ITM is an open framework - Submit your contributions now.

Preparation

Archive Data

Boot Order Manipulation

CCTV Enumeration

Circumventing Security Controls

Data Obfuscation

Renaming Files or Changing File Extensions

Data Staging

Device Mounting

Email Collection

External Media Formatting

File Exploration

IT Ticketing System Exploration

Network Scanning

Physical Disk Removal

Physical Exploration

Physical Item Smuggling

Private / Incognito Browsing

Read Windows Registry

Security Software Enumeration

Social Engineering (Outbound)

Software Installation

Software or Access Request

Managerial Approval

Suspicious Web Browsing

Testing Ability to Print

ID: PR013
Created: 25th May 2024
Updated: 09th June 2024
Platforms: Windows, Linux, MacOS
Contributor: The ITM Team

Testing Ability to Print

A subject attempts to print a document from a system to identify if this capability is permitted, restricted, or not possible.

Prevention

ID	Name	Description
PV014	Disable Printing, Windows	Group Policy can be used to disable printing for specific user accounts.

Detection

ID	Name	Description
DT006	Installed Printers via Registry	The Windows Registry stores information about installed printers and their configurations. The following registry keys can be useful to investigators: Printer settings - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers` User-specific settings - `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices`
DT005	Print Spooler Service	The Spool files can typically be found in the following directory: `C:\\Windows\\System32\\spool`. A spool file with a `.SPL` extension contains the actual print data. This data can be in various formats, including RAW, EMF (Enhanced Metafile), or other printer-specific formats. The spool file is stored in the spool directory associated with the printer until the print job is completed. Once the print job is finished and successfully printed, the .SPL file is typically deleted. A job control language file with a `.SHD` extension contains metadata about the print job, such as document properties, print settings, and information about the account that submitted the print job. The .SHD file is also stored in the spool directory during the print job's processing. Unlike the .SPL file, the .SHD file can sometimes persist longer, but it is generally deleted after the print job is completed or upon system cleanup. If the files are not present, it may be possible to use file carving techniques on a disk image to retrieve .SPL and .SHD files. Content and metadata analysis can be conducted to identify timestamps, document names, and user names.
DT007	Printed Documents via Event Logs	Windows logs print job activities to Event logs, containing information such as job creation, completion, errors, and adding or deleting printer devices. `Windows Logs -> System` Event ID 307 - A document was printed. Event ID 310 - A document failed to print. Event ID 701 - Printer status changed. Event ID 703 - Printer object added. Event ID 804 - Document resumed for printing. Event ID 805 - Printer driver was installed. `Applications and Services Logs -> Microsoft -> Windows -> PrintService -> Operational` Event ID 808 - Printer driver was installed. Event ID 843 - The print spooler failed to import the printer driver. Event ID 1000 - Document print started. Event ID 1001 - Document was printed. Event ID 1100 - Printer was added. Event ID 1101 - Printer was deleted. Event ID 1200 - Print spooler service started. Event ID 1201 - Print spooler service stopped.