How to detect when files from my USB was copied to another PC?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
9
down vote

favorite
1












I accidentally gave my USB to my friend and then I realized it had some important files of mine. Is there any way I can know if he got something from the USB?










share|improve this question









New contributor




Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 47




    If he's a friend can you go analog and just ask him?
    – HashHazard
    yesterday






  • 3




    @HashHazard for sure he will deny
    – Harry Sattar
    yesterday






  • 8




    @HarrySattar unless he doesn't deny it. If he says "yes" then you know.
    – schroeder♦
    yesterday






  • 25




    @HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
    – Nelson
    19 hours ago







  • 12




    @HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
    – tudor
    15 hours ago














up vote
9
down vote

favorite
1












I accidentally gave my USB to my friend and then I realized it had some important files of mine. Is there any way I can know if he got something from the USB?










share|improve this question









New contributor




Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 47




    If he's a friend can you go analog and just ask him?
    – HashHazard
    yesterday






  • 3




    @HashHazard for sure he will deny
    – Harry Sattar
    yesterday






  • 8




    @HarrySattar unless he doesn't deny it. If he says "yes" then you know.
    – schroeder♦
    yesterday






  • 25




    @HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
    – Nelson
    19 hours ago







  • 12




    @HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
    – tudor
    15 hours ago












up vote
9
down vote

favorite
1









up vote
9
down vote

favorite
1






1





I accidentally gave my USB to my friend and then I realized it had some important files of mine. Is there any way I can know if he got something from the USB?










share|improve this question









New contributor




Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I accidentally gave my USB to my friend and then I realized it had some important files of mine. Is there any way I can know if he got something from the USB?







detection usb-drive






share|improve this question









New contributor




Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 11 mins ago









Braiam

15815




15815






New contributor




Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









Harry Sattar

5814




5814




New contributor




Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 47




    If he's a friend can you go analog and just ask him?
    – HashHazard
    yesterday






  • 3




    @HashHazard for sure he will deny
    – Harry Sattar
    yesterday






  • 8




    @HarrySattar unless he doesn't deny it. If he says "yes" then you know.
    – schroeder♦
    yesterday






  • 25




    @HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
    – Nelson
    19 hours ago







  • 12




    @HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
    – tudor
    15 hours ago












  • 47




    If he's a friend can you go analog and just ask him?
    – HashHazard
    yesterday






  • 3




    @HashHazard for sure he will deny
    – Harry Sattar
    yesterday






  • 8




    @HarrySattar unless he doesn't deny it. If he says "yes" then you know.
    – schroeder♦
    yesterday






  • 25




    @HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
    – Nelson
    19 hours ago







  • 12




    @HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
    – tudor
    15 hours ago







47




47




If he's a friend can you go analog and just ask him?
– HashHazard
yesterday




If he's a friend can you go analog and just ask him?
– HashHazard
yesterday




3




3




@HashHazard for sure he will deny
– Harry Sattar
yesterday




@HashHazard for sure he will deny
– Harry Sattar
yesterday




8




8




@HarrySattar unless he doesn't deny it. If he says "yes" then you know.
– schroeder♦
yesterday




@HarrySattar unless he doesn't deny it. If he says "yes" then you know.
– schroeder♦
yesterday




25




25




@HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
– Nelson
19 hours ago





@HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
– Nelson
19 hours ago





12




12




@HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
– tudor
15 hours ago




@HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
– tudor
15 hours ago










5 Answers
5






active

oldest

votes

















up vote
38
down vote













No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.



But there will be no way to determine, by looking at the USB, if the files were copied.






share|improve this answer


















  • 2




    There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
    – schroeder♦
    yesterday






  • 4




    This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
    – David Foerster
    yesterday






  • 4




    @DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
    – schroeder♦
    yesterday







  • 5




    @DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
    – Tobia Tesan
    yesterday






  • 1




    @BenVoigt that makes WAY more sense - thanks!
    – schroeder♦
    22 hours ago

















up vote
21
down vote













There is no way to be sure by strictly technical means.



On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.



On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.



