Hi,
I'm fairly new to these forums and was advised that this would be one of the best places I could come to for some advice.
(If this is the wrong area for this topic, feel free to move it elsewhere)
Anyway,
I recently performed an experiment to find out what artefacts are created when I print out a document.
I performed a literature review beforehand to find out what kind of artefacts I would find (.SPL, .SHD and .EMF files).
I created a Virtual Machine with Windows XP, created a document and installed my printer drivers, taking a "before shot" of the virtual machine.
I put this before shot into EnCase to create a hash set for removing known operating system files in my after shot.
I went back into the VM and simulated the printing of the document I had previously created and shut down the VM.
I then created an "after shot" of the VMware VM, placed this into EnCase and created a condition to remove the known files with the hash set I previously created.
After navigating to the correct folder for the artefacts, there were indeed a .SPL and .SHD file.
However, when I selected these artefacts in EnCase, in text view, it shows the contents as "Empty File".
It shows the description as being File, Invalid Cluster, Archive.
There is no logical or physical size, there is no physical location or physical sector.
I am aware that a SPL /SHD file is temporary and is only available whilst it is being used by the printer, therefore once the printing has finished it is deleted.
However, I was not expecting these results from EnCase, and I was wondering if someone could kindly explain what has happened to the spool / shadow files to result in an empty file being shown, and what I would do in a future experiment in order to view the contents of the SPL / SHD file.
Thanks a lot for your help,
Laura
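The filtering step described in the post (hash every file in the "before" snapshot, then hide anything in the "after" snapshot whose hash is in that set) is easy to reproduce outside EnCase. The following is an added example, not code from the thread or from any of its posters: it builds two constructed directory trees standing in for the before and after images, computes a SHA-1 hash set from the first, and lists what survives in the second. The function names, paths and file contents are mine.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_of_file(path, chunk=1 << 20):
    """SHA-1 of a file, read in chunks so large images do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_hash_set(root):
    """Hash every regular file under root; this plays the role of the 'before shot' hash set."""
    return {sha1_of_file(p) for p in Path(root).rglob("*") if p.is_file()}


def filter_known(root, known_hashes):
    """Return (relative path, hash, size) for files under root whose hash is NOT in the known set."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = sha1_of_file(p)
            if digest not in known_hashes:
                hits.append((str(p.relative_to(root)), digest, p.stat().st_size))
    return hits


def demo():
    """Constructed before/after trees standing in for the two VM snapshots (sample data, not a real image)."""
    with tempfile.TemporaryDirectory() as tmp:
        before = Path(tmp, "before")
        after = Path(tmp, "after")
        for d in (before, after):
            (d / "WINDOWS/system32/spool/PRINTERS").mkdir(parents=True)
            # Same bytes in both trees, so the hash set removes it from the after shot
            (d / "WINDOWS/notepad.exe").write_bytes(b"MZ constructed OS binary")
        # After shot only: a shadow file with content and a zero-length spool file
        spool = after / "WINDOWS/system32/spool/PRINTERS"
        (spool / "00001.SHD").write_bytes(b"constructed shadow file bytes")
        (spool / "00001.SPL").write_bytes(b"")
        known = build_hash_set(before)
        return [(rel, size) for rel, _, size in filter_known(after, known)]


if __name__ == "__main__":
    for rel, size in demo():
        print(f"{size:>8}  {rel}")
```

One caveat worth keeping in mind when reading EnCase's "Empty File" result: a zero-byte file always hashes to the same constant value, so it only survives this filter because the before shot happened to contain no empty file. The hash tells you the entry is new, but nothing about what the spooler wrote there before the data was released.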
Laura
I note you say "simulated the printing of the document" which implies you did not print the document and wonder whether this has something to do with it.
I have just tried a similar test and set the printer to be off-line. When I then save the state of the VM I can find two files: the .shd has contents and the .spl has a size but is actually all zeroes. Maybe the fact that the documents are not quite printed has some effect on this.
I have then tried printing from my live machine and can see the two files and the spl file has the contents to be printed (the printer was just switched on and going through its start up so the printing was delayed).
I can't explain your findings; I would suggest you experiment a little further, varying what you do as I have mentioned, and see what happens. In practice, on the rare occasions I have looked for spooler files I haven't actually found much, AFAICR.
H
Hi,
Sorry if my wording has confused you. I did actually print off a document in the VMware VM, which I then put into EnCase to view the artefacts.
The .SPL file and .SHD file were there, but they were empty and there was nothing in there to look at in terms of evidence that I printed a specific document. EnCase told me both of the files were empty.
See attached picture for my results.
With all due respect, UNLIKE .spl files, posts on the board do not disappear, and can be searched:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5043
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3346
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2089
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1911
Common opinion seems to be that .spl/.shd files are a modern incarnation of Keyser Soze:
http//
And like that he was gone. Underground. Nobody has ever seen him since. He becomes a myth, a spook story that criminals tell their kids at night. "Rat on your pop, and Keyser Soze will get you." And no-one ever really believes.
Mythical files no one ever saw, but that are talked about around a fire, when the night is dark and the winter is cold….
jaclaz
No EMF file?
What sort of printer/drivers are you using? It may be that the SPL file is cleared really quickly after the print is complete, or it may be using a different method to spool the data. Searching for the following GREP expression may turn something up in unallocated: \x01\x00\x00\x00.{36,36}\x20EMF
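The GREP expression in the post above is the byte layout of the EMR_HEADER record that opens EMF data: a record type of 1, then 36 bytes (record size, bounds rectangle, frame rectangle), then the " EMF" signature. As an added example, not code from the thread or from any of its posters, here is the same search expressed as a Python bytes regex and run over a constructed blob standing in for a run of unallocated clusters; the sample data and the `find_emf_headers` / `parse_header` names are mine.

```python
import re
import struct

# The thread's GREP as a Python bytes regex.  DOTALL is required: the 36 skipped
# bytes are binary and may contain 0x0a, which '.' would otherwise refuse to match.
EMF_HEADER_RE = re.compile(rb"\x01\x00\x00\x00.{36}\x20EMF", re.DOTALL)


def build_emf_header(record_size, bounds, frame):
    """Constructed EMR_HEADER prefix: type=1, size, bounds RECTL, frame RECTL, ' EMF' (sample, not a real job)."""
    return (struct.pack("<II", 1, record_size)
            + struct.pack("<4i", *bounds)
            + struct.pack("<4i", *frame)
            + b" EMF")


def find_emf_headers(blob):
    """Byte offsets of every EMR_HEADER signature hit in blob."""
    return [m.start() for m in EMF_HEADER_RE.finditer(blob)]


def parse_header(blob, offset):
    """Decode the fixed fields of the EMR_HEADER found at offset, so a hit can be sanity-checked."""
    rec_type, rec_size = struct.unpack_from("<II", blob, offset)
    bounds = struct.unpack_from("<4i", blob, offset + 8)
    frame = struct.unpack_from("<4i", blob, offset + 24)
    signature = blob[offset + 40:offset + 44]
    return {"type": rec_type, "size": rec_size, "bounds": bounds,
            "frame": frame, "signature": signature}


# Constructed stand-in for unallocated space: two EMF headers surrounded by
# filler, plus a decoy that has type=1 but the wrong signature and must not match.
SAMPLE_UNALLOCATED = (
    b"\x00" * 500
    + build_emf_header(108, (0, 0, 100, 100), (0, 0, 1000, 1000))
    + b"\xff" * 200
    + build_emf_header(120, (0, 10, 200, 300), (0, 0, 2000, 3000))  # 10 == 0x0a, exercises DOTALL
    + b"\x00" * 50
    + b"\x01\x00\x00\x00" + b"\x00" * 36 + b"XEMF"
)

if __name__ == "__main__":
    for off in find_emf_headers(SAMPLE_UNALLOCATED):
        print(hex(off), parse_header(SAMPLE_UNALLOCATED, off))
```

A hit marks where the EMF record stream starts, not where the .SPL file started: in EMF spooling the spooler prefixes its own job headers before the first EMR_HEADER, so the offset is a carving start point for the drawing data rather than for the whole spool file. Decoding the size and rectangles of each hit, as `parse_header` does, is a cheap way to discard false positives before carving further.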
One of the given threads points to this
http//
Was the partition NTFS?
http//
jaclaz
No EMF file?
Didn't find any when I looked in EnCase.
What sort of printer/drivers are you using? It may be that the SPL file is cleared really quickly after the print is complete, or it may be using a different method to spool the data. Searching for the following GREP expression may turn something up in unallocated: \x01\x00\x00\x00.{36,36}\x20EMF
I used an Epson SX405 printer with the latest available drivers.
Thanks for the advice, I will have another look and do the search you provided.
Will also have a look at the links that have been provided, thank you.
Laura