Mixing
How to detect when files from my USB was copied to another PC?
Clash Royale CLAN TAG#URR8PPP
up vote
9
down vote
favorite
I accidentally gave my USB to my friend and then I realized it had some important files of mine. Is there any way I can know if he got something from the USB?
detection usb-drive
edited 11 mins ago
Braiam
15815
asked yesterday
Harry Sattar
5814
New contributor
Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
 |Â
show 1 more comment
up vote
9
down vote
favorite
I accidentally gave my USB to my friend and then I realized it had some important files of mine. Is there any way I can know if he got something from the USB?
detection usb-drive
edited 11 mins ago
Braiam
15815
asked yesterday
Harry Sattar
5814
New contributor
Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
47
If he's a friend can you go analog and just ask him?
– HashHazard
yesterday
3
@HashHazard for sure he will deny
– Harry Sattar
yesterday
8
@HarrySattar unless he doesn't deny it. If he says "yes" then you know.
– schroeder♦
yesterday
25
@HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
– Nelson
19 hours ago
12
@HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
– tudor
15 hours ago
 |Â
show 1 more comment
up vote
9
down vote
favorite
up vote
9
down vote
favorite
I accidentally gave my USB to my friend and then I realized it had some important files of mine. Is there any way I can know if he got something from the USB?
detection usb-drive
edited 11 mins ago
Braiam
15815
asked yesterday
Harry Sattar
5814
New contributor
Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I accidentally gave my USB to my friend and then I realized it had some important files of mine. Is there any way I can know if he got something from the USB?
detection usb-drive
detection usb-drive
edited 11 mins ago
Braiam
15815
asked yesterday
Harry Sattar
5814
New contributor
Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 11 mins ago
Braiam
15815
asked yesterday
Harry Sattar
5814
New contributor
Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 11 mins ago
Braiam
15815
edited 11 mins ago
Braiam
15815
edited 11 mins ago
Braiam
15815
15815
asked yesterday
Harry Sattar
5814
New contributor
Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
Harry Sattar
5814
asked yesterday
Harry Sattar
5814
5814
New contributor
Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Harry Sattar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
47
If he's a friend can you go analog and just ask him?
– HashHazard
yesterday
3
@HashHazard for sure he will deny
– Harry Sattar
yesterday
8
@HarrySattar unless he doesn't deny it. If he says "yes" then you know.
– schroeder♦
yesterday
25
@HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
– Nelson
19 hours ago
12
@HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
– tudor
15 hours ago
 |Â
show 1 more comment
47
If he's a friend can you go analog and just ask him?
– HashHazard
yesterday
3
@HashHazard for sure he will deny
– Harry Sattar
yesterday
8
@HarrySattar unless he doesn't deny it. If he says "yes" then you know.
– schroeder♦
yesterday
25
@HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
– Nelson
19 hours ago
12
@HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
– tudor
15 hours ago
47
47
If he's a friend can you go analog and just ask him?
– HashHazard
yesterday
If he's a friend can you go analog and just ask him?
– HashHazard
yesterday
3
3
@HashHazard for sure he will deny
– Harry Sattar
yesterday
@HashHazard for sure he will deny
– Harry Sattar
yesterday
8
8
@HarrySattar unless he doesn't deny it. If he says "yes" then you know.
– schroeder♦
yesterday
@HarrySattar unless he doesn't deny it. If he says "yes" then you know.
– schroeder♦
yesterday
25
25
@HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
– Nelson
19 hours ago
@HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
– Nelson
19 hours ago
12
12
@HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
– tudor
15 hours ago
@HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
– tudor
15 hours ago
 |Â
show 1 more comment
5 Answers
5
active
oldest
votes
up vote
38
down vote
No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.
But there will be no way to determine, by looking at the USB, if the files were copied.
answered yesterday
schroeder♦
66.7k25141178
2
There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
– schroeder♦
yesterday
4
This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
– David Foerster
yesterday
4
@DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
– schroeder♦
yesterday
5
@DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
– Tobia Tesan
yesterday
1
@BenVoigt that makes WAY more sense - thanks!
