The Xerox ‘forger’

Gorefan provided a link to an article showing how a Xerox WorkCentre can actually become a ‘forger’. The issue is the use of JBIG2 compression, which takes shapes that look similar and stores them as a single image, so that they come out as identical shapes. If JBIG2 is too aggressive, it may replace letters, or in this case numbers, with the wrong shape.

In other words, a Xerox WorkCentre can actually be a ‘forger’.
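
The substitution described above, as a toy model in Python (an added example, not code from the linked article or from Xerox; real JBIG2 encoders use their own matching criteria, and the glyph bitmaps, the Hamming-distance test and the `max_diff` threshold here are assumptions). With a loose threshold the scanned “6” is decoded with the stored “8” shape, and even a tight threshold makes the two “8”s bit-identical.

```python
# Toy model of JBIG2-style pattern matching and substitution, not a real codec.
# Glyph bitmaps, labels and thresholds below are constructed for illustration.
EIGHT = (".###.", "#...#", "#...#", ".###.", "#...#", "#...#", ".###.")
SIX = (".###.", "#....", "#....", ".###.", "#...#", "#...#", ".###.")
NOISY_EIGHT = (".##..",) + EIGHT[1:]   # the same "8" with one pixel of scan noise

# A scanned "page": (digit printed on the paper, bitmap the scanner captured).
PAGE = [("8", EIGHT), ("6", SIX), ("8", NOISY_EIGHT)]


def hamming(a, b):
    """Number of pixels that differ between two equally sized glyphs."""
    return sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))


def encode(glyphs, max_diff):
    """Store each shape once; reuse a stored shape when it is within max_diff pixels."""
    dictionary, refs = [], []
    for glyph in glyphs:
        for index, stored in enumerate(dictionary):
            if hamming(glyph, stored) <= max_diff:
                refs.append(index)            # stored shape stands in for this one
                break
        else:
            dictionary.append(glyph)          # no close match: new dictionary entry
            refs.append(len(dictionary) - 1)
    return dictionary, refs


def decode(dictionary, refs):
    """Rebuild the page by stamping the referenced dictionary shape at each position."""
    return [dictionary[i] for i in refs]


def misread(page, max_diff):
    """Positions where the decoded shape comes from a different digit than was printed."""
    labels = [label for label, _ in page]
    _, refs = encode([bitmap for _, bitmap in page], max_diff)
    source = {}                               # dictionary index -> digit that created it
    for label, ref in zip(labels, refs):
        source.setdefault(ref, label)
    return [(pos, labels[pos], source[ref])
            for pos, ref in enumerate(refs) if source[ref] != labels[pos]]


if __name__ == "__main__":
    for max_diff in (0, 1, 2):
        print(max_diff, encode([b for _, b in PAGE], max_diff)[1], misread(PAGE, max_diff))
```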

16 thoughts on “The Xerox ‘forger’”

  1. NBC

    “The Xerox ‘forger’

    “Posted on August 6, 2013 by NBC

    “Gorefan provided a link to an article showing how a Xerox WorkCentre can actually become a ‘forger’. The issue is the use of JBIG2 compression which takes shapes that look similar and stores them as a single image, leading to identical shapes. If JBIG2 is too aggressive, it may replace letters, or in this case numbers, with the wrong shape.

    “In other words, a Xerox WorkCentre can actually be a ‘forger’”

    Then it’s a good thing that there is absolutely zero evidence that JBIG2 ever touched the Green basket-weave background WH LFCOLB PDF image.

  2. Hermitian: Then it’s a good thing that there is absolutely zero evidence that JBIG2 ever touched the Green basket-weave background WH LFCOLB PDF image.

    That is not correct:

    1. JBIG2 is turned on by default on Xerox Work Centre scanners
    2. We have a high confidence that such a scanner was used
    3. The appearance of bit identical shapes confirms the hypothesis

    Investigative reasoning… To claim that there is ‘zero evidence’ avoids having to deal with the data…

  3. …other than all the evidence that JBIG2 compression was used on the monochrome text layers, producing letters that were identical to the pixel.

  4. …other than all the evidence that JBIG2 compression was used on the monochrome text layers, producing letters that were identical to the pixel.

    Exactly, all the evidence supports the Xerox workflow which includes JBIG2 as an intermediate step.

    Once you understand why the encoding was removed by Preview, it all becomes so straightforward.

    Of course, one could also propose a mythical forger who does exactly what the Xerox/Preview workflow is doing. At the same time the forger is incompetent and extremely competent and of course no attempts have been made to repeat the steps this ‘forger’ must have taken other than by mimicking, in some ‘handwaving’ fashion, a Xerox WorkCentre.

    Hermitian has been extremely effective in making the case for a Xerox work centre/Preview workflow being the ‘creator’ of the WH LFBC PDF’s artifacts.

  5. As I understand it, if you use the Normal setting the WorkCentre uses the JBIG2 compression but if you use the High or Higher setting it uses a different compression algorithm. Xerox says that the factory default is High. But it has a note that says the Normal setting produces smaller files and smaller files are “better for file sharing and transmitting over the network”.

    http://www.dkriesel.com/en/blog/2013/0806_work_around_for_character_substitutions_in_xerox_machines

    Time for more tests?

  6. NBC says:

    August 6, 2013 at 17:27

    “”Hermitian: Then it’s a good thing that there is absolutely zero evidence that JBIG2 ever touched the Green basket-weave background WH LFCOLB PDF image.””

    “That is not correct: ”

    HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    Tis so !
    Please post from the lines of code (from the following file) that JBIG2 compression was ever applied to this PDF image:

    http://web.archive.org/web/20110427171111/http://www.whitehouse.gov/sites/default/files/rss_viewer/birth-certificate-long-form.pdf

    I carefully explained to you that you don’t have the right stuff unless the Preview print to PDF file matches exactly the above archived copy of the Obama LFCOLB at the PDF code level.

    That includes the three levels in the WH LFCOLB layer tree rather than your two.

    It also requires complete compliance with PDFReferenceXX.pdf.

    HHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    1. JBIG2 is turned on by default on Xerox Work Centre scanners
    2. We have a high confidence that such a scanner was used
    3. The appearance of bit identical shapes confirms the hypothesis
    HHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    Too bad it’s the default because all of the 1 Bit layers were compressed using FlateDecode. And I seem to remember that weeks ago you posted that some of your freetoy PDF tools that you have been using to create all of your Xerox Forger files don’t support either JBIG2 or FlateDecode.

    You could save us all a lot of time if you would post a complete list of the tools that you have been using and indicate which ones have this recognized deficiency. And we all remember that the guy who wrote the code for your tools described them as “quick and dirty”.


    Investigative reasoning… To claim that there is ‘zero evidence’ avoids having to deal with the data…

    Facts are as hard as diamonds my man. So until you can roll up the line of code (including line number) that proves that JBIG2 was used on the above archive copy of the WH LFCOLB PDF then it’s all just theoretical.

  7. NBC

    And while you are at it also list all of the image file formats that your freetoy extractor tool supports.

    I carefully explained to you that you don’t have the right stuff unless the Preview print to PDF file matches exactly the above archived copy of the Obama LFCOLB at the PDF code level.

    I created:

    1. The embedded JPEG comment
    2. The matching quantization matrices
    3. The single bitmap layers
    4. The 150/300 resolution
    5. The white background with ghosting
    6. The alignment of the layers
    7. The masking layer
    8. The right rotation of the images

    And the fact that several of the bitmaps show evidence of JBIG2 is fully consistent with the workflow.

    You have nothing… You appear to have quite a limited understanding when it comes to testing hypotheses… While I cannot prove that JBIG2 was used, I can show that using Xerox creates JBIG2 which, after being saved by Preview, looks like FlateDecode but with several characters matching.

    A fully consistent explanation with no need for ad hoc reasoning…

  9. And while you are at it also list all of the image file formats that your freetoy extractor tool supports.

    Which one of the tools? There are various ways to the same result. A good researcher tries them all.

    For instance qpdf, pdfimages, pdf-parser.py and Hex Fiend are all tools I use to verify my findings.

    pdfimages will extract bitmap and JPEG, qpdf will extract objects, same for pdf-parser, Hex Fiend allows you to extract DCTDecoded segments. Oh and I forgot, exiftool to extract thumbnails and metadata and deflate.py to ‘deflate’ FlateDecoded objects.

    Free does not mean that it is of poor quality. Look, people pay good money for Illustrator but miss all the data present in the raw PDF…
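
One way to check the point this part of the thread argues over, namely which filter each image stream in a PDF is stored under, as an added Python example (not code from the post or from any of the tools named above; `image_streams`, `_obj` and the sample PDF bytes are constructed for illustration). It reports the file as it is stored and assumes direct `/Length` values, no object streams and no encryption.

```python
import hashlib
import re
import zlib

# "N G obj << ... >> stream": the dictionary may not run past an "endobj".
HEADER = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)


def image_streams(pdf):
    """List image XObjects and the filter each one is stored under in this file."""
    # Simplified reader: direct /Length values, no object streams, no encryption.
    found = []
    for m in HEADER.finditer(pdf):
        entries = m.group(2)
        if not re.search(rb"/Subtype\s*/Image\b", entries):
            continue
        length = int(re.search(rb"/Length\s+(\d+)", entries).group(1))
        raw = pdf[m.end():m.end() + length]
        filters = [f.decode() for f in re.findall(rb"/([A-Za-z0-9]+Decode)\b", entries)]
        bits = re.search(rb"/BitsPerComponent\s+(\d+)", entries)
        # Only Flate is undone here; other filters are reported, not decoded.
        pixels = zlib.decompress(raw) if filters == ["FlateDecode"] else None
        found.append({
            "obj": int(m.group(1)),
            "filters": filters,
            "bits": int(bits.group(1)) if bits else None,
            "sha256": hashlib.sha256(pixels).hexdigest() if pixels is not None else None,
        })
    return found


def _obj(num, entries, payload=None):
    """Build one constructed PDF object for the sample below."""
    if payload is None:
        return b"%d 0 obj\n<< %s >>\nendobj\n" % (num, entries)
    head = b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (num, entries, len(payload))
    return head + payload + b"\nendstream\nendobj\n"


BITMAP = bytes([0b01110000, 0b10001000, 0b01110000])  # constructed 5x3, 1 bit per pixel
IMG = b"/Type /XObject /Subtype /Image /Width 5 /Height 3 "
SAMPLE_PDF = b"%PDF-1.3\n" + b"".join([
    _obj(1, b"/Type /Catalog"),
    _obj(2, IMG + b"/ImageMask true /BitsPerComponent 1 /Filter /FlateDecode", zlib.compress(BITMAP)),
    _obj(3, IMG + b"/ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /DCTDecode", b"<jpeg bytes>"),
    _obj(4, IMG + b"/ColorSpace /DeviceGray /BitsPerComponent 1 /Filter /JBIG2Decode", b"<jbig2 bytes>"),
])

if __name__ == "__main__":
    print(*image_streams(SAMPLE_PDF), sep="\n")
```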

  10. NBC

    “”And while you are at it also list all of the image file formats that your freetoy extractor tool supports.””

    “Which one of the tools? There are various ways to the same result. A good researcher tries them all.”

    HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    Yep! I reminded you of that one. It’s especially true in the case of Engineers. That’s why all the buildings and bridges don’t fall down. But if your JBIG2 compression randomly changes numbers then maybe they will.
    HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

    For instance qpdf, pdfimages, pdf-parser.py and Hex Fiend are all tools I use to verify my findings.

    pdfimages will extract bitmap and JPEG, qpdf will extract objects, same for pdf-parser, Hex Fiend allows you to extract DCTDecoded segments. Oh and I forgot, exiftool to extract thumbnails and metadata and deflate.py to ‘deflate’ FlateDecoded objects.

    Free does not mean that it is of poor quality. Look, people pay good money for Illustrator but miss all the data present in the raw PDF…

    HHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
    So which of these tools do not support JBIG2 and FlateDecode?

    It’s really a very simple question.

  11. I carefully explained to you that you don’t have the right stuff unless the Preview print to PDF file matches exactly the above archived copy of the Obama LFCOLB at the PDF code level.

    Such a thing is impossible. I just put a one-page document on my HP scanner (on the glass, not the feeder) and scanned it twice. The two files are not identical, even though I changed nothing but the time I pushed the Scan button.

    Then again, Hermie believes you can print a 150dpi image at 600dpi and somehow regain the lost resolution.

  12. Almost as hilarious as the so-called FBI trying their best to ignore it. How did I do on the “fake” FBI answering machine? Do you think I could get a felony arrest and conviction for impersonating an FBI agency and then posting it on YouTube? How dumb would THAT be? I forged the paper version in 1985 and they have my affidavit. Unless, of course, they just tossed it into the garbage like they do everything else. “Owens family from Clewiston, Florida? Never heard of them.”

Comments are closed.