PaulDotCom mailing list archives

Need help with a printer hacking idea


From: rbutturini at epictn.com (Russell Butturini)
Date: Wed, 26 Aug 2009 09:31:33 -0500

This is a project I've thought about too. I even posted around on a
couple of forums, but nobody had any good ideas. The only success I did
have with it was using a tiny utility (can't recall the name now) that
did actively monitor the folder and copy any new files to an alternate
location via FTP.

 

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian
Crenshaw
Sent: Tuesday, August 25, 2009 7:03 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Need help with a printer hacking idea

 

Ok,
    I've noticed the c:\Windows\System32\spool\PRINTERS folder sometimes
has SPL files in it that contain EMF versions of what is being printed
(I've attached a sample). You can find a viewer here:
http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx. These normally get
deleted as soon as the print job finishes printing. I've tried using
tools that look in the MFT, but they don't see any deleted files that
match (working on the data carve as we speak). Other than having an app
that sits there that constantly polls for new files in the spool folder,
can you think of a way to have an event fire off that will copy these
jobs as they are printed? Lots of sensitive stuff is printed, and this
could be some useful info for pentesters/forensics guys.

Adrian
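
The data-carving step mentioned above, sketched as an added example that is not code from the thread: it scans a raw byte blob (for instance, unallocated space exported from an image) for embedded EMF streams. It assumes only the standard EMF header layout (record type 1, the bytes " EMF" 40 bytes into the header, total stream size at offset 48); the function names and the sample bytes are constructed for illustration.

```python
import struct

EMF_SIG = b" EMF"     # dSignature bytes, 40 bytes into the EMF header record
SIG_OFFSET = 40
MIN_HEADER = 88       # smallest valid EMF header record

def carve_emf(blob):
    """Return (offset, data) for each plausible EMF stream found in blob."""
    found = []
    pos = blob.find(EMF_SIG)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + MIN_HEADER <= len(blob):
            rec_type, rec_size = struct.unpack_from("<II", blob, start)
            n_bytes, n_records = struct.unpack_from("<II", blob, start + 48)
            # Sanity checks keep stray " EMF" strings from being carved.
            if (rec_type == 1 and MIN_HEADER <= rec_size <= n_bytes
                    and rec_size % 4 == 0 and n_records >= 2
                    and start + n_bytes <= len(blob)):
                found.append((start, blob[start:start + n_bytes]))
                pos = blob.find(EMF_SIG, start + n_bytes)
                continue
        pos = blob.find(EMF_SIG, pos + 1)
    return found

def _sample_emf():
    """Constructed minimal EMF: 88-byte header plus a 20-byte EMR_EOF record."""
    header = struct.pack("<II", 1, 88) + bytes(32) + EMF_SIG
    header += struct.pack("<IIIHH", 0x10000, 108, 2, 1, 0) + bytes(28)
    eof = struct.pack("<IIIII", 14, 20, 0, 0, 20)
    return header + eof

# Constructed test blob: padding, one intact EMF, a decoy string, a truncated EMF.
SAMPLE = bytes(37) + _sample_emf() + b"junk EMF text" + _sample_emf()[:60]

if __name__ == "__main__":
    for offset, data in carve_emf(SAMPLE):
        print(f"EMF stream at offset {offset}, {len(data)} bytes")
```

Streams whose declared size runs past the end of the blob are skipped, so a partially overwritten job will not be recovered by this check.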
