>HI Vipin, >Well wht u shud check is the last access times of files using
... >Antiforensics techniques and use a tool like timestomp.exe ( >http://www.niiconsulting.com/checkmate/2006/06/timestompexe/) to >change the >aceess times of the files. >So, make sure you look for traces of such tools as well! >Hope that helps! Dear Chetan, Let me clear up a little bit on my Q. no i was worrying about a theft, someone more smarter! Like what if he mounts the disk as read only (write blocker?) & creates a bit-to-bit dump of the hdd for later inspection. In this situation what are the other evidence left on the CHIPS/MEMORY of hdd itself helpful for a forensic examiner!? The only other thing i can think of was if the OS the hdd had... had run a SMART monitoring tool that keeps a fresh LOG of SMART status of the hdd @ every shut-down of the PC (as say shutdown script) examining the "power on time" (in hrs) before & after the theft maybe the only clue i can think of! WHAT ELSE ARE OTHER THINGS LEFT TO LOOK FOR IN THIS SITUATION? Best Regards, -bipin http://www.bipin.tk
