If a suspect has printed something that they shouldn't have, e.g. private company information, which locations on a system should be checked in the case of Windows XP?
Where can the spool/shadow files be located?
Are there any other locations to take into consideration for evidence?
Registry keys?
Thanks a lot, any information appreciated :)
Don't forget it's not only the computer that may have evidence. If the file was sent across a network, the network print server may contain the document.
Also the printer itself, if it's got a buffer, may contain the document that was sent to it.
Just some extra thoughts.
OK cheers bud, good point, I was taking that into consideration.
Any more ideas with regards to the actual machine the printing was started from?
What OS are you working with?
I know in Windows 9x, the location is C:\Windows\spool\Printers.
.SPL are the spool files that hold the job.
If that helps any.
When a file is sent to a printer in Windows, the local print provider (Localspl.dll) writes the contents to a spool file (.spl) and creates a separate graphics file (.emf) for each page. Localspl.dll also tracks info such as username, filename, etc. in a shadow file (.shd).
By default .spl and .shd files are written to the Spool folder drive:\Windows_directory\System32\Spool\Printers. Depending on the printer setup, print jobs can also be spooled in Windows virtual memory.
Since the .spl, .shd and .emf files are deleted after the printer completes the print job, you will have to carve these files from unallocated space.
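One way to do that carving for the per-page .emf files, as an added example that is not from this thread or any of its posters: every EMF file opens with an ENHMETAHEADER whose record type is 1, whose ASCII signature ' EMF' sits at offset 40, and whose total length (nBytes) sits at offset 48, so a scanner can find candidates by signature and use nBytes to cut each one out. The sample "unallocated" buffer below is constructed inline; make_sample_emf builds a minimal header plus EMR_EOF record only so the carver has something to find.

```python
import struct

EMF_HEADER_TYPE = 0x00000001   # EMR_HEADER record type (iType)
EMF_SIGNATURE = 0x464D4520     # ' EMF' read as a little-endian DWORD
HEADER_MIN = 88                # smallest valid ENHMETAHEADER

def carve_emf(data: bytes):
    """Scan a raw byte buffer (e.g. unallocated clusters) for EMF files.

    Returns a list of (offset, blob). nBytes from the header is sanity
    checked before use so a corrupt or partially overwritten header does
    not make the carver read past the buffer.
    """
    found = []
    pos = 0
    while True:
        pos = data.find(b"\x01\x00\x00\x00", pos)   # candidate iType == 1
        if pos < 0 or pos + HEADER_MIN > len(data):
            break
        sig = struct.unpack_from("<I", data, pos + 40)[0]
        if sig == EMF_SIGNATURE:
            n_bytes = struct.unpack_from("<I", data, pos + 48)[0]
            n_records = struct.unpack_from("<I", data, pos + 52)[0]
            if HEADER_MIN <= n_bytes <= len(data) - pos and n_records >= 1:
                found.append((pos, data[pos:pos + n_bytes]))
                pos += n_bytes          # skip the carved file entirely
                continue
        pos += 1
    return found

def make_sample_emf(n_records: int = 2) -> bytes:
    """Constructed minimal EMF: 88-byte header followed by an EMR_EOF."""
    n_bytes = HEADER_MIN + 20
    header = struct.pack("<II", EMF_HEADER_TYPE, HEADER_MIN)
    header += b"\x00" * 32                                   # rclBounds, rclFrame
    header += struct.pack("<III", EMF_SIGNATURE, 0x10000, n_bytes)  # sig, version, nBytes
    header += struct.pack("<IHH", n_records, 0, 0)           # nRecords, nHandles, reserved
    header += b"\x00" * (HEADER_MIN - len(header))
    eof = struct.pack("<IIIII", 14, 20, 0, 16, 20)           # EMR_EOF record
    return header + eof

def demo():
    """Two EMF files, a decoy type-1 DWORD, and filler (all constructed)."""
    emf = make_sample_emf()
    junk = b"\xff" * 100
    decoy = b"\x01\x00\x00\x00" + b"\x00" * 50    # looks like iType 1, no signature
    return carve_emf(junk + emf + decoy + emf + junk)
```

On a real image the same scan works over a file-like object read in chunks; the decoy shows why the signature and length checks matter, since a bare DWORD of 1 is common in slack.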
Thanks, I've just checked that directory on a networked machine and the folder is empty; no .spl files. Does anyone know if they are kept by default on Windows?
Any tips like registry locations, any more info would be cool, thanks.
Hmmm. Since the .spl, .shd and .emf files are deleted after the printer completes the print job, you will have to carve these files from unallocated space.
BitHead did a fairly thorough job of covering that already. You likely didn't find the .spl files in the folder as they are deleted as soon as the print job completes.
Well, if you know the file name or type/extension that was opened, I'd start with searches through the RecentDocs and ComDlg keys to see if you find the file name (some entries are binary rather than ASCII, so straight searches via RegEdit won't work). Check the MRU/Recent Files keys for the application used to open the file to see if you find references to the file there.
Further, many documents contain metadata... Word docs may even contain the date/time that the doc was last printed.
Hope that helps…
Thanks, sorry I asked a question you had already answered earlier. I assume the .emf files are also written to this directory and then deleted when the print job finishes?
Thanks for those pointers as well, Harlan.
The printer involved is a Ricoh Aficio 1224c. I've located a PDF at the following link http://
Ricoh's Document Server provides you with comprehensive storage, search and retrieval tools to manage the conversion of paper-based originals into digital files. Whether documents are copied, printed or faxed they can be stored on the system's 40GB hard drive.
So I guess that printer does have a buffer and it definitely has a hard drive, although I don't know if documents are stored to it by default and the passage above leaves this open. I should really arrange a time to go and image this.
Just a quick question/update. Cheers