Notifications

Clear all

Windows XP printer spool directory always empty

General (Technical, Procedural, Software, Hardware etc.)

Last Post by DFICSI 17 years ago

7 Posts

5 Users

0 Reactions

964 Views

RSS

ahoog

(@ahoog)

Eminent Member

Joined: 17 years ago

Posts: 47

Topic starter 07/01/2009 5:00 am

I am trying to locate evidence of what documents a user printed (Windows XP, SP2) and was looking in the print spooler directory at

c\windows\system32\spool\printers

for .shd or .spl files. I understand Windows deletes these files after a successful print but I've checked 4 hard drives now and have not found a single file (I'm searching allocated and unallocated/deleted files, of course). If the printer is networked, I'm pretty sure the file is spooled on the file/print server however I thought at least 1 of the drives printed locally.

Am I looking in the wrong place? Do I have the directories/process incorrect? Or perhaps everyone is just using network printers these days. Thanks for any direction.

Quote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

07/01/2009 6:17 am

"I understand Windows deletes these files after a successful print but I've checked 4 hard drives now and have not found a single file…"

Sounds like you're on the right track…

ReplyQuote

ahoog

(@ahoog)

Eminent Member

Joined: 17 years ago

Posts: 47

Topic starter 07/01/2009 8:30 am

But on an 80GB+ hard drive, I can't imagine Windows would overwrite the deleted print files. Shouldn't there be a bunch of "deleted but recoverable" files? Do people come across many in their investigations? Thanks.

ReplyQuote

CdtDelta

(@cdtdelta)

Estimable Member

Joined: 17 years ago

Posts: 134

07/01/2009 11:25 am

Are you looking for them in unallocated space in or in the spool\printers directory? If it's in unallocated, then you could try a search for EMF. If you have EnCase, then I have a grep search from my CF 2 book you could try too (or use the EnScript program if you have it).

Tom

ReplyQuote

brede

(@brede)

Trusted Member

Joined: 20 years ago

Posts: 64

07/01/2009 2:27 pm

try to check registry, maybe default spool directory place was changed

ReplyQuote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

07/01/2009 6:00 pm

But on an 80GB+ hard drive, I can't imagine Windows would overwrite the deleted print files. Shouldn't there be a bunch of "deleted but recoverable" files? Do people come across many in their investigations? Thanks.

Windows systems, and XP in particular, have their own anti-forensics techniques built into the operating system…something I've blogged about and mentioned in my books.

I have examinations where finding indications of files being printed was important, and I found nothing with respect to the print spools, and instead relied on metadata from MS Word and Excel docs…

ReplyQuote

DFICSI

(@dficsi)

Reputable Member

Joined: 19 years ago

Posts: 283

07/01/2009 6:16 pm

Oh no, you mentioned your book! Didn't you know that's not allowed on here? 😉

ReplyQuote

Podcast: Well-Being In Digital Forensics And Policing: Insights From Hannah Bailey

Hannah Bailey shares her journey from frontline policin...

By Zoe , 3 days ago
RE: Android Forensics

Hi, Try decompressing the file using zlib in python. ...

By Dexter4n6 , 3 days ago
Interview: Neal Ysart, Co-Founder, The Coalition of Cyber Investigators

Neal Ysart shares how The Coalition of Cyber Investigat...

By Zoe , 4 days ago

8 Forums
15.7 K Topics
92.3 K Posts
6 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed