Has My File Been Read or Copied Since the Last Time?
By Boris Loza, PhD, CISSP
Today, as privacy rises from a second-tier concern to a front-burner issue, more and more people want to protect their personal information and private data. Linux offers many ways of doing this, from simple permission settings to serious encryption technologies.
Being "privacy concerned" does not just mean being able to protect your information; it also means being able to determine whether your information has been accessed. Is there a way to know if somebody tried to read or copy your personal file? In this article we will show how one can find out whether this has possibly happened.
When a file is read or copied, the UNIX system must access it, which it does through the open, read and close system calls. You can use this knowledge to find out whether a file has been accessed.
To check whether a file has been accessed since the last time you remember doing it, use the ls command with the -lu options. Type:
$ ls -lu my.file
-rw-r----- 1 boris staff 681 Jan 4 14:02 my.file
The output shows that the last time this file was accessed was on Jan 4 at 14:02.
To understand how the system remembers when a file was last accessed, we need to recall a little UNIX system architecture. Each file in a UNIX system has an inode assigned to it. The inode stores the attributes the file system needs to maintain the file; among them are the file's modify, access, and change times, which the kernel updates in the inode whenever the file is used. Because under UNIX everything is a file, all of this applies to directories as well. The modify time (mtime) records when bytes in the file changed, e.g. when one writes to a file, or when a file was added to or deleted from a directory. The access time (atime) is updated when a file is executed or opened, or when a directory is accessed. The change time (ctime) records when the file's mode or ownership changed, or when the file was modified.
When you access the file, let's say with more, cat or any other command, or simply copy the file into another directory, the access time is changed. To check whether your file has been accessed, use the ls command. For example, type:
$ ls -lu my.file
-rw-r----- 1 boris staff 681 Jan 4 14:02 my.file
This tells us that the owner of this file is user boris, who is a member of the group staff. The size of the file is 681 bytes. This file was accessed on Jan 4 at 14:02. The -u option displays the time of the last access, while the plain ls -l command gives you the time of the last modification:
$ ls -l my.file
-rwxr-x--- 1 a235529 staff 681 Jan 4 13:57 my.file
Similarly, ls -lc provides the time of the last change of the file mode or of the ownership:
$ ls -lc my.file
-rwxr-x--- 1 boris staff 681 Jan 4 14:14 my.file
One can display all three time-stamps for a file (access time, modification time, and change time) at once using the stat(1) command:
$ stat my.file
File: “my.file”
Size: 681 Blocks: 8 IO Block: 4096 Regular File
Device: 303h/771d Inode: 705456 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 500/ boris) Gid: ( 10/ staff)
Access: Tue Mar 22 14:30:06 2005
Modify: Tue Mar 22 14:28:06 2005
Change: Tue Mar 22 14:28:06 2005
The output tells us that the size of my.file is 681 bytes. The owner of this file has UID 500 and group 10. This file was last accessed on March 22, 2005 at 14:30:06.
For the my.file listed earlier with ls, the access time (at) was Jan 4 at 14:02:35, 2002, the modification time (mt) Jan 4 at 13:57:43 and the change time (ct) Jan 4 at 14:14:51.
When we access the file, let's say with more or cat, or simply copy the file into another directory, the access time is changed. Note that the access time (at) is now 14:31:32. However, both the mt (Modify) and ct (Change) times remain the same.
Displaying all three times at once is more convenient for tracing all file access, modification and change activity.
Such information is very useful in computer forensics: by capturing all three times of every file on the system, it is possible to reconstruct what happened on that system.
Access and modification times are described in the /usr/include/utime.h file:
struct utimbuf
{
    __time_t actime;   /* Access time. */
    __time_t modtime;  /* Modification time. */
};
Before leaving for a vacation, make a database of your files' access and modification times:
$ stat * > my.database
By comparing this database with your files' current access and modification times, you will be able to tell whether they were accessed.
Remember that a backup process may modify the access time of a file.
Who Accessed My Files, and Why
As you can see, stat does not show you who accessed the file. But with a bit of creativity we can construct a simple intrusion detection check to answer this question.
As for the Why part of the question, ask the user who accessed your file what her intentions were…
/usr/hackerproof> ps ax -o "%u %a" | grep log.txt
boris more /usr/hackerproof/log.txt
The first column is the user owning the process and the second is its command line, so this listing catches user boris reading the file with more.
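The two ideas above, the stat "database" taken before a vacation and the ps|grep check for who has a file open, can be put together in a small script. The following is an added example, not code from the article: the function names snapshot_times, compare_snapshots and who_has_open are this example's own, the directory and file names in the usage comments are placeholders, and the comparison works on whole-second timestamps, which is what GNU and BSD stat print.

```sh
#!/bin/sh
# Added example, not code from the article: a "database" of file times to take
# before leaving and compare on return, plus a point-in-time check of who has a
# file open. The function names snapshot_times, compare_snapshots and
# who_has_open are this example's own.

# Print one line per regular file under $1 as "atime mtime ctime path", all in
# seconds since the epoch. GNU stat (Linux) takes -c, BSD/macOS stat takes -f.
# stat reads only the inode and never opens the file, so taking the snapshot
# does not itself bump the access time the way cat or cp would.
snapshot_times() {
    if stat --version >/dev/null 2>&1; then
        find "$1" -type f -exec stat -c '%X %Y %Z %n' {} + | LC_ALL=C sort
    else
        find "$1" -type f -exec stat -f '%a %m %c %N' {} + | LC_ALL=C sort
    fi
}

# Compare a baseline snapshot ($1) with a current one ($2). Prints one line per
# file whose access, modification or change time moved, and one per file that
# appeared or vanished. Exit status is 1 if anything differed, 0 otherwise.
compare_snapshots() {
    awk '
        # the path is everything after the three time fields, so spaces survive
        function path_of(line,    p) { p = line; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p); return p }
        FILENAME == ARGV[1] {
            p = path_of($0); at[p] = $1; mt[p] = $2; ct[p] = $3; base[p] = 1; next
        }
        {
            p = path_of($0)
            if (!(p in base)) { print "NEW      " p; changed = 1; next }
            if ($1 != at[p]) { print "ACCESSED " p " (atime " at[p] " -> " $1 ")"; changed = 1 }
            if ($2 != mt[p]) { print "MODIFIED " p " (mtime " mt[p] " -> " $2 ")"; changed = 1 }
            if ($3 != ct[p]) { print "CHANGED  " p " (ctime " ct[p] " -> " $3 ")"; changed = 1 }
            delete base[p]
        }
        END { for (p in base) { print "MISSING  " p; changed = 1 }; exit changed ? 1 : 0 }
    ' "$1" "$2"
}

# Linux-only answer to "who has this (absolute) path open right now?", found by
# walking the /proc/<pid>/fd symlinks instead of grepping command lines as the
# ps|grep in the article does. Prints "pid command-name". Like ps|grep it is a
# point-in-time check: a reader who already closed the file is not seen, and
# only the time snapshots above (or kernel audit logging) record that.
who_has_open() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$1" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
}

# Usage (directory and file names are placeholders):
#   snapshot_times "$HOME/private" > before.db      # before the vacation
#   snapshot_times "$HOME/private" > after.db       # on return
#   compare_snapshots before.db after.db            # ACCESSED/MODIFIED/CHANGED/NEW/MISSING lines
#   who_has_open "$HOME/private/secret.txt"         # who has it open this instant
```

Two caveats before trusting a clean comparison. First, the access time is only as reliable as the mount options: on current Linux the default relatime updates atime only when it is older than the file's mtime or ctime or more than a day old, and noatime disables atime updates altogether, so check the mount flags (for example with mount or findmnt) before relying on it. Second, anyone who can write to the file can also set its access time with touch or utime(2), which is exactly why the comparison reports the change time as well: setting the timestamps is itself a change to the inode, and ctime cannot be set from user space on an unmodified kernel.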
How to Protect My Private Information
Although this is beyond the scope of this article, we would like to mention a few techniques you can use to protect your files: file permissions, ACLs, and encryption.
Conclusion
Be privacy concerned on a day to day basis!