Forums
Main Category
General (Technical,...
Incident with clear...
 
Notifications
Clear all

Incident with clear password PRINTED

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Andy 20 years ago
5 Posts
4 Users
0 Reactions
526 Views
RSS
 LonelyWolf
(@lonelywolf)
Eminent Member
Joined: 20 years ago
Posts: 31
Topic starter 29/04/2005 1:01 pm  

Hello,
strange things happens…

well, there is a network printer who receive and print a "justtofuck.ghost" file (i've searched for this file and obviously don't exist on the disk). It seems only garbage, but user and clear user and administrator password are printed.
In another "lostfuck.ghost" file printed, we can see what i recognize to be the content of the boot.ini file and many system error messages (in system file) like
couldn't initialize I/O
Couldn't allocate memory for TSS
Error GDT and IDT are not contiguos
..
HalGetBusData: KeFindConfigurationEntry Failed

and other wich seems sid/registry key…

well it seems that are printed some file/garbage that is in memory?
it's STRANGE, but is it possible that try to print pagefile?
otherwise, where on the system (live) can found clear password? (supposing that there is no keylogger or no saminside like)

how i can monitor printers request?

Thanks


   
Quote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
29/04/2005 1:11 pm  

What is the make and model of the printer?

How many Windows systems are connected to it and use it?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


   
ReplyQuote
 LonelyWolf
(@lonelywolf)
Eminent Member
Joined: 20 years ago
Posts: 31
Topic starter 29/04/2005 3:08 pm  

The printer is Oce 8445 and just 3 or 4 windows xp (patched and updated) use it.

But it seems that print "only" data and user/pass (admin included) of a certain user.

how u suggest me to proceed?
how can identify at least "locally" which process ask or perform to use (network) printer?
if i'll use filemon, i suppose to see that file in spool directory will be created by win system file, due to the spooler subsystem…or not?
how can i trace from which application START print activity?

if i can found that app..MAYBE i can try to understand why and how print THAT data…

Thanks


   
ReplyQuote
 tmr5385
(@tmr5385)
New Member
Joined: 20 years ago
Posts: 1
02/05/2005 4:59 am  

I don't know if this will help or not:

.SPL and .SHD files are found on the workstation as well as the server. The .SHD file contains a lot of information about the file to include the username of the account that printed the file, the file name and sometime full logical path, the program used to print the file, and the type of printer. The corresponding .SPL file will contain the file name and the embedded image(s) of the print job.

XP default path is Windows\system32\spool\printers

Here is a noted Windows XP EMF file header that can be searched for in the pagefile/unallocated:
\x01\x00\x00\x00\x5C\x01

Also, don't forget to review log files, you may see something there to help locate the printer. I hope this helps some.


   
ReplyQuote
 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
02/05/2005 9:58 am  

Is anyone using a PDA attached to the Windows XP machines to print to the network?

Andy


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: