Hi all!
I am new to computer forensics. Can anyone assist me in finding a solution for this?
A suspect is using software to write a letter and print it without saving.
Abdulcadir
If the suspect is using Word then there is a chance that the system will create an autosave file. This is a temp file, often generated every 10 mins. When Word is closed, the file is deleted. You would therefore need to search for deleted files. Being fairly small files, they can be overwritten very quickly by later disk use.
If the suspect is using Notepad, or Wordpad I don't think this option will work.
I cannot comment on whether the print buffer gets written to the hard drive or if it all remains in memory. I hope someone else can supply the answer.
To identify artifacts for this I'd probably pick the longest/most unique word (or two) in the letter if you have any, and keyword search for that (in normal text and Unicode, or whatever charsets are relevant) across your drive(s), then review what results from that.
If the system in question is Windows, and you have a copy of an image acquired from the system, I would check the contents of the user's UserAssist key to see which applications they've run recently.
You can also try to carve out spool files from unallocated space and see if you can get an image of the document that was printed.
Thank you, I hope it's a good idea.
You may try to carve EMF pictures from those spool files if the printer was printing in EMF, not RAW, format.
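An added example, not part of any post in this thread: one way to carve EMF streams out of a spool file or a dump of unallocated space, by locating the " EMF" signature and validating the surrounding EMR_HEADER fields. The function names and the sample bytes are constructed for illustration; the field offsets follow the EMF header layout (ENHMETAHEADER).

```python
import struct

EMF_SIGNATURE = b" EMF"   # dSignature field (0x464D4520, little-endian)
SIG_OFFSET = 40           # dSignature sits 40 bytes into the EMR_HEADER record
MIN_HEADER = 88           # size of the original ENHMETAHEADER layout


def carve_emf(data, max_size=64 * 1024 * 1024):
    """Return (offset, bytes) for each plausible EMF stream found in data."""
    hits = []
    pos = data.find(EMF_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + MIN_HEADER <= len(data):
            i_type, n_size = struct.unpack_from("<II", data, start)
            n_bytes, n_records = struct.unpack_from("<II", data, start + 48)
            plausible = (
                i_type == 1                    # EMR_HEADER record type
                and MIN_HEADER <= n_size <= n_bytes <= max_size
                and n_size % 4 == 0 and n_bytes % 4 == 0
                and n_records >= 2             # header plus EMR_EOF at minimum
            )
            if plausible:
                # Unallocated space may hold only a fragment; keep what is present.
                hits.append((start, data[start:start + n_bytes]))
        pos = data.find(EMF_SIGNATURE, pos + 1)
    return hits


def build_sample_emf():
    """Constructed minimal EMF: an 88-byte header followed by an EMR_EOF record."""
    header = (struct.pack("<II", 1, MIN_HEADER) + bytes(32) + EMF_SIGNATURE
              + struct.pack("<III", 0x10000, 108, 2) + bytes(32))
    eof = struct.pack("<IIIII", 14, 20, 0, 16, 20)
    return header + eof


def build_sample_dump():
    """Constructed dump: padding, a text decoy containing ' EMF', then a real EMF."""
    decoy = b"\x00" * 100 + b"spooled as EMF text" + b"\xff" * 37
    return decoy + build_sample_emf() + b"\x00" * 64


if __name__ == "__main__":
    for offset, blob in carve_emf(build_sample_dump()):
        print(f"EMF candidate at offset {offset}, {len(blob)} bytes")
```

Each carved blob can be written out with an `.emf` extension and opened in an image viewer; a truncated result means the tail of the stream was already overwritten.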
Can anyone answer my earlier question? Are print files always, sometimes or never written to the drive?
If it was a short document, and the printer was free, would the operation be entirely memory based?
It has been a while, I admit, so I may have gotten this wrong, but I seem to recall using Ubuntu from cdrom at boot up leaves only small traces of activity on computer but no traces of letters and printing on hdd.
I think (said cautiously) there may be remnants left in RAM (?)
Any search engine may be your friend )
Here is a read you might find of interest
http://www.undocprint.org/winspool/spool_files
Cheers!
farmerdude