– schroeder♦
22 hours ago
 |Â
show 5 more comments
up vote
21
down vote
There is no way to be sure by strictly technical means.
On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.
On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.
So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.
answered 19 hours ago
IMil
30114
New contributor
IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
3
down vote
It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).
If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.
Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.
In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.
answered 12 hours ago
Toby Speight
834313
If you know what the Windows equivalent ofls -luis, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
– Toby Speight
11 hours ago
The Windows equivalent ofls -luisdir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
– Jules
7 hours ago
1
TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
– Toby Speight
7 hours ago
add a comment |Â
up vote
2
down vote
You could try dir /T:A and compare with dir /T:C
/T TimeField Specify the time field displayed
and used for sorting. TimeField may be any of the
following letters.
C : Creation time.
A : Last access time.
W : Last write time.
For instance, when you use the option "/T:C," the
time listed is when the file was created.
Refer: https://www.computerhope.com/dirhlp.htm
answered 9 hours ago
Chris Paul
211
New contributor
Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
1
down vote
By default, there will be no record of such activity.
When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.
Per Microsoft's documentation:
NTFS also permits last access time updates to be disabled. Last access
time is not updated on NTFS volumes by default.
Your friend could copy any file(s), and I would not expect the "last access" date to change.
In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.
An Inconclusive Method
The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.
Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.
Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.
answered 3 hours ago
DoubleD
1,907118
add a comment |Â
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
38
down vote
No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.
But there will be no way to determine, by looking at the USB, if the files were copied.
answered yesterday
schroeder♦
66.7k25141178
2
There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
– schroeder♦
yesterday
4
This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
– David Foerster
yesterday
4
@DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
– schroeder♦
yesterday
5
@DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
– Tobia Tesan
yesterday
1
@BenVoigt that makes WAY more sense - thanks!
– schroeder♦
22 hours ago
 |Â
show 5 more comments
up vote
38
down vote
No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.
But there will be no way to determine, by looking at the USB, if the files were copied.
answered yesterday
schroeder♦
66.7k25141178
2
There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
– schroeder♦
yesterday
4
This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
– David Foerster
yesterday
4
@DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
– schroeder♦
yesterday
5
@DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
– Tobia Tesan
yesterday
1
@BenVoigt that makes WAY more sense - thanks!
– schroeder♦
22 hours ago
 |Â
show 5 more comments
up vote
38
down vote
up vote
38
down vote
No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.
But there will be no way to determine, by looking at the USB, if the files were copied.
answered yesterday
schroeder♦
66.7k25141178
No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.
But there will be no way to determine, by looking at the USB, if the files were copied.
answered yesterday
schroeder♦
66.7k25141178
edited yesterday
answered yesterday
schroeder♦
66.7k25141178
answered yesterday
schroeder♦
66.7k25141178
answered yesterday
schroeder♦
66.7k25141178
66.7k25141178
2
There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
– schroeder♦
yesterday
4
This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
– David Foerster
yesterday
4
@DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
– schroeder♦
yesterday
5
@DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
– Tobia Tesan
yesterday
1
@BenVoigt that makes WAY more sense - thanks!
– schroeder♦
22 hours ago
 |Â
show 5 more comments
2
There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
– schroeder♦
yesterday
4
This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
– David Foerster
yesterday
4
@DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
– schroeder♦
yesterday
5
@DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
– Tobia Tesan
yesterday
1
@BenVoigt that makes WAY more sense - thanks!
– schroeder♦
22 hours ago
2
2
There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
– schroeder♦
yesterday
There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems.
– schroeder♦
yesterday
4
4
This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
– David Foerster
yesterday
This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it.
– David Foerster
yesterday
4
4
@DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
– schroeder♦
yesterday
@DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely".
– schroeder♦
yesterday
5
5
@DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
– Tobia Tesan
yesterday
@DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only.
– Tobia Tesan
yesterday
1
1
@BenVoigt that makes WAY more sense - thanks!
– schroeder♦
22 hours ago
@BenVoigt that makes WAY more sense - thanks!
– schroeder♦
22 hours ago
 |Â
show 5 more comments
up vote
21
down vote
There is no way to be sure by strictly technical means.
On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.
On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.
So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.
answered 19 hours ago
IMil
30114
New contributor
IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
21
down vote
There is no way to be sure by strictly technical means.
On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.
On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.
So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.
answered 19 hours ago
IMil
30114
New contributor
IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
21
down vote
up vote
21
down vote
There is no way to be sure by strictly technical means.
On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.
On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.
So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.
answered 19 hours ago
IMil
30114
New contributor
IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
There is no way to be sure by strictly technical means.
On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.
On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.
So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.
answered 19 hours ago
IMil
30114
New contributor
IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 19 hours ago
IMil
30114
New contributor
IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 19 hours ago
IMil
30114
answered 19 hours ago
IMil
30114
30114
New contributor
IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
IMil is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
add a comment |Â
up vote
3
down vote
It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).
If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.
Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.
In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.
answered 12 hours ago
Toby Speight
834313
If you know what the Windows equivalent ofls -luis, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
– Toby Speight
11 hours ago
The Windows equivalent ofls -luisdir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
– Jules
7 hours ago
1
TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
– Toby Speight
7 hours ago
add a comment |Â
up vote
3
down vote
It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).
If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.
Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.
In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.
answered 12 hours ago
Toby Speight
834313
If you know what the Windows equivalent ofls -luis, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
– Toby Speight
11 hours ago
The Windows equivalent ofls -luisdir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
– Jules
7 hours ago
1
TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
– Toby Speight
7 hours ago
add a comment |Â
up vote
3
down vote
up vote
3
down vote
It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).
If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.
Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.
In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.
answered 12 hours ago
Toby Speight
834313
It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).
If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.
Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.
In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.
answered 12 hours ago
Toby Speight
834313
edited 7 hours ago
answered 12 hours ago
Toby Speight
834313
answered 12 hours ago
Toby Speight
834313
answered 12 hours ago
Toby Speight
834313
834313
If you know what the Windows equivalent ofls -luis, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
– Toby Speight
11 hours ago
The Windows equivalent ofls -luisdir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
– Jules
7 hours ago
1
TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
– Toby Speight
7 hours ago
add a comment |Â
If you know what the Windows equivalent ofls -luis, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).
– Toby Speight
11 hours ago
The Windows equivalent ofls -luisdir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.
– Jules
7 hours ago
1
TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
– Toby Speight
7 hours ago
If you know what the Windows equivalent of
ls -lu is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).– Toby Speight
11 hours ago
If you know what the Windows equivalent of
ls -lu is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons).– Toby Speight
11 hours ago
The Windows equivalent of
ls -lu is dir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.– Jules
7 hours ago
The Windows equivalent of
ls -lu is dir /ta, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS.– Jules
7 hours ago
1
1
TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
– Toby Speight
7 hours ago
TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering.
– Toby Speight
7 hours ago
add a comment |Â
up vote
2
down vote
You could try dir /T:A and compare with dir /T:C
/T TimeField Specify the time field displayed
and used for sorting. TimeField may be any of the
following letters.
C : Creation time.
A : Last access time.
W : Last write time.
For instance, when you use the option "/T:C," the
time listed is when the file was created.
Refer: https://www.computerhope.com/dirhlp.htm
answered 9 hours ago
Chris Paul
211
New contributor
Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
2
down vote
You could try dir /T:A and compare with dir /T:C
/T TimeField Specify the time field displayed
and used for sorting. TimeField may be any of the
following letters.
C : Creation time.
A : Last access time.
W : Last write time.
