Need help with a printer hacking idea

[joel.folkerts at gmail.com (Joel Folkerts)]

You may also consider attempting to carve the SPL file out of unallocated or
the pagefile.sys. I don't recall what the file header or footer is but it
may be worth investigating. It's also been my experience that these SPL
don't hang around for long on the drive but it's always worth a quick check.

-Joel


"The path to hell is paved with good intentions."


On Tue, Aug 25, 2009 at 7:03 PM, Adrian Crenshaw <irongeek at irongeek.com>wrote:

> Ok,
>     I've noticed the c:\Windows\System32\spool\PRINTERS folder sometimes
> has SPL files in it that contain EMF versions of what is being printed (I've
> attached a sample). You can find a viewer here
> http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx . These normaly
> get deleted as soon as the print job finishes printing. I've tried using
> tools that look in the MFT, but they don't see any deleted files that match
> (working on the data carve as we speak), Other than having a app that sits
> there that constantly polls for new files in the spool folder, can you think
> of a way to have an event fire off that will copy these jobs as they are
> printed? Lot's of sensitive stuff is printed, and this could be some useful
> info for pentesters/forensics guys.
>
> Adrian
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090826/f8553edf/attachment.htm