After running a leak investigation, you'll be presented with a leak report. The leak report gives a high level match result (see match result types below) as well as detailing the results of each detector that was run against the leaked artifact.
Although documents can use multiple marking methods and there is a corresponding detector for each marking method, not every leaked artifact can be used to detect every mark type. E.G. if you submitted an image, we can run the invisible watermark detector, but if you submitted a PDF, EchoMark can run both the invisible watermark detector and the Digital Stamp detectors.
You can read summaries below and see a complete breakdown of the leak report below.
Match Result Types
Exact matches are found if the leaked artifact is a marked file with the Digital Stamp intact. In the case of an exact match, EchoMark is 100% confident that the leaked file matches a particular marked copy because it means that the detector was able to find our unguessable forensic key.
High confidence match
High confidence matches occur when an artifact is uploaded for the leak investigation and our detection system finds that it matches a marked copy with a very high level of precision and accuracy.
Sometimes our computer vision detection system is not confident in determining a clear match. This might be due to a number of factors (some of which can be addressed using a second modified leak investigation) which are detailed in our troubleshooting guide. Also, we are excessively careful about showing results with low confidence, but we can sometimes share more detail on tricky investigations - please contact us if you get consistent inconclusive results.
A "No match" can result if the source document or message was selected, if the leaked artifact is too small or distorted, or if the marked copy that was shared was not sufficiently watermarked. See our troubleshooting guide for more information on how to get a match, and reach out to our support team if you're unsuccessful - we are excessively careful about showing results with low confidence, but we can sometimes share more detail on tricky investigations.
If you receive an error in your leak outcome, please contact our support team.
Chance of error
Each detector result comes with an associated chance of error. The chance of error measures EchoMark’s confidence in the accuracy of the results. It uses a combination of statistical analysis and extensive offline simulation to ensure trust in the results.
The chance of error is a measure of statistical significance called a p-value, which is a statistical tool to evaluate whether differences between noisy measurements are attributable to random chance. EchoMark measures the spatial correlation of marks in a leaked artifact against the marks we know we introduced into the email. We use a statistical test called the chi-squared test to determine whether the difference in correlation between the top-ranked and second-ranked copies is statistically significant. In layperson terms, the confidence score is a defense against distortions in the artifact, i.e., whether the marks that we were unable to detect could change the results of the investigation.
The meaning of a result
It is important to note that while an investigation result can be used to determine that the likely source of the leaked content was from the copy originally sent to the recipient indicated in the results, EchoMark cannot determine the ultimate path it took to getting leaked. It's possible that the leak was not the fault of that email account holder. Some non-exhaustive possible explanations include (in non-ranked order):
- The email account owner leaked the content directly
- Someone else who had permissible or compromised access to the account owner's computer(s) or account leaked the content.
- A copy of the marked content was shared with someone else (outside of the email system) who ultimately leaked the content.
A proper investigation should be run including the gathering of additional forensics information to help validate or rule out various possible explanations for your result.
The Leak report is broken down into three parts: A) a result summary at the top, B) a detector or list of detectors that were used to arrive at the result, and C) metadata on the files that were used in the investigation. Read on for a breakdown of each of those sections below.
1. Result summary
The outcome of the leak analysis is summarized here at a glance.
2. Digital stamp detector results
The digital stamp is an unguessable key embedded within the metadata of the marked file. If the marked file leaks and the file has not been tampered with, this detector should be able to find a match with very high confidence. Investigations run screenshots or photos will not leverage a digital stamp detector.
3. Invisible watermark or textual watermark detector results
Our technology finds the formatting marks that EchoMark embedded in the content using either text detection or computer vision for images. The invisible watermark detector compares the marks it finds to the marks in each marked version of the content to find the best match.
The matching marks are shown in a bar graph to the right of the chance of error and possibility of impersonation.
An N/A score indicates that the EchoMark system was not able to sufficiently align marks in the recipient's copy to accurately score it.
Depending on the image quality, EchoMark's computer vision may not be able to detect all embedded marks - if there are too few found, EchoMark returns a "no match" or "inconclusive." Our team can still often help you refine the investigation in these cases.
4. Phrasing detector results
If AI rephrasing was used in your marked copy, EchoMark will analyze the phrases to determine which marked copy contains the specific combination of phrasings contained in the leak. If few phrases are marked, it's possible that this detector will return multiple, high-confidence results that all contain the phrases used in the leak. In these cases, the invisible watermark detector can help further identify the leak source if the leak also contains the invisible marks.
5. Leaked file
Information about the leaked file used for the investigation is displayed here, include the capture device and capture date.
6. Original file
This indicates the user-selected original file or email that was compared against for the leak investigation.
Note: In the case of an email sent from the EchoMark web app, you may notice that the number of marked copies is one greater than the number of emails that were sent. This happens because the "sample" message that the app generated at the "review and send" phase counts as a marked copy for the purposes of a leak investigation.