For instance, when you use the option "/T:C," the
time listed is when the file was created.
Refer: https://www.computerhope.com/dirhlp.htm
answered 9 hours ago
Chris Paul
211
New contributor
Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
2
down vote
up vote
2
down vote
You could try dir /T:A and compare with dir /T:C
/T TimeField Specify the time field displayed
and used for sorting. TimeField may be any of the
following letters.
C : Creation time.
A : Last access time.
W : Last write time.
For instance, when you use the option "/T:C," the
time listed is when the file was created.
Refer: https://www.computerhope.com/dirhlp.htm
answered 9 hours ago
Chris Paul
211
New contributor
Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
You could try dir /T:A and compare with dir /T:C
/T TimeField Specify the time field displayed
and used for sorting. TimeField may be any of the
following letters.
C : Creation time.
A : Last access time.
W : Last write time.
For instance, when you use the option "/T:C," the
time listed is when the file was created.
Refer: https://www.computerhope.com/dirhlp.htm
answered 9 hours ago
Chris Paul
211
New contributor
Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 9 hours ago
Chris Paul
211
New contributor
Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 9 hours ago
Chris Paul
211
answered 9 hours ago
Chris Paul
211
211
New contributor
Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Chris Paul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
add a comment |Â
up vote
1
down vote
By default, there will be no record of such activity.
When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.
Per Microsoft's documentation:
NTFS also permits last access time updates to be disabled. Last access
time is not updated on NTFS volumes by default.
Your friend could copy any file(s), and I would not expect the "last access" date to change.
In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.
An Inconclusive Method
The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.
Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.
Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.
answered 3 hours ago
DoubleD
1,907118
add a comment |Â
up vote
1
down vote
By default, there will be no record of such activity.
When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.
Per Microsoft's documentation:
NTFS also permits last access time updates to be disabled. Last access
time is not updated on NTFS volumes by default.
Your friend could copy any file(s), and I would not expect the "last access" date to change.
In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.
An Inconclusive Method
The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.
Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.
Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.
answered 3 hours ago
DoubleD
1,907118
add a comment |Â
up vote
1
down vote
up vote
1
down vote
By default, there will be no record of such activity.
When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.
Per Microsoft's documentation:
NTFS also permits last access time updates to be disabled. Last access
time is not updated on NTFS volumes by default.
Your friend could copy any file(s), and I would not expect the "last access" date to change.
In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.
An Inconclusive Method
The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.
Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.
Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.
answered 3 hours ago
DoubleD
1,907118
By default, there will be no record of such activity.
When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.
Per Microsoft's documentation:
NTFS also permits last access time updates to be disabled. Last access
time is not updated on NTFS volumes by default.
Your friend could copy any file(s), and I would not expect the "last access" date to change.
In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.
An Inconclusive Method
The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.
Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.
Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.
answered 3 hours ago
DoubleD
1,907118
edited 3 hours ago
answered 3 hours ago
DoubleD
1,907118
answered 3 hours ago
DoubleD
1,907118
answered 3 hours ago
DoubleD
1,907118
1,907118
add a comment |Â
add a comment |Â
Harry Sattar is a new contributor. Be nice, and check out our Code of Conduct.
Harry Sattar is a new contributor. Be nice, and check out our Code of Conduct.
Harry Sattar is a new contributor. Be nice, and check out our Code of Conduct.
Harry Sattar is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f195482%2fhow-to-detect-when-files-from-my-usb-was-copied-to-another-pc%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
47
If he's a friend can you go analog and just ask him?
– HashHazard
yesterday
3
@HashHazard for sure he will deny
– Harry Sattar
yesterday
8
@HarrySattar unless he doesn't deny it. If he says "yes" then you know.
– schroeder♦
yesterday
25
@HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done absolutely nothing wrong, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you completely made up.
– Nelson
19 hours ago
12
@HarrySattar I'd say "Should I ask him?" is a question better suited to interpersonal.stackexchange.com
– tudor
15 hours ago