In my last post, I mentioned there are a couple of ways to identify if files have been stored on an external device. Here they are:
1) Examine the file access history – To be thorough, you need to look at two different user activity areas. 1) User activity logs currently available through Windows and 2) Recovered deleted or purged activity logs. In these logs you can see the files a user opened. If the user opened suspect files from an external device and those files match the names of files from a source computer, the files may be the same. You may also see *.lnk (shortcut) files that have been linked to an external device.
2) Last 10 Authors and Locations – Microsoft Windows 2003 Word documents track what we refer to as ‘Last 10 Authors and Locations’. This information can be invaluable when trying to identify additional computers or locations where the files may be stored. For a more in -depth discussion you can review my article.
There isn’t, however, any clear-cut way to prove the designated files were copied in Windows without having the external device. Still, a couple other processes are available to let you see if the files were accessed from alternative locations. That knowledge could create suspicion and provide reasons for you to request the external device. A link or log that shows access to a suspect file on an external device may be enough for a judge or jury to believe that the file was copied.