I have a USB flash drive and I believed someone else may have plugged it in their computer and copied some files.
Using my Mac, how do I know when was the last time my usb flash drive was plugged in?
Way to find out when a USB flash drive has been last used (on any computer)
filesystemSecurityusb
Related Question
- MacOS – How to query the history record of when the USB driver which has been used
- External Hard Drive last used / files copied on another computer
- Shortcut Virus: What’s the effect on a Mac
- MacOS – Did someone copy files from the Mac
- MacOS – how to find the last time I used the usb drive
- Mac – Detecting theft of data – folder / files transfered from MacBook to USB
- How to find out which kernel extension has been updated
Best Answer
The best evidence you could get is to inspect the last access time of the files in question, or perhaps the last access time of the top-level directory on the file system.
But first, a bit of background. A USB flash drive would be treated by the computer much like a disk. The drive (or, more precisely, the main partition within the drive) would be formatted as a filesystem. Most flash media come formatted out of the box with a VFAT filesystem, which is a lowest-common-denominator solution that works with nearly all devices, including OS X, Windows, Linux, and digital cameras. The next most likely alternatives to VFAT would be HFS+ (the native file system of OS X, which Windows doesn't support at all) or NTFS (the native file system of Windows, supported by any version of Windows released this century, but which has just read-only support in OS X, and is rarely supported on digital cameras).
That background is relevant because different filesystems store the last access time differently. I'm going to work with the assumption that your USB stick is formatted with VFAT. This is important because VFAT filesystems only store the last access date, not the time of day. That would be the best evidence you could hope to collect, assuming that everything else goes right.
To see last access dates in the Finder,
Alternatively, instead of using the Finder, you could use the Terminal to run
to see the Access time of a particular file.
There are some important caveats, though!
First, the act of plugging in the media on your Mac will cause it to be automatically mounted, thus altering the last access time of the top-level directory (and perhaps destroying even more evidence than that). A forensic analysis should require precautions such as mounting the media in read-only mode. Therefore, you would have to suppress the auto-mounting behaviour of OS X, which is not that easy.
Second, your suspected coworker / spy could have taken a similar countermeasure of mounting the media read-only, thus leaving no timestamp as evidence. (There is also no guarantee that the computer that the spy used had its clock set accurately, which would cast doubt on the validity of any timestamp.)
The moral of the story is, if you have any sensitive information to be stored on removable media, encrypt it! The easiest solution would be to use FileVault 2. Note, however, that such encryption would make the USB stick unreadable on any machine other than a Mac.