Adrian have you searched on printer or copier forensics for file and format information ?
On Tue, Aug 25, 2009 at 6:03 PM, Adrian Crenshaw <[email protected]>wrote: > Ok, > I've noticed the c:\Windows\System32\spool\PRINTERS folder sometimes > has SPL files in it that contain EMF versions of what is being printed (I've > attached a sample). You can find a viewer here > http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx . These normaly > get deleted as soon as the print job finishes printing. I've tried using > tools that look in the MFT, but they don't see any deleted files that match > (working on the data carve as we speak), Other than having a app that sits > there that constantly polls for new files in the spool folder, can you think > of a way to have an event fire off that will copy these jobs as they are > printed? Lot's of sensitive stuff is printed, and this could be some useful > info for pentesters/forensics guys. > > Adrian > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
