How to prove the authenticity of a screenshot?

Question

I have take some screenshots of chat from Whatsapp web using Windows 8 Snipping Tool. I saved those images in PNG format.

How can I prove that those images are original, i.e. not tampered or edited?

Answer 1

You cannot prove that. They were on your PC, fully under your control for some time. You could have tampered with them. Therefore you cannot prove that you did not tamper with them.

If you need to set up a legally safe solution then look for an independent third party and a way to have them store information in such a way that you can only trigger a store or read (e.g., a screenshot on a Citrix server to a write-once location).

Answer 2

You can never prove authenticity in a screenshot.

It is incredibly simple to change the apparent content of anything posted in a public place & needs no great skill to totally change the meaning into anything you like…

This fake screenshot took about 30 seconds in photoshop.

For those who didn't like my quick mockup the first time, here's another, lined up correctly… I chose to use the current version of the question rather then re-mock the original - the result would be the same either way.

Answer 3

Of course there is no sure shot way to find image manipulation attempts. But there are some basic techniques people use to manipulate images.

For example, people use photoshop clone tool to duplicate patterns/colors. It may be difficult to detect by manual observation but there are some tools to do that.

Have a look. The tool has a number of features to detect image manipulation. http://29a.ch/photo-forensics/#thumbnail-analysis

Answer 4

Proving that using technical measures is hard. What you can do is document the way you took the screenshots.

One possibility is having a witness present while taking the screen shots. After taking the screenshots, you could print them out with the filenames, date, and time they were taken. Then the witness and you sign those prints.

A digital version of that is screen recording while taking the screenshots. Ideally with audio commentary. At the end you can timestamp and digitally sign all the resulting screenshots and the screen recording.

Answer 5

Remote browser with public key signed inputs / outputs

http://www.icanprove.de is most general method I've seen so far.

It provides a remote browser (Firefox based) that records your input, and produces public key signed PDFs that contain the inputs you've made and the screenshot. So you can even login into pages and prove things afterwards.

The remote browser is slow, so if the information is removed quickly after you see it, you won't be able to prove anything.

For this to work perfectly the output has to contain one screenshot for every single pixel that changes on the screen, e.g. during scrolling or JavaScript animations. Maybe a video format would be more suitable in those cases than PDF as it encodes frames differentially.

And of course, you give your plaintext passwords to that service and to the evidence verifiers. A possibility is to change your password for a dummy one temporarily, but that means yet more overhead.

Wayback machine services

• http://archive.org/web/ is possible, but respects robots.txt, making some pages inaccessible, and you can't login to take screenshots.

  But note that it has already been declined as legal evidence in court once.

• https://archive.is is similar to archive.org, but did not respect robots.txt last time I checked

See also

I had asked a similar question for browsers at: https://softwarerecs.stackexchange.com/q/18651/3474

Answer 6

There are two issues, prove that you took the picture (not fake), and prove that the picture you took is the picture I received. The first is as noted by others of course impossible as screenshots are trivial to fake as the content is computer generated anyway. The second is much easier with solutions from comprehensive signature solutions (pgp detached signatures have been around for around twenty years), to basic fingerprint (sha is a good choice). Also worth considering are trusted copies (think archive.org or something similar).

Answer 7

First of all, you can't.

If you want to prove that you received message X from Y, ideally you would receive it in front of a notary, on their computer. Lacking a notary, an independent witness may help.

This doesn't preclude that the person at the other side, that you believe to be Y, in fact isn't. So you better have them in front of you and the notary, too.

You can prove that the image existed before a given date (send a hash of the image to a CA signing service, or otherwise publish it in a way that preserves timestamp and you can't later tamper), and that it existed after a given date (like including the headline of today's newspaper).

You cannot trust that what the computer showed was what was sent through the Whatsapp service, not even the logs stored in the suspect's phone. They could all be tampered by the suspect.

Maybe even what you thought to have received is not what the guy at the other side sent. Perhaps it was modified by a trojan in your computer (or WhatsApp servers). Even the telco could theoretically hijack a whatsapp account. It would be a bad idea for a hired killer to accept works by whatsapp. He could believe to be instructed to kill lord Capulet, while the hirer wanted to kill the Montague!

Answer 8

There's no way to verify the authenticity of a screenshot.

Unlike real photographs, screenshots do not have any metadata such as EXIF, nor can they be fingerprinted by the noise in the photo. Screenshots are just a handful of pixels grabbed from the screen at a specific point in time plus a timestamp, and as such can be edited at will.

