PC has no usage records up to a year before seizure!!!!

17 Posts
10 Users
0 Reactions
1,364 Views
tracedf
(@tracedf)
Estimable Member
Joined: 10 years ago
Posts: 169
 

OW, come on guys, if a whole disk image has been re-deployed to the disk, whatever was there before would have been overwritten, no way back.

If a raw or forensic image was used, that's correct. But it's my understanding that most of the imaging programs used for deploying standard builds/configurations (i.e. what most IT departments use) do not overwrite every sector of the drive.

-tracedf


   
ReplyQuote
wilx
(@wilx)
Active Member
Joined: 17 years ago
Posts: 16
Topic starter

Hi Guys,

Thanks again for all your responses. I have come to the conclusion that either the hard drive was changed, or the witness was not sure of the machine the guy was using, as he is not very technical; therefore it is not likely that he was using a live operating system.

All the BIOS dates and times are correct and the previous processing uncovered data from unallocated space that had some timestamps and were dated even farther back.

Thanks for all the help though as I was able to do due diligence.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

OW, come on guys, if a whole disk image has been re-deployed to the disk, whatever was there before would have been overwritten, no way back.

If a raw or forensic image was used, that's correct. But it's my understanding that most of the imaging programs used for deploying standard builds/configurations (i.e. what most IT departments use) do not overwrite every sector of the drive.

-tracedf

Sure :), but what gives?

You have no information (nor myself BTW) leading you to presume that "one of the most IT departments" is involved at all in the case, nor that one of the programs they use for OS deployment was actually employed.

It is not like a whole disk image is something that only highly specialized software can create or restore, a simple dd, available on any Linux distro would do nicely and there are hundreds of similar tools for Windows.

jaclaz


   
ReplyQuote
MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

Did you check inside the physical box for any memory devices that could have been used as an alternative boot device?

It is possible to solder a memory device directly onto the USB bus, and inside larger boxes you can just choose to NOT connect a USB cable (from the board) to an exterior port on the chassis, and use it internally instead.


   
ReplyQuote
(@kastriot)
Active Member
Joined: 12 years ago
Posts: 5
 

Check for some kind of software that freezes the system, like "Deep Freeze" from Faronics.


   
ReplyQuote
BraindeadVirtually
(@braindeadvirtually)
Estimable Member
Joined: 17 years ago
Posts: 115
 

An HDD (or SSD) manufacturer's drive tools might yield some interesting data, such as SeaTools if it's a Seagate drive. Haven't used it in a while, but I seem to recall that it will give you some low-level data on when the drive has been used and how frequently, e.g. how many hours powered on and so forth. Could give you a steer on the likelihood of a drive swap - if the laptop is 5 years old, say, and the drive has only been used for a few hours, that would seem highly indicative that it got swapped out when the laptop was brand new.


   
ReplyQuote
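As an added example (not part of BraindeadVirtually's post, nor code from SeaTools or smartmontools), the drive-swap check described above can be scripted over the SMART attribute table that `smartctl -A` prints: read Power_On_Hours and Power_Cycle_Count and compare the hours against the age of the machine they came out of. The sample smartctl output is constructed, and the 2% low-usage threshold is an arbitrary assumption for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of an ATA SMART attribute table as printed by
# `smartctl -A`; the values are invented, not from any real drive.
SAMPLE_SMARTCTL_A = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       312
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       41
194 Temperature_Celsius     0x0022   035   045   000    Old_age   Always       -       35 (Min/Max 20/45)
"""

# ID, name, FLAG, VALUE, WORST, THRESH, TYPE, UPDATED, WHEN_FAILED, then the
# leading integer of RAW_VALUE (vendors may append extra data in parentheses).
ATTR_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<raw>\d+)"
)


def parse_smart_attributes(text: str) -> dict[int, tuple[str, int]]:
    """Map SMART attribute ID -> (attribute name, integer raw value)."""
    attrs: dict[int, tuple[str, int]] = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[int(m.group("id"))] = (m.group("name"), int(m.group("raw")))
    return attrs


@dataclass
class UsageAssessment:
    power_on_hours: int
    power_cycles: int
    max_possible_hours: int   # hours elapsed since the machine was built
    usage_fraction: float     # power-on hours / elapsed hours
    flag: str


def assess_drive_usage(attrs, system_age_days: int,
                       low_usage_threshold: float = 0.02) -> UsageAssessment:
    """Heuristic: a drive with far fewer power-on hours than the machine's age
    allows is a candidate for having been swapped in later. Raw units of
    attribute 9 are vendor-defined (usually hours), so confirm them first."""
    hours = attrs[9][1]
    cycles = attrs.get(12, ("Power_Cycle_Count", 0))[1]
    max_hours = system_age_days * 24
    fraction = hours / max_hours if max_hours else 0.0
    if hours > max_hours:
        flag = "MORE_HOURS_THAN_SYSTEM_AGE"   # drive is older than the machine
    elif fraction < low_usage_threshold:
        flag = "LOW_USAGE_FOR_SYSTEM_AGE"     # possible late drive swap
    else:
        flag = "CONSISTENT"
    return UsageAssessment(hours, cycles, max_hours, fraction, flag)
```

Power-on hours alone do not prove a swap; corroborate with the drive's manufacture date on the label, the system's purchase date and BIOS event data before drawing a conclusion.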
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Apologies if someone already suggested you look at TimeStomp as a potential root cause.

(http://forensicswiki.org/wiki/Timestomp)

I thought you might be joking in your original post when you said you were "stomped" by this situation; "stomped" perhaps being a play on "stumped".


   
ReplyQuote
Page 2 / 2
Share: