- 1. Computer Hacking Forensic Investigator Exam 312-49
Printer Forensics
Module XL Page | 3551 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Computer Hacking Forensic Investigator (CHFI)
Module XL: Printer Forensics
Exam 312-49
News: Inkjet Research Could Aid Forensics
Source: http://www.pcworld.com/
Researchers in the United Kingdom have found that a chemical compound applied to inkjet printer ink can
be used to read the content of a letter without removing it from its envelope. When the chemical
compound disulfur dinitride is applied to an envelope that contains a letter, the words are shown on
the envelope to which the ink has been transferred.
The compound, applied to the envelope in gas form, crystallizes the ink to make the print visible.
In addition, fingerprints can also be seen using this compound. This makes it a useful forensic tool
for identifying the sender of the letter.
News: Particulate Emissions from Laser Printers
Source: http://www.sciencedaily.com/
Researchers are investigating whether printers release particles into the air.
Reports say that printers release pathogenic toner dust into the air. Researchers at the Fraunhofer
Wilhelm Klauditz Institute (WKI) in Braunschweig, Germany, in collaboration with colleagues from
Queensland University of Technology (QUT) in Brisbane, Australia, are investigating the truth of these
reports and the actual particles emitted by printers. Their result is that laser printers emit hardly
any toner particles into the air. Some printers emit ultra-fine particles made of organic chemical
substances, says WKI Prof. Dr. Tunga Salthammer.
Scientists have discovered a process that enables them to compare the quality, size, and chemical
composition of emitted particles. Particle analyzers count the particles and measure their size
distribution.
The cause of the emission is the fixing unit, a component that is heated to 220°C to fix the toner
particles onto the paper, explains WKI scientist Dr. Michael Wensing. Because of the high temperature,
paraffins and silicon oils evaporate, resulting in ultra-fine particles.
Module Objective
This module deals with investigating printed documents and tracing the printer. It covers the different
printing methods that are used for printing purposes, how the printing process is performed, how a
particular printer can be identified from a printed document, how the documents are examined, and the
different techniques and tools to identify and investigate a printer.
This module will familiarize you with:
Introduction to Printer Forensics
Different Printing Modes
Methods of Image Creation
Printer Forensics Process
Digital Image Analysis
Document Examination
Phidelity
Cryptoglyph Digital Security Solution
DocuColor Tracking Dot Decoding
Introduction to Printer Forensics
Even with the increase in use of email and digital communication, the use of printed documents is on the
rise. Many types of printed documents are noticeable by the printer. Some of the documents are identity
documents, such as passports and other documents that are used for committing a crime.
The methods used to identify documents, such as special inks, security threads, or holograms,
are expensive. An easy and cost-effective technique for printer forensics is the use of intrinsic and
extrinsic features obtained from modeling the printing process.
It is observed that most criminals use printed material for different purposes, such as changing
identity documents, recording transactions, and writing duplicate notes or manuals. Printed
documents, such as instruction manuals, team rosters, meeting notes, and correspondence can help in
catching criminals. The detection of devices used for printing documents provides valuable information to
law enforcement and intelligence agencies for investigation.
There are various techniques for identifying the technology, manufacturer, and model of printer used for
printing. The two commonly used methods for printer identification are passive and active.
The passive method identifies the internal characteristics of the printer, such as which printer is used, the
type of model, and manufacturer's products.
In the active method, an extrinsic signature is embedded in the printed page. This signature is created by
adjusting the process parameters in the printer, which encodes the identifying data, such as the printer
serial number and the date of printing.
Different Printing Modes
Monochrome:
A monochrome printer generates an image containing only one color, usually black. It can produce
different tones for those colors, such as a gray-scale.
Color printer:
A color printer generates images of multiple colors.
Photo printer:
A photo printer is a color printer that imitates the color range and resolution of the photographic
process of printing. Most of them can be used on their own, without a computer, by means
of USB, memory cards, etc.
Methods of Image Creation
The classification of the method used by the printers for image creation is:
Toner-based printers:
Toner-based printers use toner for printing. Toner is a kind of powder made of carbon or
synthetic polymers. An electrostatic charge is uniformly distributed around a light-sensitive device in the
printer known as a drum. Toner-based printers adhere toner to this light-sensitive print drum. Static
electricity is used to transfer the toner to the printing medium, to which it is fused with heat and pressure.
Laser printers are toner-based printers that use precise lasers to cause adherence. LED printers use an
array of LEDs to cause toner adhesion.
Toner-based printers can print on both sides of a paper, reducing paper usage.
Inkjet printers:
Inkjet printers apply small amounts (normally a few picolitres) of ink to the media. An inkjet
printer is useful for color applications, including photo printing. Inkjet printers work by
propelling variable-sized droplets of liquid or molten material (ink) onto the page.
Impact printers:
Impact printers are dependent on forceful impact in order to transfer ink to the media, similar to that of
typewriters. A daisy wheel printer is an impact printer in which the type is molded around the edge of a
wheel.
Dot-matrix printers:
These printers depend on a matrix of pixels, or dots, which combine to form a larger image. The term
dot-matrix printer is used specifically for impact printers that use a matrix of small pins to create
precise dots. It can generate graphical images in addition to text. Print resolution and overall quality
differ between 9- and 24-pin printheads. The more pins per inch, the higher the resolution.
Line printers:
Line printers print an entire line of text at a time.
The two principal designs of line printers are:
Drum printers:
The drum takes the entire character set of the printer repeated in each column that is to be
printed
Chain printers or train printers:
The character set is positioned multiple times around a chain that moves horizontally past the
print line
Digital minilab:
A digital minilab is a computer printer that makes use of traditional chemical photographic processes to
print digital images. Its inputs are photographs; it uses a built-in film scanner to
capture images from negative and positive photographic films.
Dye-sublimation printer:
A dye-sublimation printer uses heat to transfer dye to a medium such as poster paper, plastic card, etc.
It lays down one color at a time with the help of a ribbon that has color panels.
The advantages of this printer are increased resolution and life of printouts. Printouts from this printer
are waterproof.
Spark printer:
A spark printer uses a special paper that is coated with a layer of aluminium on a black backing.
It prints by pulsing current onto the paper through two styli that move across it on a
moving belt at high speed.
Printers with Toner Levels
Source: http://www.cs.dartmouth.edu/
Figure 40-01: Printer toner levels
Parts of a Printer
A printer is comprised of:
A print head with a print head connector
A carriage with a carriage connector, which can detach the print head from the print head
connector
A driver for driving the print head
A microprocessor for controlling the driver in accordance with an N-bit print head identification
signal, wherein N is a positive integer
A plurality of signal lines for connecting the microprocessor to the carriage connector
A parallel-to-serial converter, which is disposed on the print head, for converting N parallel
inputs into an N-bit print head identification signal
Printer Identification Strategy
Two strategies to identify a printer used to print a document are:
Passive:
The passive strategy is characterized by finding the intrinsic features in the printed document that are
characteristic of a particular printer, model, or manufacturer’s product. This is referred to as the intrinsic
signature. Using the intrinsic signature requires understanding and modeling the printer mechanism and
developing tools to detect the signature in the printed document.
Active:
In the active strategy, an extrinsic signature is embedded in a printed page. An extrinsic signature is
generated when the process parameters are modulated in the printer mechanism to encode the
information that includes the printer serial number and date of printing. The information can be
embedded using electrophotographic (EP) printers by modulating the intrinsic feature called banding.
Figure 40-02: Identifying a printer
Printer Forensics Process
Printer forensics is comprised of the following four basic steps:
Pre-processing
Printer profile
Forensics
Ballistics
Pre-Processing
A printed document is digitally scanned and saved in an uncompressed format. Each page of the
document is processed.
In the first stage, multiple copies of the same character are located in a scanned document. To perform
this, the user first selects a bounding box around a character of interest to serve as a template.
In order to minimize the effect of luminance variations across printers, the intensity histograms of the
characters are matched as follows:
Select a random set of characters and average their intensity histograms to create a reference
histogram so that the luminance variations across printers are minimized
Each character’s intensity histogram is then matched to this reference histogram
A single character is then selected as a reference character. Each character is placed into spatial alignment
with the reference character by using a coarse-to-fine differential registration technique.
Printer Profile
Once the characters are aligned properly, a profile is constructed based on the degradation introduced by
the printer. Based on the complex nature of degradation, a data driven approach is used to characterize
the degradation. A principal components analysis is applied to the aligned characters to create a new
linear basis that embodies the printer degradation.
Forensics
In a forensics setting, determine if a part of the document has been manipulated by:
Splicing in portions from a different document
Digitally editing a previously printed and scanned document and then printing the result
Ballistics
In a ballistics setting, determine if a document was printed from a specific printer. A printer profile is
generated from a printer to determine if the document in question was printed from this printer. Assume
that the printer profile is constructed from the same font family and size as the document to be analyzed.
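The pre-processing, printer profile, forensics and ballistics steps above, worked through on synthetic data as an added example that is not part of the original module. The glyph, the two simulated printers (horizontal versus vertical smear), the rank-based histogram matching, the residual-error score and the threshold rule are assumptions of this example; spatial registration is skipped because the constructed characters are already aligned.

```python
import numpy as np

# Constructed 12x12 glyph standing in for one scanned character (# = ink).
GLYPH = [
    "............",
    "............",
    "...#####....",
    "..##...##...",
    ".......##...",
    "...######...",
    "..##...##...",
    "..##...##...",
    "..##..###...",
    "...###.##...",
    "............",
    "............",
]
TEMPLATE = np.array([[ch == "#" for ch in row] for row in GLYPH], dtype=float)


def simulate_scan(smear_axis, n, rng):
    """Constructed stand-in for n aligned scans of the glyph from one printer.
    The printer's degradation is modelled as a one-pixel smear along one axis."""
    scans = []
    for _ in range(n):
        alpha = rng.uniform(0.3, 0.4)                                  # smear strength
        img = (1 - alpha) * TEMPLATE + alpha * np.roll(TEMPLATE, 1, axis=smear_axis)
        gain, offset = rng.uniform(0.8, 1.0), rng.uniform(0.0, 0.1)    # luminance variation
        scans.append((gain * img + offset + rng.normal(0.0, 0.02, img.shape)).ravel())
    return np.array(scans)


def reference_histogram(chars, rng, sample=50):
    """Average the intensity distributions (sorted pixel values) of a random set of characters."""
    pick = rng.choice(len(chars), size=sample, replace=False)
    return np.sort(chars[pick], axis=1).mean(axis=0)


def match_histogram(chars, reference):
    """Give every character the reference intensity distribution, keeping its pixel ranks."""
    ranks = np.argsort(np.argsort(chars, axis=1), axis=1)
    return reference[ranks]


def build_profile(chars, k=5):
    """Printer profile = mean character plus the top-k principal components."""
    mean = chars.mean(axis=0)
    _, _, vt = np.linalg.svd(chars - mean, full_matrices=False)
    return mean, vt[:k]


def residual_error(chars, profile):
    """Distance between each character and its reconstruction in the profile's basis."""
    mean, basis = profile
    centered = chars - mean
    return np.linalg.norm(centered - centered @ basis.T @ basis, axis=1)


def examine_page(seed=7):
    rng = np.random.default_rng(seed)
    train = simulate_scan(1, 200, rng)          # 200 copies from the known printer
    calib = simulate_scan(1, 50, rng)           # further genuine copies, used for the threshold
    ref = reference_histogram(train, rng)
    profile = build_profile(match_histogram(train, ref))
    calib_err = residual_error(match_histogram(calib, ref), profile)
    threshold = calib_err.mean() + 5 * calib_err.std()
    # Questioned page: 10 characters from the known printer, then 10 spliced in
    # from a second printer with a different (vertical) degradation.
    page = np.vstack([simulate_scan(1, 10, rng), simulate_scan(0, 10, rng)])
    page_err = residual_error(match_histogram(page, ref), profile)
    flagged = [i for i, err in enumerate(page_err) if err > threshold]
    return threshold, page_err, flagged


if __name__ == "__main__":
    threshold, page_err, flagged = examine_page()
    print(f"threshold {threshold:.3f}")
    print("characters inconsistent with the profile:", flagged)
```

In the ballistics setting the same score answers a yes/no question: a page whose characters all stay under the threshold is consistent with the profiled printer.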
A Clustering Result of a Printed Page
The printed page shows a clustered result of the HP LaserJet and Xerox Phaser. The top part of the page was
printed with an HP LaserJet 4350 and the bottom half was printed on a Xerox Phaser 5500DN. These
documents were scanned, combined, and printed on an HP LaserJet 4300 printer. A printer profile was
created from 200 copies of the letter “a.” The printer profile is effective in detecting fakes composed of
parts initially printed on different printers.
Figure 40-03: A Clustering result of a printed page (Source: http://www.cs.dartmouth.edu)
Digital Image Analysis
The digital image analysis technique is used to analyze patterns generated in the printed document due to
uneven movements by the print engine. The uneven movement causes lines to be printed across a page
instead of a solid smooth print, which is called banding.
The banding effect has been attributed to two causes:
Fine banding is because of the unevenness of the rotor component of the polygon mirror or due to
mechanical flaws of the laser scanning unit
Rough banding is due to an uneven motion of the photoconductor drum or fuser unit
Patterns resulting from banding are different from one printer to another, and it can be used to match a
document to a printer that produced it. The banding effect can vary the size of a print across the page in
patterns that differ based on the printer used. Digital image analysis is used to identify and measure the
size variations.
A high-spatial-resolution digital image analysis system is built that consists of a Hamamatsu C4742-95-
12NRB monochrome digital CCD camera. The main feature of the camera is that the CCD chip is Peltier-
cooled to increase its signal-to-noise ratio. A high-quality Linos Mevis C lens is used to magnify the
object’s image that improves the resolution of the images produced by the camera. The accuracy of the
measurement is supported with the use of an LED light source from a DF-LDR-90. The illumination
system is powered by a TTI EL302D power supply and regulated by RS components. The camera is
mounted on a heavy Polaroid MP4 Land camera stand to negate vibration problems.
Printout Bins
Printout bins are a staging area of a document after it has been printed. A printout provides the
information about the project and the user who printed the document.
There is a method and system for identifying and facilitating access to computer printouts contained in an
array of printout bins.
Each printout contains the information of the related project and the user who printed the document.
The bin consists of the information that uniquely identifies the user by name, PIN number, the user
project number, the date and/or time the printout was prepared, etc.
The bin access is allowed only if:
Acceptable confidential user identification is presented
At least one printout for that user is presently contained in the locked bin
Document Examination
Document examination is an important aspect in printer forensics to analyze documents.
Printed documents can be examined to:
Find a genuine or counterfeit document
Determine the way a document was generated
Find the machine used to print the document
The various factors considered by a document examiner are:
The paper type (physical properties, optical properties)
Security features of the paper (e.g. watermark)
Printing process used
Verifying other digital evidence such as perforations
Microscopic analysis reveals tiny imperfections that link one document to another
The different aspects of the examination are:
Altered or obliterated writing:
o The presence of physical alterations or obliterated writing can sometimes be determined and
the writing can sometimes be deciphered
o The manufacturer can sometimes be determined if a watermark is present
Examining date of the document:
o Paper examination - The letterheads and watermarks of business or personal stationery will
be changed from time to time by the manufacturer. Samples of such papers will help in
determining whether a document exists in that time period.
o Typescript - Comparison of printed documents produced by an organization over a period of
time. This can help an investigator conclude whether a printer was used for a
certain period of time or just recently.
Signature examination:
o A signature examination is performed mainly to compare the signatures of the specimen
(provable) to the questioned (disputed) signatures
o In a signature comparison, the features of the questioned signature(s) - construction, shape,
proportions, and fluency - are reviewed and then matched to the same features in the
specimen signatures
Examining spur marks found on inkjet-printed documents:
o Spur marks are the tool marks formed by the spur gears in the paper conveyance system of
many inkjet printers
o The spur marks on the printed document are compared with the spur marks of known
printers to know the relationship between them
o The comparison of two spur marks is based on the characteristics pitch and mutual distance
Services of a Document Examiner
A document examiner examines the printed documents to find the links to other documents or printers.
He/she is also responsible for finding the printer used to print the document.
The document examiner examines the document for any alterations, counterfeiting of the document, and
substitutions.
The document examiner conducts research related to the document.
The research includes finding comparable documents to verify authenticity, the paper used, the
type of printer, etc.
The examiner conducts tests on the documents to find the conclusions. She/he prepares a review based on
the outcome of the tested documents.
Tamper-Proofing of Electronic and Printed Text Documents
Text documents should be tamper-proofed and authenticated before they are distributed in electronic or
printed form. A text document authentication system tests the authenticity of a text document. Authentication
is performed at a global level, in which the system gives a binary decision about the entire document, i.e.
authentic or fake.
If the system makes decisions at the local level, it is referred to as a “text document and tamper-proofing
system.” A text document authentication and tamper-proofing system aims at validating the authenticity
of a text document and showing the local modifications, if the document is assumed to be a fake.
A solution to the document authentication is the generation of a document hash, which is securely stored.
To perform authentication, a hash value is generated from the document and compared with the stored
hash.
For the document to be authentic, the two hash values should be identical. Tamper proofing is based on
the concept of local hashing, where a hash is computed from each local part of the document. This makes
it possible to identify the local parts where the document has been modified.
There are three approaches to a hash-based document authentication based on where the hash is stored:
Hash storage in an electronic database
Hash stored in the document itself by using auxiliary special means such as 2D bar codes, special inks
or crystals, memory chips, etc.
Hash stored in the document content by using data hiding techniques
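Global and local hashing as described above, with the hashes held in a database record (the first storage approach), shown as an added example that is not part of the original module. The use of HMAC-SHA-256 with a verifier-held key, paragraphs as the local parts, the whitespace normalisation, the alignment of hash sequences with difflib and the sample documents are all assumptions of this example.

```python
import difflib
import hashlib
import hmac
import re
import unicodedata

KEY = b"constructed-demo-key"   # hypothetical verifier key, for illustration only

# Constructed sample documents.
ORIGINAL = (
    "Payment instruction 2024-017\n\n"
    "Pay the sum of 1,500.00 EUR to the account ending 4471.\n\n"
    "Authorised by the finance controller.\n\n"
    "This instruction expires 30 days after issue."
)
# Same content, different line wrapping and spacing: must still verify.
REFLOWED = ORIGINAL.replace("sum of", "sum  of\n")
# One paragraph altered and one paragraph inserted.
TAMPERED = ORIGINAL.replace("1,500.00", "7,500.00").replace(
    "This instruction", "Process without secondary approval.\n\nThis instruction"
)


def split_blocks(text):
    """Local parts are paragraphs. Unicode form and whitespace are normalised
    so that re-wrapping a paragraph does not count as a modification."""
    parts = re.split(r"\n\s*\n", text.strip())
    return [" ".join(unicodedata.normalize("NFKC", p).split()) for p in parts]


def _mac(key, label, data):
    # The label separates the global hash from the local ones.
    return hmac.new(key, (label + data).encode("utf-8"), hashlib.sha256).hexdigest()


def enroll(key, text):
    """Build the record to store securely: one global hash, one hash per local part."""
    blocks = split_blocks(text)
    return {
        "global": _mac(key, "G|", "\n\n".join(blocks)),
        "local": [_mac(key, "L|", b) for b in blocks],
    }


def verify(key, text, record):
    """Return (authentic, changes). 'authentic' is the global binary decision;
    'changes' lists (operation, stored block range, presented block range)."""
    blocks = split_blocks(text)
    authentic = hmac.compare_digest(_mac(key, "G|", "\n\n".join(blocks)), record["global"])
    current = [_mac(key, "L|", b) for b in blocks]
    # Align the two hash sequences so that an inserted or deleted paragraph
    # does not make every later paragraph look modified.
    matcher = difflib.SequenceMatcher(a=record["local"], b=current, autojunk=False)
    changes = [
        (tag, (i1, i2), (j1, j2))
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]
    return authentic, changes


if __name__ == "__main__":
    record = enroll(KEY, ORIGINAL)
    print(verify(KEY, REFLOWED, record))
    print(verify(KEY, TAMPERED, record))
```

Comparing local hashes by position alone would report every paragraph after an insertion as changed, which is why the sequences are aligned first.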
Phidelity
Phidelity is a technology used to enhance the security of printed documents by providing layers of
protection.
It provides five security features that work independently to ensure the document’s security.
Phidelity’s Optical watermark uses normal printers differently to print visual covert and overt
watermarks. When a document with optical watermark is copied then the overt watermark
disappears and covert watermark is made visible, showing that the document is a copy. It
generates secured optical watermarks against different types of attacks with the use of common
desktop printers, eliminating the need of special inks and papers. Optical watermark offers an
easy way to verify the important documents via quick visual verification.
Phidelity SecureCODE is the result of creative use of open standards in both 2-Dimensional (2D)
barcodes and Public Key Infrastructure (PKI). A 2D barcode graphically represents the data and
PKI is a technology that implements trust using digital signatures, certificates, and secrecy
through the use of encryption when required. Combining the two technologies forms a synergy to
create SecureCODE which is verified to discover the tampering of the document content.
Phidelity’s Microprint is an innovative feature to print in small fonts. It appears as an underline to
the naked eye which actually contains the textual information that can be read using a magnifying
glass. When printing an important document as Microprint, any casual copy of the original
document will result in distorted text in the duplicates. It provides an efficient way of verifying
the authenticity of a document.
Phidelity’s Print control makes use of a novel way to control printing. This helps in restricting the
printing of a document more than needed. It reduces the risk of information leakage by restricting
the number of documents printed. PrintControl is highly user-centric by providing automated
printer detection, selection for printing, and dynamic configuration of optical watermark based
on the specific printer to achieve the best watermark effect for security. It prevents printing of
secured documents to virtual printers such as PDF creator.
Phidelity’s ID Trace covertly embeds the tracking information related to document identification
into a printed document. This helps in tracing the document after it has been printed. It is used as
a forensic tool to find the source of the leakage.
Zebra Printer Labels to Fight against Crime
Source: http://www.zebraprinterlabels.net/
Law enforcement agencies depend on Zebra printer labels for exact and confidential printing needs at the
time of collecting important criminal evidence. Zebra printer labels help to identify criminal evidence
more quickly with Zebra bar code printers. They produce ID badges (for both criminals and law
enforcement) and maintain criminal records confidentially and safely.
The labels allow law enforcement agencies to collect evidence effectively and in a timely manner. The
Zebra printer labels used by the law enforcement agencies to fight against crime are:
High performance bar code printers
Industrial and commercial bar code printers
Mobile printers
PAX print engines
Cryptoglyph Digital Security Solution
Source: http://www.alpvision.com/
The Cryptoglyph security process provides an invisible marking with standard ink and standard printing
processes. It can be included in the current packaging production line or other document processing
workflow before printing. Embed the invisible Cryptoglyph file in the prepress digital packaging image file
or produce it before printing it with the document processing system. Cryptoglyph does not require any
packaging design or page template modifications.
Unlike the processes which use additional elements such as inks and holograms, Cryptoglyph uses
standard ink during the standard printing process. It is perceptible only with the use of the
appropriate equipment.
The two elements in Cryptoglyph are:
1. Invisible micro-points are printed over the entire area of the primary packaging or secondary
packaging. These micro-points are impossible to replicate or erase due to their invisible nature.
2. These micro-points consist of encrypted information that can be deciphered using the encryption
key.
Case Study: Dutch Track Counterfeits via Printer Serial Numbers
Source: http://www.pcworld.idg.com.au/
Printouts reveal hidden code information about the printer they were printed from. The Dutch police force
solved cases related to prints with the help of printer manufacturers. Government agencies use this
hidden information to fight against counterfeiters.
Security:
The Canon company strives to protect customers from counterfeits. Anna McIntyre, PR manager at Canon
Europe, says that protection from counterfeits is crucial and it has fitted all of its color machines with
anti-counterfeits detection technology. Canon works with different authorities in order to minimize
counterfeits.
Sources who know the printer industry reveal that the security code is a unique number which is printed
on every color page from a particular printer. The code can be printed as thin as 0.1 millimeter. This
indeed helps to find out which county delivered a specific printer, and to which dealer.
Success:
"We are familiar with this research method," said Ed Kraszewski of the Dutch national police agency
KLPD. The spokesman did not reveal that the method is used to deal with counterfeits, but sources said that
the Dutch Railway Police is investigating a gang which is counterfeiting tickets.
Research:
Researchers at Purdue University in West Lafayette, Indiana, explained a method they developed that
allows authorities to trace documents to specific printers. The techniques used to trace the documents are
analyzing the document to identify characteristics that are unique to each printer, and designing
printers to purposely embed individualized characteristics in documents.
"Investigators want to be able to determine that a fake bill or document was created on a certain brand
and model of printer," said Edward J. Delp, a professor of electrical and computer engineering at Purdue.
Researchers used specific software for detecting slight variations in printed characters that they call
intrinsic signatures.
Is Your Printer Spying On You?
A printer is an important factor in the investigation of a crime. A printer records information about the
documents that are printed. Nowadays, new printers that can contain a secret code are available. This
secret code is installed in the printer during manufacturing. The code is used to identify the printer and
the person who used it.
Such printers have helped forensic investigation organizations, such as the FBI, to monitor the
documentation activities of organizations. According to a report by the ACLU, since 2001, the FBI has
collected more than 1100 pages of documents from organizations and groups, such as Greenpeace and
United for Peace and Justice.
DocuColor Tracking Dot Decoding
DocuColor Tracking Dot Decoding is a part of the Machine Identification Code Technology project.
DocuColor color laser printers print a tracking code on a printout page, which encodes the date, time,
and the printer's serial number.
These printers print rectangular grids of 15 by 8 minuscule yellow dots on every color page. The same grid
is printed repeatedly over the complete page, but each repetition is offset slightly from the others, so
that each grid is separated from the other grids. All the grids are printed parallel to the side of the
page.
These yellow dots have different background colors, so they are invisible to the naked eye under white
light. You can see the dots with the help of a microscope or by illuminating the page with blue light.
Under pure blue light, the dots look black.
Figure 40-04: Image of the dot grid produced by a Xerox DocuColor 12 (Source:
http://www.infowars.com)
Figure 40-05: Image of a portion of the dot grid (Source: http://www.infowars.com)
Image of one repetition of the dot grid from the same Xerox DocuColor 12 page, under illumination from
a Photon blue LED flashlight:
Figure 40-06: Illumination from a Photon blue LED flashlight (Source: http://www.infowars.com)
Figure 40-07: Black dots in the microscope image (Source: http://www.infowars.com)
Explanatory text that shows the significance of the dots:
Figure 40-08: Significance of dots (Source: http://www.infowars.com)
The topmost row and the leftmost column are the parity row and column used for error correction. They
help the investigator to read the forensic information accurately. All the rows and columns, except the
topmost row, contain an odd number of dots. If any such row or column has an even number of dots, then it
has been read incorrectly. Every column consists of seven bits (excluding the first, which is the parity
bit). The bytes are then read from right to left. Each column has a different meaning, as explained in the
following:
15: Unknown. It is constant for each separate printer. It gives some information about the printer's model and its configuration
14, 13, 12, 11: Serial number of the printer in binary-coded decimal
10: Separator
9: Unused
8: Indicates the year when the page was printed
7: Indicates the month
6: Indicates the day of printing
5: Indicates the hour when the page was printed
4, 3: Unused
2: Minute
1: Row parity bit, which ensures that all rows consist of an odd number of dots
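The column layout and parity rule listed above can be applied mechanically once a grid has been transcribed. The following Python sketch is an added example, not code from the courseware or from the decoding project it describes. It assumes the grid is given as 8 rows of 15 values (1 = dot, column 1 leftmost), that the seven data bits of a column run most significant first below the parity dot, and that each serial column holds one two-digit decimal value; the `encode` helper and the sample values are constructed for the demonstration.

```python
# Column numbers (1 = leftmost) as listed in the text.
FIELDS = {"minute": 2, "hour": 5, "day": 6, "month": 7, "year": 8}
SERIAL_COLS = (14, 13, 12, 11)

def column(grid, c):
    """Return the 8 dots (1 = dot present) of column c, top to bottom."""
    return [row[c - 1] for row in grid]

def parity_errors(grid):
    """Name every row/column whose dot count is even, i.e. was misread."""
    bad = [f"column {c}" for c in range(1, 16) if sum(column(grid, c)) % 2 == 0]
    # The topmost row (index 0) is exempt from the odd-count rule.
    bad += [f"row {r}" for r in range(1, 8) if sum(grid[r]) % 2 == 0]
    return bad

def value(grid, c):
    """Seven data bits below the parity dot; assumed most significant first."""
    v = 0
    for bit in column(grid, c)[1:]:
        v = (v << 1) | bit
    return v

def decode(grid):
    if len(grid) != 8 or any(len(row) != 15 for row in grid):
        raise ValueError("expected 8 rows of 15 dots")
    errors = parity_errors(grid)
    if errors:
        raise ValueError("misread, even dot count in: " + ", ".join(errors))
    out = {name: value(grid, c) for name, c in FIELDS.items()}
    # Assumption: each serial column holds one two-digit decimal value.
    out["serial"] = "".join(f"{value(grid, c):02d}" for c in SERIAL_COLS)
    return out

def encode(values):
    """Build a constructed test grid from {column: value}; not a real printout."""
    grid = [[0] * 15 for _ in range(8)]
    for c, v in values.items():
        for r in range(1, 8):
            grid[r][c - 1] = (v >> (7 - r)) & 1
    for r in range(1, 8):        # row parity dot sits in column 1
        grid[r][0] = 1 - sum(grid[r]) % 2
    for c in range(1, 16):       # column parity dot sits in the top row
        grid[0][c - 1] = 1 - sum(column(grid, c)[1:]) % 2
    return grid

# Constructed sample values (not taken from any real page).
SAMPLE = encode({2: 50, 5: 12, 6: 21, 7: 6, 8: 5, 11: 18, 12: 52, 13: 53, 14: 21})
print(decode(SAMPLE))
```

A single misread dot breaks the parity of exactly one row and one column, so `parity_errors` also points at the position that needs to be re-examined on the page.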
Tools
Print Spooler Software
Source: http://www.networkprinting.info/
The print spooler sends the documents to be printed to the print queue for processing, which allows the
CPU and the printer to concentrate on other tasks before printing the data present in the print queue.
The print spooler has many duties in managing the print process. It manages the printing pools and keeps
track of which task went to which printer and of the devices that are connected to the port.
The print spooler is also called the print scheduler, since it schedules the jobs to be done. The spooler
maintains a file that is to be printed, emailed, faxed, or sent to a device which is presently used by other
tasks. It gives the user the flexibility to delete a file that is about to be processed or is presently
waiting to be printed.
The print spooler prints the document to the intended printer when the printer is ready. It allows system
resources to perform other tasks while the Line Printer Requester (LPR) print spooler performs the
printing process.
Investigating Print Spooler
For each print job in Windows XP, the files found in the C:\Windows\System32\spool\Printers folder are:
.SPL - the spool file consists of the print job’s spool data
.SHD - the shadow file consists of the job settings
To view the metadata of the print job, use the PA Spool View tool. To view the spooled pages, use the EMF
Spool View tool.
Enhanced metafiles provide true device independence. Enhanced metafiles are standardized, which
allows pictures stored in this format to be copied from one application to another.
Check the spool folder location of a specific printer by opening the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\<printer>
Figure 40-09: EMF Spool View tool (Source: www.clubhack.com)
Figure 40-10: PA Spool View tool (Source: www.clubhack.com)
Printer Tools: iDetector
Source: http://www.graphicsecurity.com/
iDetector is an effective tool to visually compare inspected documents and products with genuine ones. It
is ideal for brand owners and document examiners, and can generate and record information about the
authentication performed. Brand integrity inspectors can easily capture checkpoints on genuine products,
and add them to a secure database. Captured images of inspected products can be verified on the spot, or
transferred via the Internet to the authentication server.
Figure 40-11: Screenshot of iDetector
Printer Tools: Print Inspector
Source: http://www.softperfect.com/
Print Inspector is a powerful print management and auditing solution for your corporate network. This
software lets you manage the print jobs queued to any shared printer and provides easy access to the
printer and print server settings. It saves detailed statistics about all printed documents in a separate
database. A built-in reporting tool lets you create various reports based on the collected data about all
printed documents.
Figure 40-12: Screenshot of Print Inspector
Tool: EpsonNet Job Tracker
Source: http://www.business-solutions.epson.co.uk/
EpsonNet Job Tracker is web-based application software. It gives a clear picture of what is being printed,
where and by whom, thereby helping you control your printing costs.
EpsonNet Job Tracker Benefits:
Monitors and analyzes network printer activity
Controls access to color, keeps costs down
Manages print resources, improves network traffic
Defines printer activity, calculates, assigns and recovers costs
Sends reports automatically to departments and managers
Controls by time of day, type of printing, number of pages
Summary
Printer forensics refers to the investigation done on any printed document or the printer used to
print the document
Investigation of the documents and printers will provide valuable information for the law
enforcement agencies and intelligence agencies
Different printing modes are monochrome, color printer, and photo printer
Methods used for image creation are: toner-based printers, inkjet printers, impact printers, dot-
matrix printers, line printers, digital minilabs, dye-sublimation printers, spark printers
A printed document is first digitally scanned and saved in an uncompressed format
Methods and systems for identifying and facilitating access to computer printouts are contained
in an array of printout bins
Exercise:
1. Describe what you understand by “printer forensics.”
2. What are the different methods of image creation?
3. Describe the printer forensic process.
4. Explain digital image analysis.
5. Discuss printout bins.
6. How is tamper-proofing of electronic and printed text documents done?
7. How is Phidelity used to enhance the security of printed documents?
8. What is the Cryptoglyph security process?
9. Explain DocuColor Tracking Dot Decoding.
10. Discuss the different tools used in printer forensics.
Hands-On
1. Visit http://www.spiritus-temporis.com/ and read about computer printers.
2. Download the Print Inspector from http://www.softperfect.com/products/pinspector/, run it,
and check the results.
3. Visit http://www.undocprint.org/ and read “Ways to investigate print spooler.”
4. Visit http://www.alpvision.com/ and read “Cryptoglyph Digital Security Solutions.”