by | |

A joint post by Catherine Dill, Jeffrey Lewis, Melissa Hanham and David Schmerler

Two years ago, on 17 July 2014, someone shot down Malaysia Airlines Flight Number 17 (MH17) over an area of Ukraine held by Russian-backed separatists, killing all 298 persons aboard. The Dutch Safety Board has now concluded that the aircraft was shot down by a surface-to-air missile fired from a Buk surface-to-air missile system. Now, a Joint Investigation Team, coordinated by the public prosecutor from the Netherlands, is conducting an investigation in an effort to bring the perpetrators to justice. But who did it?

On 21 July 2014, the Russian Ministry of Defense provided a briefing asserting that Ukrainian military forces, rather than Russian-backed separatists, shot down a civilian airliner en route from Amsterdam to Kuala Lumpur. This briefing contained a number of satellite images that, according to Russian officials, show Ukrainian surface-to-air missile launchers were in position to shoot down the airliner.

Lieutenant-General A.V. Kartapolov, Deputy Chief of the General Staff of the Armed Forces of the Russian Federation, gave a briefing that purportedly implicated Ukrainian military forces in the shoot-down. This briefing contained slides that have been subsequently posted on the Russian Ministry of Defense and Ministry of Foreign Affairs websites. Russia released additional images as part of an analysis published on 1 August 2014.

We analyzed these slides using Tungstène, a suite of forensic software tools to detect alterations to images. In particular, we focused on two slides, hosted on the Russian Foreign and Defense Ministry websites – the “Cloud” slide and the “Two Buks” slide.

The stakes in this case are extraordinarily important, as they relate to the deaths of 298 persons. The image files are very poor quality. We are very disappointed that the Russian Federation, in such an important matter, would release such low quality images as evidence. If Russia’s claims are true, then the original, unaltered images would help demonstrate them. By contrast, Russian officials must know that releasing images in such a format makes it more difficult to verify the integrity of the images and is often a tactic to hide manipulations.

Despite the poor quality of the images, however, it is clear that the images have been significantly modified or altered. These alterations are not limited to the addition of labels, callouts, and other explanatory features, but include changes to the underlying satellite images themselves including the clouds and vehicles. These are important details in the images. If these clouds and vehicles were, for example, added, then this would cast doubt on the truthfulness of General Kartapolov’s briefing.

The “Cloud” Slide: In terms of the image purporting to show a Ukrainian Buk surface-to-air missile launcher absent from a Ukrainian military base on the day of the shoot-down, someone appears to have modified or even added the cloud cover. Others have argued that Russia has provided a false date for the image and altered the clouds to obscure terrain features that might correctly date the image. We agree that the clouds have been altered. We cannot think of another motive for adding a cloud to this satellite image.

The “Two Buks” Slide: In terms of the image purporting to show two Ukrainian Buk surface-to-air missile launchers, the launchers appear to have been modified or altered in the underlying satellite image. The changes could range from attempting to sharpen the launchers to digitally adding them. The presence of the two launchers is the central fact of the image; the signs of overt manipulation to this portion of the image renders it totally unreliable as evidence.

In the 1 August analysis posted on its website, the Russian Ministry of Defense accused the Ukrainian SBU of “presenting hastily doctored evidence to the international community” regarding who was responsible for shooting down MH17. Yet it is the Russian evidence presented to the international community that appears to have been surgically enhanced.

UN Security Council Resolution 2166 calls on states to “provide any requested assistance to civil and criminal investigations.” Russia provided at least one of these slides, in some form, to the Dutch Safety Board as part of its investigation into the crash. We believe Russia should provide the original, underlying images in an unaltered form to the Joint Investigative Team to allow independent experts to verify their claims. Anything short of the original and unaltered images, given the manipulations evident in the slides released online, will naturally give rise to concerns Russia deliberately fabricated evidence to evade legal responsibility for the killing of 298 persons.

Analysis of the “Cloud” and “Two Buks” Slides

What follows is a summary of the most important indications that the underlying images in presented in Kartapolov’s 21 July briefing have been significantly altered. The section after this contains a more detailed filter-by-filter analysis that may be of use to Tungstène users who wish to replicate the results.

The “Cloud” Slide



One image hosted on the Russian Foreign Ministry website purports to show that a surface-to-air missile system at a Ukrainian military base is “absent” on 17 July, the day the aircraft was shot-down. Others have suggested that the image was actually taken between 1 June 2014 and 18 June 2014 – and that clouds may have been digitally added to the image to obscure terrain features that would correctly identify the date of the image.

