Chapter 35 — Quiz

14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band are at the bottom. Commit to an answer before you look — and for every option that sounds like "the model proved it," ask whether a model can ever prove anything, or only rank it.


Multiple choice

Q1. A triage classifier scores an image 0.94. What does that number actually mean? - A) There is a 94% chance the image is what the label says - B) A score that correlates with truth on data resembling the training set — a place to look, not a fact, and one that can degrade silently on data unlike that set - C) The image is 94% similar to a known catalogued file - D) The model is 94% finished training

Q2. In an AI-assisted examination, the only place a finding is created is: - A) Stage 1 — data reduction (known-file filtering) - B) Stage 2 — enrichment (classify, OCR, transcribe, extract) - C) Stage 3 — the prioritized review queue - D) Stage 4 — human review

Q3. Which hash stays nearly the same after an image is resized and re-saved at a different JPEG quality? - A) SHA-256 - B) MD5 - C) A perceptual hash (dHash / pHash / PhotoDNA) - D) A fuzzy hash of the file's raw bytes (ssdeep)

Q4. PhotoDNA-style robust-hash matching against a known-material list will: - A) Classify any new, never-before-seen image as contraband or not - B) Identify previously catalogued (known) material by distance threshold, but say nothing about an unknown image - C) Decrypt the image so it can be read - D) Prove who created the image

Q5. The 2020 Deepfake Detection Challenge is most often cited to show that: - A) Deepfakes are trivially easy to detect - B) Detectors that score in the low-80s on familiar fakes fall to roughly 65% on unseen generators — they generalize poorly - C) Every modern detector is over 99% accurate - D) rPPG is the only method that works

Q6. A video in your case carries no C2PA Content Credential. The correct interpretation is: - A) The video is therefore fake - B) The video is therefore authentic - C) Absence is silent — platforms routinely strip credentials, so it neither indicts nor exonerates - D) The video was therefore never edited

Q7. The liar's dividend is best answered in court by: - A) A single commercial deepfake detector's score - B) The authentication discipline of FRE 901 — chain of custody, hashes, metadata, provenance, corroboration, and the convergence of the detection battery with stated limits - C) Refusing to admit any video evidence at all - D) An rPPG "heartbeat" test on its own

Q8. Periodic, grid-like peaks in an image's 2-D frequency spectrum — absent in real camera photographs — are a fingerprint of: - A) The embedded EXIF thumbnail - B) GAN/transposed-convolution upsampling during synthesis - C) GPS metadata in the file - D) The Bayer color filter of a real sensor

Q9. Remote photoplethysmography (rPPG), the principle behind Intel's FakeCatcher, looks for: - A) The blend seam around a swapped face - B) The subtle skin-color shifts of a real heartbeat perfusing the face - C) The encoder fingerprint in the video container - D) Eye-blink rate, and nothing else

Q10. In an auto-generated entity / link-analysis graph, an edge between two people means: - A) The two people colluded - B) They co-occurred in the same document or thread — a lead telling you where to read the real evidence, not proof of any relationship - C) They are secretly the same person - D) One of them sent money to the other

True / False

Q11. A valid C2PA Content Credential proves that the event depicted in the media actually happened. (True / False)

Q12. A perceptual-hash non-match proves that an unknown image is not illegal material. (True / False)

Short answer

Q13. Name two reasons a black-box deep-learning classifier strains the Daubert/FRE 702 reliability factors, and state the one professional posture that resolves the tension.

Q14. In two or three sentences, explain the difference between PhotoDNA-style robust-hash matching and a CNN content classifier, and why confusing the two is dangerous in an examination.

---

Answer key

Q1 — B. A model emits a calibrated-or-not score that correlates with truth on training-like data and degrades — sometimes catastrophically and silently — on out-of-distribution data. It is a reason to look, never a thing to conclude. (A is the seductive misreading; "0.94" is not a 94% probability of truth.)

Q2 — D. Stages 1–3 produce ranked suggestions and nothing else; the human-review gate is the only place a finding is born. An examination that lets a model's output flow straight into a report has skipped the only step that makes the work forensic.

