Data has been "lost" from one of my networked PC's.
I have analysed the hard drive & that of the shared Server and "recovered" deleted or otherwise "lost" files. This appears to have worked inasmuch that it recovered data which had been deleted over a considerable period of time before and after the "lost" data was created, yet there is no sign whatsoever of the lost data having been saved to the drives.
Perhaps the data might have been saved to a USB stick, rather than the hard drive or Server and I am wondering if (and if so, how difficult is it) evidence can be obtained which would show the date and time a USB drive has been employed and (even better) whether such might detail the contents (or at least the filenames and types) of data that was saved in this way?
Would Windows event viewer reveal any or all of this and how would we go about isolating USB drive activity etc., through this means, if so?
Or is there another software utility which might help?
Any advice gratefully received, please?