Bellingcat conducted a simple error level analysis (ELA) exercise using an online tool, Foto Forensics. Others have criticized Bellingcat, suggesting that a proper analysis should use more sophisticated software available to police and intelligence agencies. The James Martin Center for Nonproliferation Studies at the Middlebury Institute of International Studies at Monterey has a license for one example of such software, called Tungstène, and conducted an analysis using a suite of filters in the program.

The image is a slide from a presentation, so it has naturally been altered to some degree. The alterations, such as labels and callouts, are clearly visible in the filters. But the filters also show extreme alterations to the underlying image, particularly with regard to the cloud on the left-hand site of the image. This includes the possibility that the cloud was added in its entirety.

The same three regions in the ELA analysis conducted by Bellingcat are evident across multiple filters in Tungstène that show differences in quantization, compression, and noise. In an unaltered image, the central region of the image is unlikely to appear starkly different from the clouds. The cloud on the left side of the image is almost certainly digitally altered or added; the cloud on the right is more than likely altered. Below are three filters that show differences quantization, compression and noise.

☟Filter Showing Differences in Quantization (Q3)

☟Filter Showing Differences in Compression (Cobalt)

☟ Filter Showing Differences in Noise (Chrome)

Even with the low quality of the image, we can assess this image to have been so heavily manipulated that it lacks any credibility as evidence. These modifications involve the alteration or addition of one, and possibly both, clouds. Russia should provide the original, unaltered image to the Joint Investigation Team for examination.

The “Two Buks” Slide



A second image, hosted on the Russian Defense Ministry website, is purportedly a satellite image of a pair of Ukrainian Buk surface-to-air missile launchers in position (49 59 00, 38 27 05) to shoot-down MH17 on 17 June 2014 at 11:32 am. This image, in some form, was provided to the Dutch Safety Board as part of its investigation into the crash and it is central to the case that Ukraine, not Russia and its proxies, bears responsibility for the deaths of those aboard the airliner.

Again, we know the labels have been added and, according to the Russian Ministry of Defense, the field has also been blurred to hide the resolution of the satellite.

But the image shows other signs of manipulation that call into question its integrity. These manipulations include signs that the two Buk launchers do not match the underlying image, suggesting that they have been enhanced or added digitally from another image. Two filters show obvious signs of tampering – artifacts left by software such as Photoshop.

The Chrome filter highlights differences in photographic noise that are not visible to the naked eye. As we can see in this image of the filter, all the boxes, labels and callouts that were added to the image in processing appear dark red.

What is notable about this filter, which so clearly shows artifacts added to the original image, is that the surface-to-air missiles launchers and another vehicle that Russia asserts were present on 17 July appear much more like the labels and other digital artifacts than they do the rest of the underlying image. This filter strongly suggests that the vehicles were altered in some form, possibly having been added just as the labels and boxes were. It is extremely suspicious to see signs of alterations to the most important element of the image, ie the two launchers. Here is a close up of the areas showing the vehicles.

Furthermore, an interesting inconsistency appears between the underlying image and the larger “blowup” boxes that purport to show enlarged images of the areas marked “A” and “B” in the Russian slide. In these blow-up boxes, the Buk surface-to-air missile launchers do not appear to have been altered. This is quite surprising. Why?

We ran second filter on the blow up boxes, called Clone that matches similar pixels. This filter found unusual similarities in the field around the Buk surface-to-air missile launcher – but not the launchers themselves. There are a number of explanations for how digital alterations might produce such a pattern, including copying and pasting the areas. However, one should keep in mind that this is an analysis performed on a small portion of a very low resolution image.

There are a range of explanations for why the Buk surface-to-air missile launchers might have been altered. It is possible that they were digitally manipulated in order to look better. It is also possible that someone took a real image of two Buk surface-to-air missile launchers from some other image and pasted it into the satellite image dated 17 July 2014, presumably for the purpose of incriminating Ukraine in the shootdown of MH17. In this case, the persons may have used a real image of a pair of Buk surface-to-air missile launchers in the “blowup” box, but altered the nearby field to better match the satellite image.

Even with the low quality of the image, we can assess this image to have been so heavily manipulated that it lacks any credibility as evidence. These modifications involve the alteration or addition of the two alleged Buk surface-to-air missile launchers that Russia asserts were present on the day of the shoot-down. It is more difficult to determine precisely what was done to the image because the Russian Defense Ministry has provided only a low-resolution copy of the slide from the presentation. Russia should provide the original, unaltered image to the Joint Investigation Team for examination.

