Printer direct or shared? info from pc hdd image....

Also, using FTK i am unable to find any print related (.spl .shd or .emf files).

With FTK, out of these three, there is only the option to carve .emf files, i have tried this but no .emf files are reported.

Which makes me think that the printer used must have been shared and that these files must be on a server…

Does anyone know what the hex value for the .spl file extension is in the spool file header?

Thanks

Does nobody know of how i can tell then? registry locations?

Also, using FTK i am unable to find any print related (.spl .shd or .emf files).

With FTK, out of these three, there is only the option to carve .emf files, i have tried this but no .emf files are reported.

Which makes me think that the printer used must have been shared and that these files must be on a server…

Does anyone know what the hex value for the .spl file extension is in the spool file header?

Thanks

These files are deleted as soon as the printing is completed on the local machine. It's rare to find spool files.

The default printer is located at HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Device,
where local printers use a PrinterName,winspool,LPT1 format and network printers use a \\ServerName\PrinterShare,Description,LPTn format.

All the users printers are located at

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices

The computers printers are located at

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Providers\LanManPrintServices\Servers\<ServerName>\Printers\<PrinterName>

Thanks Earn, just what i needed. Yes i realise that they are deleted.

It seems that the printer is shared via a server, does this mean that the .spl, .emf and .shd files will be on that server in unallocated space?

Does anyone know if it is possible for them to be resident on the server but not the actual machine that the print jobs were sent from?

Cheers