Posted by Sebastian Gottschalk on July 22, 2006, 8:36 pm
Moe wrote:
> if one is reading an NTFS file for purposes of
> viewing or copying, what evidence is there that
> it was accessed ?
- updated last access time if left enabled by default
- access denial permission if auditing was enabled
- copy action if object tracking was enabled
However, most guys would simply boot from a Linux CD or put the harddisk
somewhere else to copy the raw content.
In that case, one would get some last boot time information from BIOS, or
see the scratches on the hardware.
No, it isn't reliable. All they can tell is that nothing obvious
has been recorded. They really don't know whether some careful
copying has actually taken place.
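
Added example, not part of the original post: a small probe to confirm whether a volume you rely on for evidence actually records last access times on read. The function name `probe_atime_recording` and the scratch file are assumptions made for illustration. The result depends on the volume's configuration (the NTFS last-access update setting, or `noatime`/`relatime` mount options elsewhere).

```python
import os
import tempfile
import time


def probe_atime_recording(directory):
    """Create a scratch file in `directory`, read it once, and report
    whether the filesystem updated its last access time (hypothetical helper)."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.write(fd, b"constructed sample content\n")
        os.close(fd)

        # Backdate access and modification time by a week so that any
        # update caused by the read below is unambiguous.
        old = time.time() - 7 * 24 * 3600
        os.utime(path, (old, old))
        before = os.stat(path)

        # A plain read, as a viewer or copy tool would perform.
        with open(path, "rb") as fh:
            fh.read()
        after = os.stat(path)

        return {
            "atime_updated": after.st_atime > before.st_atime,
            "mtime_changed": after.st_mtime != before.st_mtime,
            "atime_before": before.st_atime,
            "atime_after": after.st_atime,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = probe_atime_recording(tempfile.gettempdir())
    if result["atime_updated"]:
        print("Reads on this volume update the last access time.")
    else:
        print("Reads on this volume leave no last access trace; "
              "rely on auditing instead.")
```

If the probe reports no update, last access time cannot serve as read evidence on that volume and auditing is the only record of the kind listed above.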