That would make more sense than hacking individual machines. Does anybody with programming knowledge know how a person would detect such a scheme if it happened?
One exploratory level would be to examine whether the earlier code (on a different, not-updated Xerox 7655) does the same layering and resolution changes. If that machine doesn't do the layering claimed or even demonstrated on either the White House machine, or a machine that has updated driver software, you've exposed the lie. If someone were to examine the "nuts and bolts" of the actual code (object, or better yet, source), one might find the unique conditions where such an anomaly occurs, e.g., 'FaxID=White House' and 'greensecuritypaper=true'.
A likely, potentially troublesome aspect would be that a Xerox or Adobe coder may have backdated an update module, such that loading a driver that was supposedly current at the time of the forgery from a Xerox or Adobe website for the Xerox 7655 might exhibit the same anomaly as the most current version. Finding a Xerox 7655 that hasn't been updated more recently than the forgery date and observing its behavior will be very helpful toward exposing the truth.
HF