HDD used previously, am i right?

No it doesn't.

For a quick check look at all the files in your own Windows\System 32\Config folder, show the 'Date Created' column and then order them by this column. Unless you have a particularly old hard drive, there should be plenty of files which have files created dates previous to the manufacture of your hard disk.

Put the suspect drive's serial number into Google or search for it within the drive manufacturer's web site. When was the drive first made available?

Have you examined the internet history? How far does it go back? Any pages in the cache which show dates, such as the BBC News page or fragments of dated web mail?

Why are there files in there that have created dates which are prior to the manufacture of the hard drive?

I have searched google and the Western Digital website with the serial number "WMAM9DY63619" and discovered nothing from this.

If I do some of your work for you can I have some of your fee? wink

Do a simple experiment for one explanation

1. Create a file somewhere on your network. Note its creation date.
2. Drag it to your PC. Note its creation date.

Do a simple experiment for one explanation

1. Create a file somewhere on your network. Note its creation date.
2. Drag it to your PC. Note its creation date.

Why bother with the experiment? The answer is here
http//support.microsoft.com/?kbid=299648

Now, back to the original question
"…i need to identify if the drive has been used prior to the time the user claims, before November last year which is when the computer using the drive was "newly" purchased. "

This is a somewhat open and nebulous requirement, don't you think? After all, what does "was the drive used" mean? Was the drive *used* and then moved from another system? Was the drive being *used*, then was it completely wiped and the current OS installed?

One of the best ways I've seen to track activity on a drive is to parse the UserAssist keys…if you find dated entries predating the time that the user states that the use of the drive started, then you've got your info…

HTH,

Harlan

Do a simple experiment for one explanation

1. Create a file somewhere on your network. Note its creation date.
2. Drag it to your PC. Note its creation date.

Why bother with the experiment? The answer is here
http//support.microsoft.com/?kbid=299648

Personally, I find if I do it myself and see the results for myself then I am more likely to understand it and remember it than if I just read about it.

BTW, got your book last week. Very good!

Jonathan,

Thanks. Now, if I could just get someone who's read or used it to post a review, or just post their thoughts somewhere where others could see (and I could link to).

BTW…there's nothing wrong with doing it yourself to demonstrate this…

Look at $volume, $mft etc - that should nail the earliest timeframe you're looking for.

At that point you can say that the current _volume_ wasn't used before this time…..

If I do some of your work for you can I have some of your fee? wink

Do a simple experiment for one explanation

1. Create a file somewhere on your network. Note its creation date.
2. Drag it to your PC. Note its creation date.

I thought i would try this out and yeah the created time changes and so does the accessed time but the modified time stays the same, but how does this answer his question?

The file i first created had an updated created time when i moved it but i don't see how this experiment shows that the files created time could be set to a time BEFORE its original creation. There is something obvious i am missing??….

If I do some of your work for you can I have some of your fee? wink

Do a simple experiment for one explanation

1. Create a file somewhere on your network. Note its creation date.
2. Drag it to your PC. Note its creation date.

I thought i would try this out and yeah the created time changes and so does the accessed time but the modified time stays the same, but how does this answer his question?

The file i first created had an updated created time when i moved it but i don't see how this experiment shows that the files created time could be set to a time BEFORE its original creation. There is something obvious i am missing??….

On a NTFS system if you simply copy a file the created time will be updated but if you move it (which can you do by cutting and pasting or by dragging as in my example) then the created time will remain the same. It doesn't answer Add0's question directly - I would need access to the case itself to attempt that - but gives him/her an example of a situation in which the created time of a file can predate the existence of the medium it is now present on.