
Looking for evidence of data exfiltration is common procedure in any forensics review.



No doubt, but after the fact it's very hard to detect any evidence especially if the hacker was purposely trying to cover his tracks. Maybe they can see that a USB drive was plugged in, but they won't know what may have been copied to that drive or to a network drive.


You'd be surprised at what can occasionally be found.

I think that I might be able to cover my tracks, but I'm definitely not sufficiently certain to stake my freedom on it; there's always a chance that I'd make some mistake and they happen to be more thorough than I am, and the same applies for everyone (e.g. including authors of APTs employed by the major intelligence services around the world); a 90% chance of getting some extra money on top of what he got isn't worth a 10% chance of criminal prosecution. Knowing that the machine is going to be analyzed by someone with a lot of resources is a sufficient deterrent IMHO.


Yeah, if you are worried about this particular threat, you plug the hard drive into a device in read-only mode, copy the data off, and put it back in your machine using a Linux live CD.

That said, Windows does keep a whole lot of information on activities in the registry and filesystem.
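As an added example of the kind of registry record the comment above refers to (this is not code from the thread): PowerShell that lists the USB mass-storage devices Windows has enumerated under USBSTOR and maps each one to the drive letters or volume GUIDs recorded in MountedDevices. The hive paths are the standard Windows locations; the function name is my own, and it assumes an elevated prompt on the machine under review (or a SYSTEM hive loaded under the same name).

```powershell
# Added example (not the thread's code). Lists USB mass-storage devices Windows has
# recorded, joined with the volume mappings in MountedDevices. Read-only: it only queries.
$SystemHive = 'HKLM:\SYSTEM'

function Get-UsbStorHistory {
    param([string]$System = $SystemHive)

    $usbstor = Join-Path $System 'CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $usbstor)) { return @() }

    # MountedDevices: value names are drive letters (\DosDevices\E:) or \??\Volume{guid};
    # data is a UTF-16LE device path such as _??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<serial>&0#{guid}.
    # Decode every value once so each USBSTOR instance can be looked up below.
    $mounted = @()
    $mdKey = Get-Item -Path (Join-Path $System 'MountedDevices')
    foreach ($name in $mdKey.GetValueNames()) {
        $raw = $mdKey.GetValue($name)
        if ($raw -is [byte[]]) {
            $mounted += [pscustomobject]@{
                Name = $name
                Path = [Text.Encoding]::Unicode.GetString($raw)
            }
        }
    }

    foreach ($device in Get-ChildItem -Path $usbstor) {
        foreach ($instance in Get-ChildItem -Path $device.PSPath) {
            $props  = Get-ItemProperty -Path $instance.PSPath
            $needle = "USBSTOR#$($device.PSChildName)#$($instance.PSChildName)#"
            $volumes = $mounted | Where-Object { $_.Path -like "*$needle*" } |
                ForEach-Object { $_.Name }
            [pscustomobject]@{
                Device       = $device.PSChildName    # Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
                # Serial reported by the device, suffixed &0. If the second character is '&',
                # the device had no serial and Windows generated the id, so it is not unique.
                InstanceId   = $instance.PSChildName
                FriendlyName = $props.FriendlyName
                Volumes      = ($volumes -join ', ')  # drive letters / volume GUIDs ever assigned
            }
        }
    }
}

Get-UsbStorHistory | Format-Table -AutoSize
```

The registry alone shows that a device was present and where it was mounted, not what was copied; pair the output with %SystemRoot%\INF\setupapi.dev.log for first-install timestamps and with file-system artefacts (LNK files, jump lists, MFT timestamps) to build a timeline.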
