An Explanation of EMF and Print Spooler Files
Looking at the data a suspect has printed can be done by locating any EMF (Enhanced Metafile) data stored on the drive. How this is done depends on the operating system; the method is described in the Intermediate Training Manual. Here are a few more observations that you should be aware of.
In Windows 98 the spooler files (SPL) give the name and location of a temp file. This temp file holds the EMF data that was printed, so it is just a case of locating that temp file, highlighting the header and choosing to view it as a Picture.
For Windows NT and Windows 2000 the SPL files contain the EMF data itself; it is just a matter of finding it. This is made easier if you know the exact header for the EMF, which will also help if you wish to search for an EMF file in unallocated space:
| OS | First seven bytes of the EMF header |
| W2k/NT | \x01\x00\x00\x00\x18\x17\x00 or \x01\x00\x00\x00\xC4\x36\x00 |
| XP | \x01\x00\x00\x00\x5C\x01\x00 |
You will notice that most of the header is the same except for the 5th and 6th bytes (these are the low two bytes of the header record's size field, which is why they vary between Windows versions). A good GREP keyword to search for in unallocated space, which leaves those two bytes as wildcards, would therefore be:
\x01\x00\x00\x00..\x00.{34,34}EMF
There are two things to keep in mind when dealing with SPL and EMF data:
No matter what OS you are running, when you look at a SPL file the word EMF will appear very early in the file. This is the " EMF" signature that sits 40 bytes into the EMF header, so if you position your cursor on the byte before the E of EMF (the space) and drag back for a length of 41, the byte where you end is the first byte of the EMF header (usually hex 01, the record type of the header record).
The SHD and SPL files created during the print process should share the same file name (usually a number such as 0004.SPL). However, it appears that the SPL file cannot be read without the SHD file; apparently the SHD file tells the spooler what print data type the SPL file holds (i.e. EMF or RAW). If both files are simply deleted the data can still be read from them. Once the SHD file has been overwritten, the corresponding SPL file becomes scrambled and can no longer be read.
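As an added example (this is not code from the article or from the training manual), the Python script below turns the GREP keyword and the 41-byte walk-back described above into an automated carve over a byte image such as a dump of unallocated space. It applies the keyword, confirms the " EMF" signature at offset 40 of each hit so that a stray "EMF" string is not mistaken for a header, reads the header size field whose low bytes are the version-specific 5th and 6th bytes, reads the total file size to know how much to carve, and checks that the carved region ends in an EMR_EOF record so a truncated or partly overwritten file is flagged. The header field offsets are those of the Windows EMF header; the "unallocated space" and the EMF files inside it are constructed inline for the demonstration.

```python
import re
import struct
from dataclasses import dataclass

# Constants from the EMF header (ENHMETAHEADER) and EMR record layout.
EMR_HEADER = 1                    # iType of the first record in every EMF
EMR_EOF = 14                      # iType of the last record in every EMF
ENHMETA_SIGNATURE = 0x464D4520    # " EMF" little-endian, found at header offset 40

# The article's GREP keyword as a Python bytes regex.  re.DOTALL matters:
# without it '.' refuses to match 0x0A, so any header whose bounding
# rectangles happen to contain a byte of 10 would be silently missed.
EMF_KEYWORD = re.compile(rb"\x01\x00\x00\x00..\x00.{34}EMF", re.DOTALL)


@dataclass
class EmfHit:
    offset: int        # where the EMR_HEADER record starts in the image
    header_size: int   # nSize; its low bytes are the version-specific bytes 5 and 6
    total_bytes: int   # nBytes; length of the whole metafile as written
    records: int       # nRecords
    complete: bool     # True when an EMR_EOF record closes the carved region


def parse_header(buf: bytes, off: int):
    """Validate the EMF header at buf[off]; return (nSize, nBytes, nRecords) or None."""
    if len(buf) - off < 88:        # the fixed part of the header is 88 bytes
        return None
    itype, nsize = struct.unpack_from("<II", buf, off)
    signature, _version, nbytes, nrecords = struct.unpack_from("<IIII", buf, off + 40)
    if itype != EMR_HEADER or signature != ENHMETA_SIGNATURE:
        return None                # keyword hit, but not a real header
    if nsize < 88 or nbytes < nsize + 20 or nrecords < 2:
        return None                # must at least hold a header and an EMR_EOF
    return nsize, nbytes, nrecords


def ends_with_eof(body: bytes) -> bool:
    """EMR_EOF ends with nSizeLast (its own size), so walk back from the last DWORD."""
    if len(body) < 20:
        return False
    size_last = struct.unpack_from("<I", body, len(body) - 4)[0]
    if size_last < 20 or size_last > len(body):
        return False
    itype, nsize = struct.unpack_from("<II", body, len(body) - size_last)
    return itype == EMR_EOF and nsize == size_last


def carve_emf(image: bytes) -> list:
    """Find every EMF header in an image (e.g. unallocated space) and size each file."""
    hits = []
    for m in EMF_KEYWORD.finditer(image):
        parsed = parse_header(image, m.start())
        if parsed is None:
            continue
        nsize, nbytes, nrecords = parsed
        body = image[m.start():m.start() + nbytes]
        complete = len(body) == nbytes and ends_with_eof(body)
        hits.append(EmfHit(m.start(), nsize, nbytes, nrecords, complete))
    return hits


def build_emf(header_size: int) -> bytes:
    """Construct a minimal, structurally valid EMF for the demo (not real print data)."""
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 0, 20)    # EMR_EOF record, nSizeLast = 20
    nbytes = header_size + len(eof)
    hdr = struct.pack("<II", EMR_HEADER, header_size)
    hdr += struct.pack("<4i", 0, 0, 10, 10)             # rclBounds; 10 = 0x0A, hence DOTALL
    hdr += struct.pack("<4i", 0, 0, 2540, 2540)         # rclFrame in 0.01 mm units
    hdr += struct.pack("<IIII", ENHMETA_SIGNATURE, 0x10000, nbytes, 2)
    hdr += struct.pack("<HH", 1, 0)                     # nHandles, sReserved
    hdr += struct.pack("<III", 0, 0, 0)                 # nDescription, offDescription, nPalEntries
    hdr += struct.pack("<ii", 1024, 768)                # szlDevice
    hdr += struct.pack("<ii", 320, 240)                 # szlMillimeters
    hdr += b"\x00" * (header_size - len(hdr))           # description / pixel-format area
    return hdr + eof


FILLER = b"\xAA\x55" * 64   # constructed filler standing in for unallocated space


def sample_unallocated() -> bytes:
    """Constructed 'unallocated space': two EMFs, filler, and a decoy that only looks like one."""
    xp_style = build_emf(0x015C)      # nSize bytes 5C 01 00 00, the XP row of the table above
    minimal = build_emf(88)           # smallest legal header; the generic keyword still finds it
    decoy = b"\x01\x00\x00\x00\x58\x00\x00" + b"\x00" * 34 + b"EMF" + b"\x00" * 40
    return FILLER + xp_style + FILLER + decoy + FILLER + minimal + FILLER


if __name__ == "__main__":
    for hit in carve_emf(sample_unallocated()):
        print(hit)
```

Run against a real image, the same `carve_emf` call lists each header's offset and declared length; a hit whose `complete` flag is False is the case the last point above warns about, where the file was found but part of it has already been overwritten.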