JPEG Comment

Status Strong

The WH LFBC PDF contains an easily detectable JPEG comment in one of its Objects. The comment, found after Hex Marker 0xFF 0xFE states ‘YCbCr’ and in case of the White House tax form, which is in gray scale, ‘lineargray’. This is a ‘useless’ comment added by the software for one reason or another. The same comment has been found in other Xerox WorkCentre created documents on both a 7535 and a 7655 WorkCentre.

Objection Raised

I cannot find the comment in the raw Xerox file.


The Xerox only workflow adds a /FlateDecode step after it created the JPEG /DCTDecode stream, which is like zipping up a file and then trying to find content in the zip file without unzipping it. There are several simple ways to extract the stream, run it through a deflate step which creates the jpeg and opening the JPEG up in a Hex Editor for further scrutiny

Objection Raised

The comment was forged


So far this seems to be based on a confusion with tool sets and offsets. Since I have provided the raw and preview saved documents, anyone can repeat my steps and observe. Since others have indeed been able to repeat my process, I have to reject this as user error.

Objection Raised

The screenshot does not match with the text


Hermitian did not understand that there are different text encodings used and that when properly matching the Hex values shown, the strings did match.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s