Has someone stolen data from my mac?

eugene h and


I understand this might seem like a deserved situation for not having a password and logging off... but I suspect someone copied important data off my macbook whilst I was away from my desk. Is there a way to tell if files or folders were dragged from my Mac onto a USB drive or a small flash thumb drive? Or perhaps someone might know how to see if any suspicious activity took place at a given point in recent time whilst the CPU should have been idle? I'd really appreciate if someone can help me perform some detective work as the data was work related.

Thanks Everyone



Are those files that you suspect were copied - actually missing (gone from that Mac?)
If someone copied those files from that Mac, that copy action would not delete the files, unless the "perpetrator" took that extra step of dragging the files to the trash, and then emptied the trash. Otherwise the files would not be changed at all.

I THINK that you would see some activity in the system.log (in the Console utility), if you have some idea of the time and date. That log won't tell you that "some idiot copied some files and removed your originals, etc, etc" - it may only show that (something) happened.
So, you would be looking for some kind of activity from about that time.
Remember, if a USB storage device is plugged in, then a file copied, then the USB device is removed, and the USB storage device is not properly ejected, then you should see "device removed improperly" errors, or something similar.

SO - what makes you suspect that someone copied a few "important" files from your Mac?

eugene h and

Thanks for the response...

It's kind of difficult to explain. Prior to nowadays I would reason that without evidence I'm being paranoid. But I have learned that instincts are often right and I have a bad gut feeling about it.

The files are still on my CPU but after the meeting when I was away someone started to submit work which suggests he had accessed my projects. That persons brother who doesn't work there remained in our private office whilst we were in the meeting. His work was very similar and the odds of that were slim unless he was copying. Its difficult to explain and I know how it might sound...

The system log does show activity during that time. But it is completely baffling and I can't make sense of it.


I don't think there's any way to absolutely prove anything through any logs - only that "something" happened.

Is your income derived from the results of the project?
Your best option is to somehow prove that work project could have only been yours.
Are there elements in the project that could only have come from your Mac? Or any part of that you can show has source material that only you possess?

But... Your first and best task is to prevent the temptation (and avoiding a repeat in the future).
Put a good password on your Mac, and use it!
Keep your own projects on a different drive/flash drive, etc.
If that's not possible, then you could keep your project in an encrypted folder. The encrypted folder would have a different password known only to you.

eugene h and

Thanks for all your help...

If there is a way to conclusively prove that 'something' happened, that would at least be enough... because during that set window of time 'nothing' should have happened at all. Even if I can't see exactly what procedures were performed... just knowing that the CPU was in use should verify my concerns. Though the evidence would hardly stand up in a court of law at least it would inform me wether or not my suspicions are correct and I could better understand the situation. Might one of the Activity Monitors cryptic messages decode the truth if I were able to make sense of them?

I will indeed be more cautious in the future and I will use a password from here on...


Chmod 760
Staff member
Console might have something. (/Applications/Utilities)
Like if something was plugged in, connected, disconnected. But not necessarily if your files would have been sent to the bad guy in webmail in private mode.
If you know the date and time you suspect the issue would have happened, and it's not hundreds of lines in Console for that time period, if in doubt, copy the contents here and we'll see if there's anything odd.