Blog >> Printers Information

Investigating Printers Information

26/11/2021 Friday

Despite the advances in technology, the use of paper and printers will not disappear anytime during the foreseeable future. Many sectors and societies still rely heavily on printed documents. That is why it is important to be able to retrieve information related to the printers the system has access to and might have used.

Digital Forensics Value of Printers Information Artifact

During an investigation, examiners may find themselves in need to identify which printer(s) the user had access to or may have used. This information is particularly important in cases involving data leakage or intellectual property theft.

Location of Printers Information Artifact

In Windows systems, information related to printers are maintained within the NTUSER.dat registry hive at the following locations:

Structure of Printers Information Artifact

The PrinterPorts key contains a list of all the installed printers on the system. However, the Device value within the Software\Microsoft\Windows NT\CurrentVersion\Windows key contains the user's default printer.

Analyzing Printers Information Artifact with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze Printers Information artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Printers Information artifact:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Printers Information artifact in ArtiFast Windows.

Printers Information Artifact

For more information or suggestions please contact: [email protected]