I have a forgery/harassment case where an individual is suspectd to have ptrinted two text documents. Unknown if he saved either file although I do have a date range in which the doc's were likely created/printed. All of the PC's being examined are running XP and don't appear to have been networked. So far I'm having no luck and am looking for some more ideas. In addition to searching the usualy places for saved documents, here is what I have done so far using FTK
-Live searches for specific words in each document, mainly misspelled words.
-Carved and searched through any .shd .emf .doc and .svd filed
-Looked in C/Program files/Office/1033 for any temp files
-Looked in C/Windows/system32/spool/printer, empty as usual
-Registry keys for RecentDocs and Usser Assist keys
I would like to carve for .spl files since not much time has passed since the files were created, but really don't know what the header/footer is for the elusive little files.
Anybody have any other ideas on what/where to look?
Anybody have any other ideas on what/where to look?
It seems obvious, so you've probably already searched for keywords from the document text in unallocated blocks etc. (is that what you mean by 'live search'?)
You should probably also check what printers have been physically connected to the systems, as well as logically (i.e. what printers appeared in the Control panel). If no logical printers (and no trace of deleted printers), a document could have been saved in an encrypted or obfuscated format (print to file, say, on a USB stick, and then printed on a different printer).
But if there are physical printers, and they leave tracking marks on the pages, those should be on the printed pages as well (see www dot eff dot org /pages/list-printers-which-do-or-do-not-display-tracking-dots.)
You can find some notes on the SPL file format at www dot undocprinting dot org.
-Carved and searched through any .shd .emf .doc and .svd filed
via GREP searches? EnCase has a EnScript. Might be worth taking a second pass with another program to verify findings.
.spl files are a myth.
No one ever finds them in a real case.
If it's understood how a .spl file is made then it's understandable why they aren't found.
Here is some documentation and links about .spl spooler files
http//
If the format is RAW (and PCL) a PCL viewer may come handy.
jaclaz