Solved

What files were accessed or modified

Posted on 2007-12-05
Last Modified: 2010-08-05
Yesterday, someone logged into my computer. I wanted to see, if possible, what files were accessed/modified.  I am using Windows 2000 with Service Pack 4.
0
Comment
Question by:jjrr007
19 Comments
 
LVL 32

Expert Comment

by:and235100
ID: 20411429
You really need to enable auditing on the files/folders to make this easy (for the future)
http://support.microsoft.com/kb/310399
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/audittn.mspx

Otherwise - you would probably have to use a third-party tool to make it easy.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411504
Thanks.  These links tell me how to enable auditing (I believe auditing is already enabled).  What I'm interested in knowing is how to view what files were accessed/modified.  Could you please let me know a bit more about that?
0
 
LVL 32

Expert Comment

by:and235100
ID: 20411544
You can look up the entries in the Security section of the Event log.
(start, run, type eventvwr <hit enter>)

If file auditing was enabled - you should see entries corresponding to when files were accessed - either Success (permission granted) or Denied (permission rejected).
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411727
When you say event log, do you mean Event Viewer?
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411740
I see event viewer in Administrative Tools.  Could I look there?  Thanks.
0
 
LVL 32

Expert Comment

by:and235100
ID: 20411825
Yes - same thing.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411912
Thanks.  I have that enabled.  What and where in there should I look for?
0
 
LVL 26

Expert Comment

by:souseran
ID: 20411986
You could also use Start | Search | For Files or Folders | All files or folders.

In "All or part of the file name" type *.*
In "Look in" make sure the drives you're interested in are selected.
There are additional options you can configure. One of them is "When was it modified?" Check the option for "Specify dates" and enter the date(s) of interest.
Under "More advanced options" select "Search subfolders." If you want to be thorough, you can also select "Search system folders" and "Search hidden files and folders" These are usually operating system files though, and some of them are routinely accessed by program processes. Assuming you're only interested in data files, "Search subfolders" should be sufficient.

The results of this search should give you all files that meet your criteria.
0
 
LVL 32

Expert Comment

by:and235100
ID: 20412086
Click on Security in the left-hand column, and you can r-click the Security object, and Filter the results - so that you only see entries during a specified period - i.e. when you think the "offense" occurred.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20412145
Thanks Souseran,
Will this search also tell me if a file was opened, but not modified?  Also, will this search tell me if a file was copied?  My assumption is that it will only tell me if a document was saved- is that right?

Thanks and235100,
I can go to Event Viewer.  I don't know what to do from there. Could you please let me know?

0
 
LVL 32

Expert Comment

by:and235100
ID: 20412259
Take a look at the two screenshots here for the options you need to select:
https://filedb.experts-exchange.com/incoming/ee-stuff/6006-image1-2.GIF
https://filedb.experts-exchange.com/incoming/ee-stuff/6007-image2-2.GIF
(login with your EE username and password)
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20412704
and235100,

Thanks. When I tried to filter the records by the username, I don't see any records for that individual.  Yet I know that they logged in to the computer: by going to "documents and settings", I see the username. I'm not allowed to filter by date; that appears to be "locked down".  Is this information saved somewhere in a log file?
0
 
LVL 26

Expert Comment

by:souseran
ID: 20413229
@jjrr007,

That search will only tell you if files were *modified.* It will also include any files that were created or saved during the period of interest, or on a particular date if your search is for one date only. To learn whether the files were *accessed*, follow the instructions provided by and235100.

If you follow both sets of instructions, some of the same files should appear in both the Event Viewer data and the Search data.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20413578
Thanks for your time everyone.

You are right.  With the search- I can only see if a file is saved (modified)

Using the Event Viewer, I searched by the date and was able to see some events.  However, I can't see if a file was accessed or opened using the Event Viewer.  Maybe I'm doing something wrong.  What steps should I take to view if a file was opened or copied in Event Viewer?
0
 
LVL 32

Accepted Solution

by:
and235100 earned 2000 total points
ID: 20414336
You need to enable the correct auditing events on each file/folder you want to audit.
R-click the folder, select Properties, click on the Security tab, click Advanced, then click on the Auditing tab.
Add in the events that you want logged - i.e. "traverse folder contents", Success (if the user should not be accessing that object, but has the necessary rights) or Failure (if the user has no permission, but tries to get to the resource anyway)

Bear in mind - if the user is a domain admin - he/she can delete the records - and there is little point to audit a domain admin account - as they can remove the auditing.

Hope that helps.
0
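
A scripted form of the auditing steps in the accepted solution, as an added example that is not part of the original thread. It assumes a later Windows release with PowerShell 3 or newer (the Windows 2000 machine in the question has no PowerShell), an elevated session, and a hypothetical folder `D:\Private`; the function names are made up for this example.

```powershell
# Added example, not from the thread. Assumes Windows Vista / Server 2008 or
# later, an elevated PowerShell 3+ session, and an NTFS folder (placeholder path).
function Enable-FolderAudit {
    param([Parameter(Mandatory)][string]$Folder)
    # Policy switch: without "Audit object access" the auditing entry logs nothing.
    # The subcategory name below is the English one; it is localized elsewhere.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    # Auditing entry for Everyone (well-known SID S-1-1-0), success and failure,
    # inherited by subfolders and files.
    $who     = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $result  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($who, $rights, $inherit, $none, $result)
    $acl = Get-Acl -Path $Folder -Audit      # -Audit loads the auditing entries too
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

function Get-FolderAccess {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][datetime]$From,
        [Parameter(Mandatory)][datetime]$To
    )
    # Event 4663 records an access attempt on an audited object (Security log).
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $From; EndTime = $To }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data.ObjectName -like "$Folder*") {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                File       = $data.ObjectName
                AccessMask = $data.AccessMask   # 0x1 read, 0x2 write, 0x4 append, 0x10000 delete
                Process    = $data.ProcessName
            }
        }
    }
}

# Usage (constructed values):
# Enable-FolderAudit -Folder 'D:\Private'
# Get-FolderAccess -Folder 'D:\Private' -From '2007-12-04' -To '2007-12-05' | Format-Table
```

Only accesses made after the auditing entry is in place are logged, so this cannot reconstruct activity from before auditing was enabled.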
 
LVL 1

Author Comment

by:jjrr007
ID: 20426726
This helps.  What I want to do is place Auditing on the entire C hard drive.  For the other folders on a different drive, I want it set-up so only I can access it.  

1. Can I do the same steps you mentioned above on the entire C drive for auditing?
2. If someone does try to go into a drive or folder with auditing, where in Event Viewer do  the results appear?
3.  How do I set-up the other folder (on a different drive) so only I can access it?

Thanks!


0
 
LVL 32

Expert Comment

by:and235100
ID: 20426940
1. Yes
2. You can view the logged entries in the security log
http://support.microsoft.com/kb/308427
3. You can set permissions so that you have Full Control on a folder - and no-one else will be able to access it.
http://www.windowsitlibrary.com/Content/592/1.html gives you some background on the options available to you.
0
 
LVL 1

Author Closing Comment

by:jjrr007
ID: 31412837
Thanks a lot.  You have quite a bit of knowledge on this.  
0
 
LVL 32

Expert Comment

by:and235100
ID: 20433697
Glad that I could help.
Thank you.
0


Question has a verified solution.
