Need help with a printer hacking idea

[irongeek at irongeek.com (Adrian Crenshaw)]

Only a little, but the hex values I found for a data carve did not seem to
help. If you encounter a better source, I'd love to see it. :)

Thanks,

Adrian

On Thu, Aug 27, 2009 at 1:40 PM, subzer0girl <subzer0girl at gmail.com> wrote:

> Adrian
>
> have you searched on printer or copier forensics for file and format
> information ?
>
>
>
> On Tue, Aug 25, 2009 at 6:03 PM, Adrian Crenshaw <irongeek at irongeek.com>wrote:
>
> > Ok,
> >     I've noticed the c:\Windows\System32\spool\PRINTERS folder sometimes
> > has SPL files in it that contain EMF versions of what is being printed (I've
> > attached a sample). You can find a viewer here
> > http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx . These
> > normaly get deleted as soon as the print job finishes printing. I've tried
> > using tools that look in the MFT, but they don't see any deleted files that
> > match (working on the data carve as we speak), Other than having a app that
> > sits there that constantly polls for new files in the spool folder, can you
> > think of a way to have an event fire off that will copy these jobs as they
> > are printed? Lot's of sensitive stuff is printed, and this could be some
> > useful info for pentesters/forensics guys.
> >
> > Adrian
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090827/94f6df7b/attachment.htm