Despite the advances in technology, the use of paper and printers will not disappear in the foreseeable future. Many sectors and societies still rely heavily on printed documents. That is why it is important to be able to retrieve information related to the printers the system has access to and might have used.
During an investigation, examiners may need to identify which printer(s) the user had access to or may have used. This information is particularly important in cases involving data leakage or intellectual property theft.
In Windows systems, information related to printers is maintained within the NTUSER.dat registry hive at the following locations:
The PrinterPorts key contains a list of all the installed printers on the system, while the Device value within the Software\Microsoft\Windows NT\CurrentVersion\Windows key contains the user's default printer.
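The two locations above can be checked by hand from a text export of the user's hive. The following Python example is added here and is not ArtiFast or Forensafe code; it assumes the keys were exported in .reg text format and decoded to a string, that PrinterPorts sits under Software\Microsoft\Windows NT\CurrentVersion, and that the data uses the usual comma-separated layout (driver,port,... for PrinterPorts and name,driver,port for Device). The sample export is constructed.

```python
import re

# Constructed sample: the two keys as they would appear in a .reg text export
# of a user's NTUSER.dat (printer names and ports are made up).
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft Print to PDF"="winspool,Ne01:,15,45"
"\\\\PRINTSRV01\\Finance-Laser"="winspool,Ne03:,15,45"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device"="\\\\PRINTSRV01\\Finance-Laser,winspool,Ne03:"
'''

BASE = r"\software\microsoft\windows nt\currentversion"
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg text escapes backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_export(text):
    """Return {key_path: {value_name: string_data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def printer_summary(text):
    installed, default = {}, None
    for path, values in parse_export(text).items():
        p = path.lower()
        if p.endswith(BASE + r"\printerports"):
            for name, data in values.items():
                fields = data.split(",")  # assumed layout: driver,port,...
                installed[name] = fields[1] if len(fields) > 1 else None
        elif p.endswith(BASE + r"\windows") and "Device" in values:
            # driver and port are the last two fields; the rest is the name
            default = values["Device"].rsplit(",", 2)[0]
    return {"installed": installed, "default": default,
            "default_is_installed": default in installed}
```

`printer_summary(SAMPLE_EXPORT)` returns the installed printers with their ports, the default printer name, and whether that default also appears in the PrinterPorts list.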
This section discusses how to use ArtiFast Windows to analyze the Printers Information artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select the Printers Information artifact:
Once the ArtiFast parser plugins finish processing the artifacts for analysis, the results can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Printers Information artifact in ArtiFast Windows.
Printers Information Artifact
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com