Police claims to have fingerprinted computer based on printed document (nrk.no)
192 points by chha on May 13, 2022 | 126 comments



Most interesting parts (IMO):

“Program and program settings: When preparing the letter, WordPad for Windows is most likely used. Default settings for font, line spacing and paragraph are used. The page layout has been Letter.”

That, I think, can be inferred with good confidence from precisely measuring various font measurements, looking at how lines got broken, etc, and comparing that with a database of program defaults for a large set of OSes and programs.

“Device, operating system and video card : When designing the threat letter, a Windows PC has been used, with an operating system Windows 10 or 8.”

I guess either WordPad or the font got tweaked somewhat in that Windows version. Maybe WordPad started using ligatures more aggressively, its page width got a tiny bit wider, or, in the font, some letter shape or spacing table changed a tiny bit, or a character was added.

“The PC has had an integrated video card, Intel HD Graphics 630.”

That, for me, is the most intriguing part. Does Windows use the GPU to render fonts even if they get printed, and are there subtle differences between GPUs and their software rendering that, statistically, can be recovered from the somewhat noisy print?


> Does Windows use the GPU to render fonts even if they get printed

Most cheaper printers (esp. on Windows) use the GDI protocol for printing. These printers only know how to print rasterised images, so the document is rasterised by the OS/Print driver and only this final rasterised image is sent to the printer. This is different from higher end PCL/PS printers where the document is translated into a page description language and the printer is (partially) responsible for rasterising the final document for print.

Since Windows uses the GPU to render fonts I wouldn't be surprised if the same code is used to rasterise the fonts for GDI printing.

That being said I'm very surprised they can identify the GPU just from that, unless there is some specific bug in the driver for the card which produces an obvious font rendering artefact.


Brilliant comment. Coming at this as a typographer/graphic artist and erstwhile coder, I'd bet it comes down to reverse engineering anti-aliasing algorithms. I'm not sure how it's done in Windows, but on Macs there are various levels of crispness you can set in default type as it's rasterized and if you zoom in a bit they have very clearly recognizable differences. Take the four bottom-left pixels of a capital A at 300 ppi, and compare their ink value ratios with different anti-aliasing techniques, and I bet you could get a signature of what card did the rasterization.

Gaussian blur is your friend if you wanna send a death note, I guess.


I don’t think printer drivers do anti-aliasing on text. The hardware of a printer does anti-aliasing for free.

Also, I doubt you can get conclusive evidence from a single letter. Luckily, your average random note has a lot of them, even duplicated ones. I would carefully align and average out as many capital A’s as I had, and work with that.


> I don’t think printer drivers do anti-aliasing on text. The hardware of a printer does anti-aliasing for free.

You missed the explanation above why you're wrong, at least on consumer non-PostScript printers. Most cheap printers nowadays pass the buck of rasterisation to Windows (and its horrible, security headache spooler). You can even check which is which: in Windows 10, open Settings, then Devices, select Printers & scanners, select [your name of printer], press Manage, press Printer Options (not Printing options), open the Advanced tab and then click on the Print Processor... button. If it says "winprint" then Windows handles the rasteriser.


Anti-aliasing text is of limited value at the resolutions printers can achieve. 1200+ DPI inkjets and lasers have been commonplace for over 20 years. That doesn't mean GDI variations won't influence pixels due to small numeric differences.


> The hardware of a printer does anti-aliasing for free.

I think they meant something like "ink smears".


In that case, then it'll be purely a mechanical thing. Another thing that is still handled by the printer (unless its drivers are sophisticated, winprint isn't) is halftoning, but I'm not sure if that counts as anti-aliasing.


IDK. In the olden days, desktop printers sometimes had embedded font faces or PS1 fonts would be sent to the printer, but any vector file for large/high-res print quality had to be "ripped" or rasterized first, usually with a dedicated card. These cards definitely had signature looks and feels to them, but so did the fonts. There were differences between the way an Adobe Times New Roman would rip versus the one that came stock on your Apple IIsi.

Pinpointing a version of Windows, if it was printed from a stock OS font, could be as simple as comparing tiny differences in the vector files and knowing if one pixel would rasterize at 60% black versus 50%. To the extent that the rip goes through a graphics card, it would be knowing whether that card rendered the 60% as 58% or 62%.

I'm pretty sure if you scale it down, the printer driver will do an extra layer of downsampling and add its own anti-aliasing; but the printer hardware doesn't do that, it just sprays the dots it's told to spray, and in general the drivers replicate the pixels that are sent from Photoshop or in this case, MS Word, which uses something like QuickDraw used to be on a Mac, an embedded system process, to rasterize the fonts.


Gaussian blur is mostly invertible. Need more randomness.


Depends on the tolerance of what you're trying to hide. If the goal is just to obliterate the way something was previously anti-aliased, or make it trigger tons of false-positives, then a small blur and not relying on the inbuilt rasterization would probably do the trick.

Prior to this it had never occurred to me. But yeah, more randomness. Noise filter and blur, then a bit more noise, then photograph it, print the photo, scan it on another device, put it in the washing machine, leave it on the porch for a week and repeat.


Mostly... It's a low pass filter, so if the information - anti aliasing techniques in this case - is concentrated in high frequency, it'll be wiped out.


> unless there is some specific bug

Could also be by design, similar to printer identification dots. Have the artifacting vary ever so slightly from one GPU to another. Then again, I feel (emotional statement, not of fact) that this would be known by now if it was a thing.


I thought it was known that printers all leave a unique fingerprint (device-specific, not just model-specific).


Color printers are known to.


I was reading these comments while simultaneously trying to get some work done. I was taking a screenshot of some settings to show to a coworker for verification and immediately noticed something was off about the screenshot. It looked nothing like the screen! Apparently screenshots on Win10 with HDR is kind of funny. It looks like everything is neon. Like the standard HN orange banner looks like a yellow highlighter. Funny thing is, if I take the screenshot from my non-HDR monitor, it looks as expected.

So...evidently from a sample of me, I can tell from which monitor a screenshot was taken...


This could all be deflection. All name-brand printers (in the US at least and probably everywhere) watermark printed pages with yellow dots that identify the printer serial number. If the printer is purchased with a credit card and the SN is scanned, there is a perfect trail from your printed page to the person who bought it. I suspect if that method was used they still may want to claim these other fingerprinting methods to avoid spreading the word about printers.


One other way this trail can be made is simply by installing the drivers. For example I noticed that when you complete the driver installation for a Brother color laser printer, the installer opens the default browser and navigates to brother.com/something/SERIAL_NO_OF_PRINTER. I am assuming that on the other end they're capturing the IP, fingerprinting the browser, and logging it all forever.


Brother is same level evil as Canon. I was proud to learn even my new Xerox Phaser 8550 is not fingerprinting paper.

https://www.eff.org/pages/list-printers-which-do-or-do-not-d...


Got a source for this claim?

Edit: Specifically, what about printers that only print black and white?


https://en.m.wikipedia.org/wiki/Machine_Identification_Code

https://www.eff.org/press/archives/2005/10/16

The implication is that only color printers are affected.

"The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters."


People are really using consumer printers in counterfeiting?


No because most will refuse to print anything with the EURion constellation.

https://en.m.wikipedia.org/wiki/EURion_constellation


Huh. Fascinating.


Same with photoshop. Try to open this in PS:

https://upload.wikimedia.org/wikipedia/commons/7/7b/Obverse_...


People will try anything, and I suspect more "counterfeiting" is prevented by the EURion constellation than we'd expect.

Probably just idiots playing around with the copier rather than dedicated gangs, but if it worked they might be tempted to say "Well ..."

https://old.reddit.com/r/mildlyinteresting/comments/1s8rl9/i...


This at least massively reduces anti-counterfeiters’ caseload.


IIRC some of the very early dollar bill acceptors on vending machines were perfectly happy with a black and white photocopy.


It is quite well known these days, check the EFF [1] and Wikipedia [2] pages, there's info on the what, how, when and why

[1] https://www.eff.org/pages/list-printers-which-do-or-do-not-d...

[2] https://en.m.wikipedia.org/wiki/Machine_Identification_Code


https://en.m.wikipedia.org/wiki/Machine_Identification_Code but idk about how many printers do this or whether similar techniques are used for black+white printers (i.e. gray-scale modulation)


Color printers must do this; black-and-white printers do not (and cannot, there's no yellow ink).


> are there subtle differences between GPUs and their software rendering that, statistically, can be recovered from the somewhat noisy print?

I'm not sure these days when most GPUs are IEEE-754-compliant. But back in the mid to late 2000's I worked on a GPU renderer for video editing and we had a few filters that gave noticeably different results on different GPUs. One filter did a hard black and white threshold, then blurred the result, did another hard threshold, etc., in a loop. Because of differences in precision of the floating point values (24-bit on AMD at the time, if I recall correctly), the thresholds could produce minor differences that got magnified by the blurring, and then created new thresholds with minor differences, etc.

Even if all the GPUs are using IEEE-754 floats, there are driver differences that can cause the results to be slightly different, too. Like a simple GLSL mix() function could be implemented as result = x * a + y * (1 - a) (where x and y are 2 input pixels and a is the alpha of x). Or it could be implemented more efficiently as result = a * (x - y) + y. Doing the same math in a slightly different way can sometimes lead to slight differences in intermediate results which compound in the final result. So yeah, it may be possible to tease out some of these things by examining something like font rendering.
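The two mix() forms from the comment above, as an added example that is not part of the original thread: it emulates float32 arithmetic in Python and shows the forms disagreeing in the last bits, then a hard threshold turning that disagreement into a black-versus-white pixel. The helper names, the sample pixel values and the threshold are constructed for illustration, and fused multiply-add is not modelled.

```python
import struct


def f32(v):
    """Round a Python double to the nearest IEEE-754 binary32 value."""
    return struct.unpack("<f", struct.pack("<f", v))[0]


def mix_a(x, y, a):
    """result = x * a + y * (1 - a), rounding to float32 after every step."""
    return f32(f32(x * a) + f32(y * f32(1.0 - a)))


def mix_b(x, y, a):
    """result = a * (x - y) + y, rounding to float32 after every step."""
    return f32(f32(a * f32(x - y)) + y)


def threshold(v, t):
    """Hard black/white threshold, returned as an 8-bit pixel value."""
    return 255 if v >= t else 0


# Constructed sample: a nearly black pixel blended over white at full alpha.
X = f32(1 / 255)   # 8-bit level 1, normalised to [0, 1]
Y = 1.0            # 8-bit level 255
A = 1.0            # alpha of x


def sweep():
    """Count (x, y, alpha) combinations on a coarse grid of 8-bit levels
    where the two forms return different float32 results, and report the
    largest absolute difference seen."""
    xs = [f32(k / 255) for k in range(1, 256, 17)]
    ys = [f32(k / 255) for k in range(0, 256, 17)]
    alphas = [f32(k / 255) for k in range(256)]
    differ, worst = 0, 0.0
    for x in xs:
        for y in ys:
            for a in alphas:
                d = abs(mix_a(x, y, a) - mix_b(x, y, a))
                if d:
                    differ += 1
                    worst = max(worst, d)
    return differ, worst


if __name__ == "__main__":
    ra, rb = mix_a(X, Y, A), mix_b(X, Y, A)
    print("form A:", ra.hex())
    print("form B:", rb.hex())
    print("difference:", ra - rb)
    # A threshold placed exactly at x separates the two results completely.
    print("thresholded:", threshold(ra, X), "vs", threshold(rb, X))
    differ, worst = sweep()
    print(f"{differ} grid points differ, largest difference {worst:.3e}")
```
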


This is unreliable and extremely risky to serve as case evidence.

Becomes extremely easy for malicious actors (out or inside the police) to fake evidence and frame anyone they'd like.


That seems to be the norm with a lot of, um, creative criminal forensics.

Bite mark identification was used forever until blown up by particularly shameless grifting, and has never been shown to work as practiced. [1]

Tennessee still uses dowsing rods. [2]

Fingerprinting as practiced is a bundle of folk practice, guesses, and some science. Quality varies wildly. [3]

Fiber analysis, lie detectors, spatter analysis and many more techniques are all crap. When one bogus method is finally found legally unreliable, cops and prosecutors find a new one.

[1] https://innocenceproject.olemiss.edu/radley-balko-reports-on...

[2] https://www.themarshallproject.org/2022/03/17/witching-dowsi...

[3] https://www.aaas.org/resources/latent-fingerprint-examinatio...


It's probably meant as a lead, not as evidence. Given that this is a kidnapping, likely murder case, there's probably tons of evidence if you're looking at the right guy.

And I'm wondering about that, because we know the criminal must have been a pretty hard-core cryptocurrency nut. There aren't THAT many of them in Norway (they've already concluded they are a fluent Norwegian speaker).


My main concern is that this seems to be a precise lead. It might be unconsciously considered close to a real fingerprint.

Instead of facing it just as a lead, it might influence investigators to, consciously or not, build confidence in framing a (wrong) person and end up building a compelling case against them.


> they've already concluded they are a fluent Norwegian speaker

The person who wrote the ransom they believe to be fluent in Norwegian, there could easily be other people involved who're foreign.


> because we know the criminal must have been a pretty hard-core cryptocurrency nut

Do we?

I was still under the impression everybody was blaming her husband for the disappearance.


I'm thinking of the actual kidnapper/killer. The husband has an alibi for the time of the disappearance. The suspicion against him was that he commissioned the disappearance of his wife, not that he did it himself.


Presumably it is to aid in finding the equipment used. Once they find the equipment and can positively identify it, they can use other evidence to establish the probable user of that equipment.

As for malicious actors, wouldn't that be a risk for most forms of evidence? Likewise, wouldn't many of the techniques used to establish the validity of other forms of physical evidence be applicable when these techniques are used?


Fingerprints and DNA, for instance, are significantly less trivial to fake.


If there’s only one PC in a sea of Macs then it’s a good way to narrow it down. Even better if you can use the application characteristics to determine that someone was using a particular app at a particular time, then initiated a print. It’s not irrefutable evidence, but it’s something that tells police that a specific event occurred, for which the suspect would be compelled to provide a reasonable response.


I had to chuckle at the first part.

Ah yes, I see they’re using the default formatting options. That narrows down our search to 99.9999% of the population.


Letter paper size isn't the default paper size for most Windows computers in Norway, so that could be something.


It's however the default size for most printer drivers, so it's often selected as default when trying to print for the first time.


Huh you'd think Windows EU edition or whatever would be smart enough to default to A4.


Europe doesn’t use letter-sized paper, they use A4. I rather doubt that printer drivers installed on a Norwegian computer default to an unusable paper size.


We use the same printers and printer drivers as everyone else in the world. So it does actually default to Letter, and you usually have to change it upon first install. I guess it all comes down to who wrote the printer driver.


I have news for you - the "PC LOAD LETTER" meme works all around the world. Printers and drivers are generally quite dumb about this, and default to Letter format (and this does not make any sense, obviously).


HD630 is the integrated GPU on Intel’s Kaby Lake line of processors.

That narrows it down to coming from 10s of millions of computers perhaps?


I'm actually surprised they could narrow it down even that much. The skylake and coffeelake iGPUs always seemed basically identical to the kabylake one.


I'd be surprised if there was any noticeable difference between the HD630, and any of the other Gen9 architecture iGPUs.


I would guess there must be forensic tools to detect this stuff, that the Norwegian police don't just have the best experts in Windows and printers in the world who then went through all the various systems, but that there should be a database of these variations somewhere and tools you can use to analyze a printed output to figure out where and what it was produced by, so what are these tools is my question.


Maybe most of this profile is pure speculation based on statistical probability?


In the end, it’s statistics, yes. Maybe, a Mac running a windows VM could produce similar output, or somebody could run Linux, copy over the specific fonts from Windows 8, tweak font rendering to match Windows (e.g. in when to use type hints), fiddle with line spacing and page width until their LibreOffice or abiword produces the same line breaks and spacing, etc, but that somebody would try to do that is quite unlikely to start with and also may be very hard to accomplish (and that’s something experts could have tried to do. If so, they could testify about the difficulty of pulling it off)

⇒ I don’t think it’s fair to call this speculation, let alone pure speculation.


This is why I always write my threats and ransom requests in pure TeX.

Seriously though, I thought printers have been using microdots as identifiers for years. Is this just an old wives tale?


So it looks like both printer's fingerprinting and windows "fingerprinting" can both be fooled by simply making a B/W photocopy at local FedEx. Perhaps do copy of a copy of a copy 5 times and you should be good to go!

Just make sure you pay with cash.


I assume a lot of that information comes from the Machine Identification Code [0], the "yellow dots" emitted by almost all printers.

There's a number of encoding schemes [1], though most of those only identify the printer - they don't go far enough to identify the graphics card or OS where it originated. That's a new capability - if it's being accurately relayed here.

[0] https://en.m.wikipedia.org/wiki/Machine_Identification_Code

[1] https://dl.acm.org/doi/10.1145/3206004.3206019


> emitted by almost all printers

I believe it's only by some copiers and laser printers, not inkjets for example.


Indeed if they had the identification code they would have been able to pinpoint the model and serial number of the printer, but they haven't released that information -- only that it is a HP printer with HP 302 or 304 model ink cartridges, which I assume is based on analysis of the chemical composition of the ink.


They also say, “Ink cartridge type HP 302 or HP 304 color cartridges are used.” [italics mine].

In that case, they may have the yellow watermark and just aren’t saying so.


To my knowledge only laser printers participate in the MIC scheme. While the boundaries of the program are somewhat unknown, just from a technical perspective inkjets generally struggle to produce low enough coverage for the marks to not be pretty visible to the eye (bleed of inkjet inks prevents high-pitch halftoning performed by laser printers to produce very low coverage).


Surely only color printers print yellow dots?


You ever seen a black and white printer printing yellow?

Or do you mean light gray dots or so? Because I haven't heard of such a thing but find it hard to prove this negative.


Identifying the graphics card/OS doesn't sound impossible.

They figured out it was Wordpad (presumably based on line breaking or similar) which narrows it down to Windows, and the graphics drivers probably subtly affect the font rendering in the same way that can be used for canvas fingerprinting.

That said, Windows 8 or 10 using Wordpad and Intel integrated graphics doesn't exactly narrow it down.


IIRC the yellow dots just identify the printer, not the computer.


The printer, which was likely bought with a credit card and whose serial number was documented when purchased or when installing drivers that phone home with IP address, location, etc.


This reads so much like Lee Child's Without Fail / Jack Reacher (2008) - which I'm currently re-reading. Analysing a printed threat:

‘It’s a Hewlett-Packard laser. They can tell by the toner chemistry. Can’t tell which model, because all their black-and-white lasers use the same basic toner powder. The typeface is Times New Roman, from Microsoft Works 4.5 for Windows 95, fourteen point, printed bold.’

’Typefaces tend to change very subtly between different word processors. The software writers fiddle with the kerning, which is the spacing between individual letters, as opposed to the spacing between words. If you look long enough, you can kind of sense it. Then you can measure it and identify the program. ...’

(Edit: Limited the amount of quoted text a bit; I believe a few lines is fine/fair use. Loving the series re-read after the TV show, and that I bought them on Kindle originally!).


I wonder how many writers write about word processors when they get writer's block. A bit like devs making dev tools.


Or William S. Burroughs creating fantasies around his Clark Nova typewriter in Naked Lunch.


Like the blog post about why I switched from Jekyll to Hugo


Police have been doing this since the days of typewriters. If you're a whistleblower with sensitive information, assume your printing device has a unique identifier. This is how Reality Winner was caught, when she leaked info about Russian interference in US elections.

If you're in a highly secure environment, it's even possible the content itself may be a unique identifier. I could imagine a sensitive document having grammatical alterations unique to each recipient.

Journalists should consider this before publishing unredacted copies of leaked documents.


Zoom does something like this. They'll embed unique information into the meeting and meeting audio. I've also heard that the arrangement of the participants can also be a watermark but I don't have a source for that.

https://theintercept.com/2021/01/18/leak-zoom-meeting/


It's a feature found on the zoom admin panel:

https://support.zoom.us/hc/en-us/articles/360021839031-Addin...


Yep, the article I linked includes screenshots of the Admin panel and hyperlinks to a few Zoom support pages.

I wonder how well the audio fingerprint works over telephone. On one hand, it certainly won't have the same frequency range as a laptop speaker, but on the other hand so few people join by dialing in, it may end up obvious who the leaker is.


"Police have been doing this since the days of typewriters."

Well, that the typewriters and today the printers are unique, sure.

But here they seem to claim (I do not speak the article's language) that they could identify the computer that sent the document. Which is a very bold and new claim, I think.


My assumption - unfounded? paranoid? - is that:

1) Printers leave a unique "invisible" watermark; similar to the way you can hide an image within an image. The naked eye can see it, but it's there.

2) Aside from that the printer itself has a unique fingerprint, similar to how keyboards do (i.e., AI can pick the difference in the sound of each key and with that audio can translate your typing into letters / words).

3) Networked printers phone home; with snippets. Again, similar to the way some smart TVs send screenshots.

Perhaps not every printer does all of the above, and some not at all, but enough do or might.

Finally, law enforcement explanations like the article's to me are suspect. For example, how often do we hear that a random-y car stop led to a sizable drug bust? So of all the thousands of cars going up Rt 95 the police randomly picked one with loads of drugs? What are the odds?

Moral of the story, if (federal) law enforcement has "insider information" they're not going to share that with the public.


>Moral of the story, if (federal) law enforcement has "insider information" they're not going to share that with the public.

I agree: all I've learned is to make a doc on my oldest laptop, multi-paged and-fonted, have it printed at different public (paid or library) sources and then cobble them together and post them from a random place (not taking my phone there, either).

From what I've anec-heard, those 'rando' car stop/ mega busts are politely arranged so the cops get their bust, but the real mega-shipments sail on by, untouched. Everybody gets a payday, even the Prison system!

*the captured mules get to live rent free for a while, so there's that, for them.


> have it printed at different public (paid or library) sources and then cobble them together

That feels like it exposes your attack surface enormously! More witnesses, more cameras, more data to cross reference, etc.

Buy a cheap laptop and printer at Goodwill or a garage sale, print, destroy them, then mail your manifesto or whatever.


> mail your manifesto

Just be sure not to get DNA or fingerprints on the stamp :)


Yeah, the last part was very much tongue-in-cheek since the difficulties of mailing anonymously are definitely much more complicated than “just mail it.”


>similar to the way some smart TVs send screenshots

Wtf! Just when I thought I'd heard it all.


Yup. Look it up. It's come up on HN before. Tbh I bet it doesn't need a full screenshot to "fingerprint" what you're watching.

If you want to take the deep dive read "The Age of Surveillance Capitalism."


I expect Youtube or Netflix to know what I've watched but the screenshots mean they can analyze everything you view, even stuff that has never touched the internet. Who would ever imagine their TV does that, that's insane!


All the other details are fairly straightforward (toner, envelope, paper, etc) that can be nailed down with enough legwork, but I am wondering how they possibly had figured out the GPU of the machine.

- Are there certain rendering artifacts that can be seen on printed glyphs that give clues to the GPU?

- Or, are they going by heuristics here? (I.e. it was XYZ GPU, because it was a common machine at the time that would be running Win 8 or 10)


This is an ongoing investigation, the police don't have to be truthful in their releases. It might be a guess, it might be because they're already fairly sure who did it or is an accomplice and want to create pressure. They might know it for entirely different reasons than analyzing a piece of paper.


On the surface it seems like a very strange assertion.

Even if there were subtle GDI rendering differences -- which I doubt -- it is hard to believe that a printout would let them positively identify Intel HD Graphics 630 specifically, as opposed to say HD Graphics 610 or 615 which are slightly slower clocked versions of the same GPU released at the same time and which almost definitely use the same drivers and GDI rendering system.

But if the information comes from elsewhere, as in already having a suspect and knowing what computer they used -- they should reasonably have given more information from the same source -- CPU model, etc.

I can't imagine a possible way to leak only GPU info -- unless GDI or the Intel drivers have some secret mechanism for intentionally rendering some sort of subtle identification code onto printer output.

It's just really hard to understand.


You’re assuming extreme precision and competence. I’m guessing they have an incomplete database of GPU samples and a fuzzy result came back like “86% match to Intel 630,” and that’s what they published.


I was wondering if they weren't working on a parallel construction angle.


It's Norwegian police, though, so they might be held to higher standards of accountability.


HAHAHAHAHAHAHAHAHAHAHAHAHA

If you only knew how much the Norwegian police are blasted these days for over-stepping boundaries in searches of persons, and their interpretation of reasonable cause for home searches, and their ties to the private drug cop association NNPF (and reluctance to release membership details)

Like, the "State Attorney" (Riksadvokatsembetet) had to issue a clarification that busting someone with a joint in the street is NOT reasonable cause to search their home for more, please stop doing that you morons, also don't lift people's testicles to see if they have hidden something there thank you.

All the while more violent and serious shit is being ignored.

ACAB, also here.


Don't pretend to laugh when you are angry. Of course you're right police are not great here either, just recently there was a case with punitive cavity searches etc. Police are also complaining about harassment online and ostracism offline (gee, I wonder why?)

But the fact that they are complaining about these things shows they're not quite as unrestricted as police in other parts of the world. Lying is one of the areas there is a difference: Norwegian police aren't allowed to e.g. lie to a suspect that his friend has already confessed. Which isn't to say they won't, but cases can get thrown out over it.

So it's a stretch to think that the police are lying to the public about the positive evidence they have. Lying by omission, maybe, perhaps being wrong, hell yes, but making up things out of whole cloth in public just to gather information would be new ground for Norwegian police.


Any evidence for this suggestion? Most Americans' view of Norway is completely wrong, and formed by misleading propaganda on social media/Reddit.


I'm not Norwegian, but I spent the last 20 years working for a Norwegian company, and spent a lot of time in Norway as a result.

Norway is a beautiful, modern country, and while the older generation is still fairly religious (and racist to some degree), overall it's pretty liberal. It's a really nice place, and I considered moving there more than once.

The Norwegian police may have some warts, but they are held to a much, much higher standard than police in the US.

Honestly, there is no comparison between US police and those in any part of Europe or Scandinavia - we don't have paramilitary-style police busting down doors with flashbangs and automatic weapons blazing, police officers regularly murdering people, or anything like the overt fabrication of "evidence" that some US PDs seem to think is a sport to see how much they can get away with.


Sibling comment's points about police- and judicial excesses in the case of drug-related crime, however, are very much relevant. It's hard to consider the darker parts of Norwegian culture and mindset from a Western perspective, as it takes on shapes that are largely unfamiliar in Western culture. Criticism against Norwegian society looks more like criticism against collectivist societies, where out-of-the-norm non-violent behavior is sometimes harshly punished.

I do agree that our police cannot be compared to the US "out of control" situation, where both its conduct and its excessive use of violence is extreme and avoids judicial oversight. But that's not to say it goes clear of criticism from a systemic perspective.

There are ongoing debates and investigations concerning effectively punitive cavity searches against persons suspected of having smoked a joint, using suspected drug use as a pretext for invasive home searches, immediate confiscation of drivers' licenses after reports of one-off marijuana use (no judicial process involved), involuntary commitment to somatic hospital followed by coerced drug testing in pregnant women after (flimsily) suspected drug use, punitive home searches against drug reform activists and more.

The most high-profile of the two latter cases were conducted against women who visibly participated in democratic debate for reforming our drug laws, and participation in said debate was documented in writing as probable cause for having the woman involuntarily committed by the police.

All but the very last example is strongly suspected to be systemic; it has happened with regularity. And the problems are so obvious that the conduct clearly has a high degree of political support, although "should we systematically jail marijuana smokers and degrade them by probing their vagina or rectum in the police station" has never featured in a debate preceding the elections for Parliament.

Also plenty of criticism regarding the democratic role of a private drug law activist organization (NNPF) that's effectively both part of the police force and a central partner in the bureaucratic process for determining what drug policy should be democratically enacted.


> participation in said debate was documented in writing as probable cause for having the woman involuntarily committed by the police.

No. If this is the case from just before Christmas, the media reporting was extremely biased as the health services cannot comment due to privacy. However, the woman posted her letter on Twitter (now deleted but still available at the internet archive) and it was, in my opinion, justified. (1) The woman had a history of drug use, (2) her mother had reported concerns regarding the woman's drug use and asked the health services to consider involuntary treatment the same year as the woman became pregnant, (3) the woman did not meet her GP after becoming pregnant, (4) the woman did not respond when the health services approached her to evaluate her drug use voluntarily, (5) the woman moved to another municipality (which may have been interpreted as an attempt to "escape" from them), (6) the woman did not approach the health services in her new municipality to follow up her pregnancy.

    In light of the two previous reports of concern and the use of drugs, [the woman]'s information about pregnancy, [her] lack of contact with her GP during pregnancy, [the authorities] found cause for concern. [...] The decision was made on the basis that she has orally informed [the authorities] and confirmed to [the authorities] that she is pregnant and the severity of which drugs (including cannabis, MDMA, LSD) that she has stated that she uses in the newspaper and Social Media. Use of these drugs is not compatible with pregnancy. There is no information on how far she has come in her pregnancy or that she has followed up regular pregnancy controls. [...] The municipality considers that it is overwhelmingly probable that the mother's drug intake will be harmful to the fetus

The national guidelines highlight that the fetus should have priority - "the care of the fetus takes precedence over the care of the woman" - and that

    Pregnant women with substance abuse problems are in a special position and the consequences for the fetus can be serious if the municipality spends too much time considering the use of coercion. The municipality must therefore not spend unnecessarily long time on assessment and testing of voluntary measures. The due diligence requirement requires quick clarifications to prevent the fetus from being exposed to an unnecessary risk of injury.

and that coercion should be considered if "the pregnant woman delivers a positive urine sample, fails to take a urine sample or fails to make an appointment"

However, it is mentioned several times in that letter that she had been positive to drug use in her public writing and admitted to using several illegal drugs in social media. That was probably not okay, but the decision was not - by far - based on that fact alone.


What you've posted here is an excellent representative example of the form of social control in Norwegian society that I'm criticizing. It's a great contribution to the discussion.

I sort of doubt we can find agreement, since we appear to have quite different views on what basis is required for the authorities to perform this kind of incredibly invasive use of force against a citizen that isn't even suspected of having broken a law. This is not suspicion in the legal sense -- it's a possibility or a worry.

I'm not able to draw the conclusions you are from the part of the letter you've quoted. None of what is mentioned there is evidence -- she has publicly stated that she's been using certain illegal drugs on numerous occasions, that she's advocated for legal reform regarding drug use and that she is pregnant. She has declined seeing a publicly-provided doctor wrt. the pregnancy.

None of this is an indication of drug use!!

Related side note. If you ask other Europeans, e.g. someone from Germany, they might tell you that Norway's system of having regular, public-sector scheduled pregnancy inspections where declining will make alarms go off...is actually pretty creepy from a privacy perspective. At least that's what my left-voting German friends told me when they had kids a few years ago. Not that the service is a bad thing, but that declining or arranging your own is considered grounds for suspicion.

There is a difference between the Norwegian (Scandinavian?) and Western mindset here that our discussion illustrates splendidly. Our society is in some ways more collectivist; there are numerous situations where the rights of the individual are put last which contrast quite markedly to other Western societies. And these rules are enforced with strict social penalties.

The same contrast can be seen in the 13 (and counting) cases where the Norwegian Child Protective Services, supported by the Norwegian Supreme Court (and obviously the laws enacted in Parliament), have had rulings against them in the Human Rights court in Strasbourg.


No, that's right. But there's still a lot of things the police get away with, especially with respect to drug addicts, "troubled youth" and other people who don't get believed/sympathy when they complain. And then there's NNPF, a not-so independent NGO consisting of current and former narcotics police, which advocates for (and largely runs, without political approval) a much more macho tough-on-crime narcotics policy with school visits etc, interventions which have been rightly rejected by the Norwegian social science and political establishments.

It's a constant fight to make sure Norwegian police doesn't drift closer to UK/US style police, and in many ways we are losing.



Taking bribes to let hashish into Norway... not straight and narrow... but several furlongs behind Muricops.


What does this have to do with "accountability"?


Do Norwegian police work as depicted in the movie "The Snowman"?



> Are there certain rendering artifacts that can be seen on printed glyphs that give clues to the GPU?

Most printers will do their own rendering, it's not often that a text document gets pre-rendered by the OS.

If it was printed straight from WordPad without being converted to an image, there's no artefact from the host OS, there.


> Most printers will do their own rendering, it's not often that a text document gets pre-rendered by the OS.

Without surveying the industry, I doubt that's accurate. Most inexpensive home printers sold to purchasers of Windows PCs are GDI printers. Part of the cost savings associated with those comes from using the PC to render the document.


Most of these forensic findings use publicly known techniques.

What does intrigue me is how they managed to determine the graphics card.

Anyone?


It could theoretically affect font rendering, but I really doubt it.

It's more likely the printer driver has encoded information about the GPU into the yellow microdots [1] that many color printers use to trace pages.

But if they have microdots, then they really should have more information.

[1] https://en.wikipedia.org/wiki/Machine_Identification_Code


What about B&W laser printers?


They typically don't do watermarking. The whole justification was stopping the counterfeiting of currency, since color printers can produce quite good results for near zero effort.

And you can't really use a b&w laser to print convincing notes.


But now the gov wants to spy more, so they should have light grey tracking dots.


They can use black microdots, I guess? Or some kind of steganography in the printed image.


> What does intrigue me is how they managed to determine the graphics card.

Cheap GDI printers use the PC for rendering. I find it a bit surprising that would give enough to identify a specific card from a printed sample, but it certainly seems plausible.


It's odd. If it was from microdots they should know a lot more about the printer than "most likely an HP inkjet".


Or they do know more, but they're not releasing everything? The details they have published are not that useful in pinpointing a suspect - I mean, there are probably thousands of Norwegians who have a PC/laptop with Intel integrated graphics, Windows 8/10, an HP printer and who buy paper and envelopes from Clas Ohlson (a chain with over 200 stores).


Thousands are not that many. There's going to be a lot of people you can exclude from a crypto currency ransom/murder case planned at least 6 months in advance.


If they knew both, it would be odd to say an exact GPU model but not a printer model.


There's a lot of techniques used in such research which is not 'public knowledge' (even though a lot of techies might know them). Hence, information might purposefully be a bit vague, to give the idea they did not reach certain conclusions.

I'd expect they would, as you, know the exact model and make of the printer if it was microdots.

They can also have libraries of things printed with lots of printers to analyse the quality of print etc., and then get an estimate for example by a neural network examining artefacts. In such a case, it would never be 100% certain, but maybe 95-99% range somewhere if they do it well.

I can _imagine_ such techniques might even also get to the point where they can somewhat certainly identify other aspects of the pc like graphics cards, even though they don't know exactly how the network will draw these conclusions.


There's quite a few papers on browser fingerprinting via canvas / webgl, I assume it's similar. Here's one talking about (among other things) fonts and GPU detection:

https://hovav.net/ucsd/dist/canvas.pdf



It is fascinating to see what information can be deduced from such an artifact. Not exactly the same, but it reminded me of a story from the early days of the internet, where a serial killer was caught because a map he sent police, showing the location of a body, was generated online before being printed.

https://murderpedia.org/male.T/t/travis-maury.htm


I somewhat wonder if this is a non-story and they concluded that the note was printed inside the house. Or they have a suspect in mind and they want someone close to them to call in that their computing is suspicious.


They might just be trying to convince the public they are trying hard or maybe a cop bragged too much to a journo which is more likely.


This is not quite fingerprinting, since there's nothing unique about the alleged setup.

There's quite a lot required for them to credibly show that the letter could only have been produced on a pc with "Intel HD Graphics 630". I suspect the argument is on the level of "we tried to duplicate it with some random PCs and the one with Intel HD graphics looked most similar".

But even if it is true, integrated Intel GPUs are in (maybe?) a third of all Windows PCs.


Reminds me of the Dan Rather memo, though that was a simpler "show it couldn't be that old" style investigation.


How likely could it be a Gone Girl scenario?



