How to identify if files have been copied to an external device Examine the file access history To be thorough, you need to look at two different user activity areas: User activity logs currently available through Windows Recovered deleted or purged activity logs In these logs you can see the files a user opened. If the user opened suspect files from an external device and those files match the names of files from a source computer, the files may be the same. You may also see *.lnk (shortcut) files that have been linked to an external device. Last 10 Authors and Locations Microsoft Windows 2003 Word documents track what we refer to as "Last 10 Authors and Locations." This information can be invaluable when trying to identify additional computers or locations where the files may be stored. For a more in-depth discussion you can review my article. There isn't, however, any clear-cut way to prove the designated files were copied in Windows without having the external device. Still, a couple other processes are available to let you see if the files were accessed from alternative locations. That knowledge could create suspicion and provide reasons for you to request the external device. A link or log that shows access to a suspect file on an external device may be enough for a judge or jury to believe that the file was copied. Jonathan P. Rowe President and CEO Pinpoint Labs www.pinpointlabs.com jon.rowe@pinpointlabs.com