
Tracing if files have been copied from a disk

  • 11-05-2005 2:46pm
    #1
    Closed Accounts Posts: 333 ✭✭


    Greetings

    I have been asked if there was any way to find out if someone has copied files off your Mac. To clarify, this person had a loan of this Mac but they may have copied some files from it. The Mac was physically moved to another location, so there was no network hacking involved.

    From an IT point of view, I have explained that you could probably find files that were written to the disk and then deleted again using the same technology as the Gardai use to catch paedophiles, but reading files wouldn't leave a trace.

    The Mac has a DVD burner on it but there is no log file showing what was burned. An external disk could easily have been connected to it at some stage and the files copied then. The Mac is running OS9.2.

    Any ideas or theories on this would be really appreciated.

    Cheers

    McGinty


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    seeing as how this isn't in the MAC forum..

    In the world of windows, you'd need Auditing turned on to see who looked at what. There is an NTFS last access datestamp, but this might as well be turned off since there is a performance hit and the files will get datestamped when backed up / virus checked ie. every day ;)

    Other ways are to look in the temp folder and the recently used documents / favorites / in the apps themselves. REST2514 can look for deleted files on NTFS / FAT - things like SDELETE / ERASER can wipe files/free space with multiple passes

    If it is critical then you should clone the hard drive before powering up the MAC so any evidence will still be available.

    RANT Bottom line - if someone has had physical access to a computer that hasn't been locked down, they own it. Tell the people involved to put it down to experience. I'm sick of being asked to restrict access to stuff afterwards by the same person who insisted it be granted earlier. That sort of stuff is a management issue not an IT issue /RANT (you could install spyware like CANARY but that would be a legal minefield (DPA) if you didn't tell people as you would probably get personal info).

    Only other thing I could suggest is to see if the system is "too clean": does it look like traces have been cleared? In the Windows world the temp folder would be empty, as would internet caches, and the free space wiped and scandisked and defragged (and probably a system restore for good measure).


  • Registered Users, Registered Users 2 Posts: 102 ✭✭cormy


    [Edit] OK I'm making a real habit out of not reading posts properly before replying to them (the advice below applies to OS X, not 9.x as the original post states). Nonetheless the principle (i.e. whereby the UFS stores access times - explained below) may well ring true for whatever FileSystem type OS 9.x uses [/Edit]

    <Disclaimer>
    Mac users/experts feel free to shoot this one down in flames - I'm not a Mac person
    </Disclaimer>

    AFAIK Mac OSX is based on unix. In unix - or more specifically the UFS (Unix FileSystem type), the default behaviour is actually for the last access time to be recorded in the inode (the little 'administrative' portion of a file that stores ownership/permissions/last modified time/size etc. of the file - basically what you see when you run 'ls -l' from the command line).

    This means that you should be able to tell when a file was last accessed - by running (from a command line) 'ls -lu' (the 'u' switch outputs the access time). A file copy, a backup run or other type of opening will cause this 'last accessed' value to be updated - which might help you at least know what files definitely *haven't* been copied.

    Then again like I said things may be different in the Mac world (and your mac may be running something pre-OSX).
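
The access-time check described in the post above, as an added example that is not part of the original thread: it sorts files by the same timestamp `ls -lu` shows, relative to the period the machine was on loan. The function name, bucket names and the sample loan period are assumptions made for illustration, and the sample files are constructed.

```python
import os
import tempfile

def classify_by_atime(root, window_start, window_end):
    """Sort files under root by last-access time (what 'ls -lu' shows)
    relative to the period the machine was out of your hands.
    Times are epoch seconds. Returns a dict of lists of (path, atime)."""
    result = {"not_accessed": [], "in_window": [], "later": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                # lstat reads the inode only, so it does not itself
                # update the file's access time.
                atime = os.lstat(path).st_atime
            except OSError:
                continue  # unreadable entry: skip rather than guess
            if atime < window_start:
                # Not opened since before the window (only meaningful
                # if the volume records atime, i.e. not mounted noatime).
                result["not_accessed"].append((path, atime))
            elif atime <= window_end:
                # Opened during the window: by a copy, but equally by a
                # backup, virus scan or indexer.
                result["in_window"].append((path, atime))
            else:
                # Opened after the window; any earlier access time was
                # overwritten, so nothing can be concluded.
                result["later"].append((path, atime))
    return result

def demo():
    # Constructed sample: three empty files with hand-set access times.
    start, end = 1_115_800_000, 1_115_900_000  # hypothetical loan period
    root = tempfile.mkdtemp()
    for name, atime in (("old.doc", start - 86400),
                        ("read.doc", start + 3600),
                        ("recent.doc", end + 3600)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.utime(path, (atime, atime))
    return classify_by_atime(root, start, end)

if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket, [os.path.basename(p) for p, _ in entries])
```

Run it against a read-only mount of a cloned disk rather than the live volume, since normal use after the machine comes back keeps moving files into the inconclusive "later" bucket.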

