Hacker News

I'll admit to a fairly casual acquaintance with digital forensics, but I disagree, if for no other reason than you didn't really address all the possibilities of the scenario given. I'd be happy to hear if I am in turn missing something. Forensic analysts are good at tracing activities done from within a system, and/or by entities that don't know a lot about forensics or don't have system privileges to cover their tracks. I read noinsight's scenario as involving physical access by a skilled attacker. If one shut down the laptop, pulled out the hard drive, mounted it on another system, modified a single sector of a document that doesn't exist anywhere else (and the laptop owner isn't perceptive enough to notice the change), preserved file metadata, and placed the drive back in the laptop, what would digital forensics be able to tell you? Only the details of the system being shut down, I'd guess. Maybe if they paid tens of thousands of dollars to a specialized lab, they could find faint magnetic traces of the former contents of the changed sector, but I'm not sure that's in the scope of what you meant. If all that was done was read the drive, there'd be even less chance of determining what was read. As mentioned, the attacker might compromise the BIOS or firmware, and while that would be detectable, I think only the highest-end IR firms would look for it, let alone have the resources to identify subtle changes.

Even working within the system, I'd say many attackers can remove traces such that many investigators won't find them, by doing things like deleting created logs, restoring file metadata to its original state, and writing over the erased evidence multiple times. (This perhaps assumes root access and a consumer-grade OS in default configuration.) It might lead to a suspicious state where the system has been running for hours with no artifacts that would routinely be left, but the investigator might not be able to determine much of what was done. It might be as simple as using a browser the investigators don't check: http://www.cbsnews.com/news/casey-anthony-detectives-overloo...
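A defender-side illustration of the preserved-metadata modification described in the comment above, added here and not part of the original post: a content-hash baseline flags a file whose bytes changed while its size and mtime did not, which is the signature an offline in-place edit that restores metadata leaves behind. It assumes a baseline was recorded before the change and stored where the attacker cannot also edit it; the file name, contents and the one-byte edit are constructed for the demo.

```python
import hashlib
import os
import tempfile

def file_record(path):
    # content hash plus the two metadata fields an attacker would most likely preserve
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return (h.hexdigest(), st.st_size, st.st_mtime_ns)

def build_baseline(root):
    # one record per regular file under root, keyed by relative path
    return {os.path.relpath(os.path.join(d, n), root): file_record(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def compare(baseline, current):
    # "silent_modify" is the thread's case: content changed, size and mtime untouched,
    # which is what an offline in-place sector edit with restored metadata looks like
    findings = {}
    for rel, (h0, s0, m0) in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel][0] != h0:
            _, s1, m1 = current[rel]
            findings[rel] = "silent_modify" if (s1, m1) == (s0, m0) else "modified"
    for rel in current:
        if rel not in baseline:
            findings[rel] = "new"
    return findings

def demo():
    # constructed scenario: change one byte in place, then put the mtime back
    root = tempfile.mkdtemp()
    doc = os.path.join(root, "notes.txt")
    with open(doc, "wb") as f:
        f.write(b"meeting at 10am, bring the contract\n")
    before = build_baseline(root)
    st = os.stat(doc)
    with open(doc, "r+b") as f:
        f.seek(12)
        f.write(b"1")  # "10am" becomes "11am"; same length, so st_size is unchanged
    os.utime(doc, ns=(st.st_atime_ns, st.st_mtime_ns))
    return compare(before, build_baseline(root))

if __name__ == "__main__":
    print(demo())  # {'notes.txt': 'silent_modify'}
```

The check only works if the baseline is kept off the monitored disk, and, as the comment notes, a purely read-only access leaves nothing for it to find.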


