Special Files

Windows has several files and file types that can be analyzed using special tools or techniques. These files include the pagefile, shortcuts, printer files, and log files. Other files, such as the index.dat file and registry files, are also of special interest and are covered in Chapter 12, "Internet Usage Analysis."

Print Spool Files

When a file is printed in Windows, it is first spooled to the print spooler directory as a file (or set of files). In Windows 9x, this consists of a metadata SPL file with a link to a TMP file holding the actual data to be printed. On Windows NT/2000/XP/2003, two files are generally created per job: an SHD file with information about the print job and an SPL file with the print job itself and an associated header.

Note 

A final type, the PRN file, contains raw printer instructions and is produced when printing explicitly to a file. This type of file can be sent straight to a printer by typing copy /b filename.prn LPT1, where filename.prn is the PRN file and LPT1 is the port the printer is attached to (the /b switch makes copy treat the file as binary so that none of the printer data is dropped as text).

Like other files, SHD and SPL files can be recovered from unallocated space and may still be present on a drive long after the source documents have been deleted. The files can provide evidence of what was printed, who printed it, when it was printed, how many copies were printed, and even the contents of the print job. The spool files reside on the local system under the %SYSTEMROOT%\System32\spool\PRINTERS directory, or under the designated spool directory on a print server (the same directory by default on Windows print servers). The files are tied to the printer driver they were generated for and cannot simply be transferred to another printer, although they can be reprinted by connecting a printer of the same model.

The first place to look for information on a print job is the SHD file (named sequentially, and paired with a similarly named SPL file). The metadata about the print job is stored in this file, but an ASCII-only strings program will not show it, because the text is stored as Unicode (UTF-16); a Unicode-capable strings tool or a hex editor is needed to view it accurately. The data of primary importance to a forensic investigation starts with the Windows user name of the person who printed the job and includes (in order):

  • User name: Who printed the job.

  • Notification name: Who is notified when the job is completed.

  • Document name: The name of the file that was printed.

  • Port name: Which printer port was used, local or remote.

  • Printer name: The specific name of the printer (not type, though they may be the same).

These strings start at the offset stored (as a little-endian value) at location 14h within the SHD file. The data type of the print job (EMF for Enhanced Metafile, or RAW) appears in the file after the fields listed above, followed by driver information; the last non-numeric string in the file generally contains the name of the computer the job was printed from (on non-Windows 9x systems).

Figure 10-18 shows a sample SHD file from a Windows XP machine. The start of the file is as follows:

Figure 10-18: Start of the spool file

The first two bytes, 67 49h, show the file came from a Windows 2000/XP machine. The little-endian value at location 14h indicates that the user name starts at offset 048Ch.

Tip 

The version of Windows that generated the file can be determined from its first two bytes: 4B49h for Windows 9x, 6649h for Windows NT, 6749h for Windows 2000/XP, and 6849h for Windows Server 2003.

Figure 10-19 shows that piece of the file.

Figure 10-19: User name in the print file

The user name and notification name are both CMSS1212. The document name was Microsoft Word Document1 (the Microsoft Word prefix shows it was printed from Word). The printer was attached to LPT1 (the local parallel port) and was named HP DeskJet 895Cse (which was also its model). The job was an EMF job, and it was printed from a machine named RJLLL12033121.

The SPL file format depends on the data type, RAW or EMF. RAW spool files hold the printer's native data stream and can be viewed with a viewer that understands that format (for example, IrfanView works for common cases). EMF-formatted SPL files contain a spooler header that needs to be stripped first. The header contains the document name and its size, and is parsed out when printing. To recover and view an SPL file's contents:

  1. Open the file in WinHex and search for the string EMF.

  2. Move back 41 bytes from the E to find the first byte of the EMF header record (the record type, 01h) and note its location (5Ch in the following example).

  3. Select Edit > Define Block and enter the starting location noted above and an ending location of End of File.

  4. Choose Edit > Copy Block > Into New File and name the new file with an .emf extension.

Tip 

The Print Spooler service needs to be stopped first if the job is still in the print queue, because the spooler holds those files open.

Opening the newly created file in IrfanView shows the actual content sent to the printer in the preceding example (see Figure 10-20).

Figure 10-20: Reconstructed printer file
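As an added example (this is not code from the book or from any Microsoft tool), the following Python script automates the two procedures above: it reads the job fields out of an SHD file starting at the offset stored at 14h, and carves the EMF body out of an EMF-type SPL file by locating the EMF signature and stepping back to the header record. The SHD layout it assumes is only what this section describes (a two-byte origin signature, a little-endian offset at 14h, and consecutive NUL-terminated UTF-16 strings); real SHD files carry more structure than that, so treat it as a triage aid rather than a reference parser. The sample SHD and SPL bytes are constructed inside the script, echoing the Figure 10-19 values, so it runs without real spool files.

```python
"""Inspect Windows print-spool job files: read the SHD job-description
file and carve the EMF body out of an EMF-type SPL file.

Added example (not from the chapter or any Microsoft tool). The SHD
layout assumed here is only what the chapter states: a 2-byte origin
signature, a little-endian offset at 0x14, and NUL-terminated UTF-16LE
strings (user, notify, document, port, printer) starting there. Real
SHD files hold more structure than this; treat the parser as a triage
aid, not a reference implementation. Sample files are constructed below.
"""
import struct

# First two bytes of an SHD file, per the chapter's Tip.
SHD_SIGNATURES = {
    b"\x4b\x49": "Windows 9x",
    b"\x66\x49": "Windows NT",
    b"\x67\x49": "Windows 2000/XP",
    b"\x68\x49": "Windows Server 2003",
}
JOB_FIELDS = ("user", "notify", "document", "port", "printer")


def read_utf16z(data: bytes, pos: int):
    """Return (string, next_pos) for a NUL-terminated UTF-16LE string at pos."""
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le"), end + 2


def utf16_strings(data: bytes, min_len: int = 3):
    """Like 'strings' for UTF-16LE text: runs of printable ASCII code units."""
    out, i, n = [], 0, len(data)
    while i + 1 < n:
        j = i
        while j + 1 < n and data[j + 1] == 0 and 0x20 <= data[j] < 0x7F:
            j += 2
        if (j - i) // 2 >= min_len:
            out.append(data[i:j].decode("utf-16-le"))
            i = j
        else:
            i += 1
    return out


def parse_shd(data: bytes) -> dict:
    sig = data[:2]
    if sig not in SHD_SIGNATURES:
        raise ValueError(f"unrecognised SHD signature {sig.hex()}")
    (pos,) = struct.unpack_from("<I", data, 0x14)  # little-endian, as the chapter notes
    info = {"origin": SHD_SIGNATURES[sig], "string_offset": pos}
    for name in JOB_FIELDS:
        info[name], pos = read_utf16z(data, pos)
    # After the five fields the chapter says the data type (EMF/RAW) appears,
    # and the last text string is usually the submitting computer's name.
    trailing = utf16_strings(data[pos:])
    info["datatype"] = next((s for s in trailing if s in ("EMF", "RAW")), None)
    info["computer"] = trailing[-1] if trailing else None
    return info


def carve_emf(spl: bytes):
    """Return (offset, emf_bytes). The EMR_HEADER record begins 40 bytes
    before the ' EMF' signature (the chapter counts 41 back from the 'E')."""
    sig = spl.find(b" EMF")
    if sig < 0:
        raise ValueError("no EMF signature; RAW job or not an EMF spool file")
    start = sig - 40
    if start < 0 or spl[start:start + 4] != b"\x01\x00\x00\x00":
        raise ValueError("EMR_HEADER record type (1) not found before signature")
    return start, spl[start:]


# --- constructed sample files echoing the chapter's Figure 10-19 values ---
def build_sample_shd() -> bytes:
    fields = ["CMSS1212", "CMSS1212", "Microsoft Word - Document1", "LPT1:",
              "HP DeskJet 895Cse", "EMF", "RJLLL12033121"]
    head = b"\x67\x49" + b"\x00" * 0x12 + struct.pack("<I", 0x48C)
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in fields)
    return head.ljust(0x48C, b"\x00") + body


def build_sample_spl() -> bytes:
    spool_header = b"\x00\x01\x00\x00".ljust(0x5C, b"\x00")  # opaque spooler header
    emf_header = (b"\x01\x00\x00\x00" + struct.pack("<I", 88) + b"\x00" * 32 +
                  b" EMF" + struct.pack("<I", 0x10000) + b"\x00" * 40)
    return spool_header + emf_header


if __name__ == "__main__":
    job = parse_shd(build_sample_shd())
    for k, v in job.items():
        print(f"{k:14} {v}")
    off, emf = carve_emf(build_sample_spl())
    print(f"EMF body at {off:#x}, {len(emf)} bytes; write it out with an .emf extension")
```

To use it on a real pair, read the SHD and SPL files with open(path, "rb").read() and write the bytes carve_emf returns to a file with an .emf extension. If carve_emf raises, the job is RAW rather than EMF and needs a viewer for the printer's own data stream. The Tip about stopping the Print Spooler service still applies when copying files that are still queued.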

Windows Shortcuts

Microsoft uses shortcuts to provide links to files in other locations. Windows supports two kinds of file aliasing: file-system links and LNK files. On NTFS a hard link adds a second file name for the same MFT record and file data, much like a Unix hard link, and reparse points provide junctions (and, on Windows Vista and later, true symbolic links). In practice these file-system links are rarely used in a Windows environment. Most links are actually file-based shortcuts stored in LNK files.

The LNK file format is used for both user-created and system-created shortcuts. Desktop icons and the documents listed under My Recent Documents are actually shortcut files in their respective directories (Desktop and Recent under the user profile). Additionally, drives, shared folders, and partitions can have LNK-based shortcuts.

LNK files provide information on files that are (or were) present in a specific location. For investigators, shortcuts to content may exist long after the content itself is deleted. Since shortcuts are not true symbolic links, they can and frequently do point to content that is no longer present. Evidence that an individual accessed a particular file, and where they accessed it, can be obtained from shortcuts. Similarly, shortcuts can be used to confirm that an individual had a particular drive mapped, connected a specific peripheral (for example, if the shortcut references a USB or DVD-R drive), or accessed a network resource if that resource's name appears somewhere in a local shortcut.

Warning 

It is theoretically possible to create a fake shortcut to nonexistent content, but doing so would be a willful act and is not a likely situation. Where fabrication is suspected, the target's size and timestamps recorded inside the shortcut can be compared against other evidence.

The LNK file format is fairly complex, but the pieces of primary use to an investigator are as follows:

  • File location (local or network). Used to show that a file likely existed in a particular location at a particular time.

  • Description. Can provide details on what the individual used the file for (for example, a shortcut named Interesting Finance Data).

  • Working directory. Provides a possible location for files related to a particular program, such as temporary or configuration files.

  • Command line. For executables, the command-line arguments can show the specific options a user ran a program with.

The easiest way to view shortcut information is to right-click the shortcut in Windows Explorer and view its properties. Most programs will not open an LNK file itself and will open the target of the LNK file instead. For example, the properties of a Google Desktop Search icon are shown in Figure 10-21. This shows the pointer to the Google Desktop Search program, located in C:\Program Files\Google Desktop Search.

Figure 10-21: Google Search LNK file properties

Command-line utilities can also be used to view the strings present in an LNK file and extract information. Running a Windows port of the Unix strings utility on an LNK file called Shortcut to 2005 Purchases.doc.lnk returns the following:

 C:\temp>strings "Shortcut to 2005 Purchases.doc.lnk"
 MYDOCU~1
 2005PU~1.DOC
 \\ServStore4\cmss
 My Documents\2005 Purchases.doc

The LNK file shows that a file called 2005 Purchases.doc existed in the My Documents directory on the ServStore4 server under the cmss share. This is a good indicator that the individual was aware of the server, share, and file; had permission to the file; and accessed the file, perhaps even frequently if the shortcut was in a likely user-created location such as the Desktop.
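The strings output recovers the path, but not the target's size and timestamps, which the shortcut also records. As an added example (not the book's code), the following Python script parses those fields from a .lnk file using the published MS-SHLLINK layout: the fixed header (flags, target attributes, three FILETIME values, target size), the LinkInfo structure (local base path or UNC share plus the common path suffix), and the StringData fields (description, relative path, working directory, command-line arguments, icon location). The shell item ID list is skipped rather than decoded. The sample shortcut is constructed in the script to mirror the 2005 Purchases.doc example above; the server, share and file names come from the text, while the description, working directory, date and size are made up.

```python
"""Extract the investigator-relevant fields from a Windows shortcut (.lnk).

Added example, not code from the chapter. Offsets follow the published
MS-SHLLINK layout (header, optional LinkTargetIDList, LinkInfo, then the
StringData fields). The shell item ID list is skipped, not decoded, and
the sample shortcut is constructed below so the script runs offline.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_MAGIC = b"\x4c\x00\x00\x00"
# LinkFlags bits, low to high, from the header at offset 0x14.
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = [1 << i for i in range(8)]
STRING_FIELDS = [(HAS_NAME, "description"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601) to an aware datetime; 0 means unset."""
    return None if ft == 0 else FT_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return ((dt - FT_EPOCH) // timedelta(microseconds=1)) * 10


def cstr(buf, off):
    """NUL-terminated single-byte string (LinkInfo paths are ANSI; latin-1 is an approximation)."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    if data[:4] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags, attrs, ct, at, wt, size = struct.unpack_from("<IIQQQI", data, 0x14)
    out = {"flags": flags, "attributes": attrs, "target_size": size,
           "created": from_filetime(ct), "accessed": from_filetime(at), "modified": from_filetime(wt)}
    pos = 0x4C                                       # end of the fixed header
    if flags & HAS_ID_LIST:                          # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, pos)
        li = data[pos:pos + li_size]
        if li_flags & 1:                             # VolumeIDAndLocalBasePath
            out["local_path"] = cstr(li, local_off) + cstr(li, suffix_off)
        if li_flags & 2:                             # CommonNetworkRelativeLinkAndPathSuffix
            net_off = struct.unpack_from("<I", li, cnrl_off + 8)[0]
            out["network_path"] = cstr(li, cnrl_off + net_off) + "\\" + cstr(li, suffix_off)
        pos += li_size
    for bit, key in STRING_FIELDS:                   # StringData: char count, then the chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if flags & IS_UNICODE else count
            out[key] = data[pos:pos + nbytes].decode("utf-16-le" if flags & IS_UNICODE else "latin-1")
            pos += nbytes
    return out


def build_sample_lnk():
    # Constructed shortcut to \\ServStore4\cmss\My Documents\2005 Purchases.doc (assumed values).
    modified = datetime(2005, 3, 21, 10, 11, 12, tzinfo=timezone.utc)
    flags = HAS_LINK_INFO | HAS_NAME | HAS_WORKDIR | IS_UNICODE
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = (LNK_MAGIC + clsid
              + struct.pack("<IIQQQI", flags, 0x20, to_filetime(modified), 0, to_filetime(modified), 48640)
              + struct.pack("<IIHHII", 0, 1, 0, 0, 0, 0))      # icon index, show cmd, hotkey, reserved
    net_name = b"\\\\ServStore4\\cmss\x00"
    suffix = b"My Documents\\2005 Purchases.doc\x00"
    cnrl = struct.pack("<IIIII", 0x14 + len(net_name), 0, 0x14, 0, 0) + net_name
    li_size = 0x1C + len(cnrl) + len(suffix)
    link_info = struct.pack("<7I", li_size, 0x1C, 0x2, 0, 0, 0x1C, 0x1C + len(cnrl)) + cnrl + suffix

    def sdata(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + sdata("Interesting Finance Data") + sdata("\\\\ServStore4\\cmss\\My Documents")


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k:13} {v}")
```

Point parse_lnk at open(path, "rb").read() for a real shortcut. The three FILETIME values are the target's creation, access and write times as they were when the shortcut was last written, so a shortcut can preserve timestamps for a target that has since been deleted or re-saved.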

Paging File

The paging file, or swap file, is a file-based supplement to main memory. When programs or data require more memory than is available in physical RAM, a portion of RAM (one or more pages) is transferred, or swapped, temporarily to slower disk-based storage. By doing so, more memory than is physically present is made available to programs. In a multitasking environment such as Windows, the operating system may make heavy use of the paging file to reserve the maximum amount of higher-speed RAM for running programs and to relegate background programs and data to slower disk-based storage.

Note 

The terms paging and swap are used interchangeably here (and in many other places), but there is a difference between them. Paging files move out individual pages of memory, generally 4 KB in size. Swap files swap out the entire memory space of a process. Paging is generally more efficient and even allows pre-emptive exchange of memory pages.

The paging file, pagefile.sys (WIN386.SWP on Windows 9x), is managed automatically by the operating system and can be anywhere from a few megabytes to several gigabytes in size. A common practice is to set the pagefile size equal to the amount of physical RAM present. Examiners can find in the pagefile copies of information that has been deleted from the disk, that was never intended to be written to disk (for example, user names, passwords, credit card numbers), or that was thought to be transient (a file printed from a website). On long-running systems the pagefile can contain significant amounts of valuable information. Windows does not wipe the pagefile by default, but it will overwrite it at shutdown if the ClearPageFileAtShutdown policy is enabled, and a normal shutdown and restart disturbs its contents in any case. This is one of the key reasons not to shut down a suspect Windows system using the built-in shutdown function.

Analyzing the paging file, as well as hiberfil.sys or memory dump files, is a matter of string viewing and searching. String viewing can be used to browse the contents of the file and to search for identifying keywords. Searching these files is the same as searching other files, and the techniques noted previously work well. Browsing is slightly more complex: the strings program is used to dump the text to a file, as there is too much of it to read directly from the command line.

Note 

hiberfil.sys is the same size as RAM and stores the contents of RAM to disk when a laptop (or other system) hibernates, to permit a quick restore. It can contain information even older than that in the pagefile if the computer has not been put into hibernation recently. Note that most of its contents are stored compressed, so a raw string search of hiberfil.sys finds far less than a search of the decompressed memory image would.

Neither pagefile.sys nor hiberfil.sys can be viewed directly on a running system; both are locked by the operating system. The files can only be accurately analyzed from a forensically duplicated drive or a non-booted partition. Using the strings command with a minimum-length option (for example, strings -n 7 to show only strings of seven characters or more) on the files produces a reasonably sized output file that may contain investigative clues. The strings output from the pagefile can also be searched directly and quickly. As an example, the following generates a text dump of the pagefile for all strings of seven characters or more and then searches it for hypertext links (listing truncated):

 C:\>strings -n 7 g:\pagefile.sys > d:\evidence\pageout.txt
 C:\>findstr "http://" d:\evidence\pageout.txt
 http://www.zug.com/pranks/credit_card/index5.html
 http://jgen49.cjt1.net/HTM/712/0/JavaSiteRequest.asp?LV=6000&DC=454&NF=0&IW=468&IH=60&ORD=1111438276998
 http://jgen49.cjt1.net/HTM/712/0/JavaSiteReport.asp?AS=454&PR=221667&SQ=5313&IG=0&ORD=1111438277769&PK=0
 http://www.yahoo.com/_ylh=X3oDMTEwdnZjMjFhBF9TAzI3MTYxNDkEdGVzdAMwBHRtcG wDaW5kZXgtY3Nz/s/227051
 ...
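As an added example (not from the book), here is a Python equivalent of the strings/findstr pipeline above that streams a pagefile, hiberfil.sys or memory dump in chunks rather than loading it whole, recovers UTF-16LE text as well as ASCII (most text Windows keeps in memory is UTF-16, which an ASCII-only strings build silently misses), and reports the byte offset of each hit so a finding can be re-examined in a hex editor. The sample "pagefile" is a constructed byte string: the www.zug.com URL is the one from the listing above, and the intranet URL and password string are made up.

```python
"""Stream a pagefile, hiberfil.sys or memory dump for ASCII and UTF-16LE
strings, with offsets, and filter the hits: a chunked equivalent of
`strings -n 7 ... | findstr "http://"` that does not load the file whole.

Added example, not from the book. Sample input is a constructed byte string.
"""
import io
import re

URL = re.compile(r"https?://[^\s\"'<>]+")


def iter_strings(fh, min_len=7, chunk_size=1 << 20, overlap=4096):
    """Yield (absolute_offset, encoding, text) for each printable run of at
    least min_len characters, reading fh in chunk_size pieces. A run that
    reaches the end of a chunk is held back (up to overlap bytes) and joined
    with the next chunk, so strings straddling a boundary are not split."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    base, carry = 0, b""            # absolute offset of buf[0]; unfinished tail
    while True:
        block = fh.read(chunk_size)
        buf = carry + block
        cut = len(buf)
        if block:                   # not at EOF: hold back a trailing printable/NUL run
            while cut and len(buf) - cut < overlap and (0x20 <= buf[cut - 1] <= 0x7E or buf[cut - 1] == 0):
                cut -= 1
        body = buf[:cut]
        hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(body)]
        hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_run.finditer(body)]
        for off, enc, text in sorted(hits):
            yield base + off, enc, text
        if not block:
            return
        carry, base = buf[cut:], base + cut


def search(fh, pattern, **kw):
    """(offset, encoding, match) for every regex match inside an extracted string."""
    return [(off, enc, m) for off, enc, text in iter_strings(fh, **kw) for m in pattern.findall(text)]


def build_sample_pagefile() -> bytes:
    """Constructed stand-in for a pagefile: binary filler with a few strings, one of
    which starts at offset 60 so it crosses a 64-byte chunk boundary in the demo."""
    blob = bytearray(b"\x8a\x01\xff" * 20)                                    # 60 bytes of non-text
    blob += b"http://www.zug.com/pranks/credit_card/index5.html"             # ASCII, offset 60
    blob += b"\x00\x00\x00\xff" + b"abc" + b"\x90\x90"                        # 'abc' is below min_len
    blob += "http://intranet.example/finance/2005.xls".encode("utf-16-le")   # UTF-16LE, offset 118
    blob += b"\x00\x00\x91\x92" + b"password=Summer2005!"                     # ASCII, offset 202
    return bytes(blob)


def scan_sample(chunk_size=64):
    return list(iter_strings(io.BytesIO(build_sample_pagefile()), chunk_size=chunk_size))


def sample_urls(chunk_size=64):
    return search(io.BytesIO(build_sample_pagefile()), URL, chunk_size=chunk_size)


if __name__ == "__main__":
    for off, enc, text in scan_sample():
        print(f"{off:#010x} {enc:8} {text}")
    print("URLs:", [u for _, _, u in sample_urls()])
```

For a real image, pass open(r"g:\pagefile.sys", "rb") (from the duplicated drive, not the live system) and a pattern of your own; search returns the offsets so each hit can be cited in the report. One limit of the hold-back approach: a single string longer than overlap bytes is reported in two pieces.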
FINDING COMPRESSED FILES

Identifying files that have been compressed or encrypted (specifically those with their extensions changed), or that were created by proprietary programs that do not use standard file headers, can be challenging. Ordinary searches and viewing of file contents will not work until the files are decompressed or decrypted, which in turn cannot be done until the files are identified as compressed or encrypted. There are many file-header-based searches that can identify encrypted or compressed files, but a simple test relies on the entropy of a file.

Entropy, or randomness, can be measured in both binary and text files. All written languages, and even binary programs, contain repetition and character frequencies that are non-random. The letter e occurs more frequently in English text than q. Similarly, the opcode bytes for common instructions such as ADD occur far more often in executables than they would in a random collection of bytes. Compression exploits these characteristics; good encryption eliminates them.

Compression algorithms look for repeating patterns in files and replace them. In lossless compression, the most frequent patterns are replaced with shorter, shorthand versions. Because of this, compressed files contain little to no repetition, and as a result compressing them a second time typically produces a file slightly larger than the original.

Well-designed encryption algorithms (and there are plenty that are not) produce ciphertext (the encrypted content) with no discernible pattern, maximizing the entropy, or randomness, of the output. This prevents statistical attacks that look for repeating strings or character frequencies, which would be useful in cryptanalysis.

Because both encrypted and compressed files contain little or no repetition, they can be identified by trying to compress (or recompress) them. The easiest method is to use WinZip: select the files in question, add them to a new ZIP file, and sort the list by the Ratio (compression ratio) column. Compressed or encrypted files should compress by less than 5%. The example in the following figure shows a suspicious-looking Excel file, Finance.xls, which is in fact a renamed ZIP file.

Certain file formats employ compression by default. Most common image formats, such as JPEG and PNG (shown in the example), are already compressed, as are most movie and music files. Similarly, Acrobat (PDF) files and some executable (EXE) and library (DLL) files are already compressed and may not compress further. Finally, very small files (under 5 KB) may not compress at all, depending on the overhead of the algorithm used.

Figure: WinZip view of a directory
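The WinZip ratio check can be automated. As an added example (not the sidebar's procedure or any WinZip code), the following Python script applies the same test with zlib, reports each file's entropy in bits per byte, and compares the file header against the extension so that a renamed archive like Finance.xls is caught even when the ratio alone is ambiguous. The thresholds (less than 5% saved, files under 5 KB not judged) are the ones the sidebar gives; the sample files are generated in memory, with a deterministic pseudo-random byte stream standing in for ciphertext.

```python
"""Flag files that are probably compressed or encrypted regardless of what
their extension claims: the sidebar's WinZip ratio test, automated.

Added example, not the book's procedure. Thresholds follow the sidebar
(less than 5% saved means "already compressed or encrypted"; files under
5 KB are not judged). A header/extension check is added because a renamed
archive often gives itself away that way. Sample inputs are built in memory.
"""
import hashlib
import io
import math
import zipfile
import zlib
from collections import Counter

# A few well-known file headers (magic bytes) and the extensions that should carry them.
MAGIC = {b"PK\x03\x04": "zip", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf",
         b"\xd0\xcf\x11\xe0": "ole2", b"\x1f\x8b": "gzip", b"Rar!": "rar", b"7z\xbc\xaf": "7z"}
EXPECTED = {"zip": "zip", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf", "gz": "gzip",
            "rar": "rar", "7z": "7z", "doc": "ole2", "xls": "ole2", "ppt": "ole2"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for repetitive data, near 8 for random."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fraction_saved(data: bytes) -> float:
    """Size saved by zlib at its default level (negative if the file grew)."""
    return 1 - len(zlib.compress(data)) / len(data) if data else 0.0


def classify(name: str, data: bytes, min_size: int = 5 * 1024, max_saved: float = 0.05) -> dict:
    header = next((kind for sig, kind in MAGIC.items() if data.startswith(sig)), None)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    saved = fraction_saved(data)
    if len(data) < min_size:
        verdict = "too small to judge"
    elif saved < max_saved:
        verdict = "compressed or encrypted"
    else:
        verdict = "plain"
    return {"name": name, "size": len(data), "saved": round(saved, 3),
            "entropy": round(entropy(data), 2), "header": header,
            "ext_mismatch": header is not None and ext in EXPECTED and EXPECTED[ext] != header,
            "verdict": verdict}


def make_zip(payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("hidden.bin", payload)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed inputs: plain text, a ZIP renamed .xls, a pseudo-random stream standing
    in for ciphertext (SHA-256 counter output, not real encryption), and a tiny file."""
    text = ("The quarterly finance summary lists purchases, vendors and totals.\n" * 120).encode()
    noise = b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(256))
    return {"report.txt": text, "Finance.xls": make_zip(noise), "backup.dat": noise, "tiny.txt": b"short note"}


def scan(files=None) -> dict:
    files = build_samples() if files is None else files
    return {name: classify(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for r in scan().values():
        flag = "  <-- extension does not match header" if r["ext_mismatch"] else ""
        print(f"{r['name']:12} {r['size']:6d} B  saved {r['saved']:6.1%}  "
              f"entropy {r['entropy']:.2f}  {r['verdict']}{flag}")
```

To run it over a directory, build the dict from open(path, "rb").read() for each file. The ratio test cannot tell compressed from encrypted; the header check and, for containers such as ZIP, a look inside resolve most cases, and an unrecognised header with entropy near 8 bits per byte is the strongest hint of encryption.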
 


Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Author: Chad Steel