Gambling investigation

7 Posts
5 Users
0 Reactions
453 Views
(@lahamt)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Hi all,
Thank you all for the Skype support. It all worked out and the tools were very helpful.

I now have a Gambling investigation where the suspects used a laptop to put bets in from overseas and print up slips for their customers.

Is there anywhere in particular I should be concentrating on in recovering the printer spool and any particular sites or servers they were linked to place the bets?

Thank you


   
Quote
(@paulo111)
Eminent Member
Joined: 17 years ago
Posts: 36
 

Is there anywhere in particular I should be concentrating on in recovering the printer spool and any particular sites or servers they were linked to place the bets?

Lahamt,

I may have misread your request, however, dependent on OS and version (you’ve not mentioned what’s in use), in Windows XP (which is predominantly what we get in), they “apparently” live in \system32\spool\printers. You might also find an SHD file that tells you which printer was used, which may come in handy for you.

I say “apparently”, as I have never had much luck in tracking down printer spools on NTFS file systems, but others may have some pointers for you.

As for the latter part of your query, are you asking for gambling Websites they accessed? Tracking the suspects' Web access? Again, you have not mentioned what OS and Web browser are in use here. Assuming they used IE on Windows, and making some assumptions on the current version of both the aforementioned, these areas may be of interest to you:

• C:\Documents and Settings\<username>\Cookies\index.dat
• C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat
• C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\index.dat
• C:\Documents and Settings\<username>\UserData\index.dat

I can suggest a tool called Pasco to help with this analysis, others may use something different.


   
ReplyQuote
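An added example, not part of the original thread: a read-only triage inventory of the Windows XP locations listed in the post above, run against an image already mounted read-only. The function names, the mount path argument and the `.SPL` extension (the spool data file that accompanies an SHD file) are assumptions of this example; it covers only the XP paths named in the post.

```python
import hashlib
import os
import re
import sys
from datetime import datetime, timezone

# Patterns mirror the locations named in the post (Windows XP layout).
# Case-insensitive, because a mounted NTFS image keeps the original mixed case.
DS = r"documents and settings/[^/]+/"
ARTIFACT_PATTERNS = {
    "print_spool": re.compile(r"system32/spool/printers/[^/]+\.(shd|spl)$", re.I),
    "ie_cookies": re.compile(DS + r"cookies/index\.dat$", re.I),
    "ie_history": re.compile(DS + r"local settings/history/history\.ie5/index\.dat$", re.I),
    "ie_cache": re.compile(
        DS + r"local settings/temporary internet files/content\.ie5/index\.dat$", re.I),
    "ie_userdata": re.compile(DS + r"userdata/index\.dat$", re.I),
}

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large spool files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(mount_root):
    """Return one record per matching artifact under mount_root (never writes)."""
    hits = []
    for dirpath, _dirs, files in os.walk(mount_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mount_root).replace(os.sep, "/")
            for category, pattern in ARTIFACT_PATTERNS.items():
                if pattern.search(rel):
                    st = os.stat(full)
                    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                    hits.append({"category": category, "path": rel,
                                 "size": st.st_size,
                                 "mtime_utc": mtime.isoformat(),
                                 "sha256": sha256_file(full)})
                    break
    return sorted(hits, key=lambda h: (h["category"], h["path"]))

if __name__ == "__main__":
    # Usage: python inventory.py /mnt/evidence   (hypothetical mount point)
    for hit in inventory(sys.argv[1]):
        print("{category}\t{size}\t{mtime_utc}\t{sha256}\t{path}".format(**hit))
```

The tab-separated output can go straight into case notes; the hashes let the listed files be matched later against copies exported for parsing.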
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

There is a thread about print spoolers, right here:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5565

jaclaz


   
ReplyQuote
(@lahamt)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Thank you. I checked printer spools, also the OS is Vista. I believe the person on the computer was using a program (ICA Client) from Citrix. I can't find any logs or other items that point to the gambling. First time I've ever seen this. I also tried starting a virtual machine, but was unsuccessful. It's a mystery to me.


   
ReplyQuote
CFEx
(@cfex)
Trusted Member
Joined: 16 years ago
Posts: 69
 

Depending on the printer used, if it was a printer/copy machine, that could actually be the source of printed documents.

http://www.wimp.com/copymachines


   
ReplyQuote
CFEx
(@cfex)
Trusted Member
Joined: 16 years ago
Posts: 69
 

Lahamt, the question is whether you have access to the printer(s) where the subject allegedly printed those documents.


   
ReplyQuote
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

Newer OSes (XP onward) are much more efficient in handling the print spool than they used to be. The odds of you finding spool files are very slim.


   
ReplyQuote