Error Level Analysis Explained: Spotting Forged Document Images
Error level analysis (ELA) detects pixel-level manipulation in JPEG images. Learn how forensic teams use ELA to uncover forged payslips, IDs, and bank statements.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokError level analysis (ELA) identifies regions of a JPEG image that have been digitally altered by measuring compression inconsistencies at the pixel level. When a fraudster edits a payslip, bank statement, or identity document and saves the result as a JPEG, the modified areas retain a different compression signature from the surrounding original content โ and ELA makes that difference visible within seconds.
According to the ACFE 2024 Report to the Nations, only 37% of document frauds are caught through manual controls. Forensic image analysis, including ELA, fills the gap that visual inspection cannot close.
What Error Level Analysis Is
ELA is a forensic technique that reveals manipulation in JPEG images by exploiting JPEG's lossy compression algorithm. When a JPEG file is saved at a specific quality level, the encoder applies discrete cosine transforms (DCT) to 8ร8-pixel blocks across the entire image and discards detail below a set threshold. After this process, every block in the image reaches roughly the same residual error level โ the "floor" of compression artifacts at that quality setting.
When someone edits a JPEG โ replacing a salary figure, swapping a face photograph, or altering a date โ the edited region is introduced from a different source or generated at a different compression cycle. Re-saving the composite image creates a mismatch: the original unmodified pixels are compressed a second time and lose more detail, while the inserted region is often compressed for the first time and retains more detail, or vice versa.
ELA surfaces this mismatch visually. The standard procedure, formalized by security researcher Neal Krawetz at Black Hat USA 2007, is:
- Re-save the image at a known quality level (typically 95%).
- Compute the per-pixel absolute difference between the re-saved version and the original.
- Scale the differences for visibility and display the result as a heat map โ brighter areas indicate higher error levels and potential manipulation.
How ELA Detects Manipulation in Documents
A genuine, unaltered document photograph or scan shows relatively uniform brightness across the ELA map, aside from predictable edge effects at high-contrast boundaries such as printed text on white paper. Those edges are structurally expected and carry high error levels in any unmodified JPEG.
A forged document shows two characteristic patterns:
Unexpectedly bright patches in flat regions. Text, numbers, or graphics that have been inserted from an external source retain their original compression characteristics. Surrounding the insertion, the boundary between new and old content often glows brightly in the ELA map, even when the visual difference to the naked eye is imperceptible.
Anomalously dark patches where content has been erased. When a fraudster overwrites original content โ for example, painting over a salary figure and inserting a new one โ the overwritten area may show unusually low error levels compared to adjacent original text, because it has been flattened by additional compression cycles.
Both signatures are detectable even after a skilled edit using professional software, because the underlying compression mathematics cannot be masked simply by matching fonts or adjusting color values.
Document Types Where ELA Is Most Effective
ELA is most reliable on documents where the original is a JPEG scan or photograph. The technique is less useful for native PDFs or PNG files, which use lossless or different compression schemes.
| Document type | Typical manipulation | ELA signal |
|---|---|---|
| Payslips (scanned JPEG) | Salary, net pay, or period altered | Bright halo around edited numerals |
| Bank statements (photograph) | Balance or transaction amount changed | Inconsistent error floor in number columns |
| Identity cards (photograph) | Name, date of birth, or photo substituted | Boundary artifacts around inserted elements |
| Invoices (scanned JPEG) | Total amount or VAT number replaced | Flat patch where original data was erased |
| Tenancy agreements (scanned) | Signatory name altered | Visible re-compression edge around text block |
Payslip fraud is one of the most common applications. Lenders and landlords routinely receive scanned payslips with inflated salary figures; ELA, combined with PDF metadata analysis, provides a two-layer check that catches most crude alterations.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotRunning an ELA Check: Tools and Process
The most widely used public tool is FotoForensics, which implements Krawetz's original algorithm. Forensic platforms and commercial document verification systems typically integrate ELA as part of a broader image forensics pipeline.
A practical workflow for compliance teams:
- Extract the image from the document. Convert scanned PDFs to per-page JPEG exports at the original resolution. Do not re-compress during extraction.
- Run ELA at a fixed quality setting. Quality 75 is a standard reference point; quality 95 emphasizes subtle alterations.
- Inspect flat regions and text areas. Flag any area where the error level distribution breaks from the surrounding baseline.
- Cross-reference with metadata. Creation date, software producer, and XMP revision history should be consistent with the declared document origin.
- Compare against a reference sample. When possible, request a second document of the same type from the same issuer to compare baseline compression signatures.
No single tool produces a definitive forgery verdict. ELA results are indicators for further investigation, not standalone proof.
