature match is not found for a particular image, it is always possible that this failure to match is simply due to a gap in the database. For this reason, when a match is not found, FourMatch will analyze a variety of other factors so as to infer the possible editing history of the image. This insight may assist you in further investigation.

The most conclusive evidence that FourMatch can provide, however, is a complete signature match. Such a match can powerfully assert that an image is an unaltered original.

Definition of an image signature

The signature is comprised of four components:

  1. Dimensions: the actual pixel dimensions of the image file, without regard to image orientation (whether landscape or portrait).

    Though image dimensions are not unique, they do vary from device to device, and each device has a fixed set of possible image sizes. When an image doesn’t conform to the dimensions that can be captured on-camera, then that is a clear sign that the image has been modified in some way.

  2. Compression: the numeric values used to compress the image data in the JPEG file.

    This tends to be the most distinctive aspect of the image signature, because the JPEG standard specifies a multi-step compression process permitting a significant variety in compression parameters. These values vary from camera to camera and, depending on the quality setting(s), within a single camera. Do not confuse these parameters with the JPEG compression options available in the user interface of the camera. For example, the “high quality” JPEG setting in two different cameras will typically use completely different sets of compression parameters.

  3. Thumbnail: the thumbnail dimensions and compression settings.

    A thumbnail-sized version of the full resolution image is often created by the camera at the time of recording. The thumbnail is typically saved as a JPEG whose properties, like those of the full resolution image, vary from camera to camera. There are some cameras that do not save any thumbnail, and this in itself is a distinctive characteristic of a signature. Thumbnail sizes do not vary as much as image sizes, so FourMatch groups the dimensions and compression settings for the thumbnail together as a single signature component.

  4. Metadata: the formatting of the EXIF metadata.

    The EXIF metadata stores a variety of information about the camera and the image file. The specific information stored in the EXIF and the formatting of this information varies from camera to camera. Rather than consider the complete contents of the EXIF metadata, which varies too much from image to image, the signatures used by FourMatch store only some key, distinctive details about how the EXIF metadata is organized by the camera. 

None of these four individual components are unique to a single camera. The combined set of components, however, is fairly distinct. When an image is modified from its original recording, it is likely that at least one of these components will be altered. For example, if an image is cropped, the Dimensions will change; if an image is edited and saved from within a photo editing software, the Compression and Thumbnail will change; if an image is uploaded to an on-line service the Metadata may change. By building a large database of signatures from original un-modified images, any change to the expected JPEG signature can be detected.