So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.






share|improve this answer








New contributor




IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    up vote
    3
    down vote













    It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).



    If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.



    Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.



    In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.






    share|improve this answer






















    • If you know what the Windows equivalent of ls -lu is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
      – Toby Speight
      11 hours ago











    • The Windows equivalent of ls -lu is dir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
      – Jules
      7 hours ago






    • 1




      TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
      – Toby Speight
      7 hours ago

















    up vote
    2
    down vote













    You could try dir /T:A and compare with dir /T:C



    /T TimeField Specify the time field displayed 
    and used for sorting. TimeField may be any of the
    following letters.

    C : Creation time.
    A : Last access time.
    W : Last write time.

    For instance, when you use the option "/T:C," the
    time listed is when the file was created.


    Refer: https://www.computerhope.com/dirhlp.htm






    share|improve this answer








    New contributor




    Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.
























      up vote
      1
      down vote













      By default, there will be no record of such activity.



      When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.



      Per Microsoft's documentation:




      NTFS also permits last access time updates to be disabled. Last access
      time is not updated on NTFS volumes by default.




      Your friend could copy any file(s), and I would not expect the "last access" date to change.



      In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.



      An Inconclusive Method



      The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.



      Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.



      Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.






      share|improve this answer






















        Your Answer







        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "162"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        convertImagesToLinks: false,
        noModals: false,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        noCode: true, onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );






        Harry Sattar is a new contributor. Be nice, and check out our Code of Conduct.









         

        draft saved


        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195482%2fhow-to-detect-when-files-from-my-usb-was-copied-to-another-pc%23new-answer', 'question_page');

        );

        Post as a guest






























        5 Answers
        5






        active

        oldest

        votes








        5 Answers
        5






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes








        up vote
        38
        down vote













        No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.



        But there will be no way to determine, by looking at the USB, if the files were copied.






        share|improve this answer


















        • 2




          There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
          – schroeder♦
          yesterday






        • 4




          This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
          – David Foerster
          yesterday






        • 4




          @DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
          – schroeder♦
          yesterday







        • 5




          @DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
          – Tobia Tesan
          yesterday






        • 1




          @BenVoigt that makes WAY more sense - thanks!
          – schroeder♦
          22 hours ago














        up vote
        38
        down vote













        No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.



        But there will be no way to determine, by looking at the USB, if the files were copied.






        share|improve this answer


















        • 2




          There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
          – schroeder♦
          yesterday






        • 4




          This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
          – David Foerster
          yesterday






        • 4




          @DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
          – schroeder♦
          yesterday







        • 5




          @DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
          – Tobia Tesan
          yesterday






        • 1




          @BenVoigt that makes WAY more sense - thanks!
          – schroeder♦
          22 hours ago












        up vote
        38
        down vote










        up vote
        38
        down vote









        No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.



        But there will be no way to determine, by looking at the USB, if the files were copied.






        share|improve this answer














        No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.



        But there will be no way to determine, by looking at the USB, if the files were copied.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited yesterday

























        answered yesterday









        schroeder♦

        66.7k25141178




        66.7k25141178







        • 2




          There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
          – schroeder♦
          yesterday






        • 4




          This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
          – David Foerster
          yesterday






        • 4




          @DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
          – schroeder♦
          yesterday







        • 5




          @DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
          – Tobia Tesan
          yesterday






        • 1




          @BenVoigt that makes WAY more sense - thanks!
          – schroeder♦
          22 hours ago












        • 2




          There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
          – schroeder♦
          yesterday






        • 4




          This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
          – David Foerster
          yesterday






        • 4




          @DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
          – schroeder♦
          yesterday







        • 5




          @DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
          – Tobia Tesan
          yesterday






        • 1




          @BenVoigt that makes WAY more sense - thanks!
          – schroeder♦
          22 hours ago







        2




        2




        There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
        – schroeder♦
        yesterday




        There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
        – schroeder♦
        yesterday




        4




        4




        This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
        – David Foerster
        yesterday




        This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
        – David Foerster
        yesterday




        4




        4




        @DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
        – schroeder♦
        yesterday





        @DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
        – schroeder♦
        yesterday





        5




        5




        @DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
        – Tobia Tesan
        yesterday




        @DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
        – Tobia Tesan
        yesterday




        1




        1




        @BenVoigt that makes WAY more sense - thanks!
        – schroeder♦
        22 hours ago




        @BenVoigt that makes WAY more sense - thanks!
        – schroeder♦
        22 hours ago












        up vote
        21
        down vote













        There is no way to be sure by strictly technical means.



