Date posted: 14-Sep-2014
Category: Technology
Module XL - Printer Forensics
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Inkjet Research Could Aid Forensics
Source: http://www.pcworld.com/
News: Particulate Emissions From Laser Printers
Source: http://www.sciencedaily.com/
Module Objective
This module will familiarize you with:
• Introduction to Printer Forensics
• Different Printing Modes
• Methods of Image Creation
• Printer Forensics Process
• Digital Image Analysis
• Document Examination
• Phidelity
• Cryptoglyph Digital Security Solutions
• DocuColor Tracking Dot Decoding
Module Flow
Introduction to Printer Forensics
Printer Forensics Process
Methods of Image Creation
Cryptoglyph Digital Security Solutions
Phidelity
Document Examination
Digital Image Analysis
Different Printing Modes
Printer Forensics
Introduction to Printer Forensics
Printer forensics refers to the investigation done on any printed document or the printer used to print the document
Investigation of the documents and printers will provide valuable information about a crime to the law enforcement agencies and intelligence agencies
In several cases, printed material is a direct accessory to criminal acts
• Examples include forgery or alteration of documents used for purposes of identity, security, or recording transactions
Printed material may be used in the course of conducting illicit or terrorist activities
• Examples include instruction manuals, team rosters, meeting notes, and correspondence
Different Printing Modes
Monochrome:
• A monochrome printer can only produce an image consisting of one color, usually black
Color printer:
• A color printer can produce images of multiple colors
Photo printer:
• A photo printer is a color printer that can produce images that mimic the color range and resolution of photographic methods of printing
Methods of Image Creation
Toner-based printers:
• Toner-based printers adhere toner to a light-sensitive print drum
• They use static electricity to transfer the toner to the printing medium, to which it is fused with heat and pressure
• Different toner-based printers are:
  • Laser printers use precise lasers to cause adherence
  • LED printers use an array of LEDs to cause toner adhesion
Inkjet printers:
• Inkjet printers spray small, precise amounts of ink onto the media
Methods of Image Creation (cont’d)
Impact printers:
• Impact printers rely on a forcible impact to transfer ink to the media, similar to typewriters, and are typically limited to reproducing text
• A daisy wheel printer is a specific type of impact printer where the type is molded around the edge of a wheel
Dot-matrix printers:
• Printers rely on a matrix of pixels, or dots, that together form the larger image
• The term is specifically used for impact printers that use a matrix of small pins to create precise dots
• It can produce graphical images in addition to text
Methods of Image Creation (cont’d)
Line printers print an entire line of text at a time
The two principal designs of line printers:
• Drum printers: A drum carries the entire character set of the printer repeated in each column that is to be printed
• Chain printers or train printers: The character set is arranged multiple times around a chain that travels horizontally past the print line
Methods of Image Creation (cont’d)
Digital Minilab:
• A digital minilab is a computer printer that uses traditional chemical photographic processes to make prints of digital images
• Photographs are input to the digital minilab using a built-in film scanner that captures images from negative and positive photographic films
Methods of Image Creation (cont’d)
Dye-sublimation printer:
• Dye-sublimation printer uses heat to transfer dye to the medium such as poster paper, plastic card, etc.
• It lays one color at a time with the help of a ribbon which has color panels
Spark printer:
• A spark printer uses a special paper coated with a layer of aluminum over a black backing, which is printed on by using a pulsing current onto the paper via two styli that move across on a moving belt at high speed
Printers with Toner Levels
Make/Model Toner
HP LaserJet 4300 72%
HP LaserJet 4350 72%
HP LaserJet 4350 72%
Xerox Phaser 5500DN 94%
Xerox Phaser 5500DN 31%
Xerox Phaser 5500DN 60%
Xerox Phaser 8550DP -
Parts of a Printer
A printer is comprised of:
• A print head with a print head connector
• A carriage with a carriage connector, which can detach the print head from the print head connector
• A driver for driving the print head
• A microprocessor for controlling the driver in accordance with an N-bit print head identification signal, wherein N is a positive integer
• A plurality of signal lines for connecting the microprocessor to the carriage connector
• A parallel-to-serial converter, which is disposed on the print head, for converting N parallel inputs into an N-bit print head identification signal
Printer Identification Strategy
Two strategies to identify a printer that was used to print a document:
Passive:
• Passive strategy involves characterizing the printer by finding intrinsic features in the printed document that are characteristic of that particular printer, model, or manufacturer's products
• This is referred to as the intrinsic signature
Active:
• In active strategy, an extrinsic signature is embedded in a printed page
• The extrinsic signature is obtained by modulating the process parameters in the printer mechanism to encode identifying information such as the printer serial number and date of printing
Printer Identification
[Figure: printer identification flow chart. Box labels: Unknown Document; Extra Characters; Individual Characters; Extra Features (Variance/Entropy, GLCM Features); Feature Vector per Character; SVM Classifier; Majority Vote; Output class]
Printer Forensics Process
Pre-processing
Printer Profile
Forensics
Ballistics
Pre-Processing
A printed document is first digitally scanned and saved in an uncompressed format
In the first stage, multiple copies of the same character are located in a scanned document
A user first selects a bounding box around a character of interest to serve as a template
To minimize the effect of luminance variations across printers, the intensity histograms of the characters are matched as follows:
• Select a random set of characters and average their intensity histograms to create a reference histogram so that the luminance variations across printers are minimized
• Each character’s intensity histogram is then matched to this reference histogram
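The histogram-matching step above, as an added example that is not part of the original module. The 4x4 glyph, the 8 grey levels and all function names are constructed for illustration, and CDF-based matching is one standard way to match a histogram; the slides do not say which method is used.

```python
# Added example: match each character's intensity histogram to a reference
# histogram built by averaging the histograms of a set of characters.

LEVELS = 8  # constructed: 8 grey levels keep the sample readable (scans use 256)


def histogram(img, levels=LEVELS):
    """Count pixels per grey level for an image given as rows of ints."""
    hist = [0] * levels
    for row in img:
        for px in row:
            hist[px] += 1
    return hist


def cdf(hist):
    """Cumulative distribution of a histogram, normalised to end at 1.0."""
    total, acc, out = sum(hist), 0, []
    for count in hist:
        acc += count
        out.append(acc / total)
    return out


def reference_histogram(chars, levels=LEVELS):
    """Average the intensity histograms of the selected character images."""
    hists = [histogram(c, levels) for c in chars]
    return [sum(col) / len(hists) for col in zip(*hists)]


def match_to_reference(img, ref_hist, levels=LEVELS):
    """Remap grey levels so the image's CDF follows the reference CDF."""
    src, ref = cdf(histogram(img, levels)), cdf(ref_hist)
    lut, h = [], 0
    for g in range(levels):
        # smallest reference level whose cumulative share covers this level's
        while h < levels - 1 and ref[h] < src[g] - 1e-12:
            h += 1
        lut.append(h)
    return [[lut[px] for px in row] for row in img]


def render(mask, ink, paper):
    """Constructed scan: the same glyph mask with a printer-specific ink/paper level."""
    return [[ink if bit else paper for bit in row] for row in mask]


# Constructed glyph mask (1 = ink) and two "scans" that differ only in luminance.
GLYPH = [[0, 1, 1, 0],
         [1, 0, 0, 1],
         [1, 0, 0, 1],
         [0, 0, 0, 0]]
SCAN_A = render(GLYPH, ink=1, paper=5)   # darker device
SCAN_B = render(GLYPH, ink=3, paper=7)   # brighter device

if __name__ == "__main__":
    ref = reference_histogram([SCAN_A, SCAN_B])
    for name, scan in (("A", SCAN_A), ("B", SCAN_B)):
        print(name, match_to_reference(scan, ref))
```

After matching, the two scans carry the same grey levels, so any remaining differences between characters come from the print degradation rather than from overall brightness.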
Printer Profile
Once the characters are aligned properly, a profile is constructed based on the degradation introduced by the printer
Based on the complex nature of degradation, a data driven approach is used to characterize the degradation
A principal components analysis is applied to the aligned characters to create a new linear basis that embodies the printer degradation
Forensics
In a forensics setting, determine if a part of the document has been manipulated:
• Splicing in portions from a different document
• Digitally editing a previously printed and scanned document and then printing the result
Ballistics
In a ballistics setting, determine if a document was printed from a specific printer
A printer profile is generated from a printer to determine if the document in question was printed from this printer
Assume that the printer profile is constructed from the same font family and size as the document to be analyzed
A Clustering Result of a Printed Page
[Figure: clustering result of a printed page, with regions labelled HP LaserJet and Xerox Phaser]
The printed page shows a clustered result of the HP LaserJet and Xerox Phaser
The top part of the page is printed with HP LaserJet 4350 and the bottom half was printed on a Xerox Phaser 5500DN
These documents are scanned, combined and printed on a HP LaserJet 4300 printer
A printer profile was created from 200 copies of the letter ‘a’
Printer profile is effective in detecting fakes composed of parts initially printed on different printers
Digital Image Analysis
The digital image analysis technique is used to analyze patterns generated in the printed document due to irregular movements by the print engine
The irregular movement causes lines to be printed across a page instead of solid smooth print, which is known as banding
The banding effect has been attributed to two causes:
• Fine banding is due to the imbalance of the rotor component of the polygon mirror or mechanical weaknesses of the laser scanning unit
• Rough banding is caused by unsteady motion of the photoconductor drum or the fuser unit
This banding can be used to link a document to the printer that produced it
Printout Bins
Printout bins are a staging area after a document has been printed
Each printout contains information about the related project and the user who printed the document
The bin contains information that uniquely identifies the user by name, PIN number, the user project number, and the date and/or time the printout was prepared, etc.
The bin access is allowed only if:
• Acceptable confidential user identification is presented
• At least one printout for that user is presently contained in the locked bin
Document Examination
Document examination is an important aspect in printer forensics to analyze the documents
Printed documents can be examined to:
• Determine whether the document is genuine or counterfeit
• Determine the way the document was generated
• Examine the machines used to print the document
The various factors considered by the document examiner:
• The paper type (physical properties, optical properties)
• Security features of the paper (e.g. watermark)
• Printing process used
• Verification of other digital evidence such as perforations
• Microscopic analysis reveals tiny imperfections which link one document to another
Document Examination (cont’d)
The different aspects of examination:
Altered or Obliterated Writing:
• The presence of physical alterations or obliterated writing can sometimes be determined, and the writing can sometimes be deciphered
• The manufacturer can sometimes be determined if a watermark is present
Examining date of document:
• Paper examination - the letterheads and watermarks of business or personal stationery will be modified from time to time by the manufacturer
• Typescript - comparison of typewritten documents produced by an organization over a period of time
Document Examination (cont’d)
Signature Examination
• Signature examinations generally involve the comparison of specimen (provable) signatures against questioned (disputed) signatures
• In signature comparison, the features of the questioned signature(s) - construction, shape, proportions and fluency - are assessed and then compared with the same features in the specimen signatures
Examining spur marks found on inkjet-printed documents
• Spur marks are tool marks created by the spur gears in the paper conveyance system of many inkjet printers
• The spur marks on the printed document are compared with the spur marks of known printers to establish the relationship between them
• The comparison of two spur marks is based on two characteristics: pitch and mutual distance
Services of a Document Examiner
The document examiner examines the document for any alterations, counterfeiting of document, and substitutions
The examiner conducts research related to the document
• The research includes finding of comparable documents to verify authenticity, paper used, type of printer, etc.
The examiner conducts tests on the documents to reach conclusions
The examiner prepares a review based on the outcome of the tested documents
Tamper-Proofing of Electronic and Printed Text Documents
Text documents should be tamper-proofed and authenticated in order to distribute them in electronic or printed forms
A text document authentication system aims at deciding whether a given text document is authentic or not
A text document tamper-proofing system aims at verifying the authenticity of a text document and indicating the local modifications, if the document is suspected to be a fake
Tamper-Proofing of Electronic and Printed Text Documents (cont’d)
There are three approaches to hash-based document authentication based on where the hash is stored:
• Hash storage in an electronic database
• Hash storage onto the document itself using auxiliary special means such as 2D bar codes, special inks or crystals, magnetic stripes, memory chips, etc.
• Hash storage onto the document's content itself using data-hiding techniques
Phidelity
Phidelity is a technology used to enhance the security of printed documents by providing layers of protection
Phidelity's Optical Watermark makes innovative use of normal printers to print visual covert and overt watermarks
It generates secure optical watermarks against various types of possible attacks while only using common desktop printers, eliminating the need of special inks or papers
Phidelity's Microprint is the creative use of printer capabilities to print small fonts
By printing important document information as Microprint, any casual copying of the original document will result in highly distorted text in the duplicates
Zebra Printer Labels to Fight Against Crime
Law enforcement agencies rely on Zebra printer labels for accurate and confidential printing needs when collecting important criminal evidence
Zebra printer labels help to identify criminal evidence more quickly with Zebra bar code printers
The labels can also produce ID badges (both for criminals and law enforcement) and keep track of criminal records confidentially and safely
Cryptoglyph Digital Security Solution
Cryptoglyph security process provides an invisible marking with standard ink and standard printing processes
It can be easily integrated into any current packaging production line or any document processing workflow before printing
Embed the invisible Cryptoglyph file in the prepress digital packaging image file or generate it before printing it with your document processing system
Cryptoglyph requires no packaging design or any page template modification
Case Study: Dutch Track Counterfeits via Printer Serial Numbers
Wilbert de Vries (WebWereld Netherlands) 26/10/2004 08:39:31
It appears that although consumers aren't aware of the hidden code on their color prints, government agencies are. And they are using this knowledge in their battle against counterfeiters -- with help from well-known printer manufacturers.
Security
Sources familiar with the printer industry confirm this built-in security is in fact a unique number that is printed on every color page. The code, in yellow, can be printed on a line as thin as 0.1 millimeter. With help from manufacturers like Canon, authorities can gather information about the printer used in counterfeit crimes. The number tells them in which country a specific printer has been delivered, and to what dealer. The dealer then can lead them to the local computer store where the printer was sold.
Success
"We are familiar with this research method," said Ed Kraszewski of the Dutch national police agency KLPD. "We are using it in our research and it has proven to be successful in the past." Even though the spokesman cannot detail what kind of successes or in what cases the agency is using this method now, anonymous sources confirm that the Dutch Railway Police, part of the KLPD, is investigating a gang that could be counterfeiting tickets on a large scale. As part of the research in this case, officers have tracked down the printer used to print the fake tickets. They are now trying to get the name of the person who bought the printer. A local distributor in the Netherlands was visited by two officers with specific questions about the printer. "Their research led them to our company," said the director of the big Dutch distributor, who wants to remain anonymous. "It concerned an investigation about counterfeit tickets. With the number they apparently found, they could see what engine was used. They knew exactly what printer was used and wanted to know to whom I had sold that specific printer." The company's records only revealed in what batch the printer had arrived. The police left the building with specific sales information about that batch, which contained about a hundred printers. The investigation is still running, according to a spokesman for the team investigating this matter.
Is Your Printer Spying On You?
Imagine that every time you printed a document, it automatically included a secret code that could be used to identify the printer - and potentially, the person who used it
In a purported effort to identify currency counterfeiters, the US government has succeeded in persuading some color laser printer manufacturers to encode each page with identifying information
For a list of printers with this tracking capability, please visit:
• http://www.eff.org/Privacy/printers/list.php
DocuColor Tracking Dot Decoding
The yellow dots become visible when the dot grid is viewed under 60x magnification
DocuColor Tracking Dot Decoding (cont’d)
Computer graphics software is used to overlay the black dots in the microscope image with larger yellow dots for clear visibility
DocuColor Tracking Dot Decoding (cont’d)
The topmost row and the left column are the parity row and column for error correction
It helps to verify the forensic information for correctness
The rows and columns have odd parity
DocuColor Tracking Dot Decoding (cont’d)
Columns are read from top to bottom as a single byte of seven bits; the bytes are then read from right to left. Columns from left to right have the following meanings:
15: Unknown (often zero; constant for each individual printer; may convey some non-user-visible fact about the printer's model or configuration)
14, 13, 12, 11: Printer serial number in binary-coded-decimal, two digits per byte (constant for each individual printer; see below)
10: Separator (typically all ones; does not appear to code information)
9: Unused
8: Year that page was printed (without century; 2005 is coded as 5)
DocuColor Tracking Dot Decoding (cont’d)
Columns are read from top to bottom as a single byte of seven bits; the bytes are then read from right to left. Columns from left to right have the following meanings:
7: Month that page was printed
6: Day that page was printed
5: Hour that page was printed (may be UTC time zone, or may be set inaccurately within printer)
4, 3: Unused
2: Minute that page was printed
1: Row parity bit (set to guarantee an odd number of dots present per row)
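A decoder for the column layout listed above, as an added example that is not part of the original module. Assumptions: column 1 is the leftmost (row-parity) column, the top data row is the most significant of the seven bits, each serial byte holds a decimal value 00-99 with column 14 most significant, and the corner cell shared by the parity row and parity column is not checked, because an 8-row by 15-column grid cannot have odd parity in every row and every column at once. The sample grid is constructed.

```python
# Added example: verify parity and decode a 15x8 tracking-dot grid.
# grid[r][c-1] is 1 where a dot is present; row 0 is the column-parity row,
# column 1 (index 0) is the row-parity column (assumption, see lead-in).

ROWS, COLS = 8, 15
WEIGHTS = (64, 32, 16, 8, 4, 2, 1)  # assumption: top data row is the MSB


def build_grid(values):
    """Build a constructed grid from {column_number: 7-bit value} with odd parity."""
    grid = [[0] * COLS for _ in range(ROWS)]
    for col, val in values.items():
        for r, weight in enumerate(WEIGHTS, start=1):
            grid[r][col - 1] = 1 if val & weight else 0
    for r in range(1, ROWS):                      # row-parity dot in column 1
        grid[r][0] = (sum(grid[r][1:]) + 1) % 2
    for c in range(1, COLS):                      # column-parity dot in the top row
        grid[0][c] = (sum(grid[r][c] for r in range(1, ROWS)) + 1) % 2
    return grid


def column_value(grid, col):
    """Read the seven data rows of a 1-based column, top to bottom."""
    return sum(w for w, row in zip(WEIGHTS, grid[1:]) if row[col - 1])


def parity_errors(grid):
    """Return (rows, columns) whose dot count is even, i.e. fails odd parity.
    A single damaged cell shows up as exactly one row and one column."""
    bad_rows = [r for r in range(1, ROWS) if sum(grid[r]) % 2 == 0]
    bad_cols = [c for c in range(2, COLS + 1)
                if sum(grid[r][c - 1] for r in range(ROWS)) % 2 == 0]
    return bad_rows, bad_cols


def decode(grid):
    """Decode the fields named on the slides; values are reported as stored."""
    bad_rows, bad_cols = parity_errors(grid)
    v = {c: column_value(grid, c) for c in range(2, COLS + 1)}
    return {
        "parity_ok": not bad_rows and not bad_cols,
        "bad_rows": bad_rows,
        "bad_cols": bad_cols,
        "serial": "".join(f"{v[c]:02d}" for c in (14, 13, 12, 11)),
        # (year without century, month, day, hour, minute)
        "printed": (v[8], v[7], v[6], v[5], v[2]),
        "separator": v[10],
        "unknown": v[15],
    }


# Constructed sample: serial 21052857, printed 21 June (20)05 at 12:50.
SAMPLE_VALUES = {15: 0, 14: 21, 13: 5, 12: 28, 11: 57, 10: 127,
                 8: 5, 7: 6, 6: 21, 5: 12, 2: 50}
SAMPLE = build_grid(SAMPLE_VALUES)

if __name__ == "__main__":
    print(decode(SAMPLE))
    damaged = [row[:] for row in SAMPLE]
    damaged[3][13] ^= 1                 # one misread dot in column 14
    print(parity_errors(damaged))       # row and column of the damaged cell
```

A decode whose `parity_ok` is false should not be relied on; the failing row and column point at the cell to re-examine under magnification.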
Tools
Print Spooler Software
Print Spooler prints the document to the intended printer when the printer is ready
It frees system resources to perform other tasks while the Line Printer Requester (LPR) print spooler performs the printing process
It sends the job to the print queue for processing
It manages the printing process
Spooling prepares a file for printing, emailing, or sending to a device or system which is presently occupied by other tasks
Investigating Print Spooler
For each print job on Windows XP, the files found in the C:\Windows\System32\spool\Printers folder are:
• .SPL - the spool file contains the print job's spool data
• .SHD - the shadow file contains the job settings
To view the metadata of the print job, use the PA Spool View tool
To view the spooled pages, use the EMF Spool View tool
Enhanced metafiles provide true device independence
Enhanced metafiles are standardized, which allows pictures stored in this format to be copied from one application to another
Check the spool folder location of a specific printer by opening the registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\<printer>
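An inventory of a copied spool folder that pairs each job's .SPL and .SHD files and records their hashes, as an added example that is not part of the original module. The file names, file contents and function names are constructed; the script only reads files and is meant to be run against a working copy of the folder.

```python
# Added example: pair .SPL/.SHD files per print job and hash them for the case notes.
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large spool files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory_spool(spool_dir):
    """Return {job_stem: {"SPL": info or None, "SHD": info or None}}."""
    jobs = {}
    for path in sorted(Path(spool_dir).iterdir()):
        ext = path.suffix.upper().lstrip(".")
        if not path.is_file() or ext not in ("SPL", "SHD"):
            continue
        stat = path.stat()
        info = {
            "name": path.name,
            "size": stat.st_size,
            "modified_utc": datetime.fromtimestamp(
                stat.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        }
        jobs.setdefault(path.stem.upper(), {"SPL": None, "SHD": None})[ext] = info
    return jobs


def incomplete_jobs(jobs):
    """Jobs where only one half of the .SPL/.SHD pair survives."""
    return sorted(stem for stem, pair in jobs.items()
                  if pair["SPL"] is None or pair["SHD"] is None)


def make_constructed_spool_dir():
    """Create a temporary folder with constructed placeholder spool files."""
    root = Path(tempfile.mkdtemp(prefix="spool_copy_"))
    (root / "00002.SPL").write_bytes(b"constructed spool data")
    (root / "00002.SHD").write_bytes(b"constructed job settings")
    (root / "00003.SHD").write_bytes(b"settings without spool data")
    (root / "notes.txt").write_bytes(b"ignored")
    return root


if __name__ == "__main__":
    found = inventory_spool(make_constructed_spool_dir())
    for stem, pair in found.items():
        for kind, info in pair.items():
            print(stem, kind, info["sha256"] if info else "missing")
    print("incomplete:", incomplete_jobs(found))
```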
Printer Tools
iDetector is an effective tool to visually compare inspected documents and products with genuine ones
Print Inspector lets you manage the print jobs queued to any shared printer and provides easy access to the printer and print server settings
Tool: EpsonNet Job Tracker
http://www.business-solutions.epson.co.uk/
EpsonNet Job Tracker is a web-based application software
It gives a clear picture of what is being printed, where and by whom, thereby helping you control your printing costs
Benefits of EpsonNet Job Tracker:
• Monitors and analyzes network printer activity
• Controls access to color, keeps costs down
• Manages print resources, improves network traffic
• Defines printer activity, calculates, assigns and recovers costs
• Sends reports automatically to departments and managers
• Controls by time of day, type of printing, number of pages
Summary
Printer forensics refers to the investigation done on any printed document or the printer used to print the document
Investigation of the documents and printers will provide valuable information for the law enforcement agencies and intelligence agencies
Different printing modes are monochrome, color printer, and photo printer
Methods used for Image Creation are: Toner-based printers, Inkjet printers, Impact printers, Dot-matrix printers, Line printers, Digital Minilab, Dye-sublimation printer, and Spark printer
A printed document is first digitally scanned and saved in an uncompressed format
Method and system for identifying and facilitating access to computer printouts contained in an array of printout bins