Posted: Thu Mar 15, 2012 3:20 am Author: psycho Location: London Hi
I was curious if there is a way to do a forensic analysis of an external drive that may prove that data was either copied on/from to it from/to certain sources?
Posted: Thu Mar 15, 2012 4:16 am Author: dill Location: Manchester Hi,
Do you have access to the system you think it attached to?
You could look for signs of mass copy buy matching up the last time the drive was introduced vs last modified date / access date.
Posted: Thu Mar 15, 2012 4:17 am Author: mscotgrove Location: Sussex, UK I think the answer to your question maybe No.
One area to investigate could be the creation time of files. The creation time is when a file was created or copied to a drive.
If a file has a modied date of 1st of the month, but creation date of 5th of the month this would indicate an existing file was copied to the drive on the 5th.
For reading a file, the access date may be of use - but often this is not updated. It could also be changed by a anti virus scan.
Posted: Thu Mar 15, 2012 4:25 am Author: psycho Location: London The problem is I only have access to the external drive. I know it's a long shot to actually tie it down, but I was hoping if anyone knew a way to get this information.
Posted: Thu Mar 15, 2012 7:13 am Author: Infern0 Location: Virginia If you want to tie this external drive to a specific system by ONLY conducting analysis on the external drive itself, the answer is no.
You would absolutely need some type data to correlate with the potential computer systems data was copied to/from. The list of possibilities in this case COULD be numerous depending on what's available on the external drive and also still present on the system of interest.
Posted: Thu Mar 15, 2012 9:10 am Author: twjolson Location: Minnesota Long shot, but if you, against all odds, found a shortcut that pointed to a file on the original system, the metadata could point to the system.