Hi
I was curious if there is a way to do a forensic analysis of an external drive that may prove that data was either copied on/from to it from/to certain sources?

Cheers  

Hi,

Do you have access to the system you think it attached to?
You could look for signs of mass copy buy matching up the last time the drive was introduced vs last modified date / access date.  

I think the answer to your question maybe No.

One area to investigate could be the creation time of files. The creation time is when a file was created or copied to a drive.

If a file has a modied date of 1st of the month, but creation date of 5th of the month this would indicate an existing file was copied to the drive on the 5th.

For reading a file, the access date may be of use - but often this is not updated. It could also be changed by a anti virus scan.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

The problem is I only have access to the external drive. I know it's a long shot to actually tie it down, but I was hoping if anyone knew a way to get this information.  

If you want to tie this external drive to a specific system by ONLY conducting analysis on the external drive itself, the answer is no.

You would absolutely need some type data to correlate with the potential computer systems data was copied to/from. The list of possibilities in this case COULD be numerous depending on what's available on the external drive and also still present on the system of interest.  

Long shot, but if you, against all odds, found a shortcut that pointed to a file on the original system, the metadata could point to the system.

That's all I got.  

- twjolson

Long shot, but if you, against all odds, found a shortcut that pointed to a file on the original system, the metadata could point to the system.

Would you mind elaborating on this hypothesis?