Q3 — C. Perceptual (robust) hashes hash what an image looks like, surviving resizing, recompression, and format conversion. SHA-256/MD5 change completely with one bit; ssdeep tracks byte similarity, which recompression destroys.

Q4 — B. Robust hashing finds known catalogued material by distance threshold. A non-match says nothing about an unknown image, and novel/AI-generated material will not match a known-hash list at all. New material requires human determination under legal authority.

Q5 — B. Top DFDC models scored roughly low-80s on the public test set and about 65% on the held-out black-box set of unfamiliar fakes — the canonical evidence that detectors generalize poorly to new synthesis. (A coin flip is 50%.)

Q6 — C. Most platforms still strip Content Credentials on upload, exactly as they strip EXIF, so absence is silent. Only a valid credential (corroborates provenance) or a failed validation (indicates tampering after signing) carries weight — and even a valid one attests to history, not to the truth of what is depicted.

Q7 — B. Detection is losing an arms race; the durable answer is authentication under FRE 901 — provenance, chain of custody, hashes, metadata, corroborating artifacts, and convergence with stated limits. A recording pulled from a hashed extraction with consistent metadata is authenticated; bare "it could be a deepfake" is not evidence.

Q8 — B. Upsampling operations (transposed convolutions) inside GANs imprint periodic, grid-like peaks in the frequency domain that no camera optics produce — a fingerprint used to detect and even attribute synthesis. (Compare the JPEG double-compression comb of Ch. 20.)

Q9 — B. rPPG detects the minute skin-color changes of blood perfusing a real face with each heartbeat; synthetic faces typically lack a physically coherent pulse or show inconsistent rPPG across face regions. (Eye-blink rate was an earlier, separate tell that later models fixed.)

Q10 — B. An edge is co-occurrence — a lead that tells you where to read the actual messages. NER mislabels, co-occurrence is not collusion, and the absence of an edge is not proof of no relationship; the messages, corroborated, are the evidence.

Q11 — False. A credential attests to the file's history (capture device, edits, AI involvement), not to the reality of what it portrays. A valid credential can sit on a truthful provenance record of a staged or misleading scene. Never let "valid credential" become "therefore the depicted event is true."

Q12 — False. A non-match says nothing about an unknown image; robust hashing finds known material only, and novel or AI-generated material will not match a known-hash list at all. A non-match is not a clean bill of health.

Q13. Any two of: error rate is often unknown and far worse on out-of-distribution inputs than the published lab figure (the sharpest factor); explainability — many models are black boxes that cannot say why they scored an input, and post-hoc tools (SHAP, LIME, Grad-CAM) are approximations, not the model's reasoning; bias — training-data skew produces documented demographic disparities (NISTIR 8280); reproducibility — nondeterminism and silent vendor updates mean last month's result may not reproduce; access — trade-secret weights and data block inspection by both experts. The resolving posture: AI output is a lead; the human examiner is the accountable author of every finding — you validate, version, and document your tools, and never present a score you cannot explain as proof.

Q14. Robust-hash matching (PhotoDNA) identifies previously catalogued, known images by a distance threshold — it recognizes a specific known picture even after resizing or recompression, and matches nothing it has not seen before. A CNN content classifier predicts a category ("face," "currency," "weapon") for any image as a probability score. Confusing them is dangerous because it leads either to thinking a hash list can flag new or AI-generated material (it cannot) or to treating a classifier's category score as a positive identification (it is only a lead). Both outputs require human determination under authority.

Scoring: 13–14 — courtroom-ready; you treat every machine output as a lead and can defend the line between ranking and finding under cross. 10–12 — solid; revisit the hashing spectrum and the C2PA "pass / fail / absence" trio before you testify to provenance. 7–9 — re-read "Triage at scale," "Detecting visual deepfakes," and "Reliability, bias, and explainability," then redo Groups B, D, and F in the exercises. Below 7 — re-read the chapter index and rebuild the contested-video authentication table from the worked example before moving on.