Only a little, but the hex values I found for a data carve did not seem to help. If you encounter a better source, I'd love to see it. :)
Thanks,
Adrian

On Thu, Aug 27, 2009 at 1:40 PM, subzer0girl <[email protected]> wrote:

> Adrian
>
> Have you searched on printer or copier forensics for file and format
> information?
>
> On Tue, Aug 25, 2009 at 6:03 PM, Adrian Crenshaw <[email protected]> wrote:
>
>> Ok,
>> I've noticed the c:\Windows\System32\spool\PRINTERS folder sometimes
>> has SPL files in it that contain EMF versions of what is being printed (I've
>> attached a sample). You can find a viewer here
>> http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx . These
>> normally get deleted as soon as the print job finishes printing. I've tried
>> using tools that look in the MFT, but they don't see any deleted files that
>> match (working on the data carve as we speak). Other than having an app that
>> sits there that constantly polls for new files in the spool folder, can you
>> think of a way to have an event fire off that will copy these jobs as they
>> are printed? Lots of sensitive stuff is printed, and this could be some
>> useful info for pentesters/forensics guys.
>>
>> Adrian
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
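An added example, not part of the original thread: a sketch of the data carve discussed above, for recovering the EMF pages of deleted spool jobs from a raw image. It assumes the standard EMF header layout (record type 1, the " EMF" signature at offset 40, total byte count at offset 48, record count at offset 52) and confirms each hit by walking the record chain to EMR_EOF; the function names and the sample data are constructed for illustration, and it targets the EMF payload only, not the SPL container framing.

```python
import struct

EMF_SIGNATURE = b" EMF"      # dSignature 0x464D4520 as stored little-endian
SIG_OFFSET = 40              # dSignature sits 40 bytes into the EMR_HEADER record
EMR_HEADER, EMR_EOF = 1, 14  # first and last record types of a metafile

def validate_emf(buf, start):
    """Return the metafile length if a well-formed EMF starts at `start`, else None."""
    if start < 0 or start + 60 > len(buf):
        return None
    rtype, hsize = struct.unpack_from("<II", buf, start)
    n_bytes, n_records = struct.unpack_from("<II", buf, start + 48)
    if rtype != EMR_HEADER or hsize < 88 or hsize % 4 or n_bytes < hsize:
        return None
    if start + n_bytes > len(buf):
        return None  # tail is missing (truncated image or partly overwritten job)
    # Walk the record chain: every record is (type, size, payload), 4-byte aligned.
    pos, count, last = 0, 0, None
    while pos + 8 <= n_bytes:
        last, size = struct.unpack_from("<II", buf, start + pos)
        if size < 8 or size % 4 or pos + size > n_bytes:
            return None
        pos, count = pos + size, count + 1
    if pos != n_bytes or count != n_records or last != EMR_EOF:
        return None
    return n_bytes

def carve_emf(buf):
    """Yield (offset, data) for every validated EMF embedded in `buf`."""
    hit = buf.find(EMF_SIGNATURE)
    while hit != -1:
        start = hit - SIG_OFFSET
        length = validate_emf(buf, start)
        if length:
            yield start, buf[start:start + length]
            hit = buf.find(EMF_SIGNATURE, start + length)
        else:
            hit = buf.find(EMF_SIGNATURE, hit + 1)

def sample_emf():
    """Constructed test input: 88-byte EMR_HEADER followed by a 20-byte EMR_EOF."""
    header = struct.pack("<II", EMR_HEADER, 88) + bytes(32) + EMF_SIGNATURE
    header += struct.pack("<IIIHH", 0x10000, 108, 2, 1, 0) + bytes(28)
    return header + struct.pack("<IIIII", EMR_EOF, 20, 0, 0, 20)

if __name__ == "__main__":
    image = bytes(100) + sample_emf() + bytes(50)  # constructed stand-in for a disk image
    for off, data in carve_emf(image):
        print(f"EMF at offset {off}, {len(data)} bytes")
```

The carve only recovers jobs whose clusters are still contiguous and not yet overwritten; a fragmented or partly reused spool file fails the record walk and is skipped rather than returned as a corrupt hit.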
