7 Ways to Tell If Someone Has Copied Files on Your Computer

You suspect someone has accessed your laptop or desktop computer and probably copied files from it. You want to prove whether your files were actually copied and whether the person involved can be traced.

This article lists the ways, signs and evidence you can use to determine whether your files have been copied.

How to Tell That Someone Has Copied Files on Your Computer?

Here are the seven (7) tell-tale signs that show (and prove) that someone has copied files on your computer.

1. Check the history list of attached USB devices


Whenever a USB device is plugged into a computer, the Windows operating system records it in a history of attached USB devices. These can be USB flash drives, USB portable hard drives, memory cards using USB adapters, etc.

This method is frequently used in the field of digital forensics by examiners who need to prove the existence of a particular device, as it can show the unique serial number of the USB device attached.

USB Detective is a digital forensics software tool that extracts USB device information, such as serial numbers, last connected timestamp, first connected timestamp, etc.

You should download the USB Detective Community version, which is free to use, and you can export the findings in an Excel format.

2. Check the Timestamp of the File


If you suspect a particular file or the files within a folder have been copied, you can check the file’s properties, especially the <Date Created> and <Date Accessed> attribute values.

To check, right-click on the file and select <Properties>.

The <Date Created> attribute can prove that a file was newly copied or created on the computer. The <Date Accessed> attribute can prove that someone opened a file previously.

You should be looking for files that were accessed or created during a time frame when you were not using the computer.
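To run this check over a whole folder instead of opening <Properties> file by file, the following Python script (an added example, not part of the original article) lists every file whose created or accessed time falls inside a window when you were away. The function names `creation_time` and `files_touched_between` and the script name `away_window.py` are hypothetical, and on Linux no creation time is reported because the standard stat call does not expose one.

```python
import os
import sys
from datetime import datetime
from pathlib import Path


def creation_time(st):
    """Best-effort creation time; None where the platform does not expose one."""
    if hasattr(st, "st_birthtime"):   # macOS, BSD, and Windows on Python 3.12+
        return st.st_birthtime
    if os.name == "nt":               # older Python on Windows: st_ctime is creation time
        return st.st_ctime
    return None                       # Linux: st_ctime is metadata-change time, not creation


def files_touched_between(root, start, end):
    """Return [(path, attribute, timestamp)] for files under root whose
    created or accessed time lies inside [start, end] (local time)."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file():
                continue
            st = path.stat()          # reads metadata only; file contents are not opened
        except OSError:
            continue                  # unreadable entry: skip it, keep scanning
        for attr, ts in (("created", creation_time(st)), ("accessed", st.st_atime)):
            if ts is not None and lo <= ts <= hi:
                hits.append((str(path), attr, datetime.fromtimestamp(ts)))
    return sorted(hits, key=lambda h: h[2])   # oldest event first


if __name__ == "__main__":
    # Usage: python away_window.py <folder> "2024-05-01 18:00" "2024-05-02 08:00"
    folder, start, end = sys.argv[1], sys.argv[2], sys.argv[3]
    window = (datetime.fromisoformat(start), datetime.fromisoformat(end))
    for path, attr, ts in files_touched_between(folder, *window):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {attr:<8}  {path}")
```

Windows can be configured not to update the accessed time on every open, so an empty result does not show that nothing was opened. Run the scan before you browse the folder yourself, since opening files afterwards overwrites the accessed times you are trying to read.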

3. Check Recent Files


Windows keeps a history of recently accessed files in the Windows menu, for convenience when we need to open them again.

This feature is useful and lets you see at a glance whether any files have been opened while you were away.

For Windows, press “Windows + R” on the keyboard to open the Run dialog box and type in “recent”.

A folder will appear, showing you a list of all your recent files.

For Mac, it is called <Recents>. You can find it in the left-hand pane of your Finder app.

4. Check the CCTV camera


Is this a residential home or a workplace environment? Does it have a CCTV camera looking at the angle of your computer?

Looking through the video footage is a sure way of identifying the person who had physical access to your computer and copied your files.

Be aware that CCTV footage is usually not kept for long, due to overwriting and storage capacity constraints. So go in and retrieve the videos at the earliest time possible.

5. Check the Movement of Peripherals


Sometimes the most obvious sign is that your keyboard, mouse or monitor screen has been shifted.

The person may accidentally move or shift your keyboard or other peripherals while copying files from your computer.

If you have a keen eye for where you usually place your hardware, you may notice it immediately.

6. Check Keylogger Logs


If you previously installed a keylogger on your own computer, you can now check its logs to see all activity records, including file-copy activity.

A keylogger is commonly installed on someone’s computer to monitor keystrokes, folder access and visited websites.

But you can also install a keylogger on your own computer if you suspect someone is frequently accessing and copying your files.

You can use a keylogger like Refog to monitor all activities on your computer, take periodic snapshots, and send the images to your email address.

7. Check Audit Logs


This method requires you to check audit activity logs, and it only applies if you have previously installed and configured auditing software on your computer, probably on a company’s server.

If you have not done so, you can refer to this setup guide to enable the File and Folder Access Auditing feature in Windows Server configurations, so that file-copy activities are recorded.

You can also try Filesure for Windows to track who and which system process is accessing your files and what they are doing with them.
