Detecting Flash Drive Access

raybob95

Mar 7, 2009
So I have this friend that took my flash drive without my permission for a total of 3 hours. I want to know whether or not he went snooping around in my files... but the data I have is conflicting. The NTFS access dates on the files on the flash drive indicate that it was accessed during the time he had it, evidence in my favor. However, when I went on the only computer he uses, I found nothing relating to my flash drive contents in his Windows XP recent documents folder.

I don't see how the computer I used could have saved the incorrect access times... is it possible that his computer just didn't save an entry in the recent documents folder? So, where else can I look or which piece of evidence do I trust?
 
Solution
No. You know only that the drive was plugged into ANOTHER computer (assuming you are correct about having disabled access time updates on yours). You do not however know which one, by whom, or what, if anything, was actually accessed. Be very careful when treading these waters.

raybob95

But the reason the access time isn't reliable is that it can be overwritten by applications outside of the actual user. The thing is though that the date I saw on the files was AFTER the last time I ever used the drive (Windows 7, my computer, does not write access dates, and the access date was within the window frame of when he had it), which means that it wasn't tripped by some Windows process or something on my computer; it literally had to have been plugged into some computer somewhere at the access time, right? I don't think that when I was using it some program could have saved a time that hadn't happened yet.
 
....the reason the access time isn't reliable is that it can be overwritten by applications outside of the actual user....
You read but failed to fully understand. All someone has to do is plug the drive in on a system that has not had access times disabled and open a directory. Since virtually all PCs have an anti-virus suite installed, this will result in the AV scanner scanning all the files in that directory, which triggers an update to the "Last Accessed Date". This makes that field useless as an indicator that any of the files were actually viewed. You only know that the stick was plugged into another computer, not that anything else occurred.

If you really want to protect your files you should be encrypting your drives.
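The scanner behaviour described in the reply above leaves a recognisable pattern in the timestamps, which the following added example (not part of the original thread) looks for: it groups files by directory and reports whether every file was touched in one short burst or only some were. The time window, the 60-second burst threshold and the sample records are constructed assumptions, and either result describes a pattern only, not who opened what; run it against a read-only mount or an image of the drive.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

def collect_atimes(root):
    """Walk a mounted volume and return (path, last-access datetime) pairs."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            records.append((full, datetime.fromtimestamp(os.stat(full).st_atime)))
    return records

def classify_directories(records, start, end, burst=timedelta(seconds=60)):
    """Label each directory by how its files were touched inside [start, end].

    bulk      - every file touched, all within `burst` (scanner-like sweep)
    selective - only some files touched, or touches spread over time
    untouched - no access time inside the window
    """
    by_dir = defaultdict(list)
    for path, atime in records:
        by_dir[os.path.dirname(path)].append(atime)
    result = {}
    for directory, atimes in by_dir.items():
        hits = [t for t in atimes if start <= t <= end]
        if not hits:
            result[directory] = "untouched"
        elif len(hits) == len(atimes) and max(hits) - min(hits) <= burst:
            result[directory] = "bulk"
        else:
            result[directory] = "selective"
    return result

# Constructed sample: the drive was out of the owner's hands 14:00-17:00.
WINDOW = (datetime(2012, 5, 1, 14, 0), datetime(2012, 5, 1, 17, 0))
SAMPLE = [
    ("E:/docs/a.txt", datetime(2012, 5, 1, 15, 2, 10)),
    ("E:/docs/b.txt", datetime(2012, 5, 1, 15, 2, 11)),
    ("E:/docs/c.txt", datetime(2012, 5, 1, 15, 2, 13)),
    ("E:/photos/1.jpg", datetime(2012, 5, 1, 15, 40, 0)),
    ("E:/photos/2.jpg", datetime(2012, 4, 20, 9, 0, 0)),
    ("E:/old/x.doc", datetime(2012, 4, 1, 8, 30, 0)),
]

if __name__ == "__main__":
    for directory, label in sorted(classify_directories(SAMPLE, *WINDOW).items()):
        print(f"{label:10} {directory}")
```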
 