Jump to content


Photo
- - - - -

Data Recovery from Printer Hard Drives


  • Please log in to reply
11 replies to this topic

#1 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 02 June 2010 - 07:41 PM

http://articles.merc...-be-stolen.aspx

In this video they point out that some 'digital copiers' have hard drives that make images of each fax sent and document that has been copied.

Its an intersting video but I think they're using some scare tactics. Im interested in finding out what model printers have drives in them. Im also curious as to what file system the printers use to store data.

Can anyone shead some light on ths subject?

#2 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 02 June 2010 - 09:40 PM

http://articles.mercola.com/sites/articles/archive/2010/05/29/waring--how-your-digital-copier-can-cause-your-identity-to-be-stolen.aspx

In this video they point out that some 'digital copiers' have hard drives that make images of each fax sent and document that has been copied.

Its an intersting video but I think they're using some scare tactics. Im interested in finding out what model printers have drives in them. Im also curious as to what file system the printers use to store data.

Can anyone shead some light on ths subject?

this is very interesting... i may have to take the $300 that i was going to spend on a nettop and invest in one of these digital copiers.. i wonder what free forensic software that is available on the internet would be able to obtain the information contained on the hard drives...

#3 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 02 June 2010 - 11:17 PM


http://articles.merc...-be-stolen.aspx

In this video they point out that some 'digital copiers' have hard drives that make images of each fax sent and document that has been copied.

Its an intersting video but I think they're using some scare tactics. Im interested in finding out what model printers have drives in them. Im also curious as to what file system the printers use to store data.

Can anyone shead some light on ths subject?

this is very interesting... i may have to take the $300 that i was going to spend on a nettop and invest in one of these digital copiers.. i wonder what free forensic software that is available on the internet would be able to obtain the information contained on the hard drives...



Photorec comes to mind. It all really depends on what kind of file system the printer uses. Im going to make an educated guess and say the majority are going to be a FAT file system, but cant say for sure untill I find out what spicific printers have these built in hard drives (hopefully the manual for the printer will tell us)


Edit: 300 bux isnt bad even if they've zero'd the hard drive (cuz you still get a printer!)

Edited by Afterm4th, 02 June 2010 - 11:18 PM.


#4 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 03 June 2010 - 12:55 AM

Edit: 300 bux isnt bad even if they've zero'd the hard drive (cuz you still get a printer!)

thats what i was thinking... but being how it appears most of this equiptment is leased, i do not see many companies paying much attention to wiping the drive, if they even know of its existence... seems like this brings dumpster diving for information to a whole different level - since you do not need to get dirty, and are guaranteed to get many docs... if only there were a way to get a printer used previously by whatever target you are attempting to obtain information from (since many are leased it would be difficult to purchace directly from the target, although i am sure some are owned by the company using them, and may be sold or auctioned to the public)

#5 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Country:
  • Gender:Male
  • Location:Philly

Posted 03 June 2010 - 02:08 AM

but being how it appears most of this equiptment is leased, i do not see many companies paying much attention to wiping the drive, if they even know of its existence


I've worked on a lot of these machines. Especially, the larger ones that you see at a Staples or FedexKinkos or Office Depot copy and print centers. There are a ton of uses for these drives as have been delineated. On the larger machines for instance they are often networked into the office so that users can not just print to them but also use them almost like industrial scanners. Therefore their primary use is just as a relatively massive memory dump. The firmware/OS for these machines are usually in EPROMs so they don't use them like you might think as in a PC.

The file systems on the machines I've worked with are FAT16 with many of them using FAT12 for external memory devices such as a thumb drive. Often time when you upgrade the firmware you'll do it through a thumbdrive but you have to format it as FAT12...I know it wastes a ton...but the the firmware is usually only in the few megabyte range...far lower than you would think especially for the larger machines. When you port jobs over it is generally done through the network so it doesn't become a user issue.

