
Can anyone assist me?

(@abdulcadir)
Trusted Member
Joined: 17 years ago
Posts: 68
Topic starter  

Hi All!

I am new to computer forensics. Can anyone assist me with how I can find a solution for this?

A suspect is using software to write a letter and print it without saving?

Abdulcadir


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

If the suspect is using Word then there is a chance that the system will create an autosave file. This is a temp file, often generated every 10 mins. When Word is closed, the file is deleted. You would therefore need to search for deleted files. Being fairly small files, they can be overwritten very quickly by later disk use.

If the suspect is using Notepad or WordPad, I don't think this option will work.

I cannot comment on whether the print buffer gets written to the hard drive or if it all remains in memory. I hope someone else can supply the answer.


   
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

To identify artifacts for this I'd probably pick the longest/most unique word (or two) in the letter if you have any, and keyword search for that (in normal text and Unicode, or whatever relevant charsets) across your drive(s), then review what results from that.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

If the system in question is Windows, and you have a copy of an image acquired from the system, I would check the contents of the user's UserAssist key to see which applications they've run recently.


   
(@gtorgersen)
Trusted Member
Joined: 17 years ago
Posts: 70
 

You can also try to carve out spool files from unallocated space and see if you can get an image of the document that was printed.


   
(@abdulcadir)
Trusted Member
Joined: 17 years ago
Posts: 68
Topic starter  

You can also try to carve out spool files from unallocated space and see if you can get an image of the document that was printed.

Thank you, I hope it's a good idea.


   
(@brede)
Trusted Member
Joined: 20 years ago
Posts: 64
 

You may try to carve EMF pictures from those spool files if the printer was printing in EMF, not RAW, format.
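The EMF carving suggested in this reply, as an added example that is not part of any post in the thread: it looks for the ` EMF` signature found 40 bytes into every EMF header, reads the total size from the header, and keeps a hit only if the data ends in a consistent EOF record. The function names and the sample data are constructed for illustration; it assumes the spool file or unallocated-space extract is already loaded as bytes.

```python
import struct

EMF_SIGNATURE = b" EMF"        # ENHMETAHEADER.dSignature (0x464D4520, little-endian)
SIG_OFFSET = 40                # the signature sits 40 bytes into the header record
EMR_HEADER, EMR_EOF = 1, 14    # record types of the first and last EMF records


def _validate(data, start, max_size):
    """Return the EMF at start if its header and EOF record are consistent."""
    if start < 0 or start + 56 > len(data):
        return None
    rec_type, hdr_size = struct.unpack_from("<II", data, start)
    total, n_records = struct.unpack_from("<II", data, start + 48)  # nBytes, nRecords
    if rec_type != EMR_HEADER or hdr_size < 88 or hdr_size % 4 or n_records < 2:
        return None
    # Reject implausible sizes and files that are truncated or partly overwritten.
    if not hdr_size + 20 <= total <= min(max_size, len(data) - start):
        return None
    end = start + total
    # The EOF record ends with nSizeLast, a copy of its own record size.
    (eof_size,) = struct.unpack_from("<I", data, end - 4)
    if eof_size < 20 or eof_size > total - hdr_size:
        return None
    eof_type, eof_size2 = struct.unpack_from("<II", data, end - eof_size)
    if eof_type != EMR_EOF or eof_size2 != eof_size:
        return None
    return data[start:end]


def carve_emf(data, max_size=64 * 1024 * 1024):
    """Return [(offset, emf_bytes)] for every structurally valid EMF in data."""
    found = []
    pos = data.find(EMF_SIGNATURE)
    while pos != -1:
        emf = _validate(data, pos - SIG_OFFSET, max_size)
        if emf:
            found.append((pos - SIG_OFFSET, emf))
        pos = data.find(EMF_SIGNATURE, pos + 1)
    return found


def build_sample():
    """Constructed test data: junk, a decoy signature, one minimal EMF, junk."""
    header = struct.pack("<II", EMR_HEADER, 88) + bytes(32) + EMF_SIGNATURE
    header += struct.pack("<IIIHH", 0x10000, 108, 2, 1, 0) + bytes(28)
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)
    return b"\xAA" * 100 + b"decoy EMF text" + bytes(50) + header + eof + b"\xBB" * 30
```

Each carved blob can be written out with an `.emf` extension and opened in an image viewer; a hit rejected for truncation may still hold readable records and is worth examining by hand.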


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Can anyone answer my earlier question? Are print files always, sometimes or never written to the drive?

If it was a short document, and the printer was free, would the operation be entirely memory based?


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

It has been a while, I admit, so I may have gotten this wrong, but I seem to recall using Ubuntu from CD-ROM at boot-up leaves only small traces of activity on the computer but no traces of letters and printing on the HDD.
I think (said cautiously) there may be remnants left in RAM (?)


   
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

Any search engine may be your friend :)

Here is a read you might find of interest:

http://www.undocprint.org/winspool/spool_files

Cheers!

farmerdude

www.forensicbootcd.com

www.onlineforensictraining.com


   