Printer forensics

Printer blog post

Why are printers useful?
Information on Windows systems can also be found in connection with a computer's configured printer and its printing activity.

How does it work?
Systems running Windows can generally be set to send data to a printer in either raw or enhanced metafile (EMF) format. Both raw and EMF produce two file types: a shadow file (.SHD) and a spool file (.SPL). These can be found in the C:\Windows\System32\spool\PRINTERS folder.

Example:
FP00001.SHD and FP00001.SPL would be the two files for the same print job.

.SHD contains information about the job itself, such as the printer name, the computer name, the files accessed to enable the printer, the user account that created the print job, the application used to print the file and the name of the printed file.

.SPL contains the actual data to be printed; this contains one EMF for each page in the job sent to the printer, with each page marked by “EMF”.
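As an added example (not code from the original post), the following Python script shows how an investigator might triage a copy of the spool folder: it pairs .SHD and .SPL files that share a job number, counts the pages in an EMF spool file by counting EMF header signatures (the four bytes " EMF", which is what the post calls the “EMF” marker on each page), and carves UTF-16LE strings out of the shadow file so that the printer, computer, user and document names the post describes can be read without relying on the undocumented .SHD layout. The spool path is the default one named above, and all sample bytes are constructed for the demonstration, not taken from a real case.

```python
"""Triage helper for Windows print-spooler artefacts (.SHD/.SPL).

Added example, not from the original post. Pairs shadow and spool files by
job number, counts pages in an EMF spool file and carves Unicode strings
from a shadow file. The sample bytes below are constructed for the demo.
"""
import os
import re
from collections import defaultdict

# Default spool folder named in the post (assumes a standard install drive).
SPOOL_DIR = r"C:\Windows\System32\spool\PRINTERS"

# Signature found in every EMF header record (" EMF", little-endian 0x464D4520);
# the post refers to this as the "EMF" marker that introduces each page.
EMF_SIGNATURE = b" EMF"


def pair_spool_jobs(filenames):
    """Group .SHD and .SPL files that belong to the same print job.

    FP00001.SHD and FP00001.SPL share the stem FP00001, so they are one job.
    Returns {stem: {"SHD": name, "SPL": name}}; a missing half is simply absent,
    which itself is worth noting (e.g. a spool file with no shadow file).
    """
    jobs = defaultdict(dict)
    for name in filenames:
        stem, ext = os.path.splitext(name)
        ext = ext.lstrip(".").upper()
        if ext in ("SHD", "SPL"):
            jobs[stem][ext] = name
    return dict(jobs)


def count_emf_pages(spl_bytes):
    """Count pages in an EMF spool file by counting EMF header signatures."""
    return spl_bytes.count(EMF_SIGNATURE)


def extract_utf16_strings(data, min_len=4):
    """Return printable UTF-16LE strings of at least min_len characters.

    Generic string carving, not a parser of the .SHD structure: it surfaces the
    Unicode fields (printer, computer, user, document name) for review.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def summarize_job(shd_bytes, spl_bytes):
    """Combine the two artefacts of one job into a single triage record."""
    return {
        "strings": extract_utf16_strings(shd_bytes),
        "pages": count_emf_pages(spl_bytes),
        "spl_size": len(spl_bytes),
    }


def triage_spool_dir(path=SPOOL_DIR):
    """Summarize every job in a (copied) spool folder; missing halves are skipped."""
    jobs = pair_spool_jobs(os.listdir(path))
    results = {}
    for stem, parts in jobs.items():
        if "SHD" in parts and "SPL" in parts:
            with open(os.path.join(path, parts["SHD"]), "rb") as f:
                shd = f.read()
            with open(os.path.join(path, parts["SPL"]), "rb") as f:
                spl = f.read()
            results[stem] = summarize_job(shd, spl)
    return results


def _utf16(text):
    """Encode a constructed sample field as UTF-16LE with a null terminator."""
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed sample shadow file: binary padding around Unicode fields,
# mimicking the kind of content the post says an .SHD holds.
SAMPLE_SHD = (b"\x00" * 16
              + _utf16("HP LaserJet 4") + b"\x01\x02"
              + _utf16("WORKSTATION01") + b"\xff" * 3
              + _utf16("jdoe") + _utf16("Confidential.docx"))

# Constructed sample spool file: two EMF header signatures, i.e. two pages.
_EMF_PAGE = b"\x01\x00\x00\x00\x6c\x00\x00\x00" + EMF_SIGNATURE + b"\x00" * 32
SAMPLE_SPL = b"\x00" * 8 + _EMF_PAGE + _EMF_PAGE


if __name__ == "__main__":
    print(pair_spool_jobs(["FP00001.SHD", "FP00001.SPL", "FP00002.SPL"]))
    print(summarize_job(SAMPLE_SHD, SAMPLE_SPL))
```

Run `triage_spool_dir()` against a forensic copy of the spool folder rather than the live system, and treat the carved strings as leads to confirm against the job's other metadata; the string carving deliberately avoids depending on the shadow file's internal layout, which differs between Windows versions.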

Software such as EnCase automatically converts the bytes that make up these files into a user-viewable format by bookmarking the data as a picture, as seen in the picture below (Handbook of Digital Forensics, 2009).

 
However, we can only find these files if:
1. There was some problem with the print job that prevented it from completing successfully (e.g., the printer being out of paper, a communication problem between the sending system and the printer, or the chosen printer not being powered on).

2. The sending system is configured to keep printed documents, as shown in Figure 5.38, thereby retaining backup or tracking copies of jobs sent to the printer.

Why is this useful? This is another avenue for forensic investigators to find potential evidence. Files that have been deleted and are otherwise unrecoverable may still be viewable through the printer files.

Example: An employee at a company has printed out a confidential document. The company has been informed by a different employee that this was done on the upstairs printer. Checking the .SPL file for this printer will confirm whether the data printed is the confidential data. Checking the shadow file (.SHD) will provide information on who printed the job, as you cannot blame anyone without proper evidence.