Limitations of Error Level Analysis
Understanding where ELA fails is as important as knowing where it succeeds. As of 2026, the following scenarios reduce ELA reliability:
Multiple compression cycles. A document that has been printed and rescanned, or passed through several JPEG encoding stages, will have a flattened and homogeneous error map that hides prior edits. Professional forgers exploit this by re-exporting images several times before submission.
High-quality editing software. Tools that natively handle JPEG encoding โ including Adobe Photoshop's "Save for Web" in maximum-quality mode โ can reduce the mismatch between edited and original regions, particularly at quality settings above 90.
Lossless formats. ELA does not apply to PNG, TIFF, or PDF files generated directly from a word processor. For these, metadata analysis and structural inspection are primary detection methods.
Native ELA artifacts at edges. High-contrast boundaries between text and background always show elevated error levels. Interpreting these as forgery indicators without looking at the surrounding context produces false positives.
AI-generated document images. Documents produced by generative models are not assembled from a JPEG source and therefore show no detectable ELA mismatch. They require a different detection layer focused on generation artifacts and model signatures. CheckFile's AI generation detection addresses this class of forgery separately.
According to the ENISA Threat Landscape 2024, the sophistication of document forgery tools available to non-technical actors is increasing. This means ELA should be treated as one layer in a defense-in-depth approach rather than a sole gatekeeper.
Combining ELA with Other Forensic Techniques
A multi-layer analytical approach combining ELA, metadata inspection, and cross-document consistency checks represents the most reliable methodology for identifying manipulated document images. No single technique catches every attack vector.
Metadata forensics examines the digital fingerprint embedded in the file: creation date, PDF producer software, XMP revision history, and EXIF data for photographs. A payslip whose EXIF timestamp shows modification three hours after the stated pay date is a straightforward red flag.
File structure analysis inspects the internal byte structure of PDFs and images for anomalies: duplicate object streams, orphaned data blocks, or mismatched cross-reference tables that indicate content injection.
Cross-document consistency validates that two documents from the same entity (for example, multiple payslips from the same employer) share the same fonts, layout metrics, and embedded object structure. Inconsistencies surface when one document in a set has been produced from a different template.
AI-generation signal detection identifies patterns unique to synthetic documents created by large language models or image generators. This is covered in more detail in our review of document forensics tools and AI comparison.
Together, these techniques provide overlapping coverage: when a forger defeats one check โ for example, by using a lossless intermediary to flatten ELA signals โ the other layers typically surface different anomalies.
Regulatory Context in the United Kingdom
As of June 2026, UK-regulated entities under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) are required to apply customer due diligence proportionate to the risk presented. The FCA's Financial Crime Guide (FCG) does not mandate specific technical methods for document verification, but it explicitly requires firms to have "robust systems and controls" to detect false or altered documents in both onboarding and ongoing monitoring contexts.
ELA, as part of a documented forensic workflow, satisfies the "appropriate and risk-sensitive" standard when applied systematically and when results are recorded in the customer risk file. Firms should ensure that ELA outputs are logged alongside the decision rationale to support audit trails.
For a broader overview of document verification practices, see our document verification guide.
Frequently Asked Questions
What does error level analysis actually show?
ELA shows where an image's compression pattern deviates from what would be expected if the image had never been altered. Brighter areas in the ELA output indicate regions that have undergone additional compression cycles or were introduced from a different source, both of which suggest post-capture editing.
Can ELA detect all types of document forgery?
No. ELA is effective on unaltered JPEG documents that have not been through multiple re-compression cycles. It does not detect alterations in lossless formats (PNG, native PDF) or in AI-generated documents, which have no original JPEG compression pattern to deviate from.
Is ELA admissible as evidence?
ELA results can support forensic reports prepared by qualified examiners, but ELA output alone is not a standalone proof of forgery in UK courts. It is used as a preliminary indicator that triggers more detailed investigation. Admissibility depends on the examiner's methodology, chain of custody, and how the analysis is documented.
What free tools can I use for ELA?
FotoForensics (fotoforensics.com) is the most widely used free online implementation of Neal Krawetz's algorithm. It accepts JPEG and PNG uploads and returns an annotated ELA map. For production-scale document verification, commercial platforms integrate ELA as part of a broader automated pipeline.
How does ELA differ from metadata analysis for document fraud detection?
ELA analyzes the pixel-level compression pattern of an image to detect where visual content may have been altered. Metadata analysis examines the non-visible embedded data (creation dates, software, revision history) to detect when a document was modified. They are complementary: ELA finds WHERE in the image an edit occurred; metadata analysis finds WHEN and HOW the file was changed.
For where this fits in the CheckFile offering, see our AI and deepfake detection approach.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.