The bigger issue is that even if you accept the USB2 transfer, you can't make any real conclusions. Was the USB transfer from victim machine to external storage or from attacker machine to external storage.
There will be distinctly different patterns for the dates transferring in different ways. Suppose the source is a shared network drive. From share to external USB thumbdrive will have a different fingerprint than from external USB thumbdrive to single local SATA.
Also, you can likely detect what OS was used ( well Linux or Windows ) due to differences in copy order as well as speed.
In theory such analysis can be done on the Sony data and tell us something more interesting than is known so far.
I don't think there are any existing tools that analyze date stamps and determine anything quite on this level... Purely because it is rare to have such a huge such of files.
Also, you can likely detect what OS was used ( well Linux or Windows ) due to differences in copy order as well as speed.
In theory such analysis can be done on the Sony data and tell us something more interesting than is known so far.
I don't think there are any existing tools that analyze date stamps and determine anything quite on this level... Purely because it is rare to have such a huge such of files.