Seriously, that’s the complete answer.
I’ll explain a little why that is, but the bottom line is that, no, it is impossible to determine if someone has copied your files.
“Copied your files” can be many things
To your computer, copying a file is exactly the same as reading the file, or using it in any other way.
The contents of the file are simply read from the disk and then used somehow: perhaps as input to a program, perhaps displayed on the screen, or perhaps copied to another location.
The problem here is that the computer doesn’t know, care, or, most importantly, record the difference. All it does is read the file from disk.
“Last accessed” isn’t helpful
There may be a property associated with the files on your hard disk called “Last accessed”. Like the “Last modified” date and time associated with the file, “Last accessed” is intended to indicate when the file was last used (or copied or read, since those are all the same).
There are several problems with “Last accessed”:
- It’s only present on some filesystems, like NTFS. If your disk is formatted with any of the FAT filesystems, for example, then the property isn’t present at all.
- Files are being accessed all the time. Be it the system-search indexing service, your anti-malware tools, or other services running on your machine, the “Last accessed” time on a file could be set to something recent for a variety of reasons that have nothing to do with what you or anyone else actually did.
- “Last accessed” is often turned off for performance reasons. Since the information is actually stored on disk with the files it refers to, the disk must be written to in order to update the “Last accessed” time each time a file is read.
“Last accessed” is just not reliable information.
Auditing could help, but not really
As I’ve discussed in earlier articles, Windows includes an extensive security auditing feature that can be used to track what programs are run on your machine. My belief is that auditing could be enabled to record additional information, such as what files were accessed, and perhaps by what program.
Here, too, there are problems:
- Auditing must be enabled before you need it; it cannot recover information that was not recorded.
- Extensive auditing can have a dramatically negative impact on system performance, perhaps to the point of making the machine unusable in any practical sense.
- Your technician would likely notice it.
So in theory, while you could set up a machine to collect the information you’re looking for, pragmatically it’s not really a solution to your problem.
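One way to set up the kind of auditing described above, scoped to a single folder to limit the performance cost (an added example, not from the original article): it turns on the "File System" audit subcategory, adds an audit entry to the folder, and lists the resulting Security-log events with ID 4663. The folder path and the function name `Get-FolderReadEvents` are made up for illustration, and the script assumes an elevated PowerShell prompt on English-language Windows. The events name the user and the process that read each file, but a copy, a preview and a scan all appear as the same read.

```powershell
# Added example: audit read access to one folder, then list who read what.
# Assumptions: elevated PowerShell, English-language Windows, placeholder path.
$Folder = 'C:\Users\Public\Private-Docs'   # hypothetical folder to watch

# 1. Enable the "File System" object-access audit subcategory.
#    This has to happen BEFORE the access you care about; nothing is retroactive.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit entry (SACL) so successful reads by any account are logged.
#    The entry is inherited by the files and subfolders below $Folder.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Later: read event 4663 ("An attempt was made to access an object")
#    from the Security log and keep the entries that fall under the folder.
function Get-FolderReadEvents {
    param(
        [string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Event fields are stored as named <Data> elements; index them by name.
            $d = @{}
            foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $d[$node.Name] = $node.'#text'
            }
            if ($d['ObjectName'] -like "$Path*") {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Process = $d['ProcessName']   # e.g. explorer.exe, or a scanner
                    File    = $d['ObjectName']
                    Access  = $d['AccessMask']    # 0x1 = ReadData
                }
            }
        }
}

Get-FolderReadEvents -Path $Folder | Sort-Object Time | Format-Table -AutoSize
```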
It’s all about trust
Clearly, you don’t trust the people who worked on your computer.
The real problem here is that computer technicians need deep and detailed access to your computer to do their work. That implies you must trust them if you want them to fix or work on your computer – there’s simply no alternative.
If you don’t trust them, don’t give them your computer to work on.
Avoiding the problem is really the only practical solution.
Find someone you do trust instead.