You may also consider attempting to carve the SPL file out of unallocated or the pagefile.sys. I don't recall what the file header or footer is, but it may be worth investigating. It's also been my experience that these SPL files don't hang around for long on the drive, but it's always worth a quick check.
-Joel
"The path to hell is paved with good intentions."

On Tue, Aug 25, 2009 at 7:03 PM, Adrian Crenshaw <[email protected]> wrote:
> Ok,
> I've noticed the c:\Windows\System32\spool\PRINTERS folder sometimes
> has SPL files in it that contain EMF versions of what is being printed (I've
> attached a sample). You can find a viewer here
> http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx . These normally
> get deleted as soon as the print job finishes printing. I've tried using
> tools that look in the MFT, but they don't see any deleted files that match
> (working on the data carve as we speak). Other than having an app that sits
> there that constantly polls for new files in the spool folder, can you think
> of a way to have an event fire off that will copy these jobs as they are
> printed? Lots of sensitive stuff is printed, and this could be some useful
> info for pentesters/forensics guys.
>
> Adrian
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