As to the security, believe it or not, for the big machines the manufactures are keen on it. It is typically an "up sell" to a customer and I've had to install a lot of those packages. What will happen is that, say you scan in a job, after it is complete it will "securely" erase the data, meaning that they not only "erase" the data, which we know is not really erased, but will write over it. It will do it automatically and you have to wait until it is complete to use the machine. They've also thought about hardware hacks. For instance, on some models if you remove the secure EPROMs and just put they back- the machine won't work! You have to BUY a new security package...I had that experience on one machine I was working on. Nobody told me!! Doah! They had to order a new set of security EPROMs...took a couple days. Customer was not happy. Some include working memory or RAM rewrites too so that an attacker cannot pull the chips out and try to read the state as well as security communication between itself- image say from a programming perspective the output of a function sent to another function is encrypted and then decrypted when it arrives as data for another function.

So believe it or not some of those big all in one machines are very secure and meet DOD and other government standards for data security. Obviously, the consumer models you buy at Staples are far more vulnerable as some of these "security packages" cost 5-10 grand.


#6 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 03 June 2010 - 03:52 AM


but being how it appears most of this equiptment is leased, i do not see many companies paying much attention to wiping the drive, if they even know of its existence


I've worked on a lot of these machines. Especially, the larger ones that you see at a Staples or FedexKinkos or Office Depot copy and print centers. There are a ton of uses for these drives as have been delineated. On the larger machines for instance they are often networked into the office so that users can not just print to them but also use them almost like industrial scanners. Therefore their primary use is just as a relatively massive memory dump. The firmware/OS for these machines are usually in EPROMs so they don't use them like you might think as in a PC.

The file systems on the machines I've worked with are FAT16 with many of them using FAT12 for external memory devices such as a thumb drive. Often time when you upgrade the firmware you'll do it through a thumbdrive but you have to format it as FAT12...I know it wastes a ton...but the the firmware is usually only in the few megabyte range...far lower than you would think especially for the larger machines. When you port jobs over it is generally done through the network so it doesn't become a user issue.

As to the security, believe it or not, for the big machines the manufactures are keen on it. It is typically an "up sell" to a customer and I've had to install a lot of those packages. What will happen is that, say you scan in a job, after it is complete it will "securely" erase the data, meaning that they not only "erase" the data, which we know is not really erased, but will write over it. It will do it automatically and you have to wait until it is complete to use the machine. They've also thought about hardware hacks. For instance, on some models if you remove the secure EPROMs and just put they back- the machine won't work! You have to BUY a new security package...I had that experience on one machine I was working on. Nobody told me!! Doah! They had to order a new set of security EPROMs...took a couple days. Customer was not happy. Some include working memory or RAM rewrites too so that an attacker cannot pull the chips out and try to read the state as well as security communication between itself- image say from a programming perspective the output of a function sent to another function is encrypted and then decrypted when it arrives as data for another function.

So believe it or not some of those big all in one machines are very secure and meet DOD and other government standards for data security. Obviously, the consumer models you buy at Staples are far more vulnerable as some of these "security packages" cost 5-10 grand.



Thank you for such a very informed post.


Is there any particular brand or model numbers more suspetable to a data-recovery style attack? Are there even ways of identifying a printer with a hard drive in it without looking at each individual manual?


I'm very interested in trying this out as a proof of concept

#7 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Country:
  • Gender:Male
  • Location:Philly

Posted 03 June 2010 - 04:14 AM

Any consumer model will be fine. Get one figure out how to open it up. When you work with printers there is always the "secret" way to get the covers off...its like a frickin puzzle. lol. But it really isn't that hard but taking the covers off just takes more time than it seems that it should. On most consumer models the main board and hard drive are usually next to each other...makes sense right as it connects right to the board. The trick to figuring out which side, left or right, that it is on is to find the fan. That is usually where it will be for obvious reasons.

The hard drives are usually PATA...not the SATA that you are used too. However, more advanced machines are actually starting to use 3.5 laptop SATA's but these are on the larger machines I was talking about earlier. Because they are PATA, that old computer that is running a nice striped down version of Linux you save for such projects will come in handy. Since at this point all you need to do is connect the hard drive to that old machine which is using PATA, mount it, and since it is a FAT drive you will be able to see what's on there.

Be advised many of the models you will experiment on the files will be RAW. The driver and software that connects to your computer usually will do the conversion to PDF, RTF, DOC, etc. That is the images you see, may just be RAW data images. You might have to research how the data is formated as RAW is just a generic moniker for data images that aren't using a well known format. Each manufacturer uses a different method.

Keep us filled in on your successes!


