Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can I Tell If Someone Has Copied My Files?

Nope.

For all practical purposes, it's impossible to tell if someone has copied your files after the fact.
A computer technician in a busy computer repair shop, glancing over their shoulder with a suspicious expression. The laptop screen shows a progress bar for file transfer. The background includes tools and other computer tech equipment, emphasizing the repair setting.
(Image: DALL-E 3)
Question: Is there a way to find out if someone has copied your files? I sent my computer in for repair and became very suspicious about the people doing the work. Is there a way to find out if my files have been copied in any way?

No.

Seriously, that’s the complete answer.

I’ll explain why, but the bottom line is that no, it is impossible to determine if someone has copied your files.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Telling if someone copied your files

It’s impossible to determine if someone has copied your files. Computers treat copying the same as reading, so no distinct record is kept. Even advanced auditing set up beforehand isn’t practical because of performance impacts and potential detection by the technician. Trust your technician or find one you do.

“Copied your files” can be many things

To your computer, copying a file is exactly the same as reading the file or using it in any other way.

The contents of the file are read from the disk and then used somehow: perhaps as input to a program, displayed on the screen, or copied to another location.

The problem is that the computer doesn’t know, care, or, most importantly, record the difference. All it does is read the file from disk.

“Last accessed” isn’t helpful

Many files have a property associated with them called “Last accessed”. Like the “Last modified” date and time associated with the file, “Last accessed” should indicate when the file was last used (or copied or read, since those are all the same to the computer).

There are several problems with “Last accessed”.

  • It’s only present on some filesystems, like NTFS. If your disk is formatted with any of the FAT filesystems, for example, then the property isn’t present at all.
  • Files are being accessed all the time. Be it the system-search indexing service, your anti-malware tools, or other services running on your machine, the “Last accessed” time on a file changes for a variety of reasons that have nothing to do with what you or anyone else did.
  • “Last accessed” is often turned off for performance reasons. Since the information is stored on disk with the files it refers to, the disk must be written to in order to update it each time a file is read.

“Last accessed” is just not reliable information.

Auditing could help, but not really

As I’ve discussed in earlier articles, Windows includes an extensive security auditing feature that can track what programs are run on your machine. I believe you could enable auditing to record additional information, such as what files were accessed and perhaps by what program.

Here, too, there are problems.

  • Auditing must be enabled before you need it; it cannot recover information that was not recorded.
  • Extensive auditing can have a dramatically negative impact on system performance, perhaps to the point of making the machine unusable in any practical sense.
  • Your technician would likely notice it.

So in theory, while you could set up a machine to collect the information you’re looking for, pragmatically it’s not a solution to your problem.

Do this

It’s all about trust, and it’s clear you don’t trust the people who worked on your computer.

Computer technicians need deep and detailed access to your computer to do their work. That implies you must trust them if you want them to fix or work on your computer; there’s simply no alternative.

If you don’t trust them, don’t give them your computer to work on. Find someone you trust.

Avoiding the problem is the only practical solution.

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

21 comments on “Can I Tell If Someone Has Copied My Files?”

  1. There is another problem with the last accessed field: Displaying the file’s name in the esplorer does count as an access as well as the act of looking at it’s properties to know when is was last accessed.
    So, most of the time, when you look at that information, the time reported is now.

    Reply
  2. Leo, your last comment about finding someone you can trust is right on. I’ve been in the industry as a field engineer and tech for over 35 years, and consider myself a professional. I’d never consider copying anything from someone’s computer without their permission. But I know that there are unscrupulous folks out there, because I’ve had more than one tech tell me they copied music, movies, and photos from a PC they were working on. So if your gut tells you that the person or company is not honest and trustworthy, run, do not walk, out their door and find someone else. Caveat emptor – Let the buyer beware.

    Reply
  3. The files could/should be encrypted, then let them copy … now they have to figure out how to get into them. As Leo has stated before, the stuff on our computers are, for the most part, simply not interesting to others.

    Reply
  4. Most techs have better things to do that to read or open customer files. As a courtesy, I often do a full image backup after repairs are completed for the few clients I have that don’t do their own. They are kept for a while and then deleted. The only time I ever looked at a client’s files was when he refused to pay the bill. It really is a matter of trust.

    Reply
  5. And the technician may copy them to another disk, to safeguard your property, should it turn out that your PC is unrepairable – ie he may be doing you a favour, particularly if you don’t do back-ups yourself.

