File000153
- 2. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Inkjet Research Could Aid Forensics
Source: http://www.pcworld.com/
- 3. EC-Council
News: Particulate Emissions From Laser Printers
Source: http://www.sciencedaily.com/
- 4. EC-Council
Module Objective
This module will familiarize you with:
• Introduction to Printer Forensics
• Different Printing Modes
• Methods of Image Creation
• Printer Forensics Process
• Digital Image Analysis
• Document Examination
• Phidelity
• Cryptoglyph Digital Security Solutions
• DocuColor Tracking Dot Decoding
- 5. EC-Council
Module Flow
• Introduction to Printer Forensics
• Different Printing Modes
• Methods of Image Creation
• Printer Forensics Process
• Digital Image Analysis
• Document Examination
• Phidelity
• Cryptoglyph Digital Security Solutions
- 7. EC-Council
Introduction to Printer Forensics
Printer forensics refers to the investigation of any printed document or of the printer used to print it
Investigating documents and printers provides law enforcement and intelligence agencies with valuable information about a crime
In several cases, printed material is a direct accessory to criminal acts
• Examples include forgery or alteration of documents used for purposes of identity, security, or recording transactions
Printed material may be used in the course of conducting illicit or terrorist activities
• Examples include instruction manuals, team rosters, meeting notes, and correspondence
- 8. EC-Council
Different Printing Modes
Monochrome:
• A monochrome printer can only produce an image consisting of one color, usually black
Color printer:
• A color printer can produce images of multiple colors
Photo printer:
• A photo printer is a color printer that can produce images that mimic the color range and resolution of photographic methods of printing
- 9. EC-Council
Methods of Image Creation
Toner-based printers:
• Toner-based printers adhere toner to a light-sensitive print drum
• They use static electricity to transfer the toner to the printing medium, to which it is fused with heat and pressure
• Different toner-based printers are:
  • Laser printers use precise lasers to cause adherence
  • LED printers use an array of LEDs to cause toner adhesion
Inkjet printers:
• Inkjet printers spray small, precise amounts of ink onto the media
- 10. EC-Council
Methods of Image Creation (cont’d)
Impact printers:
• Impact printers rely on a forcible impact to transfer ink to the media, similar to typewriters, and are typically limited to reproducing text
• A daisy wheel printer is a specific type of impact printer where the type is molded around the edge of a wheel
Dot-matrix printers:
• Dot-matrix printers rely on a matrix of pixels, or dots, that together form the larger image
• The term is specifically used for impact printers that use a matrix of small pins to create precise dots
• They can produce graphical images in addition to text
- 11. EC-Council
Methods of Image Creation (cont’d)
Line printers print an entire line of text at a time
The two principal designs of line printers:
• Drum printers: A drum carries the entire character set of the printer repeated in each column that is to be printed
• Chain printers or train printers: The character set is arranged multiple times around a chain that travels horizontally past the print line
- 12. EC-Council
Methods of Image Creation (cont’d)
Digital Minilab:
• A digital minilab is a computer printer that uses traditional chemical photographic processes to make prints of digital images
• Photographs are input to the digital minilab using a built-in film scanner that captures images from negative and positive photographic films
- 13. EC-Council
Methods of Image Creation (cont’d)
Dye-sublimation printer:
• A dye-sublimation printer uses heat to transfer dye to a medium such as poster paper, plastic card, etc.
• It lays down one color at a time with the help of a ribbon that has color panels
Spark printer:
• A spark printer uses a special paper coated with a layer of aluminum over a black backing, which is printed on by applying a pulsing current to the paper via two styli that move across on a moving belt at high speed
- 14. EC-Council
Printers with Toner Levels
Make/Model              Toner
HP LaserJet 4300        72%
HP LaserJet 4350        72%
HP LaserJet 4350        72%
Xerox Phaser 5500DN     94%
Xerox Phaser 5500DN     31%
Xerox Phaser 5500DN     60%
Xerox Phaser 8550DP     -
- 15. EC-Council
Parts of a Printer
A printer comprises:
• A print head with a print head connector
• A carriage with a carriage connector, which can detach the print head from the print head connector
• A driver for driving the print head
• A microprocessor for controlling the driver in accordance with an N-bit print head identification signal, wherein N is a positive integer
• A plurality of signal lines for connecting the microprocessor to the carriage connector
• A parallel-to-serial converter, which is disposed on the print head, for converting N parallel inputs into an N-bit print head identification signal
- 16. EC-Council
Printer Identification Strategy
Two strategies to identify the printer that was used to print a document:
Passive:
• The passive strategy characterizes the printer by finding intrinsic features in the printed document that are characteristic of that particular printer, model, or manufacturer's products
• This is referred to as the intrinsic signature
Active:
• In the active strategy, an extrinsic signature is embedded in a printed page
• The extrinsic signature is obtained by modulating the process parameters in the printer mechanism to encode identifying information such as the printer serial number and date of printing
- 17. EC-Council
Printer Identification
[Figure: Unknown Document → Extract Characters → Individual Characters → Extract Features (Variance/Entropy, GLCM Features) → Feature Vector per Character → SVM Classifier → Majority Vote → Output class]
- 18. EC-Council
Printer Forensics Process
Pre-processing
Printer Profile
Forensics
Ballistics
- 19. EC-Council
Pre-Processing
A printed document is first digitally scanned and saved in an uncompressed format
In the first stage, multiple copies of the same character are located in the scanned document
A user first selects a bounding box around a character of interest to serve as a template
To minimize the effect of luminance variations across printers, the intensity histograms of the characters are matched as follows:
• Select a random set of characters and average their intensity histograms to create a reference histogram
• Match each character’s intensity histogram to this reference histogram
- 20. EC-Council
Printer Profile
Once the characters are aligned properly, a profile is constructed based on the degradation introduced by the printer
Because the degradation is complex in nature, a data-driven approach is used to characterize it
A principal components analysis is applied to the aligned characters to create a new linear basis that embodies the printer degradation
- 21. EC-Council
Forensics
In a forensics setting, determine if a part of the document has been manipulated by:
• Splicing in portions from a different document
• Digitally editing a previously printed and scanned document and then printing the result
- 22. EC-Council
Ballistics
In a ballistics setting, determine if a document was
printed from a specific printer
A printer profile is generated from a printer to determine
if the document in question was printed from this printer
Assume that the printer profile is constructed from the
same font family and size as the document to be analyzed
- 23. EC-Council
A Clustering Result of a Printed Page
[Figure: clustering result of a printed page, with regions labeled HP LaserJet and Xerox Phaser]
The printed page shows a clustered result of the HP LaserJet and Xerox Phaser
The top part of the page was printed on an HP LaserJet 4350 and the bottom half was printed on a Xerox Phaser 5500DN
These documents were scanned, combined, and printed on an HP LaserJet 4300 printer
A printer profile was created from 200 copies of the letter ‘a’
The printer profile is effective in detecting fakes composed of parts initially printed on different printers
- 24. EC-Council
Digital Image Analysis
Digital image analysis is used to analyze patterns generated in the printed document by irregular movements of the print engine
The irregular movement causes lines to be printed across a page instead of solid, smooth print; this is known as banding
The banding effect has been attributed to two causes:
• Fine banding is due to the imbalance of the rotor component of the polygon mirror or mechanical weaknesses of the laser scanning unit
• Rough banding is caused by unsteady motion of the photoconductor drum or the fuser unit
This banding can be used to link a document to the printer that produced it
- 25. EC-Council
Printout Bins
Printout bins are a staging area for documents after they have been printed
Each printout carries information about the related project and the user who printed the document
The bin holds information that uniquely identifies the user by name, PIN number, the user project number, and the date and/or time the printout was prepared, etc.
The bin access is allowed only if:
• Acceptable confidential user identification is presented
• At least one printout for that user is presently contained in the locked bin
- 26. EC-Council
Document Examination
Document examination is an important aspect of printer forensics for analyzing documents
Printed documents can be examined to:
• Determine whether the document is genuine or counterfeit
• Determine the way the document was generated
• Examine the machines used to print the document
The various factors considered by the document examiner:
• The paper type (physical properties, optical properties)
• Security features of the paper (e.g. watermark)
• Printing process used
• Verification of other digital evidence such as perforations
• Microscopic analysis reveals tiny imperfections that link one document to another
- 27. EC-Council
Document Examination (cont’d)
The different aspects of examination:
Altered or Obliterated Writing:
• The presence of physical alterations or obliterated writing can sometimes be determined, and the writing can sometimes be deciphered
• The manufacturer can sometimes be determined if a watermark is present
Examining date of document:
• Paper examination - the letterheads and watermarks of business or personal stationery will be modified from time to time by the manufacturer
• Typescript - comparison of typewritten documents produced by an organization over a period of time
- 28. EC-Council
Document Examination (cont’d)
Signature Examination
• Signature examinations generally involve comparing specimen (provable) signatures against questioned (disputed) signatures
• In signature comparison, the features of the questioned signature(s) - construction, shape, proportions and fluency - are assessed and then compared with the same features in the specimen signatures
Examining spur marks found on inkjet-printed documents
• Spur marks are tool marks created by the spur gears in the paper conveyance system of many inkjet printers
• The spur marks on the printed document are compared with the spur marks of known printers to establish the relationship between them
• The comparison of two spur marks is based on two characteristics: pitch and mutual distance
- 29. EC-Council
Services of a Document Examiner
The document examiner examines the document for any alterations, counterfeiting, and substitutions
The examiner conducts research related to the document
• The research includes finding comparable documents to verify authenticity, paper used, type of printer, etc.
The examiner conducts tests on the documents to reach conclusions
The examiner prepares a review based on the outcome of the tested documents
- 30. EC-Council
Tamper-Proofing of Electronic and Printed Text Documents
Text documents should be tamper-proofed and authenticated before they are distributed in electronic or printed form
A text document authentication system aims at deciding whether a given text document is authentic or not
A text document tamper-proofing system aims at verifying the authenticity of a text document and indicating the local modifications, if the document is suspected to be a fake
- 31. EC-Council
Tamper-Proofing of Electronic and Printed Text Documents (cont’d)
There are three approaches to hash-based document authentication based
on where the hash is stored:
• Hash storage in an electronic database
• Hash storage onto the document itself using auxiliary special means such as 2D bar
codes, special inks or crystals, magnetic stripes, memory chips, etc.
• Hash storage onto the document's content itself using data-hiding techniques
- 32. EC-Council
Phidelity
Phidelity is a technology used to enhance the security of printed
documents by providing layers of protection
Phidelity's Optical Watermark makes innovative use of normal
printers to print visual covert and overt watermarks
It generates secure optical watermarks against various types of
possible attacks while only using common desktop printers,
eliminating the need of special inks or papers
Phidelity's Microprint is the creative use of printer capabilities to
print small fonts
By printing important document information as Microprint, any
casual copying of the original document will result in highly
distorted text in the duplicates
- 33. EC-Council
Zebra Printer Labels to Fight Against Crime
Law enforcement agencies rely on Zebra printer labels for
accurate and confidential printing needs when collecting
important criminal evidence
Zebra printer labels help to identify criminal evidence more
quickly with Zebra bar code printers
The labels can also produce ID badges (both for criminals and
law enforcement) and keep track of criminal records
confidentially and safely
- 34. EC-Council
Cryptoglyph Digital Security Solution
Cryptoglyph security process provides an invisible marking with
standard ink and standard printing processes
It can be easily integrated into any current packaging production line or
any document processing workflow before printing
Embed the invisible Cryptoglyph file in the prepress digital packaging
image file or generate it before printing it with your document
processing system
Cryptoglyph requires no packaging design or any page template
modification
- 35. EC-Council
Case Study: Dutch Track Counterfeits via Printer Serial Numbers
Wilbert de Vries (WebWereld Netherlands) 26/10/2004 08:39:31
It appears that although consumers aren't aware of the hidden code on their color prints, government agencies are. And they are
using this knowledge in their battle against counterfeiters -- with help from well-known printer manufacturers.
Security
Sources familiar with the printer industry confirm this built-in security is in fact a unique number that is printed on every color
page. The code, in yellow, can be printed on a line as thin as 0.1 millimeter.
With help from manufacturers like Canon, authorities can gather information about the printer used in counterfeit crimes. The
number tells them in which country a specific printer has been delivered, and to what dealer. The dealer then can lead them to
the local computer store where the printer was sold.
Success
"We are familiar with this research method," said Ed Kraszewski of the Dutch national police agency KLPD. "We are using it in
our research and it has proven to be successful in the past."
Even though the spokesman cannot detail what kind of successes or in what cases the agency is using this method now,
anonymous sources confirm that the Dutch Railway Police, part of the KLPD, is investigating a gang that could be
counterfeiting tickets on a large scale.
As part of the research in this case, officers have tracked down the printer used to print the fake tickets. They are now trying to
get the name of the person who bought the printer. A local distributor in the Netherlands was visited by two officers with
specific questions about the printer.
"Their research led them to our company," said the director of the big Dutch distributor, who wants to remain anonymous. "It
concerned an investigation about counterfeit tickets. With the number they apparently found, they could see what engine was
used. They knew exactly what printer was used and wanted to know to whom I had sold that specific printer."
The company's records only revealed in what batch the printer had arrived. The police left the building with specific sales
information about that batch, which contained about a hundred printers. The investigation is still running, according to a
spokesman for the team investigating this matter.
- 36. EC-Council
Is Your Printer Spying On You?
Imagine that every time you printed a document, it automatically
included a secret code that could be used to identify the printer - and
potentially, the person who used it
In a purported effort to identify currency counterfeiters, the US
government has succeeded in persuading some color laser printer
manufacturers to encode each page with identifying information
For a list of printers with this tracking capability, please visit:
• http://www.eff.org/Privacy/printers/list.php
- 37. EC-Council
DocuColor Tracking Dot Decoding
The yellow dots become visible when the dot grid is viewed under 60x magnification
- 38. EC-Council
DocuColor Tracking Dot Decoding (cont’d)
Computer graphics software is used to overlay the black dots in the microscope image with larger yellow dots for clear visibility
- 39. EC-Council
DocuColor Tracking Dot Decoding (cont’d)
The topmost row and the left column are the parity row and column for error correction
They help to verify the forensic information for correctness
The rows and columns have odd parity
- 40. EC-Council
DocuColor Tracking Dot Decoding (cont’d)
Each column is read from top to bottom as a single byte of seven bits; the bytes are then read from right to left. Columns are numbered from left to right and have the following meanings:
• 15: Unknown (often zero; constant for each individual printer; may convey some non-user-visible fact about the printer's model or configuration)
• 14, 13, 12, 11: Printer serial number in binary-coded decimal, two digits per byte (constant for each individual printer; see below)
• 10: Separator (typically all ones; does not appear to code information)
• 9: Unused
• 8: Year that page was printed (without century; 2005 is coded as 5)
- 41. EC-Council
DocuColor Tracking Dot Decoding (cont’d)
Each column is read from top to bottom as a single byte of seven bits; the bytes are then read from right to left. Columns are numbered from left to right and have the following meanings:
• 7: Month that page was printed
• 6: Day that page was printed
• 5: Hour that page was printed (may be UTC time zone, or may be set inaccurately within printer)
• 4, 3: Unused
• 2: Minute that page was printed
• 1: Row parity bit (set to guarantee an odd number of dots present per row)
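The column layout from the two slides above, applied to one dot grid as an added example; this is not code from the original slides. The sample grid is constructed, and two readings are assumptions: each of columns 14 to 11 is taken as a two-digit decimal value, and the parity row is not itself checked as a row.

```python
"""Decode a DocuColor tracking-dot grid (added example, constructed data)."""

# 8 rows x 15 columns, '1' = yellow dot. Row 0 is the column-parity row;
# rows 1-7 carry bit values 64, 32, 16, 8, 4, 2, 1. String index 0 is
# column 1 (the row-parity column); index 14 is column 15.
SAMPLE_GRID = [  # constructed sample, not taken from a real printout
    "001110111001111",  # parity row
    "000000000100000",  # 64
    "110000000111000",  # 32
    "110001000110000",  # 16
    "100010000110100",  # 8
    "100011110100100",  # 4
    "110000100101000",  # 2
    "000001010100000",  # 1
]


def validate_shape(grid):
    if len(grid) != 8 or any(len(r) != 15 or set(r) - set("01") for r in grid):
        raise ValueError("expected 8 rows of 15 characters, each '0' or '1'")


def parity_errors(grid):
    """Return ("row", n) / ("column", n) for every odd-parity violation."""
    validate_shape(grid)
    errors = []
    # Assumption: the parity row itself is not checked as a row.
    for r, row in enumerate(grid[1:], start=1):
        if row.count("1") % 2 == 0:
            errors.append(("row", r))
    for c in range(1, 16):
        if sum(row[c - 1] == "1" for row in grid) % 2 == 0:
            errors.append(("column", c))
    return errors


def column_value(grid, col):
    """Seven data bits of 1-based column `col`, top (64) to bottom (1)."""
    return int("".join(row[col - 1] for row in grid[1:]), 2)


def decode(grid):
    """Return the fields of one grid, refusing grids that fail parity."""
    errors = parity_errors(grid)
    if errors:
        # A single misread dot shows up as one bad row plus one bad column.
        raise ValueError(f"parity check failed: {errors}")
    v = {c: column_value(grid, c) for c in range(2, 16)}
    serial_cols = (14, 13, 12, 11)
    # Assumption: each serial column holds a two-digit decimal value (0-99),
    # most significant pair in column 14.
    if any(v[c] > 99 for c in serial_cols):
        raise ValueError("serial column out of two-digit range")
    return {
        "unknown": v[15],
        "serial": "".join(f"{v[c]:02d}" for c in serial_cols),
        "separator": v[10],
        "year": v[8],    # without century
        "month": v[7],
        "day": v[6],
        "hour": v[5],    # may be UTC or an inaccurate printer clock
        "minute": v[2],
    }


if __name__ == "__main__":
    for field, value in decode(SAMPLE_GRID).items():
        print(f"{field:>9}: {value}")
```

Because every data row and every column carries odd parity, a dot misread during scanning is located by the intersection of the failing row and the failing column, which is why the decoder refuses to report fields from a grid that does not verify.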
- 43. EC-Council
Print Spooler Software
The print spooler prints the document to the intended printer when the printer is ready
It frees system resources for other tasks while the Line Printer Requester (LPR) print spooler performs the printing process
It sends the job to the print queue for processing
It manages the printing process
Spooling prepares a file for printing, emailing, or sending to a device or system that is presently occupied by other tasks
- 44. EC-Council
Investigating Print Spooler
For each print job on Windows XP, the files found in the C:\Windows\System32\spool\Printers folder are:
• .SPL – the spool file, which contains the print job’s spool data
• .SHD – the shadow file, which contains the job settings
To view the metadata of the print job, use the PA Spool View tool
To view the spooled pages, use the EMF Spool View tool
Enhanced metafiles provide true device independence
Enhanced metafiles are standardized, which allows pictures stored in this format to be copied from one application to another
Check the spool folder location of a specific printer by opening the registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\<printer>
- 45. EC-Council
Printer Tools
iDetector is an effective tool to
visually compare inspected documents
and products with genuine ones
Print Inspector lets you manage the
print jobs queued to any shared printer
and provides easy access to the printer
and print server settings
- 46. EC-Council
Tool: EpsonNet Job Tracker
http://www.business-solutions.epson.co.uk/
EpsonNet Job Tracker is a web-based software application
It gives a clear picture of what is being printed, where and by whom, thereby helping you control your printing costs
Benefits of EpsonNet Job Tracker:
• Monitors and analyzes network printer activity
• Controls access to color, keeps costs down
• Manages print resources, improves network traffic
• Defines printer activity, calculates, assigns and recovers costs
• Sends reports automatically to departments and managers
• Controls by time of day, type of printing, number of pages
- 47. EC-Council
Summary
Printer forensics refers to the investigation done on any printed document or the printer used to print the document
Investigation of the documents and printers will provide valuable information for the law enforcement agencies and intelligence agencies
The different printing modes are monochrome, color printer, and photo printer
Methods used for image creation are: toner-based printers, inkjet printers, impact printers, dot-matrix printers, line printers, digital minilab, dye-sublimation printer, and spark printer
A printed document is first digitally scanned and saved in an uncompressed format
Method and system for identifying and facilitating access to computer printouts contained in an
array of printout bins