How might one verify that a file has been copied?
TL;DR: In many cases, you can see whether the file was accessed; however, it is impossible to tell whether a copy was made or not.
It seems that atime
would be updated when using cp
(unless noatime
is in effect); however, doing any other read operation (like grep somestring $filename
) would also touch the file.
In most installs (without a ton of auditing), it is not possible to find out why exactly the file was read, and whether the process reading the file also wrote a copy of the data elsewhere (to USB? to socket? to RAM?).
Moreover, this only concerns online, unprivileged attacks. If I have physical access, I could reboot into a live-CD distro, mount the partition read only, copy anything off it (or even make a full-disk image) and there would be no marks on the partition (except the incremented mount counter).