Transcript

  • 1. Computer Hacking Forensic Investigator (CHFI), Exam 312-49. Module XL: Printer Forensics. Page | 3551. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  • 2. News: Inkjet Research Could Aid Forensics
    Source: http://www.pcworld.com/
    Researchers in the United Kingdom have found that a chemical compound applied to inkjet print can be used to read the content of a letter without removing it from its envelope. When the chemical compound disulfur dinitride is applied to an envelope that contains a letter, the words that have transferred to the envelope become visible on it. The compound is applied to the envelope in gas form and crystallizes on the ink, making the print visible. Fingerprints can also be seen using this compound, which makes it a useful forensic tool for identifying the sender of a letter.
  • 3. News: Particulate Emissions from Laser Printers
    Source: http://www.sciencedaily.com/
    Researchers are investigating whether printers release particles into the air. Reports say that printers release pathogenic toner dust into the air. Researchers at the Fraunhofer Wilhelm Klauditz Institute WKI in Braunschweig, Germany, in collaboration with colleagues from Queensland University of Technology QUT in Brisbane, Australia, are investigating whether the reports are accurate and which particles printers actually emit. Their result is that laser printers hardly emit any particles of toner into the air. Some printers emit ultra-fine particles made of organic chemical substances, says WKI Prof. Dr. Tunga Salthammer. The scientists have developed a process that enables them to compare the quality, size, and chemical composition of emitted particles. Particle analyzers count the particles and measure their size distribution. The cause of the emission is the fixing unit, a component that heats up to 220°C to fix the toner particles onto the paper, explains WKI scientist Dr. Michael Wensing. At this high temperature, paraffins and silicon oils evaporate, resulting in ultra-fine particles.
  • 4. Module Objective
    This module deals with investigating printed documents and tracing the printer. It covers the different printing methods that are used for printing purposes, how the printing process is performed, how a particular printer can be identified from a printed document, how the documents are examined, and the different techniques and tools used to identify and investigate a printer. This module will familiarize you with:
      • Introduction to Printer Forensics
      • Different Printing Modes
      • Methods of Image Creation
      • Printer Forensics Process
      • Digital Image Analysis
      • Document Examination
      • Phidelity
      • Cryptoglyph Digital Security Solution
      • DocuColor Tracking Dot Decoding
  • 5. Module Flow
  • 6. Printer Forensics
  • 7. Introduction to Printer Forensics
    Even with the increase in use of email and digital communication, the use of printed documents is on the rise. Many types of printed documents are noticeable by the printer. Some of the documents are identity documents, such as passports, and other documents that are used for committing a crime. The methods that are used in identifying documents include special inks, security threads, or holograms, and are expensive. An easy and cost-effective technique for printer forensics is the use of intrinsic and extrinsic features obtained from modeling the printing process.
    It is observed that most criminals use printed material for different purposes, such as changing identity documents, recording transactions, and writing duplicate notes or manuals. Printed documents, such as instruction manuals, team rosters, meeting notes, and correspondence, can help in catching criminals. Identifying the device used to print a document provides valuable information to law enforcement and intelligence agencies for investigation. There are various techniques for identifying the technology, manufacturer, and model of the printer used for printing.
    The two commonly used methods for printer identification are passive and active. The passive method identifies the internal characteristics of the printer, such as which printer is used, the type of model, and the manufacturer's products. In the active method, an extrinsic signature is embedded in the printed page. This signature is created by adjusting the process parameters in the printer, which encodes the identifying data, such as the printer serial number and the date of printing.
  • 8. Different Printing Modes
      • Monochrome: A monochrome printer generates an image containing only one color, usually black. It can produce different tones of that color, such as a gray-scale.
      • Color printer: A color printer generates images of multiple colors.
      • Photo printer: A photo printer is a color printer that imitates the color range and resolution of the photographic process of printing. Most of them can be used autonomously without a computer, by means of USB, memory cards, etc.
  • 10. Methods of Image Creation
    Printers are classified by the method they use for image creation:
      • Toner-based printers: Toner-based printers use toner for printing. Toner is a kind of powder made of carbon or synthetic polymers. An electrostatic charge is uniformly distributed around a light-sensitive device in the printer known as a drum. Toner-based printers adhere toner to this light-sensitive print drum. Static electricity is used to transfer the toner to the printing medium, to which it is fused with heat and pressure. Laser printers are toner-based printers that use precise lasers to cause adherence. An LED printer uses an array of LEDs to cause toner adhesion. Toner-based printers can print on both sides of a paper, reducing paper usage.
      • Inkjet printers: Inkjet printers spread small amounts (normally a few picolitres) of ink onto media. An inkjet printer is useful for color applications, including photo printing. Inkjet printers work by propelling variable-sized droplets of liquid or molten material (ink) onto a sized page.
      • Impact printers: Impact printers depend on forceful impact to transfer ink to the media, similar to typewriters. A daisy wheel printer is an impact printer in which the type is molded around the edge of a wheel.
      • Dot-matrix printers: These printers depend on a matrix of pixels, or dots, which combine to form a larger image. The term dot matrix printer is used specifically for impact printers that use a matrix of small pins to create accurate dots. It can generate graphical images in addition to text. Print resolution and overall quality differ between 9-pin and 24-pin printheads; the more pins per inch, the higher the resolution.
      • Line printers: Line printers print an entire line of text at a time. The two principal designs of line printers are:
          o Drum printers: The drum carries the entire character set of the printer, repeated in each column that is to be printed
  • 11. Methods of Image Creation (continued)
          o Chain printers or train printers: The character set is positioned multiple times around a chain that moves horizontally past the print line
      • Digital minilab: A digital minilab is a computer printer that makes use of traditional chemical photographic processes to print digital images. Inputs to a digital minilab are photographs; it uses a built-in film scanner to capture images from negative and positive photographic films.
      • Dye-sublimation printer: A dye-sublimation printer uses heat to transfer dye to a medium such as poster paper, plastic card, etc. It lays down one color at a time with the help of a ribbon that has color panels. The advantages of this printer are increased resolution and longer life of printouts. Printouts from this printer are waterproof.
      • Spark printer: A spark printer uses a special paper that is coated with a layer of aluminium on a black backing. It prints by pulsing current onto the paper through two styli that move across it on a moving belt at high speed.
  • 12. Printers with Toner Levels
    Source: http://www.cs.dartmouth.edu/
    Figure 40-01: Printer toner levels
  • 13. Parts of a Printer
    A printer is comprised of:
      • A print head with a print head connector
      • A carriage with a carriage connector, which can detach the print head from the print head connector
      • A driver for driving the print head
      • A microprocessor for controlling the driver in accordance with an N-bit print head identification signal, wherein N is a positive integer
      • A plurality of signal lines for connecting the microprocessor to the carriage connector
      • A parallel-to-serial converter, which is disposed on the print head, for converting N parallel inputs into an N-bit print head identification signal
  • 14. Printer Identification Strategy
    Two strategies to identify the printer used to print a document are:
      • Passive: The passive strategy is characterized by finding the intrinsic features in the printed document that are characteristic of a particular printer, model, or manufacturer’s product. This is referred to as the intrinsic signature. Using the intrinsic signature requires understanding and modeling the printer mechanism and developing tools to detect the signature in the printed document.
      • Active: In the active strategy, an extrinsic signature is embedded in a printed page. An extrinsic signature is generated when the process parameters are modulated in the printer mechanism to encode information that includes the printer serial number and date of printing. The information can be embedded using electrophotographic (EP) printers by modulating the intrinsic feature called banding.
    Figure 40-02: Identifying a printer
  • 15. Printer Forensics Process
    Printer forensics is comprised of the following four basic steps:
      • Pre-processing
      • Printer profile
      • Forensics
      • Ballistics
  • 16. Pre-Processing
    A printed document is digitally scanned and saved in an uncompressed format. Each page of the document is processed. In the first stage, multiple copies of the same character are located in the scanned document. To perform this, the user first selects a bounding box around a character of interest to serve as a template. In order to minimize the effect of luminance variations across printers, the intensity histograms of the characters are matched as follows:
      • Select a random set of characters and average their intensity histograms to create a reference histogram, so that the luminance variation across printers is minimized
      • Each character’s intensity histogram is then matched to this reference histogram
    A single character is then selected as a reference character. Each character is placed into spatial alignment with the reference character by using a coarse-to-fine differential registration technique.
  • 17. Printer Profile
    Once the characters are aligned properly, a profile is constructed based on the degradation introduced by the printer. Because of the complex nature of the degradation, a data-driven approach is used to characterize it. A principal components analysis is applied to the aligned characters to create a new linear basis that embodies the printer degradation.
  • 18. Forensics
    In a forensics setting, determine if a part of the document has been manipulated by:
      • Splicing in portions from a different document
      • Digitally editing a previously printed and scanned document and then printing the result
  • 19. Ballistics
    In a ballistics setting, determine if a document was printed from a specific printer. A printer profile is generated from a printer to determine if the document in question was printed from this printer. It is assumed that the printer profile is constructed from the same font family and size as the document to be analyzed.
  • 20. A Clustering Result of a Printed Page
    The printed page shows a clustering result for the HP LaserJet and Xerox Phaser. The top part of the page was printed on an HP LaserJet 4350 and the bottom half was printed on a Xerox Phaser 5500DN. These documents were scanned, combined, and printed on an HP LaserJet 4300 printer. A printer profile was created from 200 copies of the letter “a.” The printer profile is effective in detecting fakes composed of parts initially printed on different printers.
    Figure 40-03: A clustering result of a printed page (Source: http://www.cs.dartmouth.edu)
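    The profile, forensics and ballistics steps above can be carried through on toy data. The following is an added example, not code from the module or from the Dartmouth work it cites: it keeps a single principal component, and the 4x4 "glyphs", degradation patterns, function names and thresholds are all constructed assumptions standing in for aligned, histogram-matched scans of one character.

```python
import math

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def build_profile(glyphs, iters=100):
    """Printer profile = mean glyph + leading principal component (power iteration)."""
    n, dim = len(glyphs), len(glyphs[0])
    mean = [sum(g[i] for g in glyphs) / n for i in range(dim)]
    centered = [[g[i] - mean[i] for i in range(dim)] for g in glyphs]
    v = [1.0 / math.sqrt(dim)] * dim
    for _ in range(iters):
        # Covariance-times-vector product without building the covariance matrix.
        w = [0.0] * dim
        for x in centered:
            c = dot(x, v)
            for i in range(dim):
                w[i] += c * x[i]
        norm = math.sqrt(dot(w, w))
        if norm < 1e-12:          # no variance left to model
            break
        v = [wi / norm for wi in w]
    return mean, v

def residual(glyph, profile):
    """Distance from the glyph to the profile's subspace: what the basis cannot explain."""
    mean, pc = profile
    x = [g - m for g, m in zip(glyph, mean)]
    c = dot(x, pc)
    return math.sqrt(sum((xi - c * p) ** 2 for xi, p in zip(x, pc)))

def calibrate(train, profile, factor=3.0):
    """Hypothetical threshold: a multiple of the worst residual seen in training."""
    return factor * max(residual(g, profile) for g in train)

def flag_foreign(glyphs, profile, threshold):
    """Forensics: indices of characters inconsistent with the profile (possible splices)."""
    return [i for i, g in enumerate(glyphs) if residual(g, profile) > threshold]

def printed_on(glyphs, profile, threshold, min_fraction=0.9):
    """Ballistics: does (nearly) every character fit this printer's profile?"""
    consistent = len(glyphs) - len(flag_foreign(glyphs, profile, threshold))
    return consistent / len(glyphs) >= min_fraction

# --- constructed sample data -------------------------------------------------
BASE = [0, 1, 1, 0,  1, 0, 0, 1,  1, 1, 1, 1,  1, 0, 0, 1]           # ideal glyph
DEG_A = [0.3, 0, 0, 0.3,  0, 0.2, 0.2, 0,  0, 0, 0, 0,  0, 0.1, 0.1, 0]  # printer A
DEG_B = [0, 0, 0, 0,  0.4, 0, 0, 0.4,  0, 0, 0, 0,  0.4, 0, 0, 0.4]      # printer B

def make_glyph(degradation, strength, k):
    """Ideal glyph + printer-specific degradation + small deterministic scan noise."""
    return [b + strength * d + 0.01 * math.sin(7 * k + 3 * i)
            for i, (b, d) in enumerate(zip(BASE, degradation))]

TRAIN_A = [make_glyph(DEG_A, 0.5 + 0.25 * (k % 5), k) for k in range(20)]
# Questioned page: six characters from printer A, then three spliced in from B.
QUESTIONED = ([make_glyph(DEG_A, 0.8, 100 + k) for k in range(6)]
              + [make_glyph(DEG_B, 0.9, 200 + k) for k in range(3)])

PROFILE_A = build_profile(TRAIN_A)
THRESHOLD_A = calibrate(TRAIN_A, PROFILE_A)

if __name__ == "__main__":
    print("spliced characters:", flag_foreign(QUESTIONED, PROFILE_A, THRESHOLD_A))
    print("whole page from A:", printed_on(QUESTIONED, PROFILE_A, THRESHOLD_A))
```

    The threshold is calibrated on the training glyphs themselves, which is optimistic; on real scans it would be set from held-out pages of the known printer.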
  • 21. Digital Image Analysis
    The digital image analysis technique is used to analyze patterns generated in the printed document by uneven movements of the print engine. The uneven movement causes lines to be printed across a page instead of a solid smooth print, which is called banding. The banding effect has been attributed to two causes:
      • Fine banding is caused by the unevenness of the rotor component of the polygon mirror or by mechanical flaws of the laser scanning unit
      • Rough banding is caused by an uneven motion of the photoconductor drum or fuser unit
    Patterns resulting from banding differ from one printer to another, and they can be used to match a document to the printer that produced it. The banding effect can vary the size of the print across the page in patterns that differ based on the printer used. Digital image analysis is used to identify and measure these size variations.
    A high-spatial-resolution digital image analysis system is built around a Hamamatsu C4742-95-12NRB monochrome digital CCD camera. The main feature of the camera is that the CCD chip is Peltier-cooled to increase its signal-to-noise ratio. A high-quality Linos Mevis C lens is used to magnify the object’s image, which improves the resolution of the images produced by the camera. The accuracy of the measurement is supported by the use of an LED light source from a DF-LDR-90. The illumination system is powered by a TTI EL302D power supply and regulated by RS components. The camera is mounted on a heavy Polaroid MP4 Land camera stand to negate vibration problems.
  • 22. Printout Bins
    Printout bins are a staging area for a document after it has been printed. A printout provides information about the project and the user who printed the document. There is a method and system for identifying and facilitating access to computer printouts contained in an array of printout bins. Each printout contains the information of the related project and the user who printed the document. The bin holds information that uniquely identifies the user by name, PIN number, the user project number, the date and/or time the printout was prepared, etc. Bin access is allowed only if:
      • Acceptable confidential user identification is presented
      • At least one printout for that user is presently contained in the locked bin
  • 24. Document Examination
    Document examination is an important aspect of printer forensics for analyzing documents. Printed documents can be examined to:
      • Determine whether a document is genuine or counterfeit
      • Determine the way a document was generated
      • Find the machine used to print the document
    The various factors considered by a document examiner are:
      • The paper type (physical properties, optical properties)
      • Security features of the paper (e.g. watermark)
      • Printing process used
      • Verifying other digital evidence such as perforations
      • Microscopic analysis, which reveals tiny imperfections that link one document to another
    The different aspects of the examination are:
      • Altered or obliterated writing:
          o The presence of physical alterations or obliterated writing can sometimes be determined and the writing can sometimes be deciphered
          o The manufacturer can sometimes be determined if a watermark is present
      • Examining the date of the document:
          o Paper examination - The letterheads and watermarks of business or personal stationery will be changed from time to time by the manufacturer. Samples of such papers will help in determining whether a document exists in that time period.
          o Typescript - Comparison of printed documents produced by an organization over a period of time. This can help an investigator conclude whether a printer was used for a certain period of time or just recently.
      • Signature examination:
          o A signature examination is performed mainly to compare the signatures of the specimen (provable) to the questioned (disputed) signatures
          o In a signature comparison, the features of the questioned signature(s) - construction, shape, proportions, and fluency - are reviewed and then matched to the same features in the specimen signatures
      • Examining spur marks found on inkjet-printed documents:
          o Spur marks are the tool marks formed by the spur gears in the paper conveyance system of many inkjet printers
          o The spur marks on the printed document are compared with the spur marks of known printers to establish the relationship between them
          o The comparison of two spur marks is based on two characteristics: pitch and mutual distance
  • 25. Services of a Document Examiner
    A document examiner examines printed documents to find links to other documents or printers. He/she is also responsible for finding the printer used to print the document. The document examiner examines the document for any alterations, counterfeiting, and substitutions. The document examiner conducts research related to the document. The research includes finding comparable documents to verify authenticity, the paper used, the type of printer, etc. The examiner conducts tests on the documents to reach conclusions. She/he prepares a review based on the outcome of the tested documents.
  • 26. Tamper-Proofing of Electronic and Printed Text Documents
    Text documents should be tamper-proofed and authenticated before they are distributed in electronic or printed form. A text document authentication system tests the authenticity of a text document. Authentication is performed at a global level, in which the system gives a binary decision about the entire document, i.e. authentic or fake. If the system makes decisions at the local level, it is referred to as a “text document and tamper-proofing system.” A text document authentication and tamper-proofing system aims at validating the authenticity of a text document and indicating the local modifications if the document is found to be a fake.
    One solution to document authentication is the generation of a document hash, which is securely stored. To perform authentication, a hash value is generated from the document and compared with the stored hash. For the document to be authentic, the two hash values should be identical. Tamper proofing is based on the concept of local hashing, where a hash is computed from each local part of the document. This makes it possible to identify the local parts of the document where modifications were made. There are three approaches to hash-based document authentication, based on where the hash is stored:
  • 27. Tamper-Proofing of Electronic and Printed Text Documents (continued)
      • Hash stored in an electronic database
      • Hash stored in the document itself by using auxiliary special means such as 2D bar codes, special inks or crystals, memory chips, etc.
      • Hash stored in the document content by using data hiding techniques
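    The global decision and the local hashing described above can be shown together. This is an added example, not code from the module: it treats each paragraph as a "local part", collapses whitespace before hashing so that reflowed or reprinted text still verifies, and uses keyed HMAC-SHA-256 in place of a bare hash so that a stored record cannot simply be recomputed by whoever edits the text. The key, the sample letter and the record layout are constructed assumptions.

```python
import difflib
import hashlib
import hmac

def blocks(text):
    """Split into paragraphs (the 'local parts') and collapse whitespace in each."""
    return [" ".join(p.split()) for p in text.split("\n\n") if p.strip()]

def mac(key, label, data):
    """Keyed hash; the label keeps block hashes and the document hash in separate domains."""
    return hmac.new(key, (label + ":" + data).encode("utf-8"), hashlib.sha256).hexdigest()

def make_record(text, key):
    """Record to store (database, 2D bar code, hidden data): local hashes + global hash."""
    local = [mac(key, "block", b) for b in blocks(text)]
    # The global hash covers the ordered list of local hashes, so reordering is detected.
    return {"global": mac(key, "doc", "\n".join(local)), "local": local}

def verify(text, record, key):
    """Return (authentic, changes).

    authentic is the global binary decision. changes lists difflib opcodes
    (tag, i1, i2, j1, j2): stored blocks i1..i2 versus current blocks j1..j2,
    so an inserted or deleted paragraph does not mark everything after it as modified.
    """
    current = make_record(text, key)
    if hmac.compare_digest(current["global"], record["global"]):
        return True, []
    matcher = difflib.SequenceMatcher(a=record["local"], b=current["local"], autojunk=False)
    return False, [op for op in matcher.get_opcodes() if op[0] != "equal"]

# --- constructed sample -------------------------------------------------------
KEY = b"constructed-demo-key"   # placeholder; a real key comes from protected storage

ORIGINAL = """Payment notice for contract 17.

The amount due is 1,200 EUR.

Payment is due within 30 days.

Signed, Accounts Department."""

TAMPERED = """Payment notice for contract 17.

The amount due is 9,200 EUR.

Payment is due within 30 days.

Signed, Accounts Department.

Send payment to the new account listed overleaf."""

RECORD = make_record(ORIGINAL, KEY)

if __name__ == "__main__":
    print(verify(ORIGINAL, RECORD, KEY))
    print(verify(TAMPERED, RECORD, KEY))
```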
  • 28. Phidelity
    Phidelity is a technology used to enhance the security of printed documents by providing layers of protection. It provides five security features that work independently to ensure the document’s security.
      • Phidelity’s Optical watermark uses normal printers in a different way to print visual covert and overt watermarks. When a document with an optical watermark is copied, the overt watermark disappears and the covert watermark becomes visible, showing that the document is a copy. It generates optical watermarks that are secured against different types of attacks using common desktop printers, eliminating the need for special inks and papers. The optical watermark offers an easy way to verify important documents via quick visual verification.
      • Phidelity SecureCODE is the result of creative use of open standards in both 2-Dimensional (2D) barcodes and Public Key Infrastructure (PKI). A 2D barcode graphically represents the data, and PKI is a technology that implements trust using digital signatures and certificates, and secrecy through the use of encryption when required. Combining the two technologies creates SecureCODE, which is verified to discover tampering with the document content.
      • Phidelity’s Microprint is an innovative feature for printing in small fonts. It appears as an underline to the naked eye but actually contains textual information that can be read using a magnifying glass. When an important document is printed with Microprint, any casual copy of the original document will result in distorted text in the duplicates. It provides an efficient way of verifying the authenticity of a document.
      • Phidelity’s PrintControl makes use of a novel way to control printing. This helps in preventing a document from being printed more often than needed. It reduces the risk of information leakage by restricting the number of documents printed. PrintControl is highly user-centric, providing automated printer detection, selection for printing, and dynamic configuration of the optical watermark based on the specific printer to achieve the best watermark effect for security. It prevents printing of secured documents to virtual printers such as PDF creator.
      • Phidelity’s ID Trace covertly embeds tracking information related to document identification into a printed document. This helps in tracing the document after it has been printed. It is used as a forensic tool to find the source of a leak.
  • 29. Zebra Printer Labels to Fight against Crime
    Source: http://www.zebraprinterlabels.net/
    Law enforcement agencies depend on Zebra printer labels for exact and confidential printing needs when collecting important criminal evidence. Zebra printer labels help to identify criminal evidence more quickly with Zebra bar code printers. They produce ID badges (for both criminals and law enforcement) and maintain criminal records confidentially and safely. The labels allow law enforcement agencies to collect evidence effectively and in a timely manner. The Zebra printer labels used by law enforcement agencies to fight against crime are:
      • High performance bar code printers
      • Industrial and commercial bar code printers
      • Mobile printers
      • PAX print engines
  • 30. Cryptoglyph Digital Security Solution
    Source: http://www.alpvision.com/
    The Cryptoglyph security process provides an invisible marking with standard ink and standard printing processes. It can be included in the current packaging production line or other document processing workflow before printing. The invisible Cryptoglyph file is embedded in the prepress digital packaging image file, or produced by the document processing system before printing. Cryptoglyph does not require any packaging design or page template modifications. Unlike processes that use additional elements such as inks and holograms, Cryptoglyph uses standard ink during the standard printing process. It can be perceived only with the use of the appropriate equipment. The two elements in Cryptoglyph are:
      1. Invisible micro-points are printed over the entire area of the primary packaging or secondary packaging. These micro-points are impossible to replicate or erase due to their invisible nature.
      2. These micro-points consist of encrypted information that can be deciphered using the encryption key.
  • 31. Case Study: Dutch Track Counterfeits via Printer Serial Numbers
    Source: http://www.pcworld.idg.com.au/
    Printouts reveal hidden code information about the printer they were printed from. The Dutch police force solved cases related to prints with the help of printer manufacturers. Government agencies use this hidden information to fight against counterfeiters.
    Security: The Canon company strives to protect customers from counterfeits. Anna McIntyre, PR manager at Canon Europe, says that protection from counterfeits is crucial and that it has fitted all of its color machines with anti-counterfeit detection technology. Canon works with different authorities in order to minimize counterfeits. Sources who know the printer industry reveal that the security code is a unique number which is printed on every color page from a particular printer. The code can be printed as thin as 0.1 millimeter. This helps to find out which county delivered a specific printer, and to which dealer.
    Success: "We are familiar with this research method," said Ed Kraszewski of the Dutch national police agency KLPD. The spokesman did not reveal that the method is used to deal with counterfeits, but sources said that the Dutch Railway Police is investigating a gang which is counterfeiting tickets.
    Research: Researchers at Purdue University in West Lafayette, Indiana, explained a method they developed that allows authorities to trace documents to specific printers. The techniques used to trace the documents are: analyzing the document to identify characteristics that are unique to each printer, and designing printers to purposely embed individualized characteristics in documents. "Investigators want to be able to determine that a fake bill or document was created on a certain brand and model of printer," said Edward J. Delp, a professor of electrical and computer engineering at Purdue. The researchers used specific software for detecting slight variations in printed characters, which they call intrinsic signatures.
  • 32. Is Your Printer Spying On You?
    A printer is an important factor in the investigation of a crime. A printer records information about the documents that are printed. New printers that contain a secret code are now available. This secret code is installed in the printer during manufacturing and is used to identify the printer and the person who used it. Such printers have helped forensic investigation organizations, such as the FBI, to monitor the documentation activities of organizations. According to a report by the ACLU, since 2001, the FBI has collected more than 1100 pages of documents from organizations and groups, such as Greenpeace and United for Peace and Justice.
  • 34. DocuColor Tracking Dot Decoding
    DocuColor Tracking Dot Decoding is a part of the Machine Identification Code Technology project. DocuColor color laser printers print a tracking code on every printed page, which records the date, time, and the printer's serial number. These printers print rectangular grids of 15 by 8 minuscule yellow dots on every color page. The same grid is printed repeatedly over the complete page, but each repetition starts at a slightly different offset from the others, so that each grid is separated from the other grids. All the grids are printed parallel to the side of the page. These yellow dots have different background colors, so they are invisible to the naked eye under white light. You can see the dots with the help of a microscope or by illuminating the page with blue light. Under pure blue light, these dots look black.
  • 35. Figure 40-04: Image of the dot grid produced by a Xerox DocuColor 12 (Source: http://www.infowars.com)
    Figure 40-05: Image of a portion of the dot grid (Source: http://www.infowars.com)
    Image of one repetition of the dot grid from the same Xerox DocuColor 12 page, under illumination from a Photon blue LED flashlight:
  • 36. Figure 40-06: Illumination from a Photon blue LED flashlight (Source: http://www.infowars.com)
    Figure 40-07: Black dots in the microscope image (Source: http://www.infowars.com)
  • 37. Explanatory text that shows the significance of the dots:
    Figure 40-08: Significance of dots (Source: http://www.infowars.com)
    The topmost row and the first left column are the parity row and column used for error correction. They help the investigator to read the forensic information accurately. All the rows and columns, except the topmost row, contain an odd number of dots. If any row or column has an even number of dots, then it has been read incorrectly. Every column is read as seven bits (excluding the first bit, because it is the parity bit). The bytes are then read from right to left. Each column has a different meaning, as explained in the following:
    - 15: Unknown. It is constant for each separate printer. It gives some information about the printer's model and its configuration
    - 14, 13, 12, 11: Serial number of the printer in binary coded decimal fashion
    - 10: Separator
    - 9: Unused
    - 8: Indicates the year when the page was printed
    - 7: Indicates the month
    - 6: Indicates the day of printing
    - 5: Indicates the hour when the page was printed
    - 4, 3: Unused
    - 2: Minute
    - 1: Row parity bit, which ensures that all rows consist of an odd number of dots
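    The grid layout described above, turned into a decoder that rejects a misread grid before trusting any field. This is an added example, not part of the original courseware or of any vendor tool. The top-to-bottom bit weights, the two-digit reading of each serial-number column, and the sample grid are assumptions made for the illustration.

```python
# Added example, not EC-Council or Xerox code. Assumptions: dots in a column
# weigh 64,32,16,8,4,2,1 from top to bottom, and each serial-number column
# holds a two-digit decimal value. SAMPLE_GRID is constructed for illustration.
SAMPLE_GRID = [                 # '1' = yellow dot; leftmost char = column 1
    "001110111010111",          # topmost row: column parity
    "100000000110000",
    "110000000101100",
    "110001000101000",
    "000010000111010",
    "000011110110010",
    "110000100110101",
    "100001010100001",
]
FIELDS = {"minute": 2, "hour": 5, "day": 6, "month": 7, "year": 8}
SERIAL_COLUMNS = (14, 13, 12, 11)


def column_bits(grid, col):
    """All 8 bits of column `col` (1 = leftmost), top to bottom."""
    return [int(row[col - 1]) for row in grid]


def parity_errors(grid):
    """Rows and columns with an even dot count; the topmost row is exempt."""
    bad = [f"row {r + 1}" for r in range(1, 8) if grid[r].count("1") % 2 == 0]
    bad += [f"column {c}" for c in range(1, 16)
            if sum(column_bits(grid, c)) % 2 == 0]
    return bad


def column_value(grid, col):
    """Seven data bits of a column as an integer, skipping the parity dot."""
    value = 0
    for bit in column_bits(grid, col)[1:]:
        value = value * 2 + bit
    return value


def decode(grid):
    """Validate parity, then map columns to the fields listed on the slide."""
    if len(grid) != 8 or any(len(row) != 15 for row in grid):
        raise ValueError("expected 8 rows of 15 dots")
    bad = parity_errors(grid)
    if bad:
        raise ValueError("misread grid, even dot count in: " + ", ".join(bad))
    info = {name: column_value(grid, col) for name, col in FIELDS.items()}
    info["serial"] = "".join(f"{column_value(grid, c):02d}" for c in SERIAL_COLUMNS)
    info["column_15"] = column_value(grid, 15)
    return info
```

    A single misread dot breaks the parity of exactly one row and one column, which points the examiner to the dot to re-check.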
  • 38. Tools
  • 39. Print Spooler Software
    Source: http://www.networkprinting.info/
    The print spooler sends the documents to be printed to the print queue for processing, which allows the CPU and the printer to concentrate on other tasks before the data in the print queue is printed. The print spooler has many duties in managing the print process. It manages the printing pools, and keeps track of which task went to which printer and of the devices that are connected to the port. The print spooler is also called the print scheduler, since it schedules the jobs to be done. The spooler holds a file that is to be printed, emailed, faxed, or sent to a device which is presently used by other tasks. It gives the user the flexibility to delete a file that is about to be processed or is waiting to be printed. The print spooler sends the document to the intended printer when the printer is ready. It allows system resources to perform other tasks while the Line Printer Requester (LPR) print spooler performs the printing process.
  • 40. Investigating Print Spooler
    For each print job in Windows XP, the files found in the C:\Windows\System32\spool\Printers folder are:
    - .SPL - the spool file, which consists of the print job's spool data
    - .SHD - the shadow file, which consists of the job settings
    To view the metadata of the print job, use the PA Spool View tool. To view the spooled pages, use the EMF Spool View tool. Enhanced metafiles provide true device independence. Enhanced metafiles are standardized, which allows pictures stored in this format to be copied from one application to another.
    Check the spool folder location of a specific printer by opening the registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\<printer>
    Figure 40-09: EMF Spool View tool (Source: www.clubhack.com)
  • 41. Figure 40-10: PA Spool View tool (Source: www.clubhack.com)
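    Before opening spool files in a viewer, an examiner usually inventories them. The following added example (not part of the original courseware, and not one of the tools named above) pairs the .SPL and .SHD files of each job in a copy of the spool folder, hashes them, and guesses whether the spool data is EMF. It assumes both files of a job share the job number as file name, and treats the byte signature " EMF" as a heuristic marker for EMF data.

```python
# Added example: read-only inventory of a copy of the spool folder.
# Assumptions: a job's files are named <job id>.SPL and <job id>.SHD, and the
# bytes b" EMF" (the enhanced-metafile header signature) mark EMF spool data;
# anything else is reported as "raw". The folder path is supplied by the caller.
import hashlib
from pathlib import Path


def inventory_spool(folder):
    """Pair .SPL/.SHD files by job id and describe each print job."""
    jobs = {}
    for path in sorted(Path(folder).iterdir()):
        ext = path.suffix.upper()
        if path.is_file() and ext in (".SPL", ".SHD"):
            jobs.setdefault(path.stem, {})[ext] = path
    report = []
    for job_id, files in sorted(jobs.items()):
        entry = {"job": job_id, "spl": ".SPL" in files, "shd": ".SHD" in files,
                 "sha256": {}, "format": None}
        for ext, path in files.items():
            data = path.read_bytes()
            entry["sha256"][ext] = hashlib.sha256(data).hexdigest()
            if ext == ".SPL":
                entry["format"] = "emf" if b" EMF" in data else "raw"
        report.append(entry)
    return report
```

    A job with only one of the two files (spl or shd is False) is worth noting in the report, since the viewers above expect the spool data and the job settings together.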
  • 42. Printer Tools: iDetector
    Source: http://www.graphicsecurity.com/
    iDetector is an effective tool to visually compare inspected documents and products with genuine ones. It is ideal for brand owners and document examiners, and can generate and record information about the authentication performed. Brand integrity inspectors can easily capture checkpoints on genuine products, and add them to a secure database. Captured images of inspected products can be verified on the spot, or transferred via the Internet to the authentication server.
    Figure 40-11: Screenshot of iDetector
  • 43. Printer Tools: Print Inspector
    Source: http://www.softperfect.com/
    Print Inspector is a powerful print management and auditing solution for your corporate network. This software lets you manage the print jobs queued to any shared printer and provides easy access to the printer and print server settings. It saves detailed statistics about all printed documents in a separate database. A built-in reporting tool lets you create various reports based on the collected data about all printed documents.
    Figure 40-12: Screenshot of Print Inspector
  • 44. Tool: EpsonNet Job Tracker
    Source: http://www.business-solutions.epson.co.uk/
    EpsonNet Job Tracker is web-based application software. It gives a clear picture of what is being printed, where and by whom, thereby helping you control your printing costs.
    EpsonNet Job Tracker Benefits:
    - Monitors and analyzes network printer activity
    - Controls access to color, keeps costs down
    - Manages print resources, improves network traffic
    - Defines printer activity, calculates, assigns and recovers costs
    - Sends reports automatically to departments and managers
    - Controls by time of day, type of printing, number of pages
  • 45. Summary
    - Printer forensics refers to the investigation done on any printed document or the printer used to print the document
    - Investigation of the documents and printers will provide valuable information for law enforcement agencies and intelligence agencies
    - Different printing modes are monochrome, color printer, and photo printer
    - Methods used for image creation are: toner-based printers, inkjet printers, impact printers, dot-matrix printers, line printers, digital minilabs, dye-sublimation printers, spark printers
    - A printed document is first digitally scanned and saved in an uncompressed format
    - Methods and systems for identifying and facilitating access to computer printouts are contained in an array of printout bins
  • 46. Exercise:
    1. Describe what you understand by "printer forensics."
    2. What are the different methods of image creation?
    3. Describe the printer forensic process.
    4. Explain digital image analysis.
    5. Discuss printout bins.
    6. How is tamper-proofing of electronic and printed text documents done?
  • 47. 7. How is Phidelity used to enhance the security of printed documents?
    8. What is the Cryptoglyph security process?
    9. Explain DocuColor Tracking Dot Decoding.
    10. Discuss the different tools used in printer forensics.
  • 48. Hands-On
    1. Visit http://www.spiritus-temporis.com/ and read about computer printers.
    2. Download the Print Inspector from http://www.softperfect.com/products/pinspector/, run it, and check the results.
    3. Visit http://www.undocprint.org/ and read "Ways to investigate print spooler."
    4. Visit http://www.alpvision.com/ and read "Cryptoglyph Digital Security Solutions."