Contents
Error Level Analysis (ELA) is a useful pointer, not proof. It can flag a region of a JPEG that was compressed differently from the rest, which sometimes lines up with an edit, but a bright ELA map is not evidence of tampering on its own, and a blank one does not mean a photo is clean. Treat ELA as one weak signal to corroborate, never as a verdict.
What Error Level Analysis actually does
ELA was introduced by Krawetz (Black Hat USA 2007). It resaves a JPEG at a known quality, by convention around 95 percent, and compares that fresh copy against the original. Because JPEG discards detail in fixed 8x8 pixel blocks, areas already compressed many times barely change when resaved, while a region recently pasted in or painted over still has detail to lose, so it shows a higher error level and looks brighter. Uniform brightness across the frame is the expected result for an untouched photo. There is no numeric threshold: an analyst reads heatmap contrast by eye, which is the first reason the method is a lead rather than a verdict.
A bright region does not mean an edit
The most common mistake is reading any bright area as a forgery. High-contrast edges, sharp text and saturated colours naturally carry more high-frequency detail, so they light up under ELA whether or not anyone touched them. Saving the file in an editor does the same for innocent reasons. Krawetz shows that resaving in an editor changes the file on its own: “each time a JPEG image is resaved by a graphics editor, the image loses quality,” even when the tool made no deliberate change, and opening a file in Photoshop can raise the error level across whole regions because the software has rewritten the pixels. ELA often detects only that an image passed through editing software, which is not the same as detecting a deliberate manipulation.
Where ELA fails: resaves and recompression
ELA depends on there still being a compression difference to measure, and that difference is fragile. Every resave moves the whole image closer to a uniform error floor, erasing the contrast ELA looks for. Krawetz is explicit about the dead end: the error is confined to the JPEG’s 8x8 cells, and “after roughly 64 resaves, there is virtually no change,” so a heavily recompressed file flattens toward a uniform floor with no contrast left to read. In his own worked example an added airplane “has been resaved enough times to obscure that information from ELA.” This is why ELA is close to useless on anything pulled off social media or a chat app, where the pipeline recompresses the file repeatedly before you ever see it. A clean ELA result on a heavily shared photo is meaningless, not reassuring.
The fragility is not unique to ELA. Its closest peer-reviewed relative, JPEG ghost analysis, was designed by Hany Farid (2009) for low-quality images, and even that formal method rests on the same precondition, because, as Farid notes, low quality images “often destroy any statistical artifacts that could be used to detect tampering.” The weakness is field-wide on real images: when Zampoglou, Papadopoulos and Kompatsiaris (2015) tested a battery of state-of-the-art forgery detectors against 82 real-world web forgeries, 57 went undetected by every algorithm, and the authors concluded that “the algorithms we applied failed in the majority of cases.”
The stronger JPEG methods still infer, not prove
A blank ELA map is not a clean bill of health, and the more rigorous double-JPEG methods that sit beside ELA show why. Lukáš and Fridrich (2003) estimate the primary quantization matrix of a doubly compressed JPEG, and Bianchi and Piva (2012) detect nonaligned double-JPEG compression from the integer periodicity of its DCT coefficients. Both are stronger than an eyeballed heatmap, yet both still infer an edit from compression statistics rather than proving one, and both are erased by the same repeated recompression that flattens ELA. A clone made inside one editing session and exported once can be visually false while leaving every one of these JPEG signals quiet.
Even the learned detectors carry the caveat
The recompression problem reaches the modern CNN detectors too. The camera-model fingerprint Noiseprint degrades in exactly the conditions ELA does, its authors reporting that “global image processing tends to reduce the noiseprint strength,” and across nine datasets it averaged a Matthews correlation of only 0.403 (Cozzolino and Verdoliva, 2020). TruFor, a current forgery localizer, averages an F1 of 0.696 and, tellingly, ships a reliability map that marks where its own prediction is unsafe (Guillaro et al., 2023). ELA offers no such self-check: it shows a heatmap and leaves every judgment to the viewer. Agreement across physically different signals is what carries weight, which is why pairing a bright ELA region with a local PRNU integrity failure (Chen, Fridrich, Goljan and Lukáš, 2008) says more than two JPEG-only views of the same artifact.
So when can you trust ELA?
ELA is most informative on a single-generation JPEG, straight from a camera or a first save, where a spliced region was added at a clearly different quality from the background. Even then it is a lead. Krawetz’s own approach is to corroborate: in the whitepaper he reads ELA alongside principal component analysis and wavelet analysis, and even then reports that “the details of the manipulation are inconclusive,” because ELA “only identifies ‘a’ change.” In the Forensics Media team’s review of the major image-forensics toolkits, ELA appears in roughly one in three, always bundled with metadata, clone detection and noise analysis, and never offered as a standalone verdict. It earns its place precisely because nobody relies on it by itself, and a bright map becomes worth quoting only when an independent method points the same way. The wider one-method-is-never-enough rule runs through how reliable photo forensics actually is, and the metadata caveat is covered in Can EXIF data be faked?.
Sources
- Krawetz, N. (2007). A Picture’s Worth: Digital Image Analysis and Forensics. Black Hat USA 2007.
- Farid, H. (2009). Exposing Digital Forgeries from JPEG Ghosts. IEEE Transactions on Information Forensics and Security 4(1):154-160. DOI: 10.1109/TIFS.2008.2012215
- Lukáš, Fridrich (2003). Estimation of Primary Quantization Matrix in Double Compressed JPEG Images. Digital Forensic Research Workshop (DFRWS) 2003.
- Bianchi, Piva (2012). Detection of Nonaligned Double JPEG Compression Based on Integer Periodicity Maps. IEEE Transactions on Information Forensics and Security 7(2), April 2012. DOI: 10.1109/TIFS.2011.2170836
- Cozzolino, Verdoliva (2020). Noiseprint: A CNN-Based Camera Model Fingerprint. IEEE Transactions on Information Forensics and Security 15:144-159. DOI: 10.1109/TIFS.2019.2916364
- Guillaro, Cozzolino, Sud, Dufour, Verdoliva (2023). TruFor: Leveraging All-Round Clues for Trustworthy Image Forgery Detection and Localization. CVPR 2023. DOI: 10.1109/CVPR52729.2023.01974
- Chen, Fridrich, Goljan, Lukáš (2008). Determining Image Origin and Integrity Using Sensor Noise. IEEE Transactions on Information Forensics and Security 3(1):74-90. DOI: 10.1109/TIFS.2007.916285
- Zampoglou, Papadopoulos, Kompatsiaris (2015). Detecting Image Splicing in the Wild (Web). IEEE International Conference on Multimedia & Expo Workshops (ICMEW) 2015. DOI: 10.1109/ICMEW.2015.7169839