If the screenshot just so happens to be in JPEG format and you believe something was added or modified in a part of the image, you could (slowly and patiently) discern the features of the image that have less artifacts from the rest of the image due to the lossy effects of doubly compressing the image.

If you have reason to doubt the authenticity of a screenshot, assume that it has been altered unless there is additional evidence to support the screenshot. Do not use screenshots as legal evidence that something occurred in a person's computer.

Answer 9

Maybe not a screenshot, but maybe a video would be more difficult to fake. The exact steps could be different but you could record a video on the following lines:

1. start with all windows closed
2. show the network config to show what proxies you are using
3. open the command prompt and type the hosts file to show that you are not tampering

4. in the command prompt ping the hostname that you are going to open so we can see the resolved ip.

5. open the browser

6. open the browser network settings so we can see the proxy settings
7. open a reference site
8. open the site which you want to actually record
9. navigate till all the contents you want record are done
10. end the video.

What things people may think of faking you can add some controls for it. Maybe a remote recording system, possibly operated by a third party, possibly a law enforcement agency or a law firm, can work here. Maybe you can open a skype session with them, share your screen and do all these things, and use the video that is recorded by them.

Maybe someone can come up with a 'secure' screen recording system. A screen recording system that 'shakes' the screen in every frame to make linear editing cumbersome and error prone, and stores metadata about the the video to make some level of verification possible.

Answer 10

You can't prove that.

If you did tamper with the image, there are mistakes you could make that might make the tampering obvious. For example (at least on Windows 7), Snipping Tool doesn't write any extra metadata to the image file, and always saves as 32-bit RGBA image data (but maybe that's based on screen image depth). If your purported screenshot has a "Software" tag of "Paint.NET v3.36", then you've definitely tampered with it.

Likewise, tampering could introduce artefacts or inconsistencies in the image itself. For example, if WhatsApp uses a certain font in their user interface and you use a different font; or if you use a slightly different color than what they would actually use; or if they watermark the screen with a QR code of a digitally-signed tag encoding the current date and time, and you destroy or corrupt that watermark. However, a lot of that depends on knowing the details of the WhatsApp application... and once you know the details (so that you can reference them in a "proof"), you can generally in principle make sure that a tampered image conforms to them as well.

WhatsApp might provide a QR code or other barcode of a digital signature over the data you actually want to prove, either easily visible or as a hidden watermark somewhere (in which latter case it might be corrupted by a JPEG screenshot, but should be preserved in PNG). That data might be a recognizable thumbnail of an image, or the text of an associated chat session, or the identity of the person who sent the message. However, I doubt that WhatsApp actually does such a thing.

Answer 11

There is no fully secure way to authenticate your screenshot. However you can use a third-party application that sends instantly the read-write date and time of files in the screenshot folder (if it is saved locally) and send them as fast as possible to your authenticator (maybe a friend, your superior or someone that wants to verify its authenticity). This way, the authenticator can see the time that took from the time to create the screenshot file to the time that he received the file information. If it's small, it's authentic.

If you choose to use other methods to authenticate and it involves sending the file, you might want to use stegonography. It's a technique to hide information inside an image. If the image gets altered in the process of sending to someone that might not be fully trusted, the message will be corrupted and, therefore, not authentic.

Answer 12

Your question is not really about how to ensure the authenticity of the screenshots you took - it is about how you can prove that your Whatsapp conversation was real and happened as you said. The other answers already made the point (and quite good, I must say) that you cannot really ensure a screenshot was not modified before it was saved.

Whatsapp Web is just a web app that let you use your browser instead of your phone - however, everything is passing through your phone as you type and send/receive stuff in your browser. Therefore, you can access the original logs for all your conversations in the actual app within your phone.

• If you need those screenshots because they show a conversation that, for whatever reason, is not stored in your phone anymore, then you might find a solution here.
• If the conversation you are looking for is in your phone, you can export it into a .txt file using the instructions here.

Answer 13

You cannot as it could have been edited at anytime and resaved. What you could do, is have an imaging particle analysis done to verify if it was tampered. You would have to use a company that is known for doing this for evidence. Best bet, besides have it analyzed, it to get a court to subpoena the records of your whatsapp conversation.

Answer 14

The only way to do this, theoretically, is to take the screenshot in the presence of a notary, then save it as an image file and calculate a hash value of that file. After that – make the notary document that this hash value corresponds to the original screenshot.