
Internal Hard-Disk removal logs

jaclaz

There are no assumptions that the user is hypothetically "smart", but the head of IT has been told that this person has given the hard disk to someone else, which exposed some classified documents to someone else. Then the hard disk was returned to the same laptop.

The hard disk had also a "safety sticker" that broke if someone opens up the hard disk, but that still isn't enough evidence.

So the scenario here is could we actually "forensically" prove that the hard disk has been removed from the Laptop or not?

As you said, in theory there is no difference between theory and practice, but in practice there is.

Yep, but if (when) we are trying to make a (logical) theory, the logic must be the same.

IF the user took the hard disk out of the laptop, he/she needed:
a. (possibly, it may depend on specific models) a screwdriver
b. a not difficult (but not at all "easy" or "common") knowledge of how to disconnect the hard disk and later re-connect it properly

Since in order to simply copy some contents from a laptop there are at least three ways (in order of increasing complexity AND decreasing risk of leaving digital forensic traces):
1) simply copy the data from the booted OS to a USB device (or send it as an attachment to an e-mail or upload it to some HTTP or FTP site, etc.)
2) use a bootable external OS (IF it is possible to boot the laptop to an external OS) to do the above
3) physically disconnect the hard disk, do *something* with it, then reconnect it

IF the most complex #3 was chosen/adopted THEN there must be a reason.

Two possible reasons (among the many):
r.1) the user is "smart" and uses a more complex procedure in order to avoid leaving digital traces
r.2) the user is (very) "dumb" and either knows nothing about the simpler options #1 and #2 or has a masochistic attitude to choose more difficult options.

I was exploring possibility #r.1.

jaclaz


   