Detailed description

This section contains a detailed filter-by-filter analysis that will be useful to other users of Tungstène who may wish to replicate the results.

The “Cloud” Image

sQ: The sQ filter indicates whether someone has attempted to save the image at a higher quality than the underlying image. It shows gray, rather than red or green, indicating that it is not working. This is a characteristic of the other lower resolution images at Ministry of Foreign Affairs website that we examined.

X (Exif data): This file, like all the other images on the Russian Foreign Ministry website, has less metadata than the image that appeared on the Defense Ministry Website. The Exif data shows RGB values, although the image is gray-scale.

Q2: This filter is a histogram showing the quantization effect on frequencies within the image. The filter also shows the results of a Fourier transformation on the frequency distribution. The histograms show a heavy loss of data during from multiple attempts to save the file. The information loss appears greater than that in the larger MOD image, suggesting that it is closer to the original.

Q3: This filter is visualization of the Q2 histogram. This filter shows three distinct regions of frequency distribution, as well as the labels added to the image. The solid color of the cloud region on the left suggests it is a digital artifact. The cloud on the right side is also distinct from the remainder of the image, although this alone would not be enough to conclude the cloud has been altered.

Cobalt: This filter shows differences in compression through information loss (or quantization), similar to error level analysis. There are significant differences between the Tungstène filter compared to the online ELA tools. This filter strongly suggests that the cloud on the left was altered or added digitally.

Chrome: This filter maps the photographic noise in the image. It demonstrates that there are significant differences among the regions of the image. Again, the cloud on the left appears deeply unlike the remainder of the image. The cloud on the right is also quite distinct.

Clone: This filter looks for pixels that are identical to one another (clones). The cloud on the right shows many identical pixels, suggesting they were digitally altered. The striping, too, appears to suggest human alteration. While normally Clone is used to look for cutting and pasting, in this case it may simply be that the pixels created digitally are so white and other alike that they show strong matches. In any event, we would not expect a result like this in an unaltered image.

The “Two Buks” Image

sQ: The sQ filter indicates whether someone has attempted to save the image at a higher quality than the underlying image. sQ is green, indicating that there is no forced quality.

X (Exif data): Much of the metadata has been removed. The photo-processing software that has been used to add the labels and blur the image is unknown, although it shows some similarities to the GNU Image Manipulation Program (GIMP) software. The Exif data shows RGB values, although the image is gray-scale.

Q2: This filter is a histogram showing the quantization effect on frequencies within the image. The filter also shows the results of a Fourier transformation on the frequency distribution. The histograms show a heavy loss of data during compression. Although this could be partly explained by addition of labels and blurring, given the stakes we would have expected Russia to make available higher quality images for examination. The decision to provide only heavily altered images naturally raises questions about the integrity of the underlying images.

Q3: This filter is visualization of the Q2 histogram. As expected, the labels and the callouts differ in quantization from the rest of the image as they have been added to the image.

Cobalt: This filter shows differences in compression through information loss (or quantization), similar to error level analysis. As expected, the results are similar to Q3 identifying those artifacts added in processing, ie the labels, callouts and blowups.

Mosaic: This filter measures the strength of the relationship between adjacent pixels. The vehicles in the underlying satellite image stand out more than, for example, they do in the blowup boxes. This suggests that something is amiss in the image.

Chrome: This filter maps the noise patterns of the image. In this filter, the labels, callouts and blowups in the image are apparent. The vehicles, including the surface-to-air missile launchers in the box marked “A”, look more like the other objects added in processing. The images of the Buk in the “blowup” box, however, appear to be unaltered.

Clone: This filter looks for pixels that are identical to one another (clones). Running clone on the image of the two Buk surface-to-air missile launchers reveals unusual similarities in the ground around them. It is possible that this is an authentic image of two Buk surface-to-air missile launchers side-by-side, but that the field around them has been copy-and-pasted. The image is so low resolution, however, that it is difficult to make any firm conclusions based on this filter alone. However, it provides interesting insight into other manipulations and alterations that are obvious in other filters.

Focus: This filter detects the sharpest aspects of an image. For ground image, it can reveal where a photographer focused his or her lens, or areas that are unusually sharp compared to the rest of the image. In the case of a satellite image, the filter reveals areas of higher frequencies. It is unusual to see that the vehicles in the underlying image are sharper than the rest of the image.