PRINTER DIGITAL FORENSICS

(@texas42)
New Member
Joined: 14 years ago
Posts: 2
Topic starter  

I am in a Digital forensics class. In our studies, questions about printers have come up and I was hoping some of the posters on FORENSIC FOCUS could weigh in.

Now that printers are more complex and have hard drives/data storage, do they not only save information about the documents they print but also information about the network/computer/user that requested the print job? Could this be used to tie documents to criminals?

Do all printers erase their hard drives like Xerox claims to?

At my place of work our copier is hooked directly into the network and not through a computer terminal. It can send its own emails. When it comes to security, is it possible for a hacker to break into the printer and get his own printouts of all the documents that come across? Is it harder, easier, or impossible to remotely break into a printer (one of the higher-end ones with network capabilities of course; my desktop printer is probably safe)?

Note: This is just part of a discussion and not in any way homework. I will be linking this post to my prof and classmates so they can also see the responses.

Thank you for any thoughts.


   
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

I have examined 2 copier HDs. Outside of configuration settings, nothing else user related was recoverable.


   
digintel
(@digintel)
Trusted Member
Joined: 17 years ago
Posts: 51
 

At my place of work our copier is hooked directly into the network and not through a computer terminal. It can send its own emails. When it comes to security, is it possible for a hacker to break into the printer and get his own printouts of all the documents that come across? Is it harder, easier, or impossible to remotely break into a printer (one of the higher-end ones with network capabilities of course; my desktop printer is probably safe)?

I had a lot of fun with HP printers around 2006, when it was discovered that not only were some of them vulnerable, but you could also run your own code on the printer.
We changed text in the LCD displays to "INSERT QUARTER" and other weird messages, but we could have done anything we wanted:
- redirect print jobs
- save print jobs to local system
- forward files to other systems

Nowadays, if you Google for "hp printer exploits", you'll still get hits on recently discovered vulnerabilities, so even recent machines could be vulnerable.

If the printers are properly configured & secured, most of them are much more secure than those of say, 5 years earlier. Most network printers can be accessed via
- http(s)
- ftp
- telnet

HTTP, FTP & telnet are unsafe protocols (no encryption), and most let attackers guess passwords for as long as they want.

I still regularly recover printers that are not locked down
- no (admin) password
- all kinds of unneeded ports & services open

Some of those printers have the option to send scanned documents as e-mail. It would be easy to enter another email address, and resend the message from there (properly spoofed, of course).

Roland


   
(@tonyc)
Eminent Member
Joined: 16 years ago
Posts: 27
 

I removed the hard drive from a large multifunction printer (print, fax, scan, email) and had a field day. There were several files on the hard disk that were in fact PCL print jobs that I was able to retrieve and print.

Based on the directory structure it looked like the printer was running a flavor of Linux or BSD. That's just a guess, I didn't look close enough to determine what the OS was.

Most vendors seem to claim either they securely erase any file that is written to the hard drive that contains a scanned or printed document OR they offer a feature to do that…at an additional cost of course or have a feature that allows the drive to be wiped before disposing of the printer. (Trust but verify)

My "investigation" was the result of an article that hit the mainstream press in the US last year about someone recovering a bunch of personal data from printers at a refurbishing center. We just happened to have a printer sitting in the hall waiting to be picked up. I removed the drive and poked around a bit.

Of course, I wiped the drive before putting it back.

And yes, there are logs that can be printed from most printers that show the date, time, number of pages, file name etc. In fact, in one case I worked, the Toshiba printer had very detailed logs from the RIP engine that even showed the network user name and file name for each job printed.


   
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

Tony,
What kind of printer were you working with? In my case, where there was nothing to be retrieved, it was a Xerox printer.


   
(@tonyc)
Eminent Member
Joined: 16 years ago
Posts: 27
 

Greg,

It was either a Canon or a Toshiba but I don't remember.

I do remember attending a Xerox sales presentation a number of years ago and hearing that they were using secure erase to make sure that sensitive data did not remain on the hard drive in the printer.

My examination was not extensive. It was one of those opportunities that presented itself when the printer sat in the hall for several days waiting to be picked up.

BTW I just reread my post. The printer that we got logs off of was a Canon not a Toshiba. As I recall, at least on the Canon, the retention time for the logs is configurable.

TonyC


   
(@alexc)
Reputable Member
Joined: 16 years ago
Posts: 301
 

I know that it's not the printer side of things, but examining the storage in a big Canon office multi-function we were able to carve out hundreds upon hundreds of previously scanned files from unallocated space.

I seem to remember that there were several partitions on this one, and only one of them yielded results. I don't think we recovered previously printed documents from that one, but it was a while ago, so I might be wrong there.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

I once went on a self-catering holiday and the cottage next door was being rented by a guy who was a regional rep for one of the big names in the copier industry. He admitted that once the machines reach the end of their first lease they are either sold or leased to a third party with the original drives in and no wiping function carried out. They did offer at extra cost a "purge" function that would wipe the drive, but he said only the MOD ever ordered this option as it was seen as expensive and OTT by the private sector.

There is massive scope for research in this area but getting hold of some used copiers to experiment on is the issue.


   
(@hcdave)
New Member
Joined: 15 years ago
Posts: 1
 

I was given a hard drive from a Phaser 7760DX and asked to see if I could recover information from it. It was 'encrypted' with Xerox's proprietary binary coding, but the log files, with user name, IP of the station from which they printed, and document names, were viewable by string search. Word from a colleague indicated that it may be possible to view the actual documents if I managed to break the binary coding, but I've had no luck getting that information.


   
(@craigl-sec)
Active Member
Joined: 14 years ago
Posts: 5
 

I have managed to extract PostScript files from the hard drive in a Canon copier / network printer previously; it was a 40GB drive and stored a lot of files to interrogate!


   
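An added example, not from any poster in the thread, of the kind of signature carving behind the recoveries described above: it scans raw drive-image bytes for PJL-wrapped (PCL) and PostScript print jobs and pulls out the job and user names they carry. The sample image is constructed, and `@PJL SET USERNAME` is an assumption, since only some drivers emit it.

```python
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language; brackets spooled PJL/PCL jobs
PS_START, PS_END = b"%!PS-Adobe", b"%%EOF"
# Attribution fields: PJL job/user name (driver-dependent) and PostScript DSC comments
META = re.compile(rb'@PJL (JOB NAME|SET USERNAME) ?= ?"([^"]*)"|%%(Title|For): *([^\r\n]*)')

def _pjl_end(image, start, limit):
    """Offset just past the closing UEL; the UEL introducing '@PJL EOJ' is not the end."""
    end = start + len(UEL)
    while True:
        nxt = image.find(UEL, end, limit)
        if nxt == -1:
            return -1
        end = nxt + len(UEL)
        if not image.startswith(b"@PJL EOJ", end):
            return end

def carve_print_jobs(image: bytes, max_job: int = 64 * 1024 * 1024):
    """Carve PJL-wrapped and bare PostScript jobs from raw image bytes."""
    jobs, pos = [], 0
    while True:
        hits = [(o, k) for o, k in ((image.find(UEL + b"@PJL", pos), "pjl"),
                                    (image.find(PS_START, pos), "postscript")) if o != -1]
        if not hits:
            return jobs
        start, kind = min(hits)
        limit = min(len(image), start + max_job)
        if kind == "pjl":
            end = _pjl_end(image, start, limit)
        else:
            end = image.find(PS_END, start, limit)
            end = end + len(PS_END) if end != -1 else -1
        if end == -1:  # header without footer: overwritten or fragmented job
            jobs.append(dict(offset=start, kind=kind, complete=False))
            pos = start + 1
            continue
        data, meta = image[start:end], {}
        for m in META.finditer(data):
            key, val = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
            meta[key.decode()] = val.decode("latin-1").strip()
        jobs.append(dict(offset=start, kind=kind, complete=True, size=len(data), meta=meta))
        pos = end

def constructed_image():
    """Constructed sample: one PJL/PCL job, one PostScript job, one cut-off header."""
    pjl = (UEL + b'@PJL JOB NAME="payroll.xls"\r\n@PJL SET USERNAME="jdoe"\r\n'
           b"@PJL ENTER LANGUAGE=PCL\r\n\x1bEpage data\x1bE" + UEL + b"@PJL EOJ\r\n" + UEL)
    ps = b"%!PS-Adobe-3.0\n%%Title: memo.doc\n%%For: asmith\nshowpage\n%%EOF"
    return b"\x00" * 512 + pjl + b"\xff" * 100 + ps + b"\x00" * 64 + b"%!PS-Adobe-3.0\n%%Ti"
```

Embedded EPS can carry its own `%%EOF`, so a carved PostScript job may end early; jobs reported with `complete: False` have a header but no footer within range and need manual follow-up.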