Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can I tell if someone has copied my files?

Question: Is there a way to find out if someone has copied your files? I sent my computer in for repair and became very suspicious about the people doing the work. Is there a way to find out if my files have been copied in any way?


Seriously, that’s the complete answer.

I’ll explain a little why that is, but the bottom line is that, no, it is impossible to determine if someone has copied your files.

Become a Patron of Ask Leo! and go ad-free!

“Copied your files” can be many things

To your computer, copying a file is exactly the same as reading the file, or using it in any other way.

The contents of the file are simply read from the disk and then used somehow: perhaps as input to a program, perhaps displayed on the screen, or perhaps copied to another location.

The problem here is that the computer doesn’t know, care, or, most importantly, record the difference. All it does is read the file from disk.

“Last accessed” isn’t helpful

There may be a property associated with the files on your hard disk called “Last accessed”. Like the “Last modified” date and time associated with the file, “Last accessed” is intended to indicate when the file was last used (or copied or read, since those are all the same).

There are several problems with “Last accessed”:

  • It’s only present on some filesystems, like NTFS. If your disk is formatted with any of the FAT filesystems, for example, then the property isn’t present at all.
  • Files are being accessed all the time. Be it the system-search indexing service, your anti-malware tools, or other services running on your machine, the “Last accessed” time on a file could be set to something recent for a variety of reasons that have nothing to do with what you or anyone else actually did.
  • “Last accessed” is often turned off for performance reasons. Since the information is actually stored on disk with the files it refers to, the disk must be written to in order to update the “Last accessed” time each time a file is read.

Trust Me!“Last accessed” is just not reliable information.

Auditing could help, but not really

As I’ve discussed in earlier articles, Windows includes an extensive security auditing feature that can be used to track what programs are run on your machine. My belief is that auditing could be enabled to record additional information, such as what files were accessed, and perhaps by what program.

Here, too, there are problems:

  • Auditing must be enabled before you need it; it cannot recover information that was not recorded.
  • Extensive auditing can have a dramatically negative impact on system performance, perhaps to the point of making the machine unusable in any practical sense.
  • Your technician would likely notice it.

So in theory, while you could set up a machine to collect the information you’re looking for, pragmatically it’s not really a solution to your problem.

It’s all about trust

Clearly, you don’t trust the people who worked on your computer.

The real problem here is that computer technicians need deep and detailed access to your computer to do their work. That implies you must trust them if you want them to fix or work on your computer – there’s simply no alternative.

If you don’t trust them, don’t give them your computer to work on.

Avoiding the problem is really the only practical solution.

Find someone you do trust instead.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio


17 comments on “Can I tell if someone has copied my files?”

  1. There is another problem with the last accessed field: Displaying the file’s name in the esplorer does count as an access as well as the act of looking at it’s properties to know when is was last accessed.
    So, most of the time, when you look at that information, the time reported is now.

  2. Leo, your last comment about finding someone you can trust is right on. I’ve been in the industry as a field engineer and tech for over 35 years, and consider myself a professional. I’d never consider copying anything from someone’s computer without their permission. But I know that there are unscrupulous folks out there, because I’ve had more than one tech tell me they copied music, movies, and photos from a PC they were working on. So if your gut tells you that the person or company is not honest and trustworthy, run, do not walk, out their door and find someone else. Caveat emptor – Let the buyer beware.

  3. The files could/should be encrypted, then let them copy … now they have to figure out how to get into them. As Leo has stated before, the stuff on our computers are, for the most part, simply not interesting to others.

  4. Most techs have better things to do that to read or open customer files. As a courtesy, I often do a full image backup after repairs are completed for the few clients I have that don’t do their own. They are kept for a while and then deleted. The only time I ever looked at a client’s files was when he refused to pay the bill. It really is a matter of trust.

  5. And the technician may copy them to another disk, to safeguard your property, should it turn out that your PC is unrepairable – ie he may be doing you a favour, particularly if you don’t do back-ups yourself.

    Again it is trust.
    Say it was an HDD problem.

    Simply (attempting to) boot it, may be the “last straw” – hence, if possible, copying all the appropriate user files to another disk before any real work is started, may be the only way of preserving all of your (many) years of work, research etc.

    If you consider their contents to be worthy of encrypting particularly, then you should be backing them up “in the first place” – BUT to at least two separate places, outside of that PC, long before any problems involving repairs etc arise.

    I do this, using redundant HDDs from other PCs etc.

    Also with very specific data such as Family History (started 1989), I occasionally write to CDs etc, for sending to “remote” relatives around the globe, partly as an informal (very) remote archiving and partly to give them access to my work should they wish to pursue their particular branches.

    • I’ll echo this sentiment: when I work on friends computers (yeah, I do that too :-) ), when there’s an issue the first thing I do is an image backup. That shouldn’t surprise anyone, I suspect. However I do keep it in reserve for “a while” for two reasons: after returning the computer to use, to be able to answer the inevitable “What happened to my file”, and to be able to further investigate any remaining issues if needed without necessarily needing direct access to the actual machine again. Naturally I trust myself, and apparently my friends do too. But to the point: there are often legitimate reasons a trustworthy technician might take a snapshot and keep it for “a while” – so simply doing that is not necessarily a sign of evil intent.

      • In the case described here where a hard drive or other hardware is suspect, I will boot from a CD and copy only the data, desktop, favorites, etc. to an external drive before beginning diagnoses. This way if something blows, I have the customer’s data ready to be put onto a new hard drive or computer. Even if they did their own backup, this doubly ensures nothing is lost. Yes, I let them know I will do it as a precaution.

  6. I almost always copy their files just in case everything goes South.
    One lady is going to be happy that I did because her relitive did a format and she lost many years of pictures.
    I didn’t delete them because she is a friend but everybody elses gets deleted unless I know the people will be back in a couple of months for me to clean out all the nasty bugs. As far as snooping goes I think everybody does a little when they first start but as time goes by you just couldn’t be bothered.

  7. A few years ago I bought a new Accer from BEST BUY within 2 weeks the hard drive craped out I took it them after a week of getting it back someone called me to see if I wanted to pay to have the information extracted from my old disk I said no I asked who had my Hard Drive they hung up on me I called Aceer they said BEST BUY did it in house I went to them. Nobody Knows Nothing. I am it was new and there was no valuable info in it.

  8. There’s a very simple solution for this problem. You can create a single partition only for your personal data and files. After, encrypt it using TrueCrypt or Bitlocker. From now one, every time you start your PC, simply mount the drive and be happy. When your PC was sent to maintenance, no one will can access your files without mount the drive.

    • Sadly they’ll still be able to potentially access temporary files, the swap files, history and other remnants of information still left on C:. Assuming they’re motivated enough, that is.

  9. I say if they are that suspicious of someone copying their files, then move the files to an external drive before giving access to the technician and put your mind to rest know there is nothing to be copied.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.