±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 2 Overall: 36324
New Yesterday: 2 Visitors: 164

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Printer spool recovery and pdf files

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

gmarshall139
Senior Member
 

Printer spool recovery and pdf files

Post Posted: Apr 06, 05 14:52

I got involved in an interesting case some time ago. The suspect allegedly steals several big ticket items (about 250k worth). To cover himself he produces a bill of sale and states that he had no way of knowing the goods were stolen. The bill of sale is dated a couple of years after the theft and about a year before we served the search warrant. We think he printed it himself (and probably very recently), and what better evidence of that than finding it in the printer spool. We found business legal forms software in his house. On it is a bill of sale that is word for word for the one he gave us. The forms are .pdf format. I found a document in the spool that by looking at the formatting, page layout, etc., was identical to the bill of sale he provided us. However the characters were unrecognizable. Apparently random characters and symbols. It was almost certainly the same document, each word even had the same number of characters in it as the bill of sale. Due to other circumstances in this case it quickly became irrelevant. I've seen it since then and have been curious about it. Has anyone else experienced it, and if so, is there any way to convert it to readable text? I tried everything I could think of including printing the emf file directly in dos, but it only printed it as I saw it on the screen.

Thanks for your ideas,
_________________
Greg Marshall, EnCE 
 
  

blivet
Newbie
 

Re: Printer spool recovery and pdf files

Post Posted: Apr 07, 05 04:27

Greg,

It sounds like he may have printed it to an odd printer driver. May a default printer he had set up that was not attached to his computer anymore. That would explain why the spool file was there in the first place, because windows deletes those files right after printing them. If there is an error, it does not get deleted.

My guess would be to try to see what printer the file was directed too and maybe load the same drivers and see what happens.  
 
  

gmarshall139
Senior Member
 

Re: Printer spool recovery and pdf files

Post Posted: Apr 07, 05 14:05

I never thought about printer drivers. Of course I found other spool files I could see fine, just the .pdf was encoded. I've also seen this at least once since then.

It was a windows 98 machine which was a lot better about saving (or not deleting so well) printer spool files as compared to a 2000 or xp machine. The file was deleted, but not overwritten, so I was able to get it. Best I can recall the emf file was about 4 months old at the time, so it was probably a miracle that it was still there. But I had the .spl, the .shd, and the emf file.
_________________
Greg Marshall, EnCE 
 

Page 1 of 1