Multifunction device

(@thepm)
Reputable Member
Joined: 17 years ago
Posts: 254
Topic starter  

It would be interesting to be able to perform live forensic on a copier…


   
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

> It would be interesting to be able to perform live forensic on a copier…

If you do, don't forget to wear sunglasses 8) those lamps can be really bright lol

Paul


   
CFEx
(@cfex)
Trusted Member
Joined: 16 years ago
Posts: 69
 

> It would be interesting to be able to perform live forensic on a copier…

How long has it been since many network devices come with a web interface? * years maybe.

1. Most of these multifunction devices have port 80 active.
2. You can access the interface unless it has been disabled.
3. Most of the time, I run into these multifunction devices with no administrative password.
4. You can change the configuration of the device if no password, or depending on the model and default settings, view the last several documents printed.

It wouldn't be "live forensics" but I can tell you from experience that you can view some of the documents printed using the web interface to the multifunction device.


   
CFEx
(@cfex)
Trusted Member
Joined: 16 years ago
Posts: 69
 

* years was supposed to mean "8 years".


   
CFEx
(@cfex)
Trusted Member
Joined: 16 years ago
Posts: 69
 

The other thing I should add is that these days, some of those devices (again, depends on the manufacturer and model) come with good functionality and settings that enable the device to purge documents after a certain time, or even to not store any documents at all.

That functionality is great because it doesn't require that you use a security kit or encryption. Unfortunately, that same functionality seems to be too much of an administrative task for IT departments.

This falls more in the realm of IT security, but it may be something you are not aware of.


   
peak
(@peak)
Active Member
Joined: 16 years ago
Posts: 6
 

Thanks for the detailed info, saves a lot of work. These MFPs have become a hot item for our organization as well.


   
CFEx
(@cfex)
Trusted Member
Joined: 16 years ago
Posts: 69
 

> Thanks for the detailed info, saves a lot of work. These MFPs have become a hot item for our organization as well.

I call them MESD - that is multi edge sword devices, as an analogy to double edge swords. It happens that I was taking a look at one of these devices where a suspect was printing, and found out you can also use some of these devices to conduct some type of electronic surveillance.

In some models you can set the device to store all print jobs by user name. Isn't that great? Obviously, this applies when you believe somebody is a suspect; why bother with the print spool in these situations.


   
(@thepm)
Reputable Member
Joined: 17 years ago
Posts: 254
Topic starter  

Just wanted to let you guys know that I've been able to recover images from a Ricoh multi function device. Here is what I did

1- Created a DD image of the hard drive.
2- Swapped all the bytes in the image file.
3- Added the swapped image in FTK 3.
4- Performed data carving on the unallocated space (the whole drive was unallocated space).
5- Recovered 98 images.

Voilà!


   
peak
(@peak)
Active Member
Joined: 16 years ago
Posts: 6
 

I just imaged our Toshiba E studio 550. It had a 40gb IDE drive with a whopping 26 partitions!

Each partition was formatted either FAT16 or FAT32 and there was some unpartitioned space. Partitions 2, 3, & 4 are invisible or non-existent as they didn't show up. I used FTK Imager to image and FTK 1.8 to analyze.

Each partition contained a list of folders which vary depending on the partition. The common theme was every partition has a folder named "root".

Folders named cpy004, scn0018, emailTA, etc. appeared to be easy pickings, but were empty or had files named in an odd format such as pr001.001. These odd files were not very large, mainly around 400kb.

However in partition 15, the folder structure of root/smb/scan yielded deleted PDFs. These were easily read and exported. Here is where I found pay stubs, vacation confirmations, and other personal information.

I was expecting to find a lot more of this information all over the drive, but it was localized in that one scan folder.

Interestingly, many of the copy, scan, and email folders showed as deleted. I don't know what process deleted these and am looking for documentation to find out what security features this machine has.

Hope this helps,
Thanks!


   
(@naterbc)
New Member
Joined: 14 years ago
Posts: 1
 

> Just wanted to let you guys know that I've been able to recover images from a Ricoh multi function device. Here is what I did
>
> 1- Created a DD image of the hard drive.
> 2- Swapped all the bytes in the image file.
> 3- Added the swapped image in FTK 3.
> 4- Performed data carving on the unallocated space (the whole drive was unallocated space).
> 5- Recovered 98 images.
>
> Voilà!

I know this is a question on an old post, but I was wondering how you "swapped all the bytes in the image file"? What did you use to swap them (i.e. hex editor, other program)? Could you please provide the details of your procedures? I am conducting some research on this topic and was intrigued by this forum. Thanks.
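
One way to do the byte-swap step, as an added example that is not part of any post in this thread: it assumes "swapped all the bytes" means exchanging each adjacent pair of bytes (the 16-bit swap that `dd conv=swab` performs), since the post does not name the tool or the swap width. The sample "disk" and JPEG below are constructed; the carver is a minimal signature search used only to show why carving finds nothing until the image is swapped.

```python
import io

SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start / end markers

def swab_stream(src, dst, chunk=1 << 20):
    """Copy src to dst, swapping each adjacent byte pair; returns bytes written."""
    pending, total = b"", 0
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        buf = pending + buf
        even = len(buf) & ~1           # whole pairs only; carry an odd byte forward
        pending = buf[even:]
        out = bytearray(even)
        out[0::2] = buf[1:even:2]      # second byte of each pair goes first
        out[1::2] = buf[0:even:2]
        dst.write(out)
        total += even
    dst.write(pending)                 # an odd trailing byte is copied unchanged
    return total + len(pending)

def swab_bytes(data, chunk=1 << 20):
    """In-memory wrapper around swab_stream."""
    dst = io.BytesIO()
    swab_stream(io.BytesIO(data), dst, chunk)
    return dst.getvalue()

def carve_jpegs(data):
    """Return (offset, bytes) for each SOI..EOI span found in data."""
    found, pos = [], 0
    while (start := data.find(SOI, pos)) != -1:
        end = data.find(EOI, start + len(SOI))
        if end == -1:
            break
        found.append((start, data[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found

# Constructed sample: one tiny JPEG-like record at sector 1, stored pair-swapped
# the way the assumed on-disk layout would hold it.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"constructed-payload" + EOI
DISK = swab_bytes(bytes(512) + SAMPLE_JPEG + bytes(480))

if __name__ == "__main__":
    print("hits in image as acquired:", len(carve_jpegs(DISK)))
    fixed = swab_bytes(DISK)
    print("hits after pair swap:", [(off, len(b)) for off, b in carve_jpegs(fixed)])
```

For a real acquisition, call `swab_stream` on two file objects opened in binary mode and write to a new file, so the original image and its hash stay untouched.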


   