  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 162

What files were accessed or modified

Yesterday, someone logged into my computer. I wanted to see, if possible, what files were accessed/modified. I am using Windows 2000 with Service Pack 4.
Asked: jjrr007
1 Solution
 
and235100 Commented:
You really need to enable auditing on the files/folders to make this easy (for the future).
http://support.microsoft.com/kb/310399
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/audittn.mspx

Otherwise - you would probably have to use a third-party tool to make it easy.
 
jjrr007 Author Commented:
Thanks. These links tell me how to enable auditing (I believe auditing is already enabled). What I'm interested in knowing is how to view what files were accessed/modified. Could you please let me know a bit more about that?
 
and235100 Commented:
You can look up the entries in the Security section of the Event log.
(start, run, type eventvwr <hit enter>)

If file auditing was enabled - you should see entries corresponding to when files were accessed - either Success (permission granted) or Denied (permission rejected).
 
jjrr007 Author Commented:
When you say event log, do you mean Event Viewer?
 
jjrr007 Author Commented:
I see event viewer in Administrative Tools.  Could I look there?  Thanks.
 
and235100 Commented:
Yes - same thing.
 
jjrr007 Author Commented:
Thanks.  I have that enabled.  What and where in there should I look for?
 
souseran Commented:
You could also use Start | Search | For Files or Folders | All files or folders.

In "All or part of the file name" type *.*
In "Look in" make sure the drives you're interested in are selected.
There are additional options you can configure. One of them is "When was it modified?" Check the option for "Specify dates" and enter the date(s) of interest.
Under "More advanced options" select "Search subfolders." If you want to be thorough, you can also select "Search system folders" and "Search hidden files and folders." These are usually operating system files though, and some of them are routinely accessed by program processes. Assuming you're only interested in data files, "Search subfolders" should be sufficient.

The results of this search should give you all files that meet your criteria.
 
and235100 Commented:
Click on Security in the left-hand column, and you can r-click the Security object, and Filter the results - so that you only see entries during a specified period - i.e. when you think the "offense" occurred.
 
jjrr007 Author Commented:
Thanks Souseran,
Will this search also tell me if a file was opened, but not modified?  Also, will this search tell me if a file was copied?  My assumption is that it will only tell me if a document was saved- is that right?

Thanks and235100,
I can go to Event Viewer. I don't know what to do from there. Could you please let me know?
 
and235100 Commented:
Take a look at the two screenshots here for the options you need to select:
https://filedb.experts-exchange.com/incoