Skip to content

Instantly share code, notes, and snippets.

@githubfoam

githubfoam/RGB Analysis in Forensics

Last active October 24, 2025 12:25
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save githubfoam/692de305d9901188b4e280f18aefc2a0 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save githubfoam/692de305d9901188b4e280f18aefc2a0 to your computer and use it in GitHub Desktop.
Download ZIP
RGB Analysis in Forensics
Raw
RGB Analysis in Forensics
--------------------------------------------------------------------------------------------------------
1. What RGB Analysis Means in Forensics
RGB (Red, Green, Blue) analysis in forensics typically refers to:
Examining pixel-level color data in an image to detect inconsistencies (e.g., signs of image editing, splicing, or lighting anomalies).
Quantifying color intensity for forensic photography, e.g., analyzing bruises, stains, or fire patterns.
Validating image integrity by comparing histograms and metadata.
On the iPhone 15 Pro, you can perform preliminary RGB analysis directly or by exporting the data to forensic tools on a computer.
Using RAW Capture (Best for Forensics)
The iPhone 15 Pro supports Apple ProRAW (12-bit DNG).
Steps:
Go to Settings → Camera → Formats → Enable Apple ProRAW (48 MP).
Capture the image in RAW.
Export the .DNG file to a forensic workstation or Mac.
Then you can perform high-precision RGB histogram and pixel-level analysis using tools such as:
ExifTool (CLI, open-source)
Adobe Photoshop or Lightroom (Histogram view)
ImageJ (free scientific image analysis software)
Amped Authenticate or Forensically Beta (for forensic tamper analysis)
Workflow Example for Forensic RGB Analysis
Scenario: You are analyzing a bruise photo for color intensity over time.
| Step | Action | Tool |
| ---- | --------------------------------------------------------------------------- | -------------------------------- |
| 1 | Capture image using iPhone 15 Pro in **RAW mode** under controlled lighting | Camera app |
| 2 | Transfer `.DNG` via **AirDrop or Lightning cable** (no compression) | Finder or iTunes |
| 3 | Open in **ImageJ** on macOS or Windows | ImageJ |
| 4 | Use `Analyze → Color Histogram` | ImageJ |
| 5 | Export RGB histogram data | CSV / Excel |
| 6 | Compare RGB ratios across time or areas of interest | Statistical or forensic software |
Optional Advanced Method
Visit https://29a.ch/photo-forensics/
Upload the image (preferably RAW or high-quality JPEG).
Use:
Error Level Analysis (ELA)
Clone Detection
Noise / RGB Channel Analysis
Forensic Best Practices
Always preserve the original file hash (SHA256).
Use lossless export (no compression, no filters).
Record lighting conditions, device settings, and timestamp.
Document each processing step in a forensic log.
Example RGB Output (from ImageJ)
| Pixel | R | G | B |
| --------- | --- | -- | -- |
| (120, 85) | 112 | 90 | 85 |
| (121, 85) | 115 | 93 | 89 |
| (122, 85) | 118 | 96 | 91 |
This data can then be used for:
Comparing color tone consistency.
Detecting possible manipulation.
Quantifying physical evidence changes (e.g., bruise fading, heat exposure marks).
--------------------------------------------------------------------------------------------------------
checking the size of an image captured in RAW (Apple ProRAW) on an iPhone 15 Pro is an essential forensic and technical step, since it helps confirm that:
The file hasn’t been altered or recompressed,
The image is truly in RAW (DNG) format,
And you’re preserving evidence integrity for later analysis.
Make Sure You Captured in RAW (Apple ProRAW)
Before checking the size, confirm that the image is indeed RAW:
Steps:
Open the Camera app.
In the top control bar, tap “RAW” so it’s highlighted (white text on black background).
Take the photo.
Open Photos → your image → tap the “i” (Info) icon → look for “RAW” or “ProRAW” near the resolution (e.g., “48 MP • ProRAW”).
If it says JPEG or HEIF, it’s not RAW.
2. Check File Size in the Photos App (Basic Method)
Open Photos → find the image.
Tap the “i” (Info) button at the bottom.
Scroll — depending on iOS version, it may show file type and size (e.g., “Apple ProRAW • 48 MP • 82 MB”).
3. Use the Files App (Reliable Method)
In Photos, select the RAW image → tap Share → Save to Files.
Choose a folder in Files (e.g., On My iPhone → ForensicImages).
Open the Files app → navigate to that folder.
Long-press the image file (e.g., IMG_1234.DNG) → tap Info (i).
You’ll see details including:
File Size: e.g., 81.6 MB
File Type: DNG
Created/Modified Date (useful for forensic chain of custody)
Typical Apple ProRAW images on iPhone 15 Pro (48 MP) are between 70 MB–100 MB each, depending on lighting and detail.
Forensic Recommendation
For digital forensics:
Record file size as part of evidence metadata.
Calculate a hash (SHA-256) after capture:
Export .DNG → open in Files → Share → “Save to Files”.
Use a hash app like iVerify or calculate on Mac (shasum -a 256 IMG_1234.DNG).
Log both file size and hash in your forensic chain-of-custody form.
Example Forensic Record Entry
| Attribute | Example Value |
| ------------- | -------------------------------------- |
| File Name | IMG_1457.DNG |
| Device | iPhone 15 Pro |
| Resolution | 8064 × 6048 |
| File Type | Apple ProRAW (DNG) |
| File Size | 84.1 MB |
| Hash (SHA256) | `9e72f3c6d4e5a3d8b4c1f8...` |
| Capture Date | 2025-10-22 13:04:11 +03:00 |
| Location | Enabled |
| Notes | Scene photographed under natural light |
--------------------------------------------------------------------------------------------------------
step-by-step on how to get a RAW (ProRAW / DNG) image from your iPhone 15 Pro and perform RGB analysis with ImageJ on Windows 11
Capture an Apple ProRAW image on iPhone 15 Pro.
Transfer it without compression to your Windows 11 laptop.
Open it in ImageJ.
Perform RGB histogram / pixel analysis.
Optionally, export quantitative color data for forensic documentation.
STEP 1 – Capture the RAW Image on iPhone 15 Pro
Open Camera → top control bar → ensure “RAW” is ON (white text).
Take the photo.
Confirm: open the image in Photos → tap “i” → should say “ProRAW (48 MP)”.
You’ll get a .DNG file (Digital Negative).
STEP 2 – Transfer the RAW Image to Windows 11
You must avoid compression (AirDrop to Windows substitutes HEIC or JPEG). Use one of these lossless methods:
Option A: iCloud Drive (recommended)
On iPhone: Settings → Photos → iCloud Photos → ON
On Windows: install iCloud for Windows from Microsoft Store.
Open File Explorer → iCloud Photos → Downloads folder.
Find your .DNG file (large ~80MB).
Option B: USB Cable (manual)
Connect iPhone → Unlock → “Trust this computer”.
Open File Explorer → “Apple iPhone” → Internal Storage → DCIM.
Locate your .DNG image (may be in 100APPLE or 101APPLE).
Copy it to a forensic workspace on your laptop (e.g., D:\Forensics\Evidence\RAW_Images\).
There are two main “flavors” of ImageJ:
| Version | Description |
| -------------------------------- | -------------------------------------------------------------------------------------------------------- |
| **ImageJ (NIH)** | Minimal core package — no extra importers or scientific plugins. |
| **Fiji (“Fiji Is Just ImageJ”)** | Pre-configured distribution that includes **Bio-Formats**, color tools, and forensic/scientific plugins. |
Option 1 – Install Fiji (Recommended and Easiest)
This is the standard workflow used in digital forensics and scientific imaging.
🔹 Steps
Go to the official Fiji site:
https://fiji.sc/
Click “Download” → “Windows (64-bit)”.
You’ll get a file named something like:
Fiji-win64.zip
Extract the ZIP (right-click → Extract All…) to:
C:\Program Files\Fiji\
Open Fiji.app → double-click ImageJ-win64.exe.
After launch, verify plugin is installed:
Menu → Plugins → Bio-Formats → Bio-Formats Importer
Now you can open your Apple ProRAW .DNG using:
Plugins → Bio-Formats → Bio-Formats Importer → Select your file
Quick Verification
Image → Show Info
You should see details such as:
Dimensions: 8064 x 6048 pixels
Pixel type: 16-bit RGB
File: IMG_1234.DNG
Then you can proceed with:
Image → Color → Split Channels
Analyze → Histogram
Analyze → Measure
--------------------------------------------------------------------------------------------------------
the RGB forensic analysis in Fiji (ImageJ) step by step
Open a RAW image (.DNG) correctly.
