35

I accidentally gave my USB to my friend and then I realized it had some important files of mine. Is there any way I can know if he got something from the USB?

Kevin
  • 151
  • 5
Harry Sattar
  • 499
  • 1
  • 4
  • 5
  • 109
    If he's a **friend** can you go analog and just ask him? – HashHazard Oct 10 '18 at 17:35
  • 6
    @HashHazard for sure he will deny – Harry Sattar Oct 10 '18 at 19:59
  • 17
    @HarrySattar unless he doesn't deny it. If he says "yes" then you know. – schroeder Oct 10 '18 at 20:57
  • 63
    @HarrySattar Just remember it's fairly toxic to assume your friends will lie to your face. This is on you. If your friend had done **absolutely nothing wrong**, you're already assuming he had copied your files and will lie about it, which is, based on current information, a situation you **completely made up**. – Nelson Oct 11 '18 at 01:20
  • 3
    @Nelson Actually in those files I had my final project. Which he was struggling to create. And I know him he will take advantage of that mistake.Still should I ask him? – Harry Sattar Oct 11 '18 at 05:25
  • @Kyslik and what if you aim to publish that project as a Product of your startup. I have that project everywhere I could save. – Harry Sattar Oct 12 '18 at 14:32
  • Quick note in case this gets thrown over to Interpersonal.SE from @tudor's comment. We don't accept "What should I do?" questions over there, so "Should I ask him?" would likely get closed. That being said, "How can I ask a friend if he copied some sensitive information when I lent him my USB?" would fit right in. – scohe001 Oct 12 '18 at 20:29
  • Some applications routinely store the user's name, etc. in the document properties. If your files include that, your friend may not know to look. If he copies your work, makes some content changes, and claims the files are his own work, you'd still be able to see properties when you look. This approach relies on lots of assumptions ... – donjuedo Oct 12 '18 at 21:41

5 Answers5

83

No logs are recorded on the USB itself around file accesses. At best, you might know if the files were changed by looking at the file timestamps, which can sometimes happen just by opening them, depending on the program opening them.

But there will be no way to determine, by looking at the USB, if the files were copied.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • No timestamps are there. Can I get the history what folders were opened and when?? – Harry Sattar Oct 10 '18 at 17:01
  • 3
    There will be timestamps in the metadata of the files (right click and choose "Properties" or choose the "Details" view in File Explorer). Those other file activities you ask about are not recorded in Windows file systems. – schroeder Oct 10 '18 at 17:03
  • 8
    This assumes that your friend didn’t reset the access time stamp afterwards which is trivial if you care about it. – David Foerster Oct 10 '18 at 20:27
  • 9
    @DavidFoerster hence the "at best". And even I had to look it up since you mentioned it, so I'm not sure that "trivial" can equate to "likely". – schroeder Oct 10 '18 at 20:32
  • My comment was less of a criticism of your answer and more of a clarification for OP and other readers. :-) Triviality is often in the eye of the beholder. My maths professor would often call omitted parts of a solution "trivial" meaning "you may need to look it up but you should have little trouble understanding this part". – David Foerster Oct 10 '18 at 20:35
  • 10
    @DavidFoerster assuming, more importantly, that the friend didn't have the foresight of mounting the drive read-only. – Tobia Tesan Oct 10 '18 at 21:00
  • 1
    Testing a USB stick here on Windows 7, I can see a *date*, but not a time for "accessed" under file properties (unlike a local disk or network share, where "accessed" has a time as well. But previews can set the accessed time anyway. – Chris H Oct 11 '18 at 12:14
  • 1
    Also note that there are registry settings in Windows (and options that can be set under Linux) that disable updating of access timestamps, so they absolutely cannot be relied upon. – Jules Oct 11 '18 at 13:32
  • 5
    I'd suggest adding to this answer: *do not attempt to view access timestamps using Explorer*. Just opening the folder containing the files with Explorer can cause it to read the files in order to produce a preview image, thus losing the access time information. Use a command prompt and `dir /ta` to get the information. But as pointed out by TobySpeight below, FAT filesystems (which is almost certainly what's on the device) don't track update times anyway, so the information almost certainly doesn't exist. – Jules Oct 11 '18 at 13:44
  • 1
    @Jules but that also means that the friend could just have opened the device in explorer in order to put something on there, so the changed access timestamps do not prove that anything was copied. – eMBee Oct 14 '18 at 15:06
52

There is no way to be sure by strictly technical means.

