So first off, hi to all.
Wonder if you guys could point me in the right direction. I am very new to CF and am hanstrung by the fact that my boss currently expects me to find out evidence utilising free tools.
I have a situation where I am trying to find a particular document on a laptop that was printed on a specific day. The log on the network print server gives the document as
2/20/2008 11:34:24 AM Print Information None 10 Domain\userID Print Server Document 240, Document 108440454 owned by userID was printed on PGSL3B04 via port IP_10.110.140.37. Size in bytes 295939; pages printed 9
I have done a search on the laptop for documents of that size, that name, but that has not come up with anything relevant that I can see.
Can anyone give any clues as to where I might be able to look to find out about this specific file?
Many Thanks in advance
T
> I am very new to CF and am hanstrung[sic] by the fact that my boss
> currently expects me to find out evidence utilising free tools.
Not a problem…
http//
> Can anyone give any clues as to where I might be able to look to find
> out about this specific file?
It appears that you're assuming that the user printed a document that is named "document 108440454" and is 295939 bytes in size. I hope you didn't do a search for "document 108440454" on the system. 😉 This is most likely just an identifier used by the print server.
Also, the log says that 9 pages were printed… what if the document wasn't a whole document, but just 9 pages of a larger document? Is there anything else you know about the document... was it a Word or PDF document?
Thank you very much for the link, that is absolutely spot on.
As for the document, all the information I have is in the info on the print server. I have looked at his Recent Documents to see what he might have had opened at that time but there is nothing remotely like that in his list. The only thing I can think is that it might have been an Email attachment. Would that make any sense?
Tony
One of the first places I would look would be in the "index.dat" files, particularly for entries starting with "file:///" which show activity by a user with certain types of files (including some e-mail attachments).
There is an open source tool called "pasco" (available from Foundstone) which does a nice job of formatting "index.dat" files into a readable and searchable text file. You can then grep out any "file:///" entries and look for the relevant time period.
HTH
Stu
You haven't reported which file system you are under; if we assume it is an NTFS file system, after printing the document its Accessed Timestamp should have been changed, so it could be a nice idea to search for files accessed close to 2/20/2008 11:34:24 AM. It could have been accessed after the printing job, but it is just another try. Besides, if the attachment was opened directly from inside the email message, a temporary file should have also been created on that date.
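The timestamp search suggested above, as an added example that is not part of the original posts: a Python sweep that lists every file whose accessed, modified or changed/created time falls within a window around the print job. Assumptions: the function name, the 10-minute window, and that the tree being walked is a read-only mounted copy of the laptop's disk whose timestamps are in the same time zone as the print server log.

```python
import os
import sys
from datetime import datetime, timedelta

# Time of the print job, taken from the print server log quoted in this thread.
PRINT_TIME = datetime(2008, 2, 20, 11, 34, 24)


def files_touched_near(root, when=PRINT_TIME, window=timedelta(minutes=10)):
    """Return (path, size, matched) for each file under root that has a
    timestamp within `window` of `when`. `matched` names which stamps hit."""
    lo = (when - window).timestamp()
    hi = (when + window).timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow links out of the tree
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
            stamps = {
                "accessed": st.st_atime,
                "modified": st.st_mtime,
                # st_ctime is creation time on Windows, inode change time on Unix
                "changed/created": st.st_ctime,
            }
            matched = [label for label, ts in stamps.items() if lo <= ts <= hi]
            if matched:
                hits.append((path, st.st_size, matched))
    hits.sort(key=lambda hit: hit[0])
    return hits


if __name__ == "__main__":
    # Hypothetical usage: python sweep.py /mnt/laptop_image
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, size, matched in files_touched_near(root):
        print(f"{size:>12}  {','.join(matched):<32}  {path}")
```

Files under temporary and mail-attachment folders that show up in the output are the ones to look at first, since the document may have been opened straight from an email.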