Hi, everyone
Recently, my friend took my external hard drive120 GB(without asking me from my room). I had some very important files in there(my research paper, and some personal photographs). He said that he took it for copying movies, but I really doubt that, as the previous day he was asking for my research papers. Guys, Can you please tell me a way by which I can find which files he copied from my external hard drive?
It is possibly too late, but I suggest you get a complete sector by sector copy of your drive (a DD copy or similar). This will freeze any possible evidence.
One area to investigate is the access date of your important files, by I fear you may already have looked at them, and so changed the date anyway.
It is possibly too late, but I suggest you get a complete sector by sector copy of your drive (a DD copy or similar). This will freeze any possible evidence.
One area to investigate is the access date of your important files, by I fear you may already have looked at them, and so changed the date anyway.
Thanks for the reply!! They were zipped files, so I didnt open them, just had a look at the properties, and that shows an accessed date, which was months ago. So does it mean that he didn't copy them?
Guys, Can you please tell me a way by which I can find which files he copied from my external hard drive?
Without image of the media from which the files were copied (the external HDD) and the media to which the files were copied, you won't be able to tell definitively.
Thanks for the reply!! They were zipped files, so I didnt open them, just had a look at the properties, and that shows an accessed date, which was months ago. So does it mean that he didn't copy them?
Not necessarily. It is possible to turn of the logging of last access times and some people do for performance reasons. It is also possible that the system was booted using a live CD or USB with last access times disabled and copied the files that way. You didn't say but was it Vista (last accessed time is disabled by default) or XP (need a registry change) or some other OS? Try copying a file and seeing if the last access time is updated on the source.
Did he have your password (or did you not have a password protected account)? If you suspect that the last access time is unreliable you might look at the user's registry to see if there is evidence that the file was opened.
Otherwise, you might be out of luck.