±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36632
New Yesterday: 3 Visitors: 136

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Retrieving .spl files

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

strobak
Member
 

Retrieving .spl files

Post Posted: Dec 11, 07 16:09

I will be looking for spool files on an image using FTK (i know there are also the .emf and .shd files to consider) and i was wondering, in order, what steps you would take to try and locate them?

keyword search for ".spl"?
live keyword search for ".spl"?
live keyword search for .spl file signature in hex?
data carve? (although there is no option to carve .spl files in FTK, only .emf)

Value your input

cheers  
 
  

cfprof
Senior Member
 

Re: Retrieving .spl files

Post Posted: Dec 11, 07 18:44

sounds like a school project......

you might find the path where the .spl and .shd files are.....  
 
  

armresl
Senior Member
 

Re: Retrieving .spl files

Post Posted: Dec 11, 07 19:40

.spl files are usually kept right next to Bigfoot and the Loch Ness Monster
_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
  

strobak
Member
 

Re: Retrieving .spl files

Post Posted: Dec 12, 07 14:50

The spool files are deleted when the print finishes  
 
  

strobak
Member
 

Re: Retrieving .spl files

Post Posted: Dec 13, 07 15:36

i can see 50 files in the spool directory with names similar to 00202.spl

when i highlight one of these, for example, FTK displays:

" EMF Print Spool

Job Print Information

Name - Microsoft Word - Procedure List May 2007.doc
Port - Ne02
Page Count - 1
"

However i thought that when a print job starts a .spl file (containing the documents being printed) is created, also an .emf file (containing each page from the document) and finally a .shd (which has information on the user account that started the job etc).

Does anyone know why there are only 50 in this directory and where i can locate others? also does anyone know why they only give this info and do not contain the documents that were printed?

Thanks  
 
  

andy1500mac
Senior Member
 

Re: Retrieving .spl files

Post Posted: Dec 13, 07 20:52

The .spl file should have emf file or files embedded (for lack of better word) within them that represent the printed pages.

Export one of them (00202.spl) out of FTK and then re-launch the program adding just that file. FTK should show 1 evidence file with xx number of graphics (each graphic, EMF representing a printed page).

I did just this by sending a 10 page print job to a printer that was offline and recouping the SPL file from windows/system32/spool/printers on an XP machine.

hth
_________________
Andrew 
 
  

eyez0n
Member
 

Re: Retrieving .spl files

Post Posted: Dec 13, 07 21:17

I have been lurking on board for quite some time and usually do not like the responses that say something along the lines of "Google it" but in this case, there is a wealth of information related to .spl, .emf, and .shd files available on the "internets".

You will find that most people in this field appreciate folks that do some extensive (or at the very least cursory Wink ) research on a subject prior to posting a request for assistance.

If I understand correctly, one of the things you are wondering is where/how to find .spl files and why there are not more on your suspect media.

Check out the following link (it was on the first page of Google hits) to Hacking Exposed: Computer Forensics Secrets and Solutions:

books.google.com/books...#PPA132,M1  
 

Page 1 of 2
Page 1, 2  Next