42

Is there a threat from screenshots with blacked out info? That is can someone take out that aftermarket addition so to speak?

For instance

I take a screenshot (using MS snipper) enter image description here


Then I 'blur/blackout' some info enter image description here

Is the picture above vulnerable to someone looking through its hex values for that extra green layer and just removing it, thus reconstructing the original image (or any other way to 'take off' my attempt of redacting info)?


To make it more secure I always then open up the blurred out screen and then screen capture that. enter image description here

Does the above screen of a screen add better security -there is no way to reconstruct missing data because nothing is "missing"?


I have always been paranoid but after finding out a colleague does the same thing, I'd thought I'd ask.


update So I compared pics one and two (from above) and looked at the hex values, the metadata had not changed at all and the only change was within the image data itself (results below). The results are specific to this particular editor and process. The possibility (likelihood) does exist for data to be recovered if using other tools. enter image description here

R1W
  • 1,617
  • 3
  • 15
  • 30
Matthew Peters
  • 3,622
  • 4
  • 21
  • 39
  • Somewhat relevant: https://www.schneier.com/blog/archives/2005/05/pdf_radacting_f.html – paj28 Sep 12 '14 at 14:22
  • I don't have a proper answer, more of a stimulus for an actual answer. If I remember correctly some image formats such as JPEG and PNG keep thumbnails of themselves. So depending on the format and view size, the original version of the image will be shown. Usually the quality is too low to actually read something there, but you get the drift. I believe they discuss the topic here: https://security.stackexchange.com/questions/116552/the-history-of-thumbnails-or-just-a-previous-thumbnail-is-embedded-in-an-image – SaAtomic Oct 22 '18 at 05:31

3 Answers3

47

Usually the PNG format does not support multiple layers. So when you draw over something, whatever was there before is lost.

However, the PNG format supports storage of an unlimited amount of metadata which is usually not displayed by image viewers. This feature is often used by image editors to add additional metadata to the image. One possible use-case is to store the undo-history of the image. This could mean that the previous version can be restored. To prevent this, make sure to set the exporting settings of your editor in a "export for web" mode which is supposed to strip all unnecessary data from the file. How to do this (and if it is even necessary) depends on the image editor.

Another possible faux-pas is to use an image blurring method which isn't 100% effective. You could, for example, accidentally set the opacity of your brush to almost but not completely 100%, which would mean that the section isn't recognizable by the human eye but might be made readable again by enhancing the contrast of the section. Another mistake is to use a filter which is reversible. I remember a case of a child-pornographer who got caught because he blurred out his own face with the "twirl" filter in Photoshop not realizing that when the same filter is applied in reverse, the image is restored to almost the original.

Philipp
  • 49,017
  • 8
  • 127
  • 158
  • 2
    Interesting. Are there any documented cases of tools doing this? I would suspect they don't because that would rapidly add up to an immense amount of data. – Xander Sep 12 '14 at 14:36
  • Exactly what I suspected but havent been able to prove (yet)! I want to find the time to analyze it but thought I'd ask here first to see if it's been done and already well documented... – Matthew Peters Sep 12 '14 at 14:37
  • @Xander I had this with GIMP once. One image viewer (I think it was IrfanView) used to show an older version of one of my images because it was accidentally reading an old version GIMP saved as metadata. However, this was years ago and I didn't really research it further. – Philipp Sep 12 '14 at 14:40
  • 7
    The most common metadata case is when an image includes both a thumbnail/preview version and a full-sized version. Editors don't always update the thumbnail version. – Mark Sep 14 '14 at 22:22
  • @Mark, that's a good point about the thumbnail data although the amount of 'readable' data that could be recovered from the thumbnail does largely depend on what you are trying to recover in the first place... – Matthew Peters Sep 16 '14 at 15:12
  • 1
    @Philipp The mister swirl image is no longer available. Can you link to a picture with similar effect? – Marcel Jul 31 '18 at 12:31
  • I believe this article shows the mentioned image with the swirl effect: https://thelede.blogs.nytimes.com/2007/10/08/interpol-untwirls-a-suspected-pedophile/ – SaAtomic Oct 22 '18 at 05:37
13

When you paint over a jpg or png file, you are not putting a sticker over the image, you are more ripping a hole on the image and filling the hole with ink.

Even on Photoshop, if you export the picture as jpg it will flatten the image, merging all layers together and destroying the original obscured area forever.

There's no way to reconstruct the original image. Taking a second screenshot will not add any security, just adding more steps to your job.

ThoriumBR
  • 51,983
  • 13
  • 131
  • 149
7

No, the security is no better. The typical formats used for screenshots (JPEG or PNG) are not image formats that support layers like say, a PSD does. When you add the green scribble, you're not adding a layer, you're replacing part of the image. The extra step, the screenshot-of-a-screenshot should give you an image file that's materially the same.

It's extra effort, but doesn't add any security value.

Xander
  • 35,616
  • 27
  • 114
  • 141
  • Once I get a chance, I want to test this out myself but I though PNG does support layers (I do recall fireworks letting me save and later edit the layers of a standard .png [not .png.fw] but maybe fireworks just stored some metadata internally -hmmm another test I hear... – Matthew Peters Sep 12 '14 at 14:23
  • @MatthewPeters Yeah, the tools may have a mechanism to offer pseudo-layers within the editing experience, but they won't exist in the PNG itself, as the format specification has no concept of layers. – Xander Sep 12 '14 at 14:26
  • Well my real question isnt so much the tools or image layer at all, but really if forensically is there a chance that someone could recover info via hex values. That is how is the green blur added/how is the info deleted? That is something I need to test it looks like. – Matthew Peters Sep 12 '14 at 14:33
  • @MatthewPeters, hex values (or binary, or decimal) are not magic; they're just a number assigned to the colour of each pixel, like the names on the colour swatches from a paint store. Thus, if I've got a splash that's all the same Burnt Eggshell colour, that's (assuming a big enough splash of colour) gives no one any information. If there was some transparency involved in my scribbling process, I might have some lighter or darker dots, and that could give someone some information. This is as true whether we're talking about the edited screenshot or of a copy (screenshot) of it. – Mathieu K. Apr 24 '18 at 03:08