Understand what you’re seeing.
Extract RGB color values and histograms.
Save those results for your forensic report.
STEP 1 — Open the Image
In Fiji’s top menu bar, click:
Plugins → Bio-Formats → Bio-Formats Importer
Browse to your file, for example:
D:\Forensics\Evidence\RAW_Images\IMG_1234.DNG
Select it and click Open.
You’ll see a dialog titled Bio-Formats Import Options:
Autoscale → tick this (it adjusts brightness for easier viewing)
Split Channels → tick this (creates separate Red, Green, Blue images)
Then click OK
Fiji will open three grayscale images:
IMG_1234_Red
IMG_1234_Green
IMG_1234_Blue
Fiji’s title bar messages:
IMG_2208.DNG - C=0 (12.5%) c:1/3 - IMG_2208"; 8064x6048 pixels; 8-bit; 47MB
IMG_2208.DNG - C=1 (12.5%) c:2/3 - IMG_2208"; 8064x6048 pixels; 8-bit; 47MB
IMG_2208.DNG - C=2 (12.5%) c:3/3 - IMG_2208"; 8064x6048 pixels; 8-bit; 47MB
| Label | Meaning |
| ------------------------- | --------------------------------------------------------- |
| **C=0**, **C=1**, **C=2** | Channel number (0 = Red, 1 = Green, 2 = Blue) |
| **(12.5%)** | Current zoom level (you’re viewing at 12.5% of full size) |
| **8064x6048 pixels** | Image resolution (iPhone 15 Pro’s full 48MP ProRAW size) |
| **8-bit** | Bit depth per channel (values from 0–255 for each pixel) |
| **47MB** | Memory size for that channel in Fiji |
So, you now have three separate grayscale images, each corresponding to one color channel.
They’re not labeled “Red”, “Green”, “Blue” explicitly — but we can match them:
C=0 → Red
C=1 → Green
C=2 → Blue
Rename them for clarity:
Image → Rename
IMG_2208_Red
IMG_2208_Green
IMG_2208_Blue
STEP 2 — Understand What You’re Looking At
Each grayscale image corresponds to one of the RGB channels:
Red channel → how much red light each pixel recorded.
Green channel → mid-tone intensity (usually dominant).
Blue channel → how much blue light each pixel recorded.
Bright areas mean stronger intensity in that channel.
Dark areas mean weaker intensity.
Example: if an area looks bright in the red channel but dark in blue, the object there is reddish.
STEP 3 — Measure RGB Values at a Pixel or Area
Now you’ll extract actual color numbers.
A. Individual Pixel
Activate the Color Picker Tool (the eyedropper icon on the toolbar).
Click any point in one of the channel images (e.g., Red).
At the bottom of the Fiji window, you’ll see:
X=245 Y=320 value=125
That means at pixel (245, 320), red intensity = 125 (0–255 range for 8-bit images, or up to 65535 for 16-bit).
Repeat this on the Green and Blue channel windows — now you have full RGB data for one pixel:
R=125, G=103, B=97
B. Region of Interest (ROI)
If you want the average RGB value over an area (for example, a bruise region or color patch):
Click the Rectangle Tool on the toolbar.
Drag over the area of interest.
Go to:
Analyze → Measure
or press Ctrl+M.
A “Results” window opens showing:
Mean Min Max StdDev
That “Mean” value = average intensity of that channel in your selected area.
Do this for each color channel image and record:
Region A: R=122.3, G=104.7, B=96.5
Tip: Use consistent ROI sizes and positions for comparison between images.
You can measure average intensity in a specific area (forensic region of interest).
Select the Rectangle tool from the toolbar.
Drag over an area you want to analyze (e.g., a suspect mark, surface, or color reference).
Go to Analyze → Measure.
Record the “Mean” value for that channel.
