Is there a way to make sure that a file has been copied to a USB drive?
(Ex: I have a file secret.db and I suppose that my friend has copied it into his USB drive. With stat $filename I cannot see the updated a/c/m/time because cp doesn't update the timestamps).
Is there a way to know that or is it impossible?
I'm using Ubuntu 12.04 with Bash v4.
Best Answer
TL;DR: In many cases, you can see whether the file was accessed; however, it is impossible to tell whether a copy was made or not.
It seems that atime would be updated when using cp (unless noatime is in effect); however, doing any other read operation (like grep somestring $filename) would also touch the file.
In most installs (without a ton of auditing), it is not possible to find out why exactly the file was read, and whether the process reading the file also wrote a copy of the data elsewhere (to USB? to socket? to RAM?).
Moreover, this only concerns online, unprivileged attacks. If I have physical access, I could reboot into a live-CD distro, mount the partition read only, copy anything off it (or even make a full-disk image) and there would be no marks on the partition (except the incremented mount counter).
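The following is an added example, not part of the original answer. It shows when a read such as cp or grep actually moves atime, including the relatime rule that Linux kernels apply by default since 2.6.30 and that the answer does not mention. The function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example: would a read (cp, grep, cat ...) have moved atime?

# atime_policy OPTS -> readonly | noatime | strictatime | relatime
# OPTS is the comma-separated option field from /proc/self/mounts.
# With no explicit atime option the kernel default (relatime) applies.
atime_policy() {
    case ",$1," in
        *,ro,*)          echo readonly ;;
        *,noatime,*)     echo noatime ;;
        *,strictatime,*) echo strictatime ;;
        *)               echo relatime ;;
    esac
}

# read_updates_atime POLICY ATIME MTIME CTIME NOW  (all epoch seconds)
# Returns 0 if a read at NOW would change the stored atime, 1 if not.
read_updates_atime() {
    case "$1" in
        readonly|noatime) return 1 ;;
        strictatime)      return 0 ;;
    esac
    # relatime: update only if atime is not newer than mtime or ctime,
    # or if the stored atime is at least 24 hours old.
    [ "$2" -le "$3" ] && return 0
    [ "$2" -le "$4" ] && return 0
    [ $(( $5 - $2 )) -ge 86400 ] && return 0
    return 1
}

# Optional: report for a real file passed as the first argument.
if [ -n "${1:-}" ] && [ -e "$1" ]; then
    mnt=$(df -P -- "$1" | awk 'NR==2 {print $NF}')
    opts=$(awk -v m="$mnt" '$2==m {o=$4} END {print o}' /proc/self/mounts)
    policy=$(atime_policy "$opts")
    set -- $(stat -c '%X %Y %Z' -- "$1") "$(date +%s)"
    if read_updates_atime "$policy" "$1" "$2" "$3" "$4"; then
        echo "$policy: the next read will move atime"
    else
        echo "$policy: a read right now leaves atime unchanged"
    fi
fi
```

Under relatime, a file that was already read within the last 24 hours keeps its old atime when it is read again, so an unchanged atime does not show that the file was left alone.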