[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 194
  • Last Modified:

Is there an activity log built into xp pro which will show where files have been copied etc

Hiya i hope you can help

I have reason to believe that someone is copying files from my PC to an external device.  I have discovered this by looking at my "recent documents" and files appear there with a path which does not exist on my computer.  These files are normally on the PC but in a completely different location.  I fear that someone may have copied files to an external device to which xp has assigned the letter "k".

Is there any way that I can see when this activity has taken place,and most importantly which files have been affected, perhaps within some kind of XP logs?

This is extremely important and urgent, and i would really appreciate any ideas / comments that you guys have.

thanks in advance

rob
0
robbie1974
Asked:
robbie1974
  • 8
  • 8
  • 3
1 Solution
 
Debsyl99Commented:
Hi
Is this a standalone pc or a domain client? You could enable auditing if your pc meets certain criteria:
How To Audit User Access of Files, Folders, and Printers in Windows XP
http://support.microsoft.com/?kbid=310399
Deb :)
0
 
robbie1974Author Commented:
hi

Thanks for your prompt response, this is a stand alone pc.  I have checked the link you gave....and i see it will enable me to reconfigure security policy in order to log events starting from now.  However, all the parameters were set to "no auditing" so i guess this method will not let me see historical data (simply because it was not switched on !).  

I wonder if there is another way to check recent file access?  XP does create a "My recent documents" link so presumably the data is stored somewhere.  I am mainly interested in files accessed about 2-3days ago, which may no longer appear on the recent docs list.

Thanks for your help so far Deb, any more ideas?


rob

p.s these files may be a mixture of word docs emails and spreadsheets, created using the office 2003 prof suite...dont know if this helps, just thought i would mention it.
0
 
r-kCommented:
If you know what files you're looking for, and if the files were copied, you can right-click on the cpoied file (not the original) and select "Properties" and examine the "Last Modified" dates. For moved files, look at the "Last Accessed" dates.
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
robbie1974Author Commented:
Thanks for the reply r-k.

Unfortunately, i do not have access to the copied files.  What i really need to know is which files have been accessed, the when is not so important; i have been away for a few days so any activity during that period is not mine.  I wish i did not have to do this but some of the info is extremely sensitive to my business and for damage limitation purposes, knowing which files have been copied / accessed would be really helpful.

Any more comments / hints would be welcomed...
0
 
r-kCommented:
If a file has been copied, you can still look at the properties of the original file, and the "Date Last Accessed" will tell you when it was copied.

However, you would have to check on a file-by-file basis, which may be OK if you have a few dozen files or less.

The Windows Explorer does not have an option to search by "Last accessed" date, as far as I know. There might be 3rd party freeware that has such capability. That way you can search the entire disk for all files accessed between certain dates.
0
 
Debsyl99Commented:
Hi
r-k has a good idea there - I think I've found a script that may automate r-k's suggestion - give me a sec and I'll post it and you can test it.
0
 
robbie1974Author Commented:
thats sounds great guys... thanks for all your help :)
0
 
Debsyl99Commented:
Ok - paste the following into a text file and save the file as fileinfo.vbs on your root C:\ drive. (note the .vbs file extension).



Set wshShell = WScript.CreateObject("WScript.Shell")
Set objFileSys = CreateObject("Scripting.FileSystemObject")
Set objArgs = Wscript.Arguments
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set filInput = objFileSys.OpenTextFile(objArgs(0), 1)

While filInput.AtEndOfStream <> True
        strInputRecord = Lcase(Trim(Cstr (filInput.ReadLine)))
        flgPath = objFileSys.FolderExists(strTempPath)
        If flgPath = False Then
                flgFile = objFileSys.FileExists (strInputRecord)
                If flgFile = True Then
                        Set objFile = objFSO.GetFile (strInputRecord)
                        Wscript.Echo "Date created: " & objFile.DateCreated
                        Wscript.Echo "Date last accessed: " & objFile.DateLastAccessed
                        Wscript.Echo "Date last modified: " & objFile.DateLastModified
                        Wscript.Echo "Drive: " & objFile.Drive
                        Wscript.Echo "Name: " & objFile.Name
                        Wscript.Echo "Parent folder: " & objFile.ParentFolder
                        Wscript.Echo "Path: " & objFile.Path
                        Wscript.Echo "Short name: " & objFile.ShortName
                        Wscript.Echo "Short path: " & objFile.ShortPath
                        Wscript.Echo "Size: " & objFile.Size
                        Wscript.Echo "Type: " & objFile.Type
                End If
        End If
Wend
wscript.quit


From a command prompt cd to a folder you want to check for file access and then run this:

dir /b /s > C:\filelist.txt

Then run this from the command prompt:

cscript.exe fileinfo.vbs filelist.txt >C:\filedetails.txt

This *should* give you a text file on C:\ called filedetails.txt with all the info you need.

Here's the link:
http://groups.google.co.uk/group/microsoft.public.windows.server.scripting/browse_thread/thread/4fc520aa6495ff3f/ea83fb9c022493e8?lnk=st&q=script+to+enumerate+last+accessed+date+of+files&rnum=8&hl=en#ea83fb9c022493e8

Hope that helps,
Deb :))



0
 
robbie1974Author Commented:
thanks Deb

I am not at the same location as the pc in question....but im gonna head over there now; will let you know how i get on.
0
 
robbie1974Author Commented:
thought id try it at home 1st...i get this message....what have i done wrong?

Input Error: Can not find script file "C:\Documents and Settings\Rob\fileinfo.vbs".

this is in the filedetails.txt file
0
 
Debsyl99Commented:
Just remember to cd back to C:\ before you run
cscript.exe fileinfo.vbs filelist.txt >C:\filedetails.txt
This does appear to work - so long as the syntax is right. If you just copy and paste what I posted it should work. The Wscript.Echo statements are a bit of overkill - thinking about it reorganise within the body of the vb script to something like -

Wscript.Echo "Name: " & objFile.Name
Wscript.Echo "Parent folder: " & objFile.ParentFolder
Wscript.Echo "Path: " & objFile.Path
Wscript.Echo "Date created: " & objFile.DateCreated
Wscript.Echo "Date last accessed: " & objFile.DateLastAccessed
Wscript.Echo "Date last modified: " & objFile.DateLastModified
Wscript.Echo " "

It'll make it easier to read
0
 
Debsyl99Commented:
Hi you just need to save

fileinfo.vbs to the root C:\ drive
at the moment it's in C:\Documents and ettings\Rob\fileinfo.vbs and the command can't find it.
0
 
robbie1974Author Commented:
thanks deb...was my fault....i didnt cd back to c:\ before running the script .....its compiling the list now here at home..ima head over to the office now and see what i can find out....thanks for all your help so far ...will let you know how i got on
0
 
Debsyl99Commented:
Ah - of course - well good luck!
0
 
robbie1974Author Commented:
Thanks Deb ...... it worked a treat.
0
 
Debsyl99Commented:
Thanks and very glad to help -  I just think r-k should have had some credit here for coming up with the idea that the solution was based on.
Deb :))
0
 
robbie1974Author Commented:
quite true....apologies r-k....hopefully i can make it up to you another time...

...and thx once agan to you both.
0
 
r-kCommented:
Not a problem :)
In fact I am going to save the script that Deb posted, for a rainy day....
Thanks.
0
 
Debsyl99Commented:
Yes - I'm going to save it too - it's a handy one
Best wishes to you both and thanks :))
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 8
  • 8
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now