Re: Determine if data has been stolen from a stolen hdd.

> HI Vipin,
> Well wht u shud check is the last access times of files using 

...
> Antiforensics techniques and use a tool like timestomp.exe (
> http://www.niiconsulting.com/checkmate/2006/06/timestompexe/) to 
> change the
> aceess times of the files.
> So, make sure you look for traces of such tools as well!
> Hope that helps!

Dear Chetan,
Let me clear up a little bit on my Q.

no i was worrying about a theft, someone more smarter! Like what if he mounts 
the disk as read only (write blocker?) & creates a bit-to-bit dump of the hdd 
for later inspection. In this situation what are the other evidence left on the 
CHIPS/MEMORY of hdd itself helpful for a forensic examiner!? The only other 
thing i can think of was if the OS the hdd had... had run a SMART monitoring 
tool that keeps a fresh LOG of SMART status of the hdd @ every shut-down of the 
PC (as say shutdown script) examining the "power on time" (in hrs) before & 
after the theft maybe the only clue i can think of!

WHAT ELSE ARE OTHER THINGS LEFT TO LOOK FOR IN THIS SITUATION?

Best Regards,
-bipin
http://www.bipin.tk