February 5, 2015
– Honest debate is not possible if Bellingcat deletes comments and responses on its website without informing readers.
Details here.
February 2, 2015
A few days ago I received an email sent by Charles Wood, a professional forensic analyst and expert witness with specific expertise in digital media, manipulation of images, metadata and micro-meteorology.
Mr. Charles Wood comments on the Bellingcat article Examining the MH17 Launch Smoke Photographs written by Daniel Romein. I chose to post his entire analysis unedited.
In a follow-up piece I will ask him questions and further data supplied by others will then be discussed as well.
************************************************
The basic flaws in the Romein piece are
- No provenance for the image files
- Basic checks on authenticity not performed
- Unjustified assumptions made from the checks they did do
- Writing on areas completely outside their expertise – weather conditions, rocketry, satellite image interpretation, image forensics
- Failure to use publicly available data to verify the images
- Failure to release image data to support their claims
- Failure to have effective internal checks before publication
This analysis will show that the skills and methodology of the ‘Bellingcat Team’ fall way below any accepted standard, and in the process they may have caused destruction of evidence.
Errors
Romein claims an incorrect upload time of plume photo to twitter
Romein claims an upload time of 18:23 local time (EEST)
Twitter metadata shows it was uploaded at 19:23:38 17 July EEST as evidenced by the Twitter metadata timestamp of 1405614218 (seconds UTC)
Checking on timeanddate.com using the visible time stamp also comes out as 19:23, not 18:23 as claimed. This is an error that is repeated in the Bellingcat report and indicates there were no internal checks at Bellingcat.
Romein claims the 17 July photos were taken ‘hours later’
“Note that all of the images on the next page have been taken from a few to 20 seconds after launch, while the 17 July 2014 pictures have were taken hours later. ”
This totally destroys his later argument they were taken within a couple of minutes of the actual launch. They also make no sense. No smoke trail is going to remain for hours.
Edit: Someone who read the article on the website left a comment to that effect and the text has now been altered.
Again this is evidence Bellingcat has no internal checks or incompetent internal checks.
Romein makes incorrect claims on rocket trails
“Other type of rockets like Grads or Tornados don’t leave a long white smoke trail in the air,”
This is not correct. Different ‘Grads’ have different amounts of aluminium fuel loading depending on mission. High Al loading produces dense white smoke but more power for heavier payloads.
This is easily seen in Syria where the SAA use different motor loads for their Burkan missiles and have different smoke trails.
Romein also does not appreciate that rocket artillery units often fire a sounding rocket nearly straight up to measure atmosphere parameters. These have completely different characteristics to normal ‘Grad’ missiles.
I understand there was Grad launcher activity in the area so it is possible the plume was from a sounding rocket rather than a SAM. Bellingcat does not consider or at least report on this possibility.
Romein claims specific times and dates from unreleased metadata
“What we will publish is that the second published picture was taken first at 16:25:41 EEST, and the first published picture was taken 7 seconds later at 16:25:48 EEST. ”
Given Romein’s inability to get the twitter time correct how much faith do we have in his ability to report image metadata correctly and in particular the correct time zones?
Romein’s claim can only be confirmed by access to the RAW images.
Romein also seems oblivious to the effects of daylight saving. He notes the image metadata times and attempts to relate them to the incident time by assuming the camera clock is out by a few minutes.
Assuming the images were actually written by a camera, it appears the camera has been running long enough for the clock to drift significantly. If so, there is negligible chance the camera was adjusted by the cameraman for daylight saving a few months prior. This leaves us with the lottery of whether the camera actually supports daylight saving and/or was bought in summer or winter and so what time zone/daylight saving it has.
Bellingcat’s censorship of the raw metadata makes checking this impossible.
Romein claims file dates will be changed
“Images in a RAW format can be edited in photo editing software and saved as a different format, like BMP, JPG, PNG, TIFF, etc., but this will always result in a different file date, namely, the date and time the file has been saved after editing.”
This claim is sometimes true but highly dependent on the operating system and program used to write a file.
Without knowing what device and program wrote the images to the flash card it’s impossible to tell whether file times and dates would be altered.
What Romein doesn’t appreciate is the card itself has no clock. All times and dates are generated by the writing device / operating system / program.
There are several file times and dates recorded by the operating system for a single file. There are also multiple other times and dates recorded internally in images by application software. These internal times and dates may be modified by the operating system or by application software. Windows 7 for instance may rewrite internal metadata times and dates in an image simply from a user viewing it in the file browser.
In the case of images on Flash cards the format is almost always some version of FAT so it’s very easy to modify any file time and date with simple utilities or DOS commands. In addition simple ‘Hex’ editors can change internal metadata without a trace. There is no requirement to use photo editing software.
A basically competent forger can change most image metadata in seconds to minutes. A more competent forger can ensure there are no file fragments or OS data on the storage device that can be used to detect the forgery.
Romein claims photo software can’t create raw images
“Photo editing software is not able to save files in a RAW format, because this is not a “positive” image format. In addition, because pictures can only be edited by photo editing software, changes to the pictures will always result in modified metadata.”
This is incorrect. There are dozens of image manipulation programs that can write raw image format. They can also be set to write out specific metadata. Even then, as pointed out before, a simple hex editor can subsequently change internal metadata at will.
Romein claims saving data will modify metadata
“Also, when the file in RAW format is saved, the modified date of the metadata will be changed.”
Which is partially true assuming the saving program wants to change the metadata. In many cases it won’t – which is quite reasonable with many editing activities where preservation of metadata is desirable. However it’s trivial to edit the metadata after saving and it’s possible to use command line image manipulation tools to set whatever metadata you want.
Romein claims to be completely certain
“Based on the metadata of the RAW files we received, we can be completely certain that these files are the original files and that the pictures were taken on 17 July 2014 at 16:25:41 EEST and 16:25:48 EEST, ”
This is completely untrue. All he can be certain of is the image metadata gives those dates, not that they are true. As an aside he also does not even try to do a comparison of file dates vs internal metadata dates – a basic forensic process. N.B. depending on how the images are packaged they can easily be transmitted with file original time-stamps.
Romein relies on camera times and dates
“according to the date and time set in the camera”
This is a completely unjustified claim.
Romein does not know what the time and date was set in the camera; he has no idea what camera actually recorded the images; and he has no idea whether the images were written to the card by a camera or were copied there from a computer. These are the sorts of things that a professional forensic examination looks at with a view to finding inconsistencies.
Romein has not performed any type of forensic examination and has made completely unjustifiable assertions as a result.
For a simple example of well known daylight saving and leap year issues see DST
Romein has not performed image consistency checks
There is no evidence Romein has looked at the metadata of the images to see if it is consistent. For instance comparing the serial number field if present, and software/firmware revisions, let alone the camera model.
From what I have read there are significant differences in image settings between the two images so differences in metadata are of high interest.
There may well be no significant difference, but a failure to report that this was checked is a red flag for the quality of the work.
Romein states incorrect publication time
“when we take into account that the first picture was released two hours after the crash,”
This is incorrect. Twitter metadata shows the first image was published on twitter three hours after the crash, not two.
This error affects Romein’s subsequent claims about the time available to alter images.
Romein claims low probability of wrong date
“is that the photographer took a picture of a missile launch on a previous date, and his camera date and time was inadvertently set to 17 July 2014 at 16:25 EEST. The probability of this being the case, of course, is close to zero.”
This is simply untrue. The camera could have been out by a day easily – for instance if it doesn’t support leap years. 2012 was the immediately prior leap year so depending on age the camera could have been a day ahead. This would result in images recorded on 16 July presenting as 17 July.
There is also the very simple option that the image was taken on some other date and the metadata altered. Without corroborating evidence – for instance access to the complete flash device – this cannot be eliminated as an option.
Bellingcat claims impossible meteorological effects
“We assess, based on the direction of the wind only a few hours earlier, that varying wind speeds at different altitudes caused this sharp turn.”
There is no evidence of microburst activity in the area and the photos certainly don’t support any ground level storm activity.
Absent a storm, the purported wind-shear is only possible in deep inversions which only occur at night. This image is in daylight presumably in summer with overhead cloud. Known meteorological data for the supposed time shows a brisk wind from North of East. There is no possibility of an inversion under these conditions.
The only conclusion is that the dark plume is unrelated to the white plume.
The Bellingcat claim regarding the wind direction shift is also completely unfounded. The met record shows a slow change in direction over a period of many hours with a period of calm during the night. This is a large scale regional shift and does not relate to any sharp vertical backing or veering.
| Time (UTC) | Dirn (deg from) | Speed (m/s) |
|---|---|---|
| 2014-07-17 00:00 | 50 | 4.0 |
| 2014-07-17 00:30 | 50 | 5.0 |
| 2014-07-17 01:00 | 60 | 4.0 |
| 2014-07-17 02:00 | 40 | 4.0 |
| 2014-07-17 03:00 | 50 | 5.0 |
| 2014-07-17 03:30 | 50 | 4.0 |
| 2014-07-17 04:00 | 60 | 4.0 |
| 2014-07-17 04:30 | 60 | 5.0 |
| 2014-07-17 05:00 | 60 | 5.0 |
| 2014-07-17 05:30 | M | 1.0 |
| 2014-07-17 06:00 | 260 | 4.0 |
| 2014-07-17 06:30 | M | 2.0 |
| 2014-07-17 07:00 | 330 | 6.0 |
| 2014-07-17 07:30 | 350 | 5.0 |
| 2014-07-17 08:00 | 350 | 6.0 |
| 2014-07-17 08:30 | 10 | 7.0 |
| 2014-07-17 09:00 | 10 | 6.0 |
| 2014-07-17 09:30 | 40 | 4.0 |
| 2014-07-17 10:00 | 50 | 5.0 |
| 2014-07-17 10:30 | 40 | 7.0 |
| 2014-07-17 11:00 | 40 | 6.0 |
| 2014-07-17 11:30 | 60 | 4.0 |
| 2014-07-17 12:00 | 60 | 5.0 |
| 2014-07-17 12:30 | 60 | 5.0 |
| 2014-07-17 13:00 | 70 | 6.0 |
| 2014-07-17 13:30 | 70 | 7.0 |
| 2014-07-17 14:00 | 80 | 6.0 |
This is yet another example of Bellingcat stepping way outside its area of competency to make unsupportable claims.
Romein claims smoke trail has moved because of regional wind
“Based on the visual information from the pictures and metadata of the original versions of the pictures, it is clear that the white smoke trail has moved because of the wind coming from the east, and it is our conclusion that the pictures are authentic and not fabricated or manipulated.”
The wind records show it coming from the North of East, not East. Wind behaviour is a vertical gradient in velocity and direction, either veering or backing with altitude and increasing in velocity with altitude. The plume shows no such characteristics. Because of the lack of lateral dispersion, one conclusion is the wind is blowing towards or away from the camera and under nearly calm conditions. Alternatively the images were taken seconds after a launch – which is inconsistent with the cameraman’s statement.
Romein claims the image weather matches actual weather
“Based on the original images, it is clear that the weather visible in the pictures matches the local weather conditions at the time.”
That is not correct. The local air navigation data at 13:30 UTC 17 July 2014 were:
| Time (UTC) | Speed (m/s) | Gust (m/s) | Dirn (from) | Visibility (km) |
|---|---|---|---|---|
| 13:00 | 6 | 11 | 70 | 10 |
| 13:30 | 7 | 12 | 70 | 10 |
| 14:00 | 6 | 11 | 80 | 10 |
And in particular cloud cover:
| Time (UTC) | Sky 1 | Sky2 |
|---|---|---|
| 13:00 | 3-4 Oktas 3300ft | 5-7 Oktas 10000 ft |
| 13:30 | 3-4 Oktas 3300ft | 5-7 Oktas 10000 ft |
| 14:00 | 3-4 Oktas 3300ft | 5-7 Oktas 10000 ft |
The combination of at least two levels of significant cloud indicates that little or no blue sky will be visible.
Incorrect claim of cloud density from satellite image
Romein claims visible light satellite imagery shows patchy cloud with large clear areas.
This is a basic error. Visible light satellite images mostly show white where there is high altitude highly reflective cloud – usually cirrus or cirro-stratus at typically 20,000 feet. Very often lower level cloud does not show well or at all as it is not as bright.
As noted in the sky2 data based on local sensors there was significant cloud at the time. In addition eyewitness reports talked of it being cloudy at the time.
Issues
Bellingcat may have destroyed evidence
Romein stated
“Bellingcat contacted the photographer who took the smoke trail images, and provided the images in a RAW image format. ”
The mere act of reading a device alters time and date data stamps on it. It loses a great deal of forensic value when this is done.
Bellingcat by asking for copies has helped obliterate key metadata on the device.
Bellingcat/Romein uses media of unknown provenance
There is no evidence that the person who supplied the images was the photographer, nor that the images were unaltered.
In legal terms, there is no chain of custody.
What we have is Bellingcat ‘procuring’ a pair of images some time after the event and claiming they are pure and unaltered. There is not the slightest attempt by Bellingcat / Romein / Higgins to see if they could have been tampered with, and in particular no mention whatsoever of the various scenarios.
They then proceed to write a large post on the images, forgetting the basic problem that they have zero means of independently verifying their authenticity.
A lot of Romein’s report is spent trying to justify the images. I note that much of that justification is bad research, bad forensics, and bad science.
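
The timestamp points raised in the analysis above can be worked through in code. The following is an added example, not part of Mr. Wood's email or of the Bellingcat report: it decodes the quoted Twitter timestamp and shows how a zone-less EXIF-style capture time maps to different UTC instants under the daylight-saving and leap-day scenarios the analysis describes. The hypothesis names, the fixed UTC offsets and the EXIF-style string are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets keep the example independent of the host's tz database.
EEST = timezone(timedelta(hours=3), "EEST")  # summer time, UTC+3
EET = timezone(timedelta(hours=2), "EET")    # winter time, UTC+2

TWEET_EPOCH = 1405614218              # Twitter timestamp quoted above (seconds UTC)
EXIF_CLAIMED = "2014:07:17 16:25:41"  # constructed EXIF-style string for the claimed time


def upload_time_local(epoch, tz=EEST):
    """Decode the epoch as UTC first, then convert to the local zone."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).astimezone(tz)


def exif_candidates(exif_text):
    """UTC instant implied by a zone-less capture time under each hypothesis."""
    naive = datetime.strptime(exif_text, "%Y:%m:%d %H:%M:%S")
    local = {
        # Camera clock was set to summer time.
        "eest": naive.replace(tzinfo=EEST),
        # Camera clock was never moved forward for daylight saving.
        "eet_no_dst": naive.replace(tzinfo=EET),
        # Camera calendar runs one day ahead (missed leap day), clock on EEST.
        "day_ahead_eest": (naive - timedelta(days=1)).replace(tzinfo=EEST),
    }
    return {name: dt.astimezone(timezone.utc) for name, dt in local.items()}


def gaps_to_upload(exif_text, epoch):
    """Interval between each candidate capture instant and the upload."""
    upload = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return {name: upload - taken
            for name, taken in exif_candidates(exif_text).items()}


if __name__ == "__main__":
    print("upload:", upload_time_local(TWEET_EPOCH).isoformat())
    for name, gap in gaps_to_upload(EXIF_CLAIMED, TWEET_EPOCH).items():
        print(f"{name:15} capture-to-upload gap = {gap}")
```

The metadata alone cannot select between these candidates; that takes corroborating data such as the file system timestamps or the complete storage device.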