AI-Generated Image Detection and Provenance

In traditional digital camera forensics, PRNU is a reliable way to link a photograph to a specific device. The per-pixel sensitivity variation of a camera sensor is stable across photographs and can be extracted by averaging many images and subtracting the low-frequency content. Marra et al. (2019) demonstrated that GAN generators have an analogue: each trained model's weights imprint a periodic fingerprint on every image it generates. The fingerprint is model-specific, not architecture-specific. Two ProGAN models trained with different random seeds produce detectable, distinguishable fingerprints.

The practical forensic workflow mirrors PRNU attribution. A reference fingerprint is extracted from a set of known images from the model under investigation, typically by averaging the high-pass residuals of hundreds of generated samples. The fingerprint is then correlated with the residual of the query image. High correlation indicates the query was generated by that model; low correlation rules it out. This approach can attribute a specific generated image to a specific model instance, which is potentially useful for source tracing in disinformation investigations.

Diffusion models generate images through a denoising process that operates in latent space and decodes to pixel space via a VAE (variational autoencoder) decoder. The decoder's upsampling layers introduce spectral periodicity, similar to but distinct from the GAN checkerboard. More forensically significant is the absence of properties that all genuine photographs carry: camera sensor noise (photon shot noise, dark current), optical vignetting, chromatic aberration, and the spatial correlation structure of natural image statistics in the very high-frequency band.

Corvi et al. (2023) published a systematic study of diffusion model artefacts across Stable Diffusion, DALL-E 2, and several other systems, finding that detectors trained on GAN output performed significantly worse on diffusion output. They proposed features specific to the diffusion denoising residual that improved cross-family generalisation, but noted that performance on novel, unseen diffusion model checkpoints was still substantially lower than on held-out test sets from known models.

The Coalition for Content Provenance and Authenticity (C2PA) was formed in 2021 by Adobe, Microsoft, BBC, Intel, and Truepic, with the stated aim of building an open technical standard for media provenance. The core concept is a manifest: a structured record attached to a media file that describes its creation history, with each step signed by the tool or actor responsible for it. A photograph taken with a C2PA-enabled camera gets a manifest signed with the camera's hardware key. Each edit in C2PA-aware software adds a signed update. If the image was generated by an AI tool, that tool records its contribution.

1. Capture or generation
   A C2PA-enabled camera or AI tool creates the initial manifest, signed with a hardware or software key. The manifest records the device, timestamp, GPS if enabled, and for AI tools, the model version and prompt hash.
2. Editing
   Each editing application that participates in C2PA adds a signed entry to the manifest recording which operations were applied. Cropping, colour correction, and AI-assisted editing tools each leave a record.
3. Publishing
   The publishing platform can add its own signed entry attesting to when and how it received the file. The full chain from capture to publication is readable by anyone with the public keys of the signing parties.
4. Verification
   A viewer or forensic analyst runs the manifest through a C2PA-compatible verifier. Any broken signature in the chain, from tampering with the image content or the manifest itself, is flagged. The verifier reports what it can confirm and what is unverifiable.

C2PA does not make forgery impossible. An attacker who controls the signing keys, or who captures a screen-grab of an authentic image to strip the original manifest, circumvents the chain entirely. What C2PA provides is a positive claim: when the chain is intact, the creation history it describes can be verified. When the chain is absent, the image makes no authenticated provenance claim, which is itself information. As of 2024, Leica, Sony, and Nikon have released or announced C2PA-enabled camera firmware, and Adobe Photoshop generates C2PA manifests for exported files.

Invisible watermarking proposes embedding a signal in generated images during model inference, before any post-processing, so that all output from a cooperating generator is marked as synthetic. Several technically distinct approaches exist. Spectral watermarking places a low-amplitude pattern at specific spatial frequencies chosen to survive moderate JPEG compression. Latent-space watermarking applies a fixed perturbation to the latent representation before decoding, so the mark appears in every generated image from that model. Semantic watermarking trains the model to include a specific detectable pattern in generated textures without visible distortion.

• Meta's Stable Signature (Fernandez et al., 2023): a watermark finetuned into the VAE decoder of a latent diffusion model so that every decoded image carries an imperceptible but persistent mark. Demonstrated survival through JPEG compression and mild geometric transforms.
• Google DeepMind SynthID: applies a learned watermark to images and audio generated by Gemini and Imagen models. Released publicly for text-to-image and text-to-audio use cases. Claims the mark survives common social media re-compression.
• Watermark removal attacks: multiple published works have shown that existing watermarking schemes are vulnerable to adversarial removal via small noise perturbations or diffusion-based regeneration, which reconstructs the semantic content of an image while replacing the frequency-domain signature.

The core limitation of binary AI-vs-real classifiers is the same as for deepfake video detectors: they learn the artefact signature of the generators in their training set. When a novel generator with a different architecture is released, the classifier's features may not activate on the new output, causing accuracy to collapse. Wang et al. (2020) demonstrated this with CNNDetect, showing that a ResNet-50 classifier trained on ProGAN output achieved near-perfect accuracy on ProGAN test images but dropped to chance-level accuracy on several other GAN architectures when trained only on ProGAN.

Proposed mitigations include training on augmented data that mimics a wide range of post-processing operations, so the classifier learns to detect features that survive processing rather than artefacts specific to one generator; using frequency-domain features that are more architecture-agnostic; and ensemble approaches that combine signals from multiple detection methods. None fully solves the OOD problem, particularly against diffusion models, which have different spectral properties from the GANs used in most published training sets as of 2022-2023.

The photographic truth claim, the implicit assertion that a photograph depicts a real event, has been legally and socially significant since the 19th century. Courts in common-law and civil-law jurisdictions have developed evidentiary standards for photographic evidence that presume an authentic capture chain unless challenged. Digital image forensics inherited and extended this framework, developing tools to detect manipulation of genuine photographs.

AI-generated images introduce a qualitatively different challenge. The question is no longer whether a genuine photograph was altered but whether any camera-capture event occurred at all. A fully synthetic image has no original: it was never a photograph. The forensic and evidentiary consequence is that authentication cannot proceed by establishing chain-of-custody back to a capture device, because no capture device exists. Instead, the burden falls on detection of synthesis artefacts, provenance manifest verification, or contextual and OSINT corroboration of the depicted events.