Analysis of the forensic traces left by AirPrint in Apple iOS devices
Luis Gómez-Miralles, Joan Arnedo-Moreno
Internet Interdisciplinary Institute (IN3)
Universitat Oberta de Catalunya
Carrer Roc Boronat, 117, 7a planta, 08018 Barcelona, Spain
{pope, jarnedo}@uoc.edu
Abstract—Since their presentation by Apple, both the iPhone and iPad devices have achieved great success and gained widespread popularity. This fact, added to the idiosyncrasies of these new portable devices and the kind of data they may store, opens new opportunities in the field of computer forensics. In 2010, version 4 of their operating system (iOS) introduced AirPrint, a simple and driverless wireless printing functionality supported by some network printers. This paper presents an analysis of the traces left by AirPrint and assesses whether it is feasible to recover them in the context of a forensic investigation.
Keywords: Forensics, iPad, iPhone, iOS, Cybercrime, AirPrint, Apple
I. INTRODUCTION
Information technologies have grown rapidly in the last decades, changing the way we live, work, and communicate. Portable devices such as smartphones and tablets have evolved from simple phones and agendas into literally full-fledged, always-online computers that fit in our pockets, containing huge amounts of valuable data about us: contacts, calendar, e-mails, photographs, as well as a pile of logs: phone calls, chats, geographic positions, etc.
The practice of digital forensics has needed to adapt quickly to emerging mobile technologies. We once had a homogeneous personal computer market, dominated by a few Windows versions, with minor representation of Mac OS or Unix-based systems. Now the most personal devices, the ones that always accompany their users and are more likely to contain sensitive information, run software environments which simply did not exist a few years ago, namely Android and iOS. Furthermore, because of the competitive nature of the market, each new version of these systems adds new functionality in order to appeal to a greater set of users and thus become their device of choice. Some of these new features, however, handle personal user data and are worth analyzing from a forensic investigation standpoint.
This paper focuses on Apple iOS devices (namely, iPhone, iPad and iPod Touch) and, specifically, their capability to print wirelessly to compatible printers using the AirPrint technology, presented by Apple in late 2010 [1]. This paper analyzes this relatively recent feature and determines whether using AirPrint to print a document leaves some kind of trace in the iOS device itself which may be open to subsequent forensic analysis, leaving personal user data exposed without the user's knowledge. Given the popularity and acceptance of iOS based devices [2], any available process that allows user data to be recovered becomes especially relevant from both a computer forensics and a privacy standpoint.
As far as the authors can tell, there has been no research on how AirPrint works behind the scenes and the forensic traces it may leave. Several authors have reviewed the existing, mostly commercial, forensic investigation tools for iOS based devices [3], [4]. However, analysis of AirPrint activity does not seem to be covered by any of the software solutions available for iOS devices. In fact, it may seem odd that something as basic as document printing has been left out of the forensic analysis of mobile devices so far. One must consider, however, that mobile operating systems have lacked common printing frameworks until quite recently. Apple incorporated AirPrint into iOS in late 2010, whereas Android was not provided with printing capabilities until early 2011, through Google Cloud Print [5].
This paper is structured as follows. First, Section II presents AirPrint and its mode of operation from both a user's and a technical standpoint. The results of the analysis of forensic traces left by AirPrint are shown in Section III. Then, Section IV assesses the recoverability of such traces and what kind of useful information may be obtained from them. Finally, Section V summarizes the paper's contributions and outlines further work.
II. DESCRIPTION OF AIRPRINT NETWORK PRINTING
Briefly explained, AirPrint is an iOS feature that allows applications to send content to printers using the iOS device's wireless connection. Directly quoting Apple [1]: 'AirPrint automatically finds printers on local networks and can print text, photos and graphics to them wirelessly over Wi-Fi without the need to install drivers or download software'.
Apple announced AirPrint in September 2010. Two months later, iOS 4.2 was released for the iPhone, iPad and iPod Touch, being the first iOS version to offer this feature to users. Its standard functionality allows printing only to specific, AirPrint-enabled printers. Nevertheless, as of January 2012, there are more than one hundred AirPrint-enabled printers on the market, from five major vendors (Brother, Canon, Epson, HP and Lexmark) [6]. Apple does not support sharing a conventional printer via the computer it is connected to, even though this was possible with some Mac OS X 10.6.5 beta versions; however, it can be done by using software tweaks such as AirPrintActivator [7].

2013 27th International Conference on Advanced Information Networking and Applications Workshops
978-0-7695-4952-1/13 $26.00 © 2013 IEEE
DOI 10.1109/WAINA.2013.40
Long before the introduction of AirPrint, different solutions [8], [9] tried to fill this gap. Usually, such solutions involved iOS applications capable of opening different file formats and sending them to a desktop computer running a companion application, which would in turn send the document to the printer itself. Some printer vendors developed specific clients; however, none of these solutions ever became widespread among users. Currently, with AirPrint working out of the box and available to any application that adopts it, it is hard to believe that new users will consider using a specific, usually paid, application to handle printing, except perhaps in some very particular environments, such as cases where the use of this kind of application was consolidated before AirPrint was launched, or where advanced capabilities are required by power users.
From a user's standpoint, Figure 1 summarizes the printing process, showing the screens it is actually possible to interact with, as seen on an iPhone.
Fig. 1. Step-by-step AirPrint options screen on an iPhone.
On the client side (iOS device), AirPrint-enabled applications contain a "Print" button that, when pressed, presents an extremely simple menu (Figure 1, (a)) with only a handful of options:
1) Printer: opens a list of all AirPrint-enabled printers found on the local network, showing a "name" and "description" field for each one.
2) Range (optional): defaulting to "all pages", opens a selector which lets the user choose a range of pages to be printed rather than the whole document.
3) Copies: specifies the number of copies to be printed.
4) Depending on the printer's features, additional parameters such as duplex printing can be controlled.
5) Print: sends the job to the printer.
The user cannot specify any other kind of information usually available in printing menus, such as paper size or orientation, printing quality, etc. Everything is handled automatically by AirPrint, using default options. When the user chooses to "Print" the job, the device shows some brief messages ('Contacting Printer'; 'Preparing page (...) of (...)'; 'Sending to Printer'). Depending on how long the print job is, these messages may be barely visible or may last for several seconds.
After the job has been sent to the printer, the printing menu disappears and the application returns to its previous state. At this point, invoking the list of recently used applications by double-clicking the device's "Home" button reveals a Print Center application (Figure 1, (b)). Unless the user somehow knows this application has started running in the background, it may be difficult to find, since no active feedback is provided during the printing process; it is thus invisible at a casual glance.
Opening the Print Center application, the user can see the list of running and pending print jobs, check their details and cancel them (Figure 1, (c)). When the last job finishes, i.e. the moment the printer ejects the last page, the application closes and no longer appears in the list of recently used applications. As far as is known, there is no way to open the Print Center as a standalone application; it is only executed while there are jobs being printed.
From a technical standpoint, AirPrint is known to use the standard IPP protocol at the network level for printer management, and Bonjour/Zeroconf [10] for service discovery. A comprehensive description of the printing architecture and its underlying API in iOS devices can be found in [11].
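The service discovery step described above, written out as an added example (this is not code from the paper, from Apple or from any printer vendor): it builds the DNS-SD browse query for _ipp._tcp.local that a client multicasts to 224.0.0.251:5353, parses an mDNS response, and correlates the PTR, SRV and TXT records into per-printer entries. The response bytes are constructed inline rather than captured; the instance name, hostname and TXT values are assumptions modelled on the paper's HP Photosmart 5510, and flagging a printer as AirPrint-capable by the URF TXT key plus image/urf in pdl follows the commonly documented AirPrint advertisement convention, which the paper itself does not describe.

```python
"""DNS-SD browse for IPP printers (added example, not code from the paper).
A client multicasts a PTR query for _ipp._tcp.local to 224.0.0.251:5353; each
printer answers with a PTR for its service instance plus SRV (host, port) and
TXT (queue, supported PDLs, ...) records describing that instance."""
import struct

TYPE_PTR, TYPE_TXT, TYPE_SRV = 12, 16, 33
CLASS_IN, CACHE_FLUSH, QU_BIT = 0x0001, 0x8000, 0x8000
SERVICE = "_ipp._tcp.local"

def encode_name(name):
    """DNS wire-format name: length-prefixed labels, no compression."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_ptr_query(service=SERVICE, unicast=False):
    """Browse query as sent to the mDNS group: id 0, flags 0, one PTR question
    (the QU bit asks for a unicast reply)."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN | (QU_BIT if unicast else 0))

def decode_name(msg, off):
    """Read a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_records(msg):
    """Return [(name, type, decoded rdata)] for all answer/authority/additional RRs."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, records = 12, []
    for _ in range(qd):                                # skip the question section
        off = decode_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_PTR:
            value = decode_name(msg, off)[0]
        elif rtype == TYPE_SRV:                        # priority, weight, port, target
            value = (struct.unpack("!HHH", rdata[:6])[2], decode_name(msg, off + 6)[0])
        elif rtype == TYPE_TXT:                        # length-prefixed key=value strings
            value, p = {}, 0
            while p < rdlen:
                n = rdata[p]
                key, _, val = rdata[p + 1:p + 1 + n].decode().partition("=")
                value[key] = val
                p += 1 + n
        else:
            value = rdata
        records.append((name, rtype, value))
        off += rdlen
    return records

def airprint_printers(msg):
    """Correlate PTR -> SRV/TXT per instance. Flags a printer as AirPrint-capable when
    it advertises the URF TXT key and image/urf in pdl (assumed AirPrint convention)."""
    recs = parse_records(msg)
    found = {}
    for inst in (v for n, t, v in recs if t == TYPE_PTR and n == SERVICE):
        port, host = next((v for n, t, v in recs if t == TYPE_SRV and n == inst), (None, None))
        txt = next((v for n, t, v in recs if t == TYPE_TXT and n == inst), {})
        pdls = [p for p in txt.get("pdl", "").split(",") if p]
        found[inst] = {"host": host, "port": port, "queue": txt.get("rp"), "model": txt.get("ty"),
                       "pdl": pdls, "airprint": "URF" in txt and "image/urf" in pdls}
    return found

def build_response(instance, host, port, txt, ttl=4500):
    """Constructed mDNS answer used as offline sample input (no real printer involved)."""
    def rr(name, rtype, rdata, flush=True):
        cls = CLASS_IN | (CACHE_FLUSH if flush else 0)
        return encode_name(name) + struct.pack("!HHIH", rtype, cls, ttl, len(rdata)) + rdata
    fqdn = instance + "." + SERVICE
    return (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 2)    # authoritative response, 1 answer + 2 additional
            + rr(SERVICE, TYPE_PTR, encode_name(fqdn), flush=False)
            + rr(fqdn, TYPE_SRV, struct.pack("!HHH", 0, 0, port) + encode_name(host))
            + rr(fqdn, TYPE_TXT, b"".join(bytes([len(kv)]) + kv.encode() for kv in txt)))

# Constructed sample; instance name, host and TXT values are assumptions modelled on the paper's printer.
SAMPLE_RESPONSE = build_response(
    "HP Photosmart 5510 [ABC123]", "HPABC123.local", 631,
    ["txtvers=1", "rp=ipp/print", "ty=HP Photosmart 5510",
     "pdl=application/pdf,image/urf,image/jpeg", "URF=CP1,RS600,W8", "Color=T"])

if __name__ == "__main__":
    for name, info in airprint_printers(SAMPLE_RESPONSE).items():
        print(name, info)
```

On a live network the same parser can be fed the datagrams received on UDP 5353 after sending build_ptr_query() to the multicast group; the TXT record is also where an investigator learns the queue path (rp) that is later combined with the SRV host and port into the printer-uri used by IPP.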
III. ANALYSIS OF FORENSIC TRACES
This section presents the preliminary information that must be considered before a more in-depth forensic investigation may proceed: mainly, assessing which traces are left by the AirPrint subsystem, how they can be discovered, how they behave and which useful information can be obtained from them. All this information was discovered through some basic experiments.
A. Preliminary setup
The following equipment was used for all the analysis and tests throughout this paper:
1) iOS devices: iPhone 3G (8 GB, iOS 4.2.1, multitasking enabled) and iPhone 4 (16 GB, iOS 4.3.3 and 5.0.0), both jailbroken with redsn0w.
2) AirPrint-enabled printer: HP Photosmart 5510.
3) Two laptops with 802.11 wireless connectivity.
The iPhone 3G was used so that it would be possible to dump and analyze the filesystem without being affected by the filesystem encryption policy enforced on newer devices. Nevertheless, Bedrune and Sigwald published details about iOS data protection and shortly afterwards released the tools and source code capable of breaking this encryption [12]. The device was jailbroken in order to gain root access and install an SSH server and basic UNIX tools.
Given that iOS only allows the device to run code signed by Apple (downloaded from the App Store), jailbreaking was used in the tests to bypass that restriction in order to have full access to the devices and be able to run shell commands on them. The jailbreak process is exempted from the anti-circumvention provisions of the U.S. Digital Millennium Copyright Act [13], and it has been very useful for forensic research in the past [14], [15].
AirPrint depends on the multitasking capabilities of the device. In fact, Apple disabled this feature on some devices in iOS 4, citing performance issues. However, it is possible to enable it during the jailbreak process using the redsn0w tool [16]. By doing so, the chosen device became the perfect testbed for the experiments: a small device (its 8 GB take about 3 hours to transfer via Wi-Fi), with no encryption, that supports AirPrint. The iPhone 4 was used to confirm that some of the findings still applied on newer devices and under iOS version 5.
For both environmental and budget reasons, best efforts were made to reduce costs and waste. Paper was reused by printing again and again over the same pages, and the life of print cartridges was extended well beyond the limits of readability. Some printers complain about low ink and refuse to continue printing even when they are still giving fairly decent results; luckily, the chosen model kept printing for a long time after the cartridge was empty, and only then presented a message warning about warranty issues when continuing to print with empty cartridges. Nevertheless, it was obviously necessary to throw away quite a lot of paper during the experiments, as well as quite a few ink cartridges. In any case, resources were recycled as much as possible.
B. Forensic traces left by AirPrint
Once a root shell is obtained, it is possible to invoke several commands before, during and after printing, comparing the results in order to look for remarkable differences. The following commands were executed on the iOS devices:
1) find / -type (b,c,d,f,l,p,s) for listing, respectively, all the block special devices, character special devices, directories, regular files, symbolic links, FIFOs, and sockets in the filesystem.
2) netstat -an -f inet for listing any current network connections. This shows active client-server activity, as well as inactive servers awaiting incoming requests.
3) ps aux for getting information about running processes.
By reviewing the lists of files and directories generated with the find commands explained above, it was observed that, when a device prints via AirPrint for the first time, the following folder is created:
/var/mobile/Library/com.apple.printd/
The moment a document is sent for printing, a new file named 1.pdf is created under this folder. After running additional tests, it was confirmed that this PDF file exists on disk only while the document is being printed. The moment the printer ejects the last page and considers the job finished, the PDF file is deleted. This is also the moment at which the Print Center application disappears from the list of recently used applications.
Printing some documents, copying the resulting temporary PDF files to another location before their deletion, and then examining them, is enough to find that these files are regular PDF files with the same content that is being sent to the printer (no matter whether it was originally in PDF format or not). Hence, an obvious trace is being left in the filesystem, and it reflects exactly what was printed.
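The before/during/after comparison used above, as an added example that is not part of the paper: it snapshots a directory tree (type, size, mtime and inode of every entry), diffs two snapshots, and drives the comparison with a constructed stand-in for /var/mobile in which the spool directory and 1.pdf are created and then removed in the sequence the paper reports. The directory contents and the PDF stub are constructed; nothing here touches a real device, and the short sleeps only exist because filesystem timestamps are coarse-grained.

```python
"""Before/during/after filesystem snapshots (added example, not from the paper).
The paper compared `find / -type ...` listings taken around an AirPrint job;
this does the same comparison over a directory tree, keying on size, mtime
and inode so that rewritten or truncated files surface alongside new ones."""
import os
import stat
import tempfile
import time

def snapshot(root):
    """Return {relative path: (kind, size, mtime_ns, inode)} for every entry under root."""
    seen = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)             # lstat: record the link itself, not its target
            except FileNotFoundError:
                continue                        # short-lived file vanished mid-walk (as 1.pdf does)
            if stat.S_ISDIR(st.st_mode):
                kind = "d"
            elif stat.S_ISLNK(st.st_mode):
                kind = "l"
            else:
                kind = "f"
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen[rel] = (kind, st.st_size, st.st_mtime_ns, st.st_ino)
    return seen

def diff(before, after):
    """Entries that appeared, disappeared or changed metadata between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

def simulate_print_job():
    """Constructed stand-in for /var/mobile: create the spool directory and 1.pdf the way
    the paper describes printd doing it, then remove 1.pdf as the job finishes.
    Returns (diff idle->printing, diff printing->finished)."""
    with tempfile.TemporaryDirectory() as root:
        prefs = os.path.join(root, "Library", "Preferences")
        os.makedirs(prefs)
        with open(os.path.join(prefs, "com.apple.example.plist"), "wb") as fh:
            fh.write(b"<plist/>")                  # unrelated file that must not show up in the diff
        idle = snapshot(root)
        time.sleep(0.05)                           # let coarse mtime granularity tick over

        spool = os.path.join(root, "Library", "com.apple.printd")
        os.makedirs(spool)
        with open(os.path.join(spool, "1.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4\n% constructed sample job\n%%EOF\n")
        printing = snapshot(root)
        time.sleep(0.05)

        os.remove(os.path.join(spool, "1.pdf"))   # printer ejected the last page
        finished = snapshot(root)
    return diff(idle, printing), diff(printing, finished)

if __name__ == "__main__":
    submitted, done = simulate_print_job()
    print("job submitted:", submitted)
    print("job finished: ", done)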
It must be noted that, in some of the preliminary tests, before the physical printer was available, a virtual PDF printer was set up on a Mac computer and shared, making it look like an AirPrint printer. It worked as expected: it was possible to print to it from an iPhone as well as an iPad. However, the "printing" of the document (in this case, the generation of a file on the hard drive of the Mac) was much shorter than the actual printing of a page through a real printer, with real ink and paper. This greatly reduces the chances of the temporary files being flushed from the buffer cache to physical disk in the iOS device before deletion, and hence their chances of recoverability. Therefore, to obtain accurate results, the experiments need to be performed with a real printer.
C. Properties of the AirPrint temporary files
From the execution of the different tests, the following rules were observed:
1) For every print job sent via AirPrint, a file named 1.pdf is created in the directory
/var/mobile/Library/com.apple.printd/
2) This file is in PDF format, containing the document sent to the printer. This behavior is consistent across internal iOS applications (Mail, Safari) as well as third-party ones (GoodReader, Papers, Keynote...). The only exception found is the iOS Photos app, which seems not to generate any temporary files on disk when printing, thus not leaving these traces.
3) The file 1.pdf is deleted as soon as the print job finishes. The timing observed indicates that this happens not just after the job has been submitted to the physical printer, but after the document has been completely printed.
4) When one job is being printed, subsequent jobs arriving in the queue generate files named 2.pdf, 3.pdf, etc. The behavior observed suggests that in iOS 4 the counter resets as soon as the queue is empty (if a new job arrives later it will be named 1.pdf again), whereas in iOS 5 the counter seems to keep increasing (each new job gets a higher number even if the queue is empty) until the device reboots.
5) When a job asks for more than one copy of the same document, the temporary PDF file contains only one copy of it. There is probably a command, sent from the device to the printer, indicating the number of copies wanted.
6) When a page range is specified, the temporary PDF file contains only this page range. There is an exception when some applications print files that are themselves PDFs, which is studied later in Section III-D.
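The hypothesis in item 5 (copies requested out of band rather than by duplicating the document) and the page range of item 6 both correspond to standard IPP job attributes. The following added example, which is not code from the paper, Apple or any printer vendor, encodes an IPP/2.0 Print-Job request in the RFC 8010 wire format with copies, page-ranges and sides as job attributes and the PDF carried once as the request body, then parses the request back. The printer URI, job name and PDF stub are constructed; whether iOS sends exactly these attributes is not something the paper establishes, and the example only shows how the protocol carries them.

```python
"""IPP Print-Job encoder/decoder (added example; RFC 8010 wire format).
Shows that the number of copies and the page range travel as job
attributes while the document itself is carried once in the request body."""
import struct

OP_PRINT_JOB = 0x0002
TAG_OPERATION, TAG_JOB, TAG_END = 0x01, 0x02, 0x03        # attribute-group delimiters
INTEGER, BOOLEAN, RANGE = 0x21, 0x22, 0x33                  # value tags
NAME, KEYWORD, URI, CHARSET, LANGUAGE, MIME = 0x42, 0x44, 0x45, 0x47, 0x48, 0x49

def _attr(tag, name, value):
    """One attribute: value-tag, name-length, name, value-length, value."""
    if tag == INTEGER:
        raw = struct.pack("!i", value)
    elif tag == BOOLEAN:
        raw = b"\x01" if value else b"\x00"
    elif tag == RANGE:
        raw = struct.pack("!ii", *value)            # lower, upper (inclusive)
    else:
        raw = value.encode("utf-8")
    return struct.pack("!BH", tag, len(name)) + name.encode() + struct.pack("!H", len(raw)) + raw

def build_print_job(printer_uri, document, copies=1, page_range=None,
                    sides=None, job_name="Untitled", request_id=1):
    """Encode an IPP/2.0 Print-Job request whose body is `document` (a PDF here)."""
    msg = struct.pack("!BBHI", 2, 0, OP_PRINT_JOB, request_id)
    msg += bytes([TAG_OPERATION])
    msg += _attr(CHARSET, "attributes-charset", "utf-8")
    msg += _attr(LANGUAGE, "attributes-natural-language", "en")
    msg += _attr(URI, "printer-uri", printer_uri)
    msg += _attr(NAME, "job-name", job_name)
    msg += _attr(MIME, "document-format", "application/pdf")
    msg += bytes([TAG_JOB])
    msg += _attr(INTEGER, "copies", copies)          # copies is a job attribute, the data is not repeated
    if page_range:
        msg += _attr(RANGE, "page-ranges", page_range)
    if sides:
        msg += _attr(KEYWORD, "sides", sides)       # e.g. two-sided-long-edge (duplex)
    msg += bytes([TAG_END])
    return msg + document

def parse_ipp(msg):
    """Decode header and attribute groups; everything after the end tag is the document."""
    major, minor, op, req = struct.unpack("!BBHI", msg[:8])
    off, group, groups, last = 8, None, {}, None
    while True:
        tag = msg[off]
        off += 1
        if tag == TAG_END:
            break
        if tag < 0x10:                              # group delimiter
            group = groups.setdefault(tag, {})
            continue
        nlen = struct.unpack("!H", msg[off:off + 2])[0]
        name = msg[off + 2:off + 2 + nlen].decode()
        off += 2 + nlen
        vlen = struct.unpack("!H", msg[off:off + 2])[0]
        raw = msg[off + 2:off + 2 + vlen]
        off += 2 + vlen
        if tag == INTEGER:
            value = struct.unpack("!i", raw)[0]
        elif tag == BOOLEAN:
            value = raw == b"\x01"
        elif tag == RANGE:
            value = struct.unpack("!ii", raw)
        else:
            value = raw.decode("utf-8")
        if nlen == 0 and last is not None:          # additional value of the previous attribute
            prev = group[last]
            group[last] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            group[name] = value
            last = name
    return {"version": (major, minor), "operation": op, "request_id": req,
            "groups": groups, "document": msg[off:]}

# Constructed stub standing in for the temporary 1.pdf; not a renderable page.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

def demo():
    """Build a 3-copy, pages 2-4, duplex job against an assumed printer URI and decode it again."""
    req = build_print_job("ipp://HPABC123.local:631/ipp/print", SAMPLE_PDF,
                          copies=3, page_range=(2, 4), sides="two-sided-long-edge",
                          job_name="report.pdf")
    return parse_ipp(req)

if __name__ == "__main__":
    result = demo()
    print(result["groups"], len(result["document"]), "document bytes")
```

The same parser applied to a capture of the device's IPP traffic would settle the question raised in item 5 directly: if copies appears as a job attribute and the body contains a single PDF, the printer, not the device, is replicating the output.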