Detecting theft of data - folder / files transferred from MacBook to USB

I know this is similar to another question posted here a while ago:

Did someone copy files from my Mac?

but the problem is slightly different and the answers don't help in my case.

I need to know with 100% certainty whether data from a MacBook laptop has been copied onto a USB key. I suspect that sensitive folders and files were copied. The question is: would forensics be able to know whether copies were made and exactly what folders and files were copied? Assume also that it was done approx. 1 month ago.

Surely there must be some sort of way to know what files / folders were copied and how large they were?


TL;DR: With a standard install of macOS it isn't possible to determine with any certainty whether data has been copied from the Mac onto a USB or network device.


This is one of those questions where it's "a duplicate but not a duplicate because the answer doesn't work for me."

Here's a quick summary that addresses your question of whether or not you can detect if someone copied your files (to a USB):

  • You don't actually know if the file was copied. The problem with the answer from the linked question (and what makes this not a dupe) is that it only tells you if the file was accessed, not if it was copied to another location. To elaborate, if the person double-clicked on the file and closed it, it would show it was accessed. This is why you can't have your "100% certainty" (or even 50% certainty) as you state.

  • The logs don't record this activity. There will be nothing in the logs because even if you look through all the system logs, it will only show that a USB device was attached/detached. It doesn't tell you what was done with that USB device.

To do this and to have proof positive that this activity occurred, you need to enable Auditing and this is accomplished with OpenBSM. Understand, it's not turned on by default because it would generate tons of log entries using up system resources as it monitors activities. From a system resource perspective, auditing is an "expensive" function to perform.

The problem with this and the linked question is that you're looking for an audit trail post hoc. This is like wanting to have security camera footage of a break-in when the security cameras weren't installed and operating prior to the breach.
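
As an added illustration (not part of the answer above, and not OpenBSM's or Apple's own code): had auditing been enabled beforehand, the trail could be correlated to separate a file that was merely opened from one that the same process also wrote to a removable volume. The records are constructed and simplified in the style of `praudit -x` XML output; the paths, user, PIDs and the `find_copies` helper are assumptions, so check the field layout against real output before relying on it.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample records (simplified; not captured from a real system).
SAMPLE = """<audit>
<record event="open(2) - read" time="Mon Mar 11 10:15:02 2024">
  <path>/Users/alice/Secret/plan.docx</path>
  <subject audit-uid="alice" pid="412"/><return errval="success" retval="5"/>
</record>
<record event="open(2) - write,creat,trunc" time="Mon Mar 11 10:15:03 2024">
  <path>/Volumes/USBKEY/plan.docx</path>
  <subject audit-uid="alice" pid="412"/><return errval="success" retval="6"/>
</record>
<record event="open(2) - read" time="Mon Mar 11 10:20:40 2024">
  <path>/Users/alice/Secret/budget.xlsx</path>
  <subject audit-uid="alice" pid="388"/><return errval="success" retval="4"/>
</record>
<record event="open(2) - read" time="Mon Mar 11 10:21:10 2024">
  <path>/Users/alice/Secret/keys.txt</path>
  <subject audit-uid="alice" pid="412"/><return errval="failure" retval="13"/>
</record>
</audit>"""

def find_copies(xml_text, sensitive="/Users/alice/Secret/", removable="/Volumes/"):
    """Return (time, pid, source, destination) for each likely copy.

    A copy is inferred when one process successfully reads a file under
    `sensitive` and later creates a file with the same name under `removable`.
    A read with no matching write (budget.xlsx) is only an access.
    """
    reads = defaultdict(dict)  # pid -> {file name: source path}
    hits = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ret, subj = rec.find("return"), rec.find("subject")
        if ret is None or subj is None or ret.get("errval") != "success":
            continue  # failed or incomplete records prove nothing
        pid, event = subj.get("pid"), rec.get("event", "")
        path = rec.findtext("path", "")
        name = PurePosixPath(path).name
        if path.startswith(sensitive) and "read" in event:
            reads[pid][name] = path
        elif path.startswith(removable) and "write" in event and name in reads[pid]:
            hits.append((rec.get("time"), pid, reads[pid][name], path))
    return hits

if __name__ == "__main__":
    for hit in find_copies(SAMPLE):
        print(hit)
```

Matching on file name within one process is a heuristic: a file renamed at the destination would not be matched this way.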