How might one verify that a file has been copied?
TL;DR: In many cases, you can see whether the file was accessed; however, it is impossible to tell whether a copy was made or not.
It seems that atime would be updated when using cp (unless noatime is in effect); however, doing any other read operation (like grep somestring $filename) would also touch the file.
In most installs (without a ton of auditing), it is not possible to find out why exactly the file was read, and whether the process reading the file also wrote a copy of the data elsewhere (to USB? to socket? to RAM?).
Moreover, this only concerns online, unprivileged attacks. If I have physical access, I could reboot into a live-CD distro, mount the partition read only, copy anything off it (or even make a full-disk image) and there would be no marks on the partition (except the incremented mount counter).
polslinux
Updated on September 18, 2022
Comments
-
polslinux over 1 year
Is there a way to make sure that a file has been copied to a USB drive?
(Ex: I have a file secret.db and I suppose that my friend has copied it into his USB drive. With stat $filename I cannot see the updated a/c/m/time because cp doesn't update the timestamps).
Is there a way to know that or is it impossible?
I'm using Ubuntu 12.04 with Bash v4.
-
Huygens about 12 years
If you have a file that could be copied to a USB drive, it could also be read. If its name is secret.db and it can be read by others, then it is no longer a secret! You should use a cipher container (such as EcryptFS or TrueCrypt) to keep your secret file a secret. Then it will give a hard time to your "friend" to read your secret even if they can get a copy of it!
-
invert about 12 years
Your question is not very clear. Are you trying to ask whether you can tell if somebody made a copy of your file?
-
polslinux about 12 years
@Huygens yes, in fact I use encfs :) This is only a question that I have asked myself.
-
polslinux about 12 years
@Wesley yes, this is what I want to do :)
-
Gilles 'SO- stop being evil' about 12 years
It's as easy to tell as whether someone has taken a picture of your house.
-
polslinux about 12 years
I've done some testing and the "cp" command doesn't update the a/c/m/time :(
-
Osama khodroj about 12 years
A copy shouldn't modify create or modify times, that's expected behavior. As for access time: is the partition mounted with noatime or relatime option? That would give the results you describe. (IIRC, many distros mount ext partitions with relatime by default)
-
polslinux about 12 years
My home partition is mounted as:
UUID=675e8177-c75b-402d-aaea-c0e5ee929a28 /home ext4 defaults,user_xattr 0 2
-
Osama khodroj about 12 years
Quoth man mount: "relatime Update inode access times relative to modify or change time. Access time is only updated if the previous access time was earlier than the current modify or change time. Since Linux 2.6.30, the kernel defaults to the behavior provided by this option (unless noatime was specified), and the strictatime option is required to obtain traditional semantics. In addition, since Linux 2.6.30, the file's last access time is always updated if it is more than 1 day old." That's your defaults at work, right there.
-
polslinux about 12 years
Aaaah ok! I've understood! Thanks a lot man :)
-
invert about 12 years
Good answer to include mounting the drive as read-only. Seems like you are out of luck @polslinux. Best to secure your files with encrypted containers in this case, matey :-) more info
-
polslinux about 12 years
@Wesley ahaha yes yes in fact I use gpg ;) it's just a personal curiosity. :D
-
invert about 12 years
Nothing bad with a dose of curiosity mixed with paranoia ;) My /home and swap are LUKS encrypted, steps posted here. On my little netbook I don't even notice performance hits. Just FYI :)
-
Ned64 about 3 years
The question was how to determine if a file has been read. You are trying to detect changes to a file (write access) IIUC.
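
The relatime rule quoted from man mount in the comments explains why cp left no trace in the timestamps. The following is an added example, not code from the thread: it models when a read changes atime under each mount policy. The function names and the timestamps are constructed for illustration.

```python
# Added example: models the atime rules quoted from `man mount` above.
# Names are hypothetical; this is not a kernel or library API.
DAY = 24 * 60 * 60

def atime_mode(mount_options: str) -> str:
    """Effective atime policy for a comma-separated mount option string."""
    opts = set(mount_options.split(","))
    if "ro" in opts or "noatime" in opts:
        return "noatime"        # reads never touch atime
    if "strictatime" in opts:
        return "strictatime"    # traditional: every read updates atime
    return "relatime"           # kernel default since Linux 2.6.30

def read_updates_atime(mount_options, atime, mtime, ctime, now):
    """Would a read (cp, grep, cat, ...) at `now` change the file's atime?"""
    mode = atime_mode(mount_options)
    if mode == "noatime":
        return False
    if mode == "strictatime":
        return True
    # relatime: update only if atime is not newer than mtime/ctime, or if
    # atime is at least a day old (the kernel's comparisons are inclusive).
    return atime <= mtime or atime <= ctime or (now - atime) >= DAY

def scenarios():
    """Constructed timestamps (epoch seconds) for a file like secret.db."""
    mtime = ctime = 1_000_000       # last written
    atime = mtime + 600             # owner read it ten minutes later
    fstab = "defaults,user_xattr"   # options from the thread's /home entry
    return {
        "copy 1h after owner's read": read_updates_atime(
            fstab, atime, mtime, ctime, atime + 3600),
        "copy 2 days later": read_updates_atime(
            fstab, atime, mtime, ctime, atime + 2 * DAY),
        "strictatime mount": read_updates_atime(
            "defaults,strictatime", atime, mtime, ctime, atime + 3600),
        "read-only mount (live CD)": read_updates_atime(
            "ro", atime, mtime, ctime, atime + 2 * DAY),
    }

if __name__ == "__main__":
    for name, changed in scenarios().items():
        print(f"{name}: atime {'changes' if changed else 'unchanged'}")
```

Even when atime does change, it only records that some process read the file, not which one or where the data went.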