#8 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 03 June 2010 - 11:30 AM

Any consumer model will be fine. Get one figure out how to open it up. When you work with printers there is always the "secret" way to get the covers off...its like a frickin puzzle. lol. But it really isn't that hard but taking the covers off just takes more time than it seems that it should. On most consumer models the main board and hard drive are usually next to each other...makes sense right as it connects right to the board. The trick to figuring out which side, left or right, that it is on is to find the fan. That is usually where it will be for obvious reasons.

The hard drives are usually PATA...not the SATA that you are used too. However, more advanced machines are actually starting to use 3.5 laptop SATA's but these are on the larger machines I was talking about earlier. Because they are PATA, that old computer that is running a nice striped down version of Linux you save for such projects will come in handy. Since at this point all you need to do is connect the hard drive to that old machine which is using PATA, mount it, and since it is a FAT drive you will be able to see what's on there.

Be advised many of the models you will experiment on the files will be RAW. The driver and software that connects to your computer usually will do the conversion to PDF, RTF, DOC, etc. That is the images you see, may just be RAW data images. You might have to research how the data is formated as RAW is just a generic moniker for data images that aren't using a well known format. Each manufacturer uses a different method.

Keep us filled in on your successes!


All fine and dandy.. but what you're saying is that _ANY_ consumer model printer will have a hard drive in it?

Once you find the file format of the drive you should easily be able to extract files with photorec

#9 m3747r0n

m3747r0n

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 400 posts
  • Country:
  • Gender:Male
  • Location:164.225.0.0

Posted 03 June 2010 - 02:27 PM

I would have thought unless it was one of those Xerox style photocopiers that are networked and replace the need for an additional laser printer a hard drive would be a waste of money from a manufacturing stand point, as you really only need a gigs at the very most if its a one user at a time unit, even with an auto-feeder for the document.

#10 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 03 June 2010 - 02:46 PM

I would have thought unless it was one of those Xerox style photocopiers that are networked and replace the need for an additional laser printer a hard drive would be a waste of money from a manufacturing stand point, as you really only need a gigs at the very most if its a one user at a time unit, even with an auto-feeder for the document.


Agreed, but that comes down to the original question: what are model numbers/and brand/types of printers that have these hard drives in them. In the video they were saying some Sharp printers had them.. but which series/model numbers?

#11 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Country:
  • Gender:Male
  • Location:Philly

Posted 03 June 2010 - 05:59 PM


I would have thought unless it was one of those Xerox style photocopiers that are networked and replace the need for an additional laser printer a hard drive would be a waste of money from a manufacturing stand point, as you really only need a gigs at the very most if its a one user at a time unit, even with an auto-feeder for the document.


Agreed, but that comes down to the original question: what are model numbers/and brand/types of printers that have these hard drives in them. In the video they were saying some Sharp printers had them.. but which series/model numbers?

You are right about the Sharps. Off the top of my head, the 3500N's, MX350/450...But these are big machines. These are not the types of machines you buy at best buy. For the general consumer models I'm not sure, but if you browse amazon, best buy's website this will be indicated as it is a sales point.

As to wasting space, yeah it may seem like a waste, especially if they are using FAT16 (only 4Gigs of space can be 'seen'), but they are getting them so cheap it doesn't really matter. It is cheaper and easier to use a hard drive with 40G's they got for 20 bucks or even less at their rates than to use a more advanced motherboard with more RAM slots and do everything in memory.


#12 mrscozhelper

mrscozhelper

    Will I break 10 posts?

  • Members
  • 2 posts
  • Country:
  • Gender:Female
  • Location:Phoenix

Posted 20 May 2014 - 07:21 PM

I saw your posts from the "Data Recovery from Printer Hard Drives" in 2010. I have a problem that you might be able to help me with. Do you know how to recover DELETED items from the recycle bin? If so...please tell me how!!!!!!!!!!!! These items are documents that were printed off and then sent to the recycle bin and then I deleted the contents of my recycle bin. I also printed out the documents before sending them to the recycle bin. So if you know how to pull them from the printer hard drive too that would be of great help as well!!!!!!!!!!!!!!!!!!!!!!! Keep in mind that I did all of this back in the beginning of April!
Thanks





BinRev is hosted by the great people at Lunarpages!