Retrieving .spl files
strobak
(@strobak)
Junior Member

I will be looking for spool files on an image using FTK (I know there are also the .emf and .shd files to consider) and I was wondering, in order, what steps you would take to try and locate them?

keyword search for ".spl"?
live keyword search for ".spl"?
live keyword search for the .spl file signature in hex?
data carve? (although there is no option to carve .spl files in FTK, only .emf)

Value your input

cheers

Posted : 11/12/2007 4:09 pm
cfprof
(@cfprof)
Member

sounds like a school project……

you might find the path where the .spl and .shd files are…..

Posted : 11/12/2007 6:44 pm
armresl
(@armresl)
Community Legend

.spl files are usually kept right next to Bigfoot and the Loch Ness Monster

Posted : 11/12/2007 7:40 pm
strobak
(@strobak)
Junior Member

The spool files are deleted when the print finishes

Posted : 12/12/2007 2:50 pm
strobak
(@strobak)
Junior Member

I can see 50 files in the spool directory with names similar to 00202.spl

when i highlight one of these, for example, FTK displays

" EMF Print Spool

Job Print Information

Name - Microsoft Word - Procedure List May 2007.doc
Port - Ne02
Page Count - 1
"

However, I thought that when a print job starts a .spl file (containing the documents being printed) is created, also an .emf file (containing each page from the document) and finally a .shd (which has information on the user account that started the job etc).

Does anyone know why there are only 50 in this directory and where I can locate others? Also, does anyone know why they only give this info and do not contain the documents that were printed?

Thanks

Posted : 13/12/2007 3:36 pm
andy1500mac
(@andy1500mac)
Member

The .spl file should have emf file or files embedded (for lack of better word) within them that represent the printed pages.

Export one of them (00202.spl) out of FTK and then re-launch the program adding just that file. FTK should show 1 evidence file with xx number of graphics (each graphic, EMF representing a printed page).

I did just this by sending a 10 page print job to a printer that was offline and recouping the SPL file from windows/system32/spool/printers on an XP machine.

hth

Posted : 13/12/2007 8:52 pm
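As an added illustration of what andy1500mac describes (EMF pages embedded in the .spl, and the job name / port that FTK displays), here is a small EMFSPOOL walker. It is example code written for this thread, not FTK's or anyone's tool from the discussion, and it assumes the record layout from the public MS-EMFSPOOL specification: a header of dwVersion, cjSize, dpszDocName, dpszOutput followed by records of ulID, cjSize, data. The sample spool file it parses is constructed in the code, with stub EMF pages that carry only an EMR_HEADER.

```python
import struct

# EMFSPOOL constants as documented in MS-EMFSPOOL (assumed, not from the thread).
EMFSPOOL_VERSION = 0x00010000
EMRI_METAFILE = 0x00000001       # XP-era record carrying a full EMF page
EMRI_METAFILE_DATA = 0x0000000C  # later Windows versions store the page here
EMF_SIGNATURE = b" EMF"          # EMR_HEADER dSignature, at offset 40 of every EMF

def _wstr(buf, off):
    """Read a NUL-terminated UTF-16LE string starting at off."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")

def parse_spl(buf):
    """Return (doc_name, port, [emf_page_bytes, ...]) for an EMFSPOOL buffer."""
    version, hdr_size, doc_off, out_off = struct.unpack_from("<IIII", buf, 0)
    if version != EMFSPOOL_VERSION:
        raise ValueError("not an EMF spool file (dwVersion=0x%08x)" % version)
    doc_name = _wstr(buf, doc_off) if doc_off else ""   # FTK's "Name"
    port = _wstr(buf, out_off) if out_off else ""       # FTK's "Port"
    pages, pos = [], hdr_size
    while pos + 8 <= len(buf):                           # ulID, cjSize, data...
        rec_id, rec_size = struct.unpack_from("<II", buf, pos)
        data = buf[pos + 8:pos + 8 + rec_size]
        if len(data) < rec_size:
            break  # truncated record, e.g. tail partly overwritten in unallocated space
        if rec_id in (EMRI_METAFILE, EMRI_METAFILE_DATA) and data[40:44] == EMF_SIGNATURE:
            pages.append(data)                            # one EMF per printed page
        pos += 8 + rec_size
    return doc_name, port, pages

def build_emf_page(page_no):
    """Constructed 88-byte EMF stub: EMR_HEADER only, page_no stored in nRecords."""
    hdr = bytearray(88)
    struct.pack_into("<II", hdr, 0, 1, 88)            # iType=EMR_HEADER, nSize
    struct.pack_into("<4sIII", hdr, 40, EMF_SIGNATURE, 0x00010000, 88, page_no)
    return bytes(hdr)

def build_sample_spl(doc_name, port, n_pages):
    """Constructed EMFSPOOL file: header strings followed by one EMRI_METAFILE per page."""
    doc = doc_name.encode("utf-16-le") + b"\x00\x00"
    out = port.encode("utf-16-le") + b"\x00\x00"
    hdr_size = 16 + len(doc) + len(out)
    hdr_size += (-hdr_size) % 4                        # keep records DWORD-aligned
    hdr = struct.pack("<IIII", EMFSPOOL_VERSION, hdr_size, 16, 16 + len(doc)) + doc + out
    recs = b"".join(struct.pack("<II", EMRI_METAFILE, 88) + build_emf_page(i + 1)
                    for i in range(n_pages))
    return hdr.ljust(hdr_size, b"\x00") + recs
```

Each returned page is a stand-alone EMF blob, so on a real spool file the same loop gives you one exportable page per record, and the truncated-record check is what keeps a partially overwritten file from being parsed past its intact prefix.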
eyez0n
(@eyez0n)
Junior Member

I have been lurking on board for quite some time and usually do not like the responses that say something along the lines of "Google it" but in this case, there is a wealth of information related to .spl, .emf, and .shd files available on the "internets".

You will find that most people in this field appreciate folks that do some extensive (or at the very least cursory ;) ) research on a subject prior to posting a request for assistance.

If I understand correctly, one of the things you are wondering is where/how to find .spl files and why there are not more on your suspect media.

Check out the following link (it was on the first page of Google hits) to Hacking Exposed Computer Forensics Secrets and Solutions

http://books.google.com/books?id=hL-Z3NVBBKsC&pg=PA131&lpg=PA131&dq=spl+file+temporary&source=web&ots=UzqgQPKtEH&sig=sy2ZEYz1AN9ibyTF8WxThv7hKZ0#PPA132,M1

Posted : 13/12/2007 9:17 pm
strobak
(@strobak)
Junior Member

eyez0n - I already knew this, and the image has two partitions

C which is 12 GB and has a FAT32 file system

D which is 192GB in size and has an NTFS file system

The spool directory is in - Part_2\WINDOWS\System32\Spool\PRINTERS

Andy1500MAC - I can view the .emf files for each spool file in the spool directory, I just can't work out why there's only 70 there, the computer has been in use for 4 years and apparently he prints many documents each day.
It was a surprise for me when I discovered that the .spl files were easily viewable in FTK by browsing to the spool directory as I understood they were deleted upon print job completion and so expected to have had to examine unallocated space to retrieve any.

As far as data carving is concerned, of the three file types I'm interested in (.spl, .emf, .shd) FTK only gives the option to carve .emf files out of these three, but as each .emf file carved should relate to a different print job, I did this in an attempt to locate .emf files that weren't in the spool directory but were in unallocated space.
However, the .emf files I located through this were only those that corresponded to the .spl files in the spool directory.

So am I to believe that there are only those 70 sets of .spl, .emf and .shd files to be found on the HDD? I'm just asking for opinions, from people who have experienced .spl file related cases in the past.

If I know that this IS the case then that's fine. I just need a good explanation for it if it is, that's all…

Thanks

Posted : 13/12/2007 9:58 pm
Anonymous

I can view the .emf files for each spool file in the spool directory, I just can't work out why there's only 70 there, the computer has been in use for 4 years and apparently he prints many documents each day.
It was a surprise for me when I discovered that the .spl files were easily viewable in FTK by browsing to the spool directory as I understood they were deleted upon print job completion and so expected to have had to examine unallocated space to retrieve any….

The "missing" .spl files were in all likelihood overwritten. Remember, when a file is "deleted," its entry is removed from the "catalog" (FAT, MFT) and the space the file occupied is marked as "available" (unallocated). So, if "Mr. Print-Happy" also moves a lot of documents, images, cached web pages, video clips, MP3s (surely not at work!!! 😯 )… etc onto and off of his hard drive, then unallocated space may be overwritten, unallocated, overwritten, unallocated and on and on many times.

-Austin

Posted : 13/12/2007 10:24 pm
cfprof
(@cfprof)
Member

I can view the .emf files for each spool file in the spool directory, I just can't work out why there's only 70 there, the computer has been in use for 4 years and apparently he prints many documents each day.

So am I to believe that there are only those 70 sets of .spl, .emf and .shd files to be found on the HDD? I'm just asking for opinions, from people who have experienced .spl file related cases in the past.
Thanks

Given that all of these files are typically deleted and given that the normal amount found is 0, I'd say 70 is an unbelievable number to have remaining!

In my limited experience, "only those 70 sets" is a large amount.

Has anyone else ever seen numbers like this???

Posted : 14/12/2007 2:41 am
strobak
(@strobak)
Junior Member

The "missing" .spl files were in all likelihood overwritten. Remember, when a file is "deleted," its entry is removed from the "catalog" (FAT, MFT) and the space the file occupied is marked as "available" (unallocated). So, if "Mr. Print-Happy" also moves a lot of documents, images, cached web pages, video clips, MP3s (surely not at work!!! 😯 )… etc onto and off of his hard drive, then unallocated space may be overwritten, unallocated, overwritten, unallocated and on and on many times.

Yeah, this is what I thought the explanation probably was; it's a heavily used drive.

Given that all of these files are typically deleted and given that the normal amount found is 0, I'd say 70 is an unbelievable number to have remaining!

In my limited experience, "only those 70 sets" is a large amount.

Has anyone else ever seen numbers like this???

Really? Oh well, I'll think myself lucky ;).

Yeah, I knew that the spool files were usually deleted as soon as the print job finished, so any ideas why these ones aren't?
All I have to do to view them in FTK is navigate to the obvious directory. Maybe FTK is pulling them back from unallocated space and placing them there in the tree, but I very much doubt this as they would have an orphan sign next to their filename…

Posted : 14/12/2007 2:39 pm