Ddram Bo:
There is no "way to check if certain files have been previously copied"
The following is taken from Windows Event viewer on my PC. A tool available to any user, not even remotely comparable to forensic tools. I've removed the computer name and filename:
- System
- Provider
[ Name] Microsoft Office 14 Alerts
- EventID 300
[ Qualifiers] 0
Level 4
Task 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2013-03-14T15:43:03.000000000Z
EventRecordID 6432
Channel OAlerts
Computer ##########
Security
- EventData
Microsoft Excel
Do you want to save the changes you made to '#######.xlsm'?
100216
14.0.6029.1000
Also, you can check Windows Registry entries to see if any external storage devices were connected to the PC, and if you export these entries to .txt files you even get the date and time they were created, giving you the actual time the USB drive was plugged in.
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_HTC&Prod_Android_Phone&Rev_0100\7&1d1638a1&0&HT09EPY03591&0\Device Parameters
Class Name: <NO CLASS>
Last Write Time: 26/5/2013 - 11:21 pm
This is also from my PC, showing the connection of a smartphone as a USB disk some months ago. Inside the registry key there is even more info on the device.
So, if I was investigating for this specific filename and saw this log (and cross-referenced it with registry entries at the same date and time), I would assume that if there was an attempt to alter or save the file, it would very likely be on another device. Get it? The file seems like it was COPIED. I'm certain that there are other more sophisticated methods of coming to the same conclusion. You'd be surprised how much info you can get just from system event logs. Even if nothing is explicitly mentioned, just by studying the user's behaviour you can see a lot of things. I found these entries manually and copied them, but there is software that can scan the registry and other system logs, parsing information depending on specific criteria.
About the whole "HDD smashing" thing... English is not my native language, but really, I don't think my post was that hard to understand. I know what formatting actually does, and so do the manufacturers (hence the hammer suggestion in the camera manual). It IS a caveman approach, but it's the easiest and cheapest. Don't forget, apart from the actual files, you also destroy all that other "incriminating data" from your system logs... I've also done my share of data recovery, so I'm not talking completely out of my ass here.
I know that in this day and age, file copies (especially if they go online) almost never go away. What I said was that it is not always pointless to destroy a drive. It depends on how each case is handled and how much info you get about what happened before you destroy the drives. As I said, destroying the drive before a thorough investigation is almost certainly a stupid move.
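As an added example (not the poster's own tooling), the following Python script does the cross-reference described above: it parses a regedit text export of USBSTOR keys, pulls out vendor, product, instance ID and Last Write Time, and lists the devices whose key was written close to an Event Viewer timestamp. The export text is constructed (the first key mirrors the post's entry, the second device is invented), and the machine's UTC offset is an assumption the analyst has to supply.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a regedit "Export -> Text file" dump (not real data):
# the first key mirrors the post's own entry, the second device is invented.
REG_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_HTC&Prod_Android_Phone&Rev_0100\\7&1d1638a1&0&HT09EPY03591&0\\Device Parameters
Class Name:        <NO CLASS>
Last Write Time:   26/5/2013 - 11:21 pm

Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_EXAMPLE&Prod_Flash_Disk&Rev_1.00\\EXAMPLESERIAL&0
Class Name:        <NO CLASS>
Last Write Time:   14/3/2013 - 5:40 pm
"""

KEY_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^&\\]+)&Rev_(?P<rev>[^\\]+)\\(?P<instance>[^\\\n]+)")

def parse_usbstor(export_text):
    """One dict per USBSTOR key: vendor, product, rev, instance id, last write (naive local time)."""
    devices = []
    for block in export_text.split("Key Name:")[1:]:
        m = KEY_RE.search(block)
        t = re.search(r"Last Write Time:\s*(.+)", block)
        if not (m and t):
            continue
        # regedit writes local wall-clock time; the post's export uses day/month/year.
        last_write = datetime.strptime(t.group(1).strip(), "%d/%m/%Y - %I:%M %p")
        devices.append({**m.groupdict(), "last_write": last_write})
    return devices

def parse_event_time(system_time):
    """Event Viewer SystemTime is UTC with nanoseconds; datetime only takes microseconds, so cut them."""
    return datetime.strptime(system_time[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def devices_near(devices, event_time, local_utc_offset_hours, window=timedelta(hours=1)):
    """Devices whose USBSTOR key was last written within `window` of the event."""
    # Registry time is local, event SystemTime is UTC: the machine's offset must be
    # known (assumed here as a parameter) or the correlation is meaningless.
    tz = timezone(timedelta(hours=local_utc_offset_hours))
    return [d for d in devices
            if abs(d["last_write"].replace(tzinfo=tz) - event_time) <= window]

if __name__ == "__main__":
    devs = parse_usbstor(REG_EXPORT)
    evt = parse_event_time("2013-03-14T15:43:03.000000000Z")  # the post's Office alert
    for d in devices_near(devs, evt, local_utc_offset_hours=2):
        print(d["vendor"], d["product"], d["instance"], d["last_write"])
```

A hit only says the key was written near the event (plug-in, driver update, or any other write to that key), so it is a lead to confirm against other artifacts, not proof of a copy.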