Hi, first time here so I need your help; today we recovered a stolen USB HardDisk and we want to know if there is a way to find if some information had been copied o deleted from the HD to another device and the dates of those operations.
Hope someone can help
Regards
Since I can't tell from your profile, do you have any forensic experience? This sounds to be a criminal matter, but can you confirm? In any case, for purposes of court action, you will want to confer with someone trained in computer forensics and who uses the proper tools and processes. Can you give more details on this matter? For example, is this your own hard drive, etc?
Hi, first time here so I need your help; today we recovered a stolen USB HardDisk and we want to know if there is a way to find if some information had been copied o deleted from the HD to another device and the dates of those operations.
There's really no way to tell definitively that something was copied from the media.
Depending on the file system to which the device was formatted, the system that the device was connected to, and *how* files were deleted, you may have some luck there.
It is possible that you could find circumstantial evidence that that USB flash had contained certain files when it was attached, and that these files had been opened AFTER being copied to the local hard drive. But, as Harlan has pointed out, this would be circumstantial, at best, and not definitive. Also, it would require a great deal of luck in that the user would have had to done certain things to make such "logging" possible, such as resizing the window which displays the device/folder contents.
There is no mechanism by which current versions of Windows logs copying of files from device to device, except/unless it was done by a backup program.
As for deletions, that is another matter, especially when dealing with flash devices.
Basically what you can do now before you get expert advice is to secure the exhibit and obtain a forensic image using a writeblocker.
If u have tools like encase or ftk, you can start off by filtering for files with date/time after the alleged theft.
then again, all these are circumstantial and we can't prove if the files have been copied to the suspect's computer unless you have the suspect's computer to perform some form of comparison analysis.
