Is there a way to find out when a USB flash drive has been last used (on any computer)?

I have a USB flash drive and I believe someone else may have plugged it into their computer and copied some files.

Using my Mac, how do I find out when my USB flash drive was last plugged in?


The best evidence you could get is to inspect the last access time of the files in question, or perhaps the last access time of the top-level directory on the file system.

But first, a bit of background. A USB flash drive would be treated by the computer much like a disk. The drive (or, more precisely, the main partition within the drive) would be formatted as a filesystem. Most flash media come formatted out of the box with a VFAT filesystem, which is a lowest-common-denominator solution that works with nearly all devices, including OS X, Windows, Linux, and digital cameras. The next most likely alternatives to VFAT would be HFS+ (the native file system of OS X, which Windows doesn't support at all) or NTFS (the native file system of Windows, supported by any version of Windows released this century, but which has just read-only support in OS X, and is rarely supported on digital cameras).

That background is relevant because different filesystems store the last access time differently. I'm going to work with the assumption that your USB stick is formatted with VFAT. This is important because VFAT filesystems only store the last access date, not the time of day. That would be the best evidence you could hope to collect, assuming that everything else goes right.

To see last access dates in the Finder,

  1. Switch to List view (View → as List (⌘2))
  2. Show the View Options dialog (View → Show View Options (⌘J))
  3. Select "Date Last Opened"

Alternatively, instead of using the Finder, you could use the Terminal to run

    stat -x /Volumes/USB-Stick-Name/Path/To/File

to see the Access time of a particular file.


There are some important caveats, though!

First, the act of plugging in the media on your Mac will cause it to be automatically mounted, thus altering the last access time of the top-level directory (and perhaps destroying even more evidence than that). A forensic analysis should require precautions such as mounting the media in read-only mode. Therefore, you would have to suppress the auto-mounting behaviour of OS X, which is not that easy.

Second, your suspected coworker / spy could have taken a similar countermeasure of mounting the media read-only, thus leaving no timestamp as evidence. (There is also no guarantee that the computer that the spy used had its clock set accurately, which would cast doubt on the validity of any timestamp.)

The moral of the story is, if you have any sensitive information to be stored on removable media, encrypt it! The easiest solution would be to use FileVault 2. Note, however, that such encryption would make the USB stick unreadable on any machine other than a Mac.
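The date-only limit mentioned above comes from the on-disk FAT directory entry: creation and modification each have a date and a time field, but last access has only a 2-byte date at offset 18. The following is an added example, not part of the original answers; it decodes a constructed 32-byte entry, and the sample bytes and helper names are made up for illustration.

```python
import struct
from datetime import date, datetime, timedelta

def fat_date(v):
    """16-bit FAT date: bits 15-9 = year-1980, 8-5 = month, 4-0 = day."""
    try:
        return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)
    except ValueError:            # zero or corrupt field
        return None

def fat_datetime(d, t, centis=0):
    """FAT date plus 16-bit time: bits 15-11 = hour, 10-5 = min, 4-0 = sec/2."""
    day = fat_date(d)
    if day is None:
        return None
    try:
        base = datetime(day.year, day.month, day.day,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:
        return None
    return base + timedelta(milliseconds=10 * centis)

def parse_dirent(raw):
    """Decode one 32-byte short-name entry; None for free or long-name slots."""
    if len(raw) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    if raw[0] in (0x00, 0xE5) or raw[11] & 0x3F == 0x0F:
        return None
    name = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    (tenth, ctime, cdate, adate, _hi,
     wtime, wdate, _lo, size) = struct.unpack_from("<BHHHHHHHI", raw, 13)
    return {
        "name": name + ("." + ext if ext else ""),
        "created": fat_datetime(cdate, ctime, tenth),
        "accessed": fat_date(adate),   # offset 18: date only, no time field
        "modified": fat_datetime(wdate, wtime),
        "size": size,
    }

def _d(y, m, d): return ((y - 1980) << 9) | (m << 5) | d
def _t(h, m, s): return (h << 11) | (m << 5) | (s // 2)

# Constructed sample entry (not taken from a real drive).
SAMPLE = struct.pack("<8s3sBBBHHHHHHHI", b"REPORT  ", b"PDF", 0x20, 0, 0,
                     _t(9, 15, 30), _d(2014, 3, 1), _d(2014, 3, 20), 0,
                     _t(18, 40, 10), _d(2014, 3, 2), 3, 4096)

if __name__ == "__main__":
    for key, value in parse_dirent(SAMPLE).items():
        print(f"{key:9}{value}")
```

The `accessed` value comes back as a plain date, so any time of day a tool displays for a FAT access timestamp is filled in by the tool, not read from the drive.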


Mount your USB device read-only

The easiest way to do this is to install Disk Arbitrator and configure it to mount every device read-only.

[Image: Disk Arbitrator setting]

The Disk-Arbitrator menu bar icon should switch to red.

Plug in your USB device. There is now no risk that you inadvertently modify any access time on it.

Search for access times

Let's say that your USB device is mounted as suspicious_USB.

Open a Terminal or xterm window. Let's say that you are sure that you haven't mounted your USB device on any computer for 20 days. Within your command line window, run the following commands:

    cd /Volumes/suspicious_USB
    /usr/bin/sudo find . -atime -21 -exec ls -dluT {} \;

This command will show you any file (even hidden ones) that any operating system might have opened within the last 21 days. Its output shows the detailed last access time of any file or folder that was read or simply touched. For example, this command will show you that a folder was simply opened. This command will show you that Spotlight ran on your USB key.

If you find anything, you will know when your USB was read.

Limitation of warranty

If our suspected colleague or attacker is skilled enough to read this document and to understand how to use it, he might have mounted your USB device read-only too. Hence he would have left it clean of any access time modification.

In this case I have absolutely no method to show that some file was read on your USB device :(.