Solved

How can I see if a file has been copied to an external device?

Posted on 2008-10-08
13
1,837 Views
Last Modified: 2012-06-27
One of our users left the company. His manager suspects that he gave some confidential files to our business rival. He wants me to check the laptop for files that have been copied to an external device.
Is there any way to do this?
Thanks.
0
Comment
Question by:elkep
  • 4
  • 4
  • 2
  • +2
13 Comments
 
LVL 4

Expert Comment

by:Chris James
ID: 22668585
Check the creation/modification/access date on the files that may have been copied by going into the file properties.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22668871
When you're viewing files in explorer, view > details, it will give you the date when the file was last modified.

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22668913
Sorry, for the duplication, ignore my post.
0
 

Author Comment

by:elkep
ID: 22668937
I could do that but that is no proof. And also, there are lots of files.
0
 
LVL 4

Expert Comment

by:Chris James
ID: 22669015
Why isn't it proof?  it clearly shows the times on the timestamp.

What you can do is CD into the directory through CMD

and do a DIR listing on the contents of the directory and send the output to a file.


ex..

dir > C:\file.txt

If you go to CMD and type DIR /? it will give you a list of switches and options you can use to filter out specific information such as creation date, ex... /T  (time field)    C is for Creation, A is for last Accessed, and W is for last written.

Hope this helps.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22669092
>>> And also, there are lots of files.<<<

When viewing them via file properties you can only see each file, but in explorer, when you rightclick anywhere on the right pane and click View > Details, and you can see all the files and their 'last modified' dates in one page.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 33

Expert Comment

by:MikeKane
ID: 22669121
The modify date of the file is not proof the file was copied.  For all he knows, the file was opened, a comma was added, then saved back to the original file name.  

I don't think you can get this type of historical info unless you had a process in place to monitor the file usage already.  

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22669149
No, not a proof of course.
I don't know if there's anyway to prove that a file has been copied.
0
 
LVL 23

Assisted Solution

by:Danny Child
Danny Child earned 100 total points
ID: 22669446
We have some software in use called Sanctuary, which used to be from SecureWave, who have become Lumension
http://www.lumension.com
 - it blocks access to all removable media - USB, Floppy, CD, fitting a 2nd hard disk, scanners, iPods, , mobiles, PDAs, the works.

Perhaps this is a case in point for your organisation to consider using it....

Of course, you'll also need to block access to Hotmail and other file-sharing sites too.  And keep some solid logs of (supposedly legitimate) email traffic too.
0
 
LVL 4

Assisted Solution

by:Chris James
Chris James earned 100 total points
ID: 22669512
rpggamergirl:  there is proof, ever hear of a honey pot before? They run software that monitors hard disk activity and file activity, etc.

It is possible.
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 300 total points
ID: 22669736
Like I said, It is possible, but it requires a solution setup up before the incident.  You can't go back to pull historicals with a 3rd party prior to the date the 3rd party was installed.  

Unless you have this setup already,  I don't see a way to get this info now.


0
 
LVL 4

Expert Comment

by:Chris James
ID: 22669775
MikeKane:  Yea, that's 100% true.
0
 

Author Closing Comment

by:elkep
ID: 31504213
Thank you all for your answers. Indeed, you need a 3rd party software already installed if you want to prove anything. Maybe the Sanctuary Software is an option here.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now