All - I have a client who needs to determine if a NTFS formatted external USB device was plugged in\mounted, and most crucially if any files were accessed within a specific date range.
most obviously I'd look to see if any of the MAC times for the files fall within that range… however if they do not is there anything else we could look for?
Any guidance gratefully received.
Are you trying to determine this information solely from the external USB device (do you have a forensic image)?
Do you access to the computer in question (hopefully a forensic image of its drive)?
What operating system is running on the computer in question?
Hi,
If you have the computer and it is Windows file system you can take a look to registry to check if your external media is listed and look for the lnk files created when suspect accessed to the files on the external HD.
Regards
The user shellbags would be a great source of evidence for this to see if any folders on a connected drive were accessed