    Again it is trust.
    ——————-
    Say it was an HDD problem.

    Simply (attempting to) boot it, may be the “last straw” – hence, if possible, copying all the appropriate user files to another disk before any real work is started, may be the only way of preserving all of your (many) years of work, research etc.

    If you consider their contents to be worthy of encrypting particularly, then you should be backing them up “in the first place” – BUT to at least two separate places, outside of that PC, long before any problems involving repairs etc arise.

    I do this, using redundant HDDs from other PCs etc.

    Also with very specific data such as Family History (started 1989), I occasionally write to CDs etc, for sending to “remote” relatives around the globe, partly as an informal (very) remote archiving and partly to give them access to my work should they wish to pursue their particular branches.

    Reply
    • I’ll echo this sentiment: when I work on friends computers (yeah, I do that too :-) ), when there’s an issue the first thing I do is an image backup. That shouldn’t surprise anyone, I suspect. However I do keep it in reserve for “a while” for two reasons: after returning the computer to use, to be able to answer the inevitable “What happened to my file”, and to be able to further investigate any remaining issues if needed without necessarily needing direct access to the actual machine again. Naturally I trust myself, and apparently my friends do too. But to the point: there are often legitimate reasons a trustworthy technician might take a snapshot and keep it for “a while” – so simply doing that is not necessarily a sign of evil intent.

      Reply
      • In the case described here where a hard drive or other hardware is suspect, I will boot from a CD and copy only the data, desktop, favorites, etc. to an external drive before beginning diagnoses. This way if something blows, I have the customer’s data ready to be put onto a new hard drive or computer. Even if they did their own backup, this doubly ensures nothing is lost. Yes, I let them know I will do it as a precaution.

        Reply
  6. I almost always copy their files just in case everything goes South.
    One lady is going to be happy that I did because her relitive did a format and she lost many years of pictures.
    I didn’t delete them because she is a friend but everybody elses gets deleted unless I know the people will be back in a couple of months for me to clean out all the nasty bugs. As far as snooping goes I think everybody does a little when they first start but as time goes by you just couldn’t be bothered.

    Reply
  7. A few years ago I bought a new Accer from BEST BUY within 2 weeks the hard drive craped out I took it them after a week of getting it back someone called me to see if I wanted to pay to have the information extracted from my old disk I said no I asked who had my Hard Drive they hung up on me I called Aceer they said BEST BUY did it in house I went to them. Nobody Knows Nothing. I am it was new and there was no valuable info in it.

    Reply
  8. There’s a very simple solution for this problem. You can create a single partition only for your personal data and files. After, encrypt it using TrueCrypt or Bitlocker. From now one, every time you start your PC, simply mount the drive and be happy. When your PC was sent to maintenance, no one will can access your files without mount the drive.

    Reply
    • Sadly they’ll still be able to potentially access temporary files, the swap files, history and other remnants of information still left on C:. Assuming they’re motivated enough, that is.

      Reply
  9. I say if they are that suspicious of someone copying their files, then move the files to an external drive before giving access to the technician and put your mind to rest know there is nothing to be copied.

    Reply
  10. If I need to take my computer to a shop, I backup the computer and then do a clean install of Windows before hand. The shop gets involved for hardware issues, especially with my laptops. When I get the computer back from the shop, I restore the backup.
    I handle software problems on my own. I look at it as a learning experience, even when I sometimes find myself going the wrong way. There’s been more than a few times I had to restore a backup and try something else. There’s always the “nuclear” option.

    Reply
  11. All copies are not the same. If a bad guy has installed malicious software on a computer, they can copy the files off the computer over the Internet. Most every case of ransomware that we hear about happens this way. Some routers track bandwidth by device/IP address and that can show the huge amount of data being sent out to some bad server on the Internet. It amazes me how large companies never seem to notice when a huge amount of data is uploaded from their servers.

    Reply
  12. Since I’ve built all my desktop computers since my good old MS-DOS days (our first PC suffered a hard drive head crash, so I learned to build/assemble computers for myself). As a result, I handle all my hardware AND software issues myself. The only time I’ve ever paid a technician to work on a computer was to fix/replace the display on my wife’s laptop PC may years ago.

    Today, when I purchase a laptop PC, I also purchase a service manual for it too, so I have the information I need when/if I ever have to repair it.

    Ernie (Oldster)

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.