Do this for all three channel windows and combine results:
| ROI | R Mean | G Mean | B Mean |
| ----- | ------ | ------ | ------ |
| ROI_1 | 142.3 | 127.8 | 115.6 |
That gives you a quantitative RGB profile for that region.
STEP 4 — Generate RGB Histograms
Histograms show how color intensities are distributed across the image.
For each channel window:
Go to:
Analyze → Histogram
Choose “Analyze → Histogram” for each channel.
You’ll get three histograms — each showing pixel intensity distribution (0–255).
This tells you how bright or dark that color is across the image.
You’ll see a graph where the x-axis = color intensity (0–255), and y-axis = number of pixels.
You can save this data:
Click List → shows pixel count per intensity.
Click Copy → paste into Excel or CSV for your report.
Histograms are useful for detecting anomalies — e.g., a manipulated image may show irregular distribution spikes.
Note:
Left side = dark pixels (low intensity)
Right side = bright pixels (high intensity)
STEP 5 — Combine Channel Information
Once you’ve analyzed each channel:
The Red channel highlights warm tones.
The Green channel highlights midtones and balance.
The Blue channel highlights shadows and cooler areas.
In forensic RGB analysis:
Compare histograms or average values across regions.
Look for sudden changes between neighboring areas (could indicate digital manipulation or material differences).
You can also visually compare by merging channels:
Image → Color → Merge Channels
In the dialog:
Red: IMG_2208_Red
Green: IMG_2208_Green
Blue: IMG_2208_Blue
Click OK
Select the three R, G, and B grayscale windows → click OK.
You’ll now see a full-color composite, which visually confirms what you’ve measured numerically.
You’ll see the full-color reconstruction.
STEP 6 — Save Your Results
Save your annotated or processed images:
File → Save As → Tiff...
(TIFF preserves pixel data without compression.)
Save numeric results:
“Results” window → File → Save As → CSV
“Histogram” → Copy → paste to Excel
Note metadata in your forensic log:
Original file: IMG_2208.DNG
Device: iPhone 15 Pro
Channels analyzed: R, G, B
ROI coordinates: (x1,y1)-(x2,y2)
Mean RGB: 142.3 / 127.8 / 115.6
Software: Fiji 2.15.0 (ImageJ 1.54)
Record metadata in your forensic log:
| Field | Example |
| ----------------- | ------------------------ |
| Image name | IMG_1234.DNG |
| Tool | Fiji/ImageJ 2.15.0 |
| Channels analyzed | R, G, B |
| ROI coordinates | (200, 300) to (350, 450) |
| Mean RGB | 122.3 / 104.7 / 96.5 |
| File Hash | SHA256: `e91a23...` |
STEP 7 — Interpret the Data (Basic Forensic Insight)
| Pattern | Interpretation |
| -------------------------------------- | ----------------------------------------------------------------------------- |
| One channel’s histogram shifted right | Image dominated by that color (e.g., red tones in blood, rust, or heat marks) |
| One region shows different RGB ratio | Possible foreign object, lighting difference, or manipulation |
| All channels have uniform distribution | Even lighting, likely unaltered capture |
Forensic Interpretation
| Observation | Possible Meaning |
| ------------------------- | ----------------------------------------------- |
| Red mean >> Blue mean | Warm/red object or illumination |
| Blue mean >> Red mean | Cool object, possible reflective surface |
| Uneven channel histograms | Manipulation, filter use, or lighting variation |
In Practice (Example Scenario)
Case: An investigator photographs a suspect’s hand to analyze bruising.
ROI 1 (bruised area): R=85, G=60, B=90
ROI 2 (healthy skin): R=140, G=115, B=105
Interpretation: The bruise area shows lower red and green intensity, higher blue, indicating deeper subdermal discoloration.
This kind of RGB quantification can be used in forensic medicine, digital evidence validation, or image authenticity checks.
| Task | Fiji Menu Path |
| --------------- | ------------------------------ |
| Open RAW | Plugins → Bio-Formats → Import |
| Split Channels | Image → Color → Split Channels |
| Rename Channels | Image → Rename |
| Measure ROI | Analyze → Measure |
| View Histogram | Analyze → Histogram |
| Merge for RGB | Image → Color → Merge Channels |
| Save Evidence | File → Save As → TIFF/CSV |
--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment