Five on Forensics Page 1 - Craig Ball
Five on Forensics Page 1 - Craig Ball
Five on Forensics Page 1 - Craig Ball
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<str<strong>on</strong>g>Five</str<strong>on</strong>g> <strong>on</strong> <strong>Forensics</strong><br />
© 2002-2008 <strong>Craig</strong> <strong>Ball</strong> All Rights Reserved<br />
they often do a pretty lousy job of disappearing. Temp files are often aband<strong>on</strong>ed, frequently<br />
as a c<strong>on</strong>sequence of a program lock up, power interrupti<strong>on</strong> or other atypical shut down.<br />
When the applicati<strong>on</strong> is restarted, it creates new temp file, but rarely does away with the<br />
predecessor file. It just hangs around indefinitely. Even when the applicati<strong>on</strong> does delete the<br />
temp file, the c<strong>on</strong>tents of the file tend to remain in unallocated space until overwritten, as with<br />
any other deleted file.<br />
As an experiment, search your hard drive for all files with the .TMP extensi<strong>on</strong>. You can<br />
usually do this with the search query “*.TMP.” You may have to adjust your system settings<br />
to allow viewing of system and hidden files. When you get the list, forget any with a current<br />
date and look for .TMP files from prior days. Open those in Notepad or WordPad and you<br />
may be shocked to see how much of your work hangs around without your knowledge. Word<br />
processing applicati<strong>on</strong>s are by no means the <strong>on</strong>ly types which keep (and aband<strong>on</strong>) temp<br />
files.<br />
Files with the .BAK extensi<strong>on</strong>s (or a variant) usually represent timed back ups of work in<br />
progress maintained to protect a user in the even of a system crash or program lock up.<br />
Applicati<strong>on</strong>s, in particular word processing software, create .BAK files at periodic intervals.<br />
These applicati<strong>on</strong>s may also be c<strong>on</strong>figured to save earlier versi<strong>on</strong>s of documents that have<br />
been changed in a file with a .BAK extensi<strong>on</strong>. While .BAK files are supposed to be deleted<br />
by the system, they often linger <strong>on</strong>.<br />
If you’ve ever poked around your printer settings,<br />
you probably came across an opti<strong>on</strong> for spooling<br />
print jobs, promising faster performance. See<br />
Figure 12 for what the setting box looks like in<br />
Windows XP. The default Windows setting is to<br />
spool print jobs so, unless you’ve turned it off,<br />
your work is spooling to the printer. Spool<br />
sounds like your print job is winding itself <strong>on</strong>to a<br />
reel for release to the print queue, but it actually<br />
is an acr<strong>on</strong>ym which stands for (depending up<strong>on</strong><br />
who you ask) “simultaneous peripheral<br />
operati<strong>on</strong>s <strong>on</strong> line” or “system print operati<strong>on</strong>s<br />
off-line.” The forensic significance of spool files<br />
is that, when spooling is enabled, anything you<br />
print gets sent to the hard drive first, with the<br />
document stored there as a graphical<br />
representati<strong>on</strong> of your print job. Spool files are<br />
usually deleted by the system when the print job<br />
Figure 12<br />
has completed successfully but here again, <strong>on</strong>ce<br />
data gets <strong>on</strong> the hard drive, we know how tenacious it can be. Like temp files, spool files<br />
occasi<strong>on</strong>ally get left behind for prying eyes when the program crashes. You can’t read spool<br />
files as plain text. They must either be decoded (typically from either Windows enhanced<br />
<strong>Page</strong> 29
Change language