Solved

What files were accessed or modified

Posted on 2007-12-05
Last Modified: 2010-08-05
Yesterday, someone logged into my computer. I wanted to see, if possible, what files were accessed/modified. I am using Windows 2000 with Service Pack 4.
Question by:jjrr007
 
LVL 32

Expert Comment

by:and235100
ID: 20411429
You really need to enable auditing on the files/folders to make this easy (for the future)
http://support.microsoft.com/kb/310399
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/audittn.mspx

Otherwise - you would probably have to use a third-party tool to make it easy.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411504
Thanks. These links tell me how to enable auditing (I believe auditing is already enabled). What I'm interested in knowing is how to view what files were accessed/modified. Could you please let me know a bit more about that?
0
 
LVL 32

Expert Comment

by:and235100
ID: 20411544
You can look up the entries in the Security section of the Event log.
(start, run, type eventvwr <hit enter>)

If file auditing was enabled - you should see entries corresponding to when files were accessed - either Success (permission granted) or Denied (permission rejected).
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411727
When you say event log, do you mean Event Viewer?
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411740
I see event viewer in Administrative Tools.  Could I look there?  Thanks.
0
 
LVL 32

Expert Comment

by:and235100
ID: 20411825
Yes - same thing.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411912
Thanks.  I have that enabled.  What and where in there should I look for?
0
 
LVL 26

Expert Comment

by:souseran
ID: 20411986
You could also use Start | Search | For Files or Folders | All files or folders.

In "All or part of the file name" type *.*
In "Look in" make sure the drives you're interested in are selected.
There are additional options you can configure. One of them is "When was it modified?" Check the option for "Specify dates" and enter the date(s) of interest.
Under "More advanced options" select "Search subfolders." If you want to be thorough, you can also select "Search system folders" and "Search hidden files and folders" These are usually operating system files though, and some of them are routinely accessed by program processes. Assuming you're only interested in data files, "Search subfolders" should be sufficient.

The results of this search should give you all files that meet your criteria.
0
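A scripted equivalent of the search described above, as an added example that is not part of souseran's post. It assumes a current Windows with PowerShell 3 or later (not available on the Windows 2000 machine in the question); `$Root`, the dates and the output file name are constructed sample values.

```powershell
# Added example: scripted version of the "When was it modified?" search.
# $Root, $Start, $End and the CSV name are constructed sample values.
param(
    [string]  $Root  = 'C:\',
    [datetime]$Start = '2007-12-04 00:00',
    [datetime]$End   = '2007-12-05 00:00'
)

# -Force includes hidden and system files ("Search hidden files and folders").
# Folders the current account cannot read are skipped instead of aborting.
Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        # Keep files written to, or newly created, inside the window.
        ($_.LastWriteTime -ge $Start -and $_.LastWriteTime -lt $End) -or
        ($_.CreationTime  -ge $Start -and $_.CreationTime  -lt $End)
    } |
    Select-Object FullName, Length, CreationTime, LastWriteTime,
        @{ Name       = 'CreatedInWindow'
           Expression = { $_.CreationTime -ge $Start -and $_.CreationTime -lt $End } } |
    Sort-Object LastWriteTime |
    Export-Csv -Path .\modified-files.csv -NoTypeInformation
```

Like the GUI search, this only surfaces files written or created in the window; opening or copying a file leaves both timestamps on the original unchanged.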
 
LVL 32

Expert Comment

by:and235100
ID: 20412086
Click on Security in the left-hand column, and you can r-click the Security object, and Filter the results - so that you only see entries during a specified period - i.e. when you think the "offense" occurred.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20412145
Thanks Souseran,
Will this search also tell me if a file was opened, but not modified?  Also, will this search tell me if a file was copied?  My assumption is that it will only tell me if a document was saved- is that right?

Thanks and235100,
I can go to Event Viewer. I don't know what to do from there. Could you please let me know?

0
 
LVL 32

Expert Comment

by:and235100
ID: 20412259
Take a look at the two screenshots here for the options you need to select:
https://filedb.experts-exchange.com/incoming/ee-stuff/6006-image1-2.GIF
https://filedb.experts-exchange.com/incoming/ee-stuff/6007-image2-2.GIF
(login with your EE username and password)
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20412704
and235100,

Thanks. When I tried to filter the records by the username, I don't see any records for that individual. Yet I know that they logged in to the computer: by going to "documents and settings", I see the username. I'm not allowed to filter by date; that appears to be "locked down". Is this information saved somewhere in a log file?
0
 
LVL 26

Expert Comment

by:souseran
ID: 20413229
@jjrr007,

That search will only tell you if files were *modified.* It will also include any files that were created or saved during the period of interest, or on a particular date if your search is for one date only. To learn whether the files were *accessed*, follow the instructions provided by and235100.

If you follow both sets of instructions, some of the same files should appear in both the Event Viewer data and the Search data.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20413578
Thanks for your time everyone.

You are right. With the search, I can only see if a file is saved (modified).

Using the Event Viewer, I searched by the date and was able to see some events.  However, I can't see if a file was accessed or opened using the Event Viewer.  Maybe I'm doing something wrong.  What steps should I take to view if a file was opened or copied in Event Viewer?
0
 
LVL 32

Accepted Solution

by:
and235100 earned 500 total points
ID: 20414336
You need to enable the correct auditing events on each file/folder you want to audit.
R-click the folder, select Properties, click on the Security tab, click Advanced, then click on the Auditing tab.
Add in the events that you want logged - i.e. "traverse folder contents", Success (if the user should not be accessing that object, but has the necessary rights) or Failure (if the user has no permission, but tries to get to the resource anyway)

Bear in mind - if the user is a domain admin - he/she can delete the records - and there is little point to audit a domain admin account - as they can remove the auditing.

Hope that helps.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20426726
This helps. What I want to do is place Auditing on the entire C hard drive. For the other folders on a different drive, I want it set up so only I can access it.

1. Can I do the same steps you mentioned above on the entire C drive for auditing?
2. If someone does try to go into a drive or folder with auditing, where in Event Viewer do the results appear?
3. How do I set up the other folder (on a different drive) so only I can access it?

Thanks!


0
 
LVL 32

Expert Comment

by:and235100
ID: 20426940
1. Yes
2. You can view the logged entries in the security log
http://support.microsoft.com/kb/308427
3. You can set permissions so that you have Full Control on a folder - and no-one else will be able to access it.
http://www.windowsitlibrary.com/Content/592/1.html gives you some background on the options available to you.
0
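The two steps from the accepted solution and the answer above (add an auditing entry to a folder, then read the resulting entries from the Security log), as an added example that is not part of and235100's posts. It assumes a current Windows with PowerShell, an elevated session, and the "Audit object access" policy already enabled; `D:\Private` and the time window are constructed sample values.

```powershell
# Added example, not from the thread. Run elevated.
# $Folder and the time window are constructed sample values.
$Folder = 'D:\Private'
$Start  = Get-Date '2007-12-04 00:00'
$End    = Get-Date '2007-12-05 00:00'

# 1. Add an auditing entry (the Auditing tab in the GUI): log Success and
#    Failure for reads, writes and deletes by Everyone, inherited by
#    subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the auditing entries too
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2. Later: list object-access events for the period of interest.
#    Event 4663 ("An attempt was made to access an object") is the ID on
#    current Windows; Windows 2000 logs object opens as event 560 instead.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Start; EndTime = $End }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the event's named data fields into a lookup table.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = $data['SubjectUserName']
            File    = $data['ObjectName']
            Process = $data['ProcessName']
            Access  = $data['AccessMask']
        }
    } |
    Where-Object { $_.File -like "$Folder*" } |
    Sort-Object Time
```

Events are only recorded from the moment the auditing entry exists, so this cannot reconstruct access that happened before auditing was set on the folder.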
 
LVL 1

Author Closing Comment

by:jjrr007
ID: 31412837
Thanks a lot.  You have quite a bit of knowledge on this.  
0
 
LVL 32

Expert Comment

by:and235100
ID: 20433697
Glad that I could help.
Thank you.
0

Question has a verified solution.
