Flash Drive Copy Detection

TL;DR

Yes, you can set up a flash drive to detect if files are copied from it, but it’s not foolproof. This guide explains how using batch scripts and file monitoring. It won’t prevent copying, only log it.

How to Detect File Copies From a Flash Drive

1. Understand the Limitations: This method relies on the AutoRun feature (often disabled for security reasons) or manually running a script. If someone copies files using a Linux system or by directly imaging the drive, this won’t detect it. It also doesn’t prevent copying; it only records it.
2. Create a Batch Script: This script will monitor the flash drive for changes and log them to a file.

   @echo off
   setlocal
   set "logFile=copy_log.txt"
   echo %date% %time% - Monitoring started >> "%logFile%"
   :loop
   dir /s /a-d "%~dp0" /b > temp_files.txt
   for %%f in (temp_files.txt) do (
     if exist "%%f" (
       echo %date% %time% - File accessed: %%f >> "%logFile%"
     )
   )
   del temp_files.txt
   timeout /t 5 /nobreak > nul
   goto loop
   endlocal
   

   Save this script as a file named, for example, monitor.bat on the root of your flash drive.

3. Enable AutoRun (If Safe and Possible): AutoRun automatically runs a program when the drive is connected. Be very careful with this! It’s a security risk if you don’t trust the source of the drive.
   • Create an autorun.inf file on the root of your flash drive with the following content:

     [autorun]
     open=monitor.bat
     icon=your_icon.ico  ;Optional - replace with a suitable icon
     label=Your Drive Label ; Optional - change to something descriptive
     

   • Important Security Note: AutoRun is often disabled by default in modern Windows versions for security reasons. Enabling it significantly increases the risk of malware infection if you connect the drive to an untrusted computer. Consider skipping this step and using manual execution instead.
4. Manual Execution (Recommended): If AutoRun isn’t enabled or you prefer a safer approach:
   • Connect the flash drive to your computer.
   • Open File Explorer, navigate to the flash drive, and double-click monitor.bat to run it. A command window will open, indicating that monitoring has started.
5. Test the Script: Copy a file from the flash drive to another location on your computer. Check the copy_log.txt file on the flash drive. You should see an entry recording the copy operation with the date and time.
6. View the Log File: The copy_log.txt file will contain a record of all files accessed (and therefore likely copied) from the drive since the script was started. Open it with Notepad or any text editor to review the logs.
7. Stopping the Script: To stop the monitoring, close the command window running monitor.bat.

Important Considerations

• False Positives: The script records file *access*, not necessarily copying. Simply viewing a file will also be logged.
• Security Risks of AutoRun: As mentioned, enabling AutoRun is risky. Only use it if you fully trust the drive and the computer it’s connected to.
• Bypassing Detection: A user can easily bypass this detection by copying files using methods that don’t trigger file access in the same way (e.g., disk imaging software, Linux commands).
• Antivirus Software: Some antivirus programs might flag the script as suspicious due to its monitoring activity.