Data copied - Hard drive - Exfiltration

(@forensic_ericlese)
New Member
Joined: 8 years ago
Posts: 2
Topic starter  

Hello -

I believe I know the answer to this already, as my understanding of the act of copying data and the associated updates to metadata (such as they are) leads me to believe that it is impossible to determine the following, given these circumstances:

1. We know that data was copied from computer to an external hard-drive. We can show drive info in registry around the same time as MAC times for most of the data on the drive. Not too many doubts here.

2. But, before the drive was returned to the company, they assume that person x made a copy of the data on this external drive to another medium of some sort.

3. I am only in possession of the "original" external hard-drive, no other computing systems.

4. Pretty positive there is NO way to look at just the objects on this drive and determine that yet another copy was made of this data - no flags or changes are made to the original, only new copies.

Is that correct? Am I missing some little known artifact or metadata combination that can help make this determination?

Thank you in advance


watcher
(@watcher)
Estimable Member
Joined: 19 years ago
Posts: 125
 

Depending upon how it was done, there may be newer time stamps related to the second mount. This can indicate that a second copy was made.

However the reverse is NOT true. Absence of new mount information does not preclude a second copy. A write blocker would be sufficient.


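An added illustration of watcher's point (example code, not something posted in this thread): if the external drive was mounted on a file system that updates last-access times, a later bulk read leaves a cluster of atimes well after the last mtime on the volume. The script below walks a tree, flags files read long after the last write, and groups access times into clusters. The assumptions are mine: that the second mount updated atime at all (Linux relatime, NTFS with last-access updates disabled, a write blocker, or a timestamp-preserving copy tool all leave nothing), and the sample files and timestamps are constructed for the demo.

```python
"""
Look for later read-only activity on a drive image using atime vs mtime.

Assumption (not from the thread): the file system preserved access times
when the drive was mounted the second time. A write blocker, a
noatime/relatime mount, NTFS with last-access updates disabled, or a
copy tool that restores timestamps all leave atime untouched, so an
empty report proves nothing; absence of evidence is not evidence of
absence here.
"""
import os
import tempfile
from collections import namedtuple
from datetime import datetime, timezone

FileTimes = namedtuple("FileTimes", "path mtime atime")


def collect_times(root):
    """Walk root and record (path, mtime, atime) for every regular file."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            out.append(FileTimes(path, st.st_mtime, st.st_atime))
    return out


def find_later_access(entries, gap_seconds=3600):
    """Return entries whose atime falls more than gap_seconds after the
    latest mtime on the volume, i.e. files read well after the last write.
    A cluster of these is consistent with a later bulk read such as a
    second copy; it is an indicator, not proof."""
    if not entries:
        return []
    last_write = max(e.mtime for e in entries)
    return [e for e in entries if e.atime - last_write > gap_seconds]


def access_clusters(entries, gap_seconds=600):
    """Group access times into clusters separated by more than gap_seconds.
    Returns a list of (first_atime, last_atime, file_count) tuples, so a
    second read session shows up as a second cluster."""
    times = sorted(e.atime for e in entries)
    if not times:
        return []
    clusters = []
    start = prev = times[0]
    count = 0
    for t in times:
        if t - prev > gap_seconds:
            clusters.append((start, prev, count))
            start, count = t, 0
        prev = t
        count += 1
    clusters.append((start, prev, count))
    return clusters


def build_sample(root):
    """Constructed sample data: the original copy lands at T0 (mtime and
    atime both T0); a week later two of the three files are read again,
    as a sloppy second copy on an atime-updating mount would do."""
    t0 = datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc).timestamp()
    t1 = t0 + 7 * 86400
    for name, atime in (("a.doc", t0), ("b.xls", t1), ("c.pdf", t1 + 30)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (atime, t0))  # (atime, mtime)
    return t0, t1


def demo():
    """Build the constructed sample in a temporary directory and return
    (files read after the last write, number of access-time clusters)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        entries = collect_times(tmp)
        return len(find_later_access(entries)), len(access_clusters(entries))


if __name__ == "__main__":
    later, clusters = demo()
    print("files read after the last write:", later)
    print("distinct access-time clusters:", clusters)
```

Run it against the mount point of a read-only image (collect_times on the mount root) and treat a second, tight cluster of atimes as something to explain, not as a finding on its own: the same pattern appears after an antivirus scan or a search indexer touching the drive.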
(@forensic_ericlese)
New Member
Joined: 8 years ago
Posts: 2
Topic starter  

Right, makes sense. What you are saying is (if I understand correctly): if the person did a very sloppy copy, as it were, MAC time stamps <could possibly> have been changed to reflect that updated event, but not necessarily (they could have used a write blocker or a copy tool that leaves MAC intact). And certainly the absence of updates does not preclude that they made a copy. Pretty much what I thought.

I just wanted to be sure that there wasn't some other field or combination of points that would help show this, if all I have is the first media / no computer, no target drive, etc.

Thank you for your time.


(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

I saw your profile said E-Discovery expert for your job.
Since you only have 2 posts and they are in this thread, could you tell everyone about yourself please.