On the one hand, if your friend has antivirus software installed, it would probably scan your USB stick as soon as it was plugged in their machine; and this would be completely indistinguishable from data being read as a part of copy operation.

On another hand, if they would like to cover their tracks, there are many ways to reset the timestamps, and to prevent their change in the first place.

So... ask them? Get access to their machine and check for the copies your files (if they agree)? Tell them that your data was sensitive and kindly ask to delete it if they accidentally copied it? These might be the questions for Interpersonal and Law SE's; security-wise, your data are already compromised.

IMil
  • 1,081
  • 1
  • 7
  • 7
12

It depends on what kind of filesystem is on the disk. Most filesystems retain an access time that can be viewed with ls -lu, provided the "friend" mounted the filesystem read/write. (Note: apparently Windows OSes have no equivalent to ls -lu, so this won't be useful if that's what you have).

If the "friend" mounted the filesystem read-only (or with noatime or similar options), or the disk has a filesystem that doesn't store access times (notably FAT and derivatives), or he covered his tracks by using utime() after reading, then you won't see this evidence.

Alternatively, you might get a "false positive" if something on his system read the file autonomously (e.g. for generating summaries, or looking for malware), but he didn't see the contents or copy the files.

In the end, what little information that is recorded on the media tells you very little about whether the information was accessed, and if so, how it was accessed.

Toby Speight
  • 1,214
  • 9
  • 17
  • If you know what the Windows equivalent of `ls -lu` is, then please edit it in. As I know nothing about Windows, I'm not qualified to do so. I'm not even sure that Windows can actually mount any filesystems other than its native ones (and possibly ISO 9660? But that doesn't record access times either, for obvious reasons). – Toby Speight Oct 11 '18 at 09:10
  • 4
    The Windows equivalent of `ls -lu` is `dir /ta`, although it is somewhat less likely to be useful due to the prepensity of various Windows software (including Explorer) to automatically open and scan any files of types that it recognizes in order to show previews, along with the fact that many users install "tweak" software that often recommends disabling access time updates for performance reasons. Also, as Windows by default formats removable storage devices as FAT, the information is not likely to be present in any case, unless OP intentionally formatted the device as NTFS. – Jules Oct 11 '18 at 13:40
  • 2
    TBH, it really hadn't occurred to me that it might have been in a Windows environment when I read the question. If it had even suggested that, I wouldn't have bothered answering. – Toby Speight Oct 11 '18 at 14:04
  • Also I am probably not the only one, who have in fstab set noatime for all media (for elimination of writing timestamps repeatedly, when I do not use prorams, that rely on them - mutt and like) – gilhad Oct 13 '18 at 06:48
6

You could try dir /T:A and compare with dir /T:C

/T TimeField    Specify the time field displayed 
and used for sorting. TimeField may be any of the
following letters.

  C : Creation time.
  A : Last access time.
  W : Last write time.

For instance, when you use the option "/T:C," the 
time listed is when the file was created.

Refer: https://www.computerhope.com/dirhlp.htm

Chris Paul
  • 61
  • 2
3

By default, there will be no record of such activity.

When a file is accessed or changed, either the OS or the application can update its "last write" or "last access" property.

Per Microsoft's documentation:

NTFS also permits last access time updates to be disabled. Last access time is not updated on NTFS volumes by default.

Your friend could copy any file(s), and I would not expect the "last access" date to change.

In addition, any auditing for failed/successful attempts to access files would be recorded in the Security log on his computer.

An Inconclusive Method

The only other method is checking for foreign SIDs on file/folder ACLs. If you look at the permissions on a file (on the Security tab), unresolved SIDs may appear.

Unresolved SIDs appear as long strings, such as S-1-5-21-3624371015-3360199248-30038020-3220, rather than human-readable names like SYSTEM, Network Service, or JohnSmith.

Note that foreign SIDs will only be added if he took ownership of files or modified permissions, so the absence of such SIDs does not indicate a lack of access.

DoubleD
  • 3,862
  • 1
  • 6
  • 14
  • This is the correct answer. Even if the pendrive uses NTFS (unlikely), last access times are not updated by default since Vista. – kinokijuf Oct 15 '18 at 04:47
  • @kinokijuf Right, and even if they *were* updated, it doesn't mean that the files were copied, it just means they were accessed, for example opened for viewing. – ChatterOne Oct 15 '18 at 09:36