Multifunction device

ThePM
(@thepm)
Posts: 253
Reputable Member
Topic starter
 

I'm trying to perform an analysis of a multifunction device (printer + scanner + copier). I want to recover pictures of copied/scanned/faxed documents.

The device is a Canon imageRunner C3100. The drive was a 40 GB drive, which I imaged and added to my case in FTK 3.

On the drive, there are 9 partitions detected

Partition 1 Unrecognized File System [FAT32] - Content unknown
Partition 10 NONAME [FAT16] - Contains 3 folders (ADRSBOOK, FILTER, LDAPTEMP)
Partition 11 NONAME [FAT16] - Seems to contain some stuff related to the Web interface of the copier.
Partition 12 NONAME [FAT16] - Completely empty
Partition 5 Unrecognized File System [FAT32] - Unknown content with the following header "MM-*"
Partition 6 NONAME [FAT16] - Contains a bunch of folders named P** (where * is a char between 0-9 and A-F). These folders contain some files, but nothing of interest…
Partition 7 NONAME [FAT16] - this looks like the system partition with folders like ETC, NVMEM, VAR.
Partition 8 NONAME [FAT16] - This contains 2 folders SPOOL and SPOOLER. The SPOOL folder is empty, but the SPOOLER folder contains several TMP files that are marked as erased but they don't seem to be graphic files when looking at the file headers.
Partition 9 Unrecognized File System [FAT] - Unknown content - Partition header is "NadaFs_FntFstVctlTbl".

In a paper about forensic analysis of digital copiers (www.willassen.no/pub/copier-en.pdf), it is mentioned that the actual images of scanned documents should be on the last partition. But even after datacarving and metacarving the whole drive, I can't get access to the pictures I need.

Has anyone been able to perform a forensic analysis of a multifunction device and could help me with this?

Thanks!

 
Posted : 28/05/2010 1:36 am
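The partition numbering in the post above (1, then 5 through 12) is the convention FTK and Linux share: the four MBR slots count as 1-4, and the logical partitions reached by walking the extended partition's EBR chain count from 5 upward. That would mean slots 2-4 were either empty or held the extended container itself, but that is an inference from the numbering, not something the post states. Added example, not code from the thread or from Canon: a Python script that walks the MBR and the EBR chain of a raw image and classifies each boot sector by its BPB cluster count (the rule a FAT driver actually applies) instead of trusting the "FAT16"/"FAT32" text in the boot sector. The sample image is constructed in the code; the 40 GB imageRunner drive and its real layout are not represented.

```python
# Added example: enumerate MBR + EBR-chain partitions in a raw disk image and
# classify each FAT boot sector from its BPB cluster count.
import mmap
import struct
import sys

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}      # DOS / LBA / Linux extended containers


def _table(sector):
    """Yield (slot, type, lba_start, sectors) for the used slots of an MBR/EBR table."""
    for slot in range(1, 5):
        off = 0x1BE + 16 * (slot - 1)
        ptype = sector[off + 4]
        start, size = struct.unpack_from("<II", sector, off + 8)
        if ptype and size:
            yield slot, ptype, start, size


def fat_type(boot):
    """Return 'FAT12', 'FAT16', 'FAT32' or 'unknown' from the cluster count in the BPB."""
    if len(boot) < SECTOR or boot[510:512] != b"\x55\xAA":
        return "unknown"
    bps, spc, resv, nfats, root_ents, tot16, _media, spf16 = struct.unpack_from("<HBHBHHBH", boot, 11)
    tot32, spf32 = struct.unpack_from("<I", boot, 32)[0], struct.unpack_from("<I", boot, 36)[0]
    if not (bps and spc and nfats):
        return "unknown"
    total, spf = tot16 or tot32, spf16 or spf32
    root_secs = (root_ents * 32 + bps - 1) // bps
    clusters = (total - (resv + nfats * spf + root_secs)) // spc
    return "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"


def _describe(img, number, ptype, start, size):
    boot = bytes(img[start * SECTOR:(start + 1) * SECTOR])
    fs = fat_type(boot)                    # tried regardless of the type byte, which is only a hint
    off = 0x47 if fs == "FAT32" else 0x2B  # volume label lives in the extended BPB
    label = boot[off:off + 11].decode("ascii", "replace").strip() if fs != "unknown" else ""
    return {"number": number, "type": ptype, "start": start, "sectors": size, "fs": fs, "label": label}


def enumerate_partitions(img):
    """Number partitions like FTK/Linux: 1-4 for MBR slots, 5 upward for logicals in the EBR chain."""
    mbr = bytes(img[:SECTOR])
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature")
    parts, ext_base, next_no = [], None, 5
    for slot, ptype, start, size in _table(mbr):
        if ptype in EXTENDED_TYPES:
            ext_base = start
        else:
            parts.append(_describe(img, slot, ptype, start, size))
    ebr, seen = ext_base, set()
    while ebr is not None and ebr not in seen:       # 'seen' guards against a looping chain
        seen.add(ebr)
        sec = bytes(img[ebr * SECTOR:(ebr + 1) * SECTOR])
        if len(sec) < SECTOR or sec[510:512] != b"\x55\xAA":
            break
        link = None
        for _slot, ptype, start, size in _table(sec):
            if ptype in EXTENDED_TYPES:
                link = ext_base + start              # link entry: relative to the extended container
            else:
                parts.append(_describe(img, next_no, ptype, ebr + start, size))  # data entry: relative to this EBR
                next_no += 1
        ebr = link
    return parts


def _boot(fs, label, spc, resv, root_ents, total, spf):
    """Constructed FAT boot sector with just enough BPB to classify and label it."""
    b = bytearray(SECTOR)
    b[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHBH", b, 11, 512, spc, resv, 2, root_ents,
                     total if total < 0x10000 else 0, 0xF8, 0 if fs == "FAT32" else spf)
    if fs == "FAT32":
        struct.pack_into("<II", b, 32, total, spf)
    off = 0x47 if fs == "FAT32" else 0x2B
    b[off:off + 11] = label.ljust(11).encode("ascii")
    b[510:512] = b"\x55\xAA"
    return bytes(b)


def _entry(ptype, start, size):
    return b"\x00" * 4 + bytes([ptype]) + b"\x00" * 3 + struct.pack("<II", start, size)


def build_sample_image():
    """Constructed image (not a Canon dump): a FAT16 primary, then an extended container
    holding a FAT32 and a FAT12 logical, so the three number 1, 5 and 6."""
    img = bytearray(2700 * SECTOR)
    img[0x1BE:0x1BE + 16] = _entry(0x06, 64, 1000)
    img[0x1CE:0x1CE + 16] = _entry(0x05, 1100, 1600)
    img[510:512] = b"\x55\xAA"
    img[64 * SECTOR:65 * SECTOR] = _boot("FAT16", "NONAME", 4, 1, 512, 40000, 40)
    e1 = 1100 * SECTOR
    img[e1 + 0x1BE:e1 + 0x1CE] = _entry(0x0B, 1, 1400)     # logical volume at LBA 1101
    img[e1 + 0x1CE:e1 + 0x1DE] = _entry(0x05, 1500, 100)   # next EBR at LBA 1100 + 1500
    img[e1 + 510:e1 + 512] = b"\x55\xAA"
    img[1101 * SECTOR:1102 * SECTOR] = _boot("FAT32", "SPOOL", 8, 32, 0, 1000000, 980)
    e2 = 2600 * SECTOR
    img[e2 + 0x1BE:e2 + 0x1CE] = _entry(0x01, 1, 99)       # logical volume at LBA 2601
    img[e2 + 510:e2 + 512] = b"\x55\xAA"
    img[2601 * SECTOR:2602 * SECTOR] = _boot("FAT12", "NVMEM", 1, 1, 224, 4000, 3)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:          # a real image: map it rather than reading 40 GB into memory
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as img:
            parts = enumerate_partitions(img)
    else:
        parts = enumerate_partitions(build_sample_image())
    for p in parts:
        print("Partition %(number)d  type 0x%(type)02X  LBA %(start)d  %(sectors)d sectors  %(fs)s  label=%(label)r" % p)
```

Run it with the path to the dd image as the only argument; with no argument it prints the constructed sample. Reading the cluster count rather than the label is what separates the "Unrecognized File System [FAT32]" entries from a true FAT32 volume: a partition whose boot sector yields a FAT32 cluster count but whose filesystem still refuses to mount is worth looking at sector by sector, because the directory region may simply not be on the disk.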
darren_q
(@darren_q)
Posts: 48
Eminent Member
 

Canon have an ImageRunner Security Kit which can encrypt or erase data on the imagerunner copiers. Perhaps this is in use?

http://www.usa.canon.com/gmd/security.html

 
Posted : 28/05/2010 8:11 am
TonyC
(@tonyc)
Posts: 27
Eminent Member
 

Hitman,

If the Security Kit was installed on this device you are probably out of luck. The data is encrypted and there are features in the kit that wipe data after files are deleted.

I just looked at a Canon MFP (no security kit) that was being returned to the vendor. Off the top of my head I don't remember the model, sorry. My examination was not for a case but was prompted by the now infamous ABC story about personal data being found in spooled documents left behind.

I found spool files (not marked deleted) in at least a couple of folders. On the printer I looked at, the files had an extension of .spl. The file name was something like xx10343-0.spl xx10343-1.spl and xx10343-2.spl. There were sets of 3 files with the last digit before the extension always 1, 2 and 3. I used AccessData Imager hex viewer to determine that all of the files were PCL and/or PJL. In other words documents ready to be printed.

The only way to see the documents that I know of is to print them. To do that you need to bypass the printer driver and send the already rendered print job to the printer. You must bypass the driver or you will have an ugly printout of the PCL/PJL code (since it is binary you may get thousands of pages with a few characters per page)…but I digress.

In the old days you could copy a file directly to the printer port on the PC, like this:

copy xx10343-1.spl lpt1 (if the printer is on parallel port 1)

I had access to a printer on an old Lexmark printer server. That print server (and some others) had ftp server capability built in. All I had to do was ftp the print jobs to the printer, deal with tray numbering differences, paper size etc. and voila I had documents that had been printed before the printer was powered off.

Yes, before I put the drive back in the printer I wiped it!!

Hope this helped.

TonyC

 
Posted : 29/05/2010 5:31 am
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

The only way to see the documents that I know of is to print them.

Just for the record
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5043
there exist PCL viewers, examples
http://jimg3216.users.sourceforge.net/
most are Commercial.

jaclaz

 
Posted : 29/05/2010 2:08 pm
TonyC
(@tonyc)
Posts: 27
Eminent Member
 

jaclaz,

Thanks. I wondered if such a product existed, I just had not taken the time to look.

TonyC

 
Posted : 30/05/2010 8:23 am
ThePM
(@thepm)
Posts: 253
Reputable Member
Topic starter
 

Thanks for the valuable information everyone.

@TonyC do you know if there is a way by looking into the filesystem to check if the printer is using the security kit? In FTK, I performed all the data carving that was available to me but it hasn't found any SPL files.

BTW, the ABC story about printers' hard drives has also stirred up a lot of things here in Canada (at least in our offices)…

 
Posted : 31/05/2010 6:40 pm
TonyC
(@tonyc)
Posts: 27
Eminent Member
 

Hitman,

I don't know if there is a way to detect the Security Kit.

I wish I had 2 machines, one with the Security Kit and one without, to test with but I believe all of our Canon systems did not have it and are being replaced.

Sorry I can't be more helpful.

TonyC

 
Posted : 01/06/2010 9:47 am
douglasbrush
(@douglasbrush)
Posts: 812
Prominent Member
 

BTW, the ABC story about printers hard drives has also stirred up a lot of things here in Canada (at least in our offices)…

Yeah, we saw it here (US) as well. Tip of the iceberg I think. More imaging devices are coming out that have non-volatile memory and proprietary software, OSes and file systems.

 
Posted : 01/06/2010 7:44 pm
ThePM
(@thepm)
Posts: 253
Reputable Member
Topic starter
 

OK, after spending lots of time searching for information about retrieving data off a Canon imageRunner HDD, I found some interesting stuff on the Center for Information Assurance & Cybersecurity website.

According to them and Canon, there are security measures that come "standard" with any imageRunner copier:

First, when copying/scanning/faxing a document, an image representing the document is indeed stored on the HDD. The problem for us is that it is stored in a Canon proprietary image format…

Second, the directory information of the partition where those images are stored is located on a system board in the copier. So, if you remove the drive from the copier, you won't see the directory structure. (I don't think this is a very serious issue for us, because we can always try data carving to try and retrieve those "lost" files.)

Third, all temporary and permanent data written to the hard drive is written in random, non-contiguous locations on the hard disk drive. This, IMO, complicates things A LOT for us. This means that even if we were able to discover the proprietary image file format with some reverse-engineering, we still won't know where the fragments of the files are located.

On top of that, as other members mentioned in the thread, you can also buy a security kit that can encrypt and wipe all data on the drive.

Well, I guess I should forget about retrieving anything from the Canon copier I was working on… (and possibly any imageRunner copier…)

Here are the links to the documents on the CIAC website:

http://www.iawire.org/resources/MFD_Security_Awareness.pdf
http://www.iawire.org/resources/copier_ir_bulletin_4_security_hdd.pdf

 
Posted : 01/06/2010 8:40 pm
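Carving a partition whose directory lives elsewhere only gets somewhere if the carver knows the target format well enough to say how long each hit should be; that is what turns "random, non-contiguous" writes into a list of fragments to reassemble rather than a dead end. Added example, not code from the thread, from Canon or from CIAC: a Python carver for TIFF, chosen because the "MM-*" header reported for partition 5 in the first post resembles the big-endian TIFF magic bytes 4D 4D 00 2A (an assumption; the proprietary Canon image format is not known here and may be something else entirely). It walks the first IFD to compute the expected length of each image and flags hits whose strip data runs past the bytes actually present. The sample blob is constructed in the code.

```python
# Added example: carve TIFF images from raw partition data by header, walking
# the first IFD to learn each image's expected length so fragments can be flagged.
import struct
import sys

MAGIC = {b"MM\x00\x2a": ">", b"II\x2a\x00": "<"}      # big-endian / little-endian TIFF headers
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def tiff_extent(buf, base):
    """Parse the TIFF at buf[base:]; return geometry, expected length and whether it is all there."""
    endian = MAGIC[buf[base:base + 4]]
    ifd = base + struct.unpack_from(endian + "I", buf, base + 4)[0]
    if ifd + 2 > len(buf):
        return None
    n = struct.unpack_from(endian + "H", buf, ifd)[0]
    if not 1 <= n <= 64:                                   # implausible entry count: not a real IFD
        return None
    end, tags, complete = ifd + 2 + 12 * n + 4, {}, True
    for i in range(n):
        e = ifd + 2 + 12 * i
        if e + 12 > len(buf):
            complete = False
            break
        tag, typ, count = struct.unpack_from(endian + "HHI", buf, e)
        size = TYPE_SIZE.get(typ, 1) * count
        src = e + 8 if size <= 4 else base + struct.unpack_from(endian + "I", buf, e + 8)[0]
        end = max(end, src + size)                         # out-of-line values extend the file
        fmt = {3: "H", 4: "I"}.get(typ)
        if fmt and count <= 4096 and src + size <= len(buf):
            tags[tag] = list(struct.unpack_from(endian + fmt * count, buf, src))
    for o, c in zip(tags.get(273, []), tags.get(279, [])):  # StripOffsets / StripByteCounts
        end = max(end, base + o + c)
    if end > len(buf):
        complete = False                                   # pixel data continues in another fragment
    first = lambda t: (tags.get(t) or [None])[0]
    return {"offset": base, "endian": endian, "width": first(256), "height": first(257),
            "compression": first(259), "expected_len": end - base, "complete": complete,
            "data": buf[base:min(end, len(buf))]}


def carve_tiffs(buf):
    """Scan for both TIFF magics; keep hits whose IFD yields a plausible width and height."""
    hits = []
    for magic in MAGIC:
        pos = buf.find(magic)
        while pos >= 0:
            info = tiff_extent(buf, pos)
            if info and info["width"] and info["height"] and info["width"] < 65536 and info["height"] < 65536:
                hits.append(info)
            pos = buf.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_tiff(endian, width, height, pixels):
    """Constructed minimal uncompressed 8-bit greyscale TIFF with one strip (sample data, not a Canon image)."""
    short = lambda tag, v: struct.pack(endian + "HHI", tag, 3, 1) + struct.pack(endian + "H", v) + b"\x00\x00"
    long_ = lambda tag, v: struct.pack(endian + "HHII", tag, 4, 1, v)
    strip_off = 8 + 2 + 12 * 9 + 4                         # header + IFD of nine entries + next-IFD pointer
    ifd = (struct.pack(endian + "H", 9) + short(256, width) + short(257, height) + short(258, 8)
           + short(259, 1) + short(262, 1) + long_(273, strip_off) + short(277, 1)
           + short(278, height) + long_(279, len(pixels)) + struct.pack(endian + "I", 0))
    magic = b"II\x2a\x00" if endian == "<" else b"MM\x00\x2a"
    return magic + struct.pack(endian + "I", 8) + ifd + pixels


# Constructed blob: slack, a complete little-endian TIFF, more slack, then a big-endian TIFF whose
# strip data is cut off, i.e. the first fragment of an image that was written non-contiguously.
SAMPLE_BLOB = (bytes(100) + build_tiff("<", 4, 2, bytes(range(8)))
               + b"\xff" * 37 + build_tiff(">", 4, 2, bytes(8))[:-5])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for h in carve_tiffs(blob):
        print("offset %d: %dx%d compression=%s expected %d bytes, %s" % (
            h["offset"], h["width"], h["height"], h["compression"], h["expected_len"],
            "complete" if h["complete"] else "TRUNCATED/fragmented"))
```

Point it at the raw partition (dd out partition 5, for instance) rather than the whole 40 GB image, since it reads its input into memory. A hit marked truncated still tells you the image's dimensions and how many more bytes to look for, which is the information needed to pair it with a later fragment; a proprietary format would need the same kind of length-aware parser, and without one carving can only ever return headers.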
douglasbrush
(@douglasbrush)
Posts: 812
Prominent Member
 

Nice work Hitman - thanks for sharing the research on the topic!

Recently had a very similar situation with a HDD from a security DVR system. Nothing but random data in unallocated clusters and no file system. Had to create a VM of the native OS (XP in this case) and install the proprietary DVR software to read the image mounted in MIP. Luckily on that everything was very software based and discernible.
Wonder if there is a way to create some sort of software to emulate the system board….do the lawyers in the office next door really need their ImageRunner for the rest of the week…?

 
Posted : 01/06/2010 9:08 pm
ThePM
(@thepm)
Posts: 253
Reputable Member
Topic starter
 

It would be interesting to be able to perform live forensics on a copier…

 
Posted : 01/06/2010 9:15 pm
binarybod
(@binarybod)
Posts: 272
Reputable Member
 

It would be interesting to be able to perform live forensics on a copier…

If you do, don't forget to wear sunglasses 8) those lamps can be really bright lol

Paul

 
Posted : 02/06/2010 12:53 am
CFEx
(@cfex)
Posts: 69
Trusted Member
 

It would be interesting to be able to perform live forensics on a copier…

How long has it been since many network devices come with a web interface? * years maybe.

1. Most of these multifunction devices have port 80 active.
2. You can access the interface unless it has been disabled.
3. Most of the times, I run into these multifunction devices with no administrative password.
4. You can change the configuration of the device if no password, or depending on the model and default settings, view the last several documents printed.

It wouldn't be "live forensics" but I can tell you from experience that you can view some of the documents printed using the web interface to the multifunction device.

 
Posted : 02/06/2010 3:28 am
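The checks CFEx lists (port 80 answering, the interface reachable, no administrative password set) can be run as a small audit across a device inventory before anyone starts pulling drives. Added example, not code from the thread: a Python probe that fetches one page from each host and reports whether it came back without an authentication challenge. The host list, the path (just "/") and the User-Agent string are assumptions; which page on a given model shows the last documents printed varies by manufacturer and is not something this code knows.

```python
# Added example: does a copier's embedded web server answer on port 80, and does
# its front page come back without an authentication challenge?
import http.client
import sys


def classify(status, headers):
    """Map an HTTP status plus (lower-cased) response headers to open / auth-required / redirect / error."""
    if status in (401, 407) or "www-authenticate" in headers:
        return "auth-required"
    if 300 <= status < 400 and "location" in headers:
        return "redirect"                     # often a login page; inspect the Location value
    if 200 <= status < 300:
        return "open"
    return "error"


def probe_http(host, port=80, path="/", timeout=3):
    """GET one page and return what was learned; never raises on a network failure."""
    result = {"host": host, "port": port, "path": path, "reachable": False}
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"User-Agent": "mfd-audit/0.1"})   # assumed UA string
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        result.update(reachable=True, status=resp.status, server=headers.get("server", ""),
                      location=headers.get("location", ""), state=classify(resp.status, headers))
        conn.close()
    except (OSError, http.client.HTTPException) as exc:  # refused, timed out, or not HTTP at all
        result["error"] = str(exc)
    return result


def audit(hosts):
    """Probe each host; 'open' means the page came back 2xx with no authentication challenge."""
    return [probe_http(h) for h in hosts]


if __name__ == "__main__":
    for r in audit(sys.argv[1:]):
        print("%(host)s:%(port)d %(path)s -> " % r + (
            "%(state)s (HTTP %(status)d, Server: %(server)s)" % r if r["reachable"] else "unreachable: %(error)s" % r))
```

An "open" result only says the front page is served without a challenge; the administrative pages may still be protected, so check the state of the admin path for that model separately, and an "auth-required" result says nothing about whether the password is still the factory default.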
CFEx
(@cfex)
Posts: 69
Trusted Member
 

* years was supposed to mean "8 years".

 
Posted : 02/06/2010 8:48 am
CFEx
(@cfex)
Posts: 69
Trusted Member
 

The other thing I should add is that these days, some of those devices (again, depends on the manufacturer and model) come with good functionality and settings that enable the device to purge documents after a certain time, or to even not store any documents at all.

That functionality is great because it doesn't require that you use a security kit or encryption. Unfortunately, that same functionality seems to be too much of an administrative task for IT departments.

This falls more on the realm of IT security, but it may be something you are not aware of.

 
Posted : 03/06/2010 10:36 am
Page 1 / 2