        On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.



        On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.



        So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.






        share|improve this answer








        New contributor




        IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





















          up vote
          21
          down vote













          There is no way to be sure by strictly technical means.



          On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.



          On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.



          So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.






          share|improve this answer








          New contributor




          IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.



















            up vote
            21
            down vote










            up vote
            21
            down vote









            There is no way to be sure by strictly technical means.



            On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.



            On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.



            So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.






            share|improve this answer








            New contributor




            IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            There is no way to be sure by strictly technical means.



            On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.



            On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.



            So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.







            share|improve this answer








            New contributor




            IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            share|improve this answer



            share|improve this answer






            New contributor




            IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            answered 19 hours ago









            IMil

            30114




            30114




            New contributor




            IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





            New contributor





            IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.






            IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.




















                up vote
                3
                down vote













                It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).



                If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.



                Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.



                In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.






                share|improve this answer






















                • If you know what the Windows equivalent of ls -lu is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
                  – Toby Speight
                  11 hours ago











                • The Windows equivalent of ls -lu is dir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
                  – Jules
                  7 hours ago






                • 1




                  TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
                  – Toby Speight
                  7 hours ago














                up vote
                3
                down vote













                It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).



                If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.



                Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.



                In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.






                share|improve this answer






















                • If you know what the Windows equivalent of ls -lu is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
                  – Toby Speight
                  11 hours ago











                • The Windows equivalent of ls -lu is dir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
                  – Jules
                  7 hours ago






                • 1




                  TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
                  – Toby Speight
                  7 hours ago












                up vote
                3
                down vote










                up vote
                3
                down vote









                It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).



                If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.



                Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.



                In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.






                share|improve this answer














                It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).



                If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.



                Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.



                In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 7 hours ago

























                answered 12 hours ago









                Toby Speight

                834313




                834313











                • If you know what the Windows equivalent of ls -lu is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
                  – Toby Speight
                  11 hours ago











                • The Windows equivalent of ls -lu is dir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
                  – Jules
                  7 hours ago






                • 1




                  TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
                  – Toby Speight
                  7 hours ago
















                • If you know what the Windows equivalent of ls -lu is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
                  – Toby Speight
                  11 hours ago











                • The Windows equivalent of ls -lu is dir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
                  – Jules
                  7 hours ago






                • 1




                  TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
                  – Toby Speight
                  7 hours ago















                If you know what the Windows equivalent of ls -lu is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
                – Toby Speight
                11 hours ago





                If you know what the Windows equivalent of ls -lu is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
                – Toby Speight
                11 hours ago













                The Windows equivalent of ls -lu is dir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
                – Jules
                7 hours ago




                The Windows equivalent of ls -lu is dir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
                – Jules
                7 hours ago




                1




                1




                TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
                – Toby Speight
                7 hours ago




                TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
                – Toby Speight
                7 hours ago










                up vote
                2
                down vote













                You could try dir /T:A and compare with dir /T:C



                /T TimeField Specify the time field displayed 
                and used for sorting. TimeField may be any of the
                following letters.

                C : Creation time.
                A : Last access time.
                W : Last write time.

                For instance, when you use the option "/T:C," the
                time listed is when the file was created.


                Refer: https://www.computerhope.com/dirhlp.htm






                share|improve this answer








                New contributor




                Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.





















                  up vote
                  2
                  down vote













                  You could try dir /T:A and compare with dir /T:C



                  /T TimeField Specify the time field displayed 
                  and used for sorting. TimeField may be any of the
                  following letters.

                  C : Creation time.
                  A : Last access time.
                  W : Last write time.

                  For instance, when you use the option "/T:C," the
                  time listed is when the file was created.


                  Refer: https://www.computerhope.com/dirhlp.htm






                  share|improve this answer








                  New contributor




                  Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.



















                    up vote
                    2
                    down vote










                    up vote
                    2
                    down vote









                    You could try dir /T:A and compare with dir /T:C



                    /T TimeField Specify the time field displayed 
                    and used for sorting. TimeField may be any of the
                    following letters.

                    C : Creation time.
                    A : Last access time.
                    W : Last write time.

                    For instance, when you use the option "/T:C," the
                    time listed is when the file was created.


                    Refer: https://www.computerhope.com/dirhlp.htm






                    share|improve this answer








                    New contributor




                    Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.









                    You could try dir /T:A and compare with dir /T:C



                    /T TimeField Specify the time field displayed 
                    and used for sorting. TimeField may be any of the
                    following letters.

                    C : Creation time.
                    A : Last access time.
                    W : Last write time.

                    For instance, when you use the option "/T:C," the
                    time listed is when the file was created.


                    Refer: https://www.computerhope.com/dirhlp.htm







                    share|improve this answer








                    New contributor




                    Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.









                    share|improve this answer



                    share|improve this answer






                    New contributor




                    Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.









                    answered 9 hours ago









                    Chris Paul

                    211




                    211




                    New contributor




                    Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.





                    New contributor





                    Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.






                    Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.




















                        up vote
                        1
                        down vote













                        By default, there will be no record of such activity.



                        When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.



                        Per Microsoft's documentation:




                        NTFS also permits last access time updates to be disabled. Last access
                        time is not updated on NTFS volumes by default.




                        Your friend could copy any file(s), and I would not expect the "last access" date to change.



                        In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.



                        An Inconclusive Method



                        The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.



                        Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.



                        Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.






                        share|improve this answer


























                          up vote
                          1
                          down vote













                          By default, there will be no record of such activity.



                          When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.



                          Per Microsoft's documentation:




                          NTFS also permits last access time updates to be disabled. Last access
                          time is not updated on NTFS volumes by default.




                          Your friend could copy any file(s), and I would not expect the "last access" date to change.



                          In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.



                          An Inconclusive Method



                          The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.



                          Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.



                          Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.






                          share|improve this answer
























                            up vote
                            1
                            down vote










                            up vote
                            1
                            down vote









                            By default, there will be no record of such activity.



                            When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.



                            Per Microsoft's documentation:




                            NTFS also permits last access time updates to be disabled. Last access
                            time is not updated on NTFS volumes by default.




                            Your friend could copy any file(s), and I would not expect the "last access" date to change.



                            In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.



                            An Inconclusive Method



                            The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.



                            Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.



                            Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.






                            share|improve this answer














                            By default, there will be no record of such activity.



                            When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.



                            Per Microsoft's documentation:




                            NTFS also permits last access time updates to be disabled. Last access
                            time is not updated on NTFS volumes by default.




                            Your friend could copy any file(s), and I would not expect the "last access" date to change.



                            In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.



                            An Inconclusive Method



                            The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.



                            Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.



                            Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.







                            share|improve this answer














                            share|improve this answer



                            share|improve this answer








                            edited 3 hours ago

























                            answered 3 hours ago









                            DoubleD

                            1,907118




                            1,907118




















                                Harry Sattar is a new contributor. Be nice, and check out our Code of Conduct.









                                 

                                draft saved


                                draft discarded


















                                Harry Sattar is a new contributor. Be nice, and check out our Code of Conduct.












                                Harry Sattar is a new contributor. Be nice, and check out our Code of Conduct.











                                Harry Sattar is a new contributor. Be nice, and check out our Code of Conduct.













                                 


                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function ()
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195482%2fhow-to-detect-when-files-from-my-usb-was-copied-to-another-pc%23new-answer', 'question_page');

                                );

                                Post as a guest













































































                                Comments

                                Popular posts from this blog

                                Long meetings (6-7 hours a day): Being “babysat” by supervisor

                                What does second last employer means? [closed]

                                One-line joke