according to the FBI's "experts", data on the
recovered laptop was not copied.
exactly how do they know this ? (ie. what do they
look at to determine it).
if one is reading an NTFS file for purposes of
viewing or copying, what evidence is there that
it was accessed ?
Moe wrote:
> if one is reading an NTFS file for purposes of
> viewing or copying, what evidence is there that
> it was accessed ?
- updated last access time if left enabled by default
- access denial permission if auditing was enabled
- copy action is object tracking was enabled
However, most guys would simply boot from a Linux CD or put the harddisk
somewhere else to copy the raw content.
In that case, on would get some last boot time information from BIOS, or
see the scratches on the hardware.
No, isn't reliable. Just everything they can tell that nothing obvious
has been recorded. They really don't know if actually some careful
copying has taken place.