Writing a Media Authenticity Examination Report

A media authenticity report has a defined structure because courts and reviewing experts need to locate specific information quickly and assess whether the examination was conducted properly. The sections below are mandatory in the sense that omitting any of them leaves a gap that will emerge under cross-examination or peer review.

The findings and conclusion sections must remain clearly separated. A finding is an observation: 'ELA analysis identified elevated error levels in the region covering the subject's face.' A conclusion is an inference drawn from one or more findings: 'The combination of elevated ELA values in the facial region, inconsistent EXIF metadata, and a high synthetic probability score from the deepfake detector is consistent with AI-assisted facial replacement.' Merging observations with inferences makes the report harder to challenge and harder to defend.

The exhibit description section establishes the integrity of the examination before any analytical finding is mentioned. If the file examined cannot be shown to be the same file that was submitted, every subsequent finding is contestable. The minimum information to record is the original file name, the file format and codec, the file size in bytes, the SHA-256 hash computed at acquisition, the date and time of acquisition, the name and role of the person who submitted the exhibit, and the storage medium from which it was imaged.

The examiner must also record the hash of the working copy used during examination and confirm it matches the acquisition hash. If examination requires format conversion (for example, re-muxing a video to allow frame-level analysis), the report must document the conversion step, the tool used, and the hash of both the original and converted file. Undisclosed format conversion is a chain-of-custody failure that defence counsel will identify.

Error level analysis is one of the most commonly applied and most frequently misrepresented techniques in image authentication. The output is a visualisation, not a score: regions with elevated residual error after controlled re-compression appear brighter. The challenge in report writing is that ELA outputs look compelling but rest on several assumptions that may not hold for a given file.

The limitations that the report must disclose: First, JPEG re-compression history matters. An image that has been saved multiple times before reaching the examiner will have a flattened error level baseline across all regions, making elevated regions harder to identify. Second, different camera manufacturers and image editing applications apply different compression algorithms, producing different baseline error patterns for unaltered regions. Third, ELA cannot distinguish between alteration for deceptive purposes and innocent re-encoding, such as a thumbnail generation or an automated social-media compression pass. Fourth, the technique has no published, standardised false-positive rate across image types because results depend so heavily on the individual file's compression history.

A correctly written ELA finding looks like this: 'ELA analysis at a re-compression quality of 70 was applied to the exhibit. The facial region of the subject (approximately bounded by coordinates [x1,y1] to [x2,y2] in the 1920x1080 frame) showed residual error levels approximately 40% higher than the surrounding background regions. This result is consistent with that region having a different compression history than the surrounding image. ELA alone cannot establish whether this difference results from deliberate manipulation, innocent re-encoding, or a camera-specific compression artefact. The ELA result is treated as one indicator requiring corroboration from additional analysis.'

Deepfake detectors are machine-learning classifiers, not measuring instruments. They return a probability score representing the model's confidence that the input belongs to the synthetic class, given the training data and architecture that model was built on. That score is not the probability that the exhibit is a deepfake; it is the model's output conditional on its training distribution. A score of 94% synthetic from one tool may correspond to a score of 61% synthetic from a different tool examining the same file, because the two models were trained on different synthetic media datasets.

The report must state: the tool name and version, the score returned, the published or empirically established false-positive rate for that tool on a relevant test set, and a qualified conclusion. Where the tool was trained on a specific generation of deepfake technology (for example, FaceSwap or first-generation diffusion models) and the exhibit may involve a newer method, the report must note that the detector's published performance figures may not apply to the exhibit.

Where multiple detectors are applied, the report should present each result separately, note whether they are concordant, and explain any discordance before drawing an aggregate conclusion. Averaging scores from different models with different architectures is not a valid analytical step and should not appear in a report.

EXIF metadata, file system timestamps, and C2PA manifests each tell a different part of the provenance story, and each has its own failure modes. The report must describe what was found, what was absent, and what the absence means.

EXIF metadata can be stripped, altered, or injected using widely available tools. A missing EXIF block is consistent with both deliberate removal and routine social-media processing. An intact EXIF block with plausible values is consistent with authenticity but does not confirm it. The report should state whether the EXIF data is present, whether it is internally consistent (date, GPS data, camera model, and focal length should be plausible in combination), and whether the camera model cited in the EXIF data matches the noise characteristics found in PRNU analysis if that was conducted.

A C2PA manifest, when present and verified, provides a cryptographically signed record of the file's creation and editing history. The report should state whether a manifest was present, whether the cryptographic signature verified against the issuing certificate, and what the manifest asserts about the file's origin. A broken or absent manifest is not proof of tampering; it means the cryptographic provenance chain is unavailable. This distinction must be stated clearly. See image file format integrity checks for the full range of file-level integrity indicators.

The conclusion section answers the examination question. It should be a single, direct statement followed by the qualified basis for it. The statement must not claim more certainty than the aggregate findings support, and it must not be so heavily hedged that it fails to answer the question. 'The examination is inconclusive' is a valid conclusion when the evidence genuinely does not resolve the question; it is not a safe default to avoid commitment.

Admissibility requirements vary. Under Federal Rule of Evidence 702 in the United States, the court acts as gatekeeper, assessing whether the method is based on sufficient facts, is the product of reliable principles and methods, and has been reliably applied. The Daubert framework explicitly requires consideration of error rates and peer review. In England and Wales, the Criminal Practice Directions require expert reports to state the range of opinion on the topic, any literature relied upon, and a summary of the conclusions. The Law Commission's 2023 report on expert evidence proposed a reliability test that mirrors Daubert more closely and is expected to influence future case law.

In India, the Bharatiya Sakshya Adhiniyam 2023 governs expert opinion evidence (replacing the Indian Evidence Act 1872). Section 39 of the Act addresses opinions of experts, and courts have increasingly scrutinised the methodology behind digital forensic conclusions. The Bharatiya Nagarik Suraksha Sanhita 2023 governs procedural requirements for evidence submission in criminal proceedings. In the EU, national procedural rules apply, but the European Digital Media Observatory has published guidance on forensic standards for digital media in legal proceedings. Across all these systems, a report that discloses its methods, error rates, and limitations is far better positioned for admissibility than one that presents tool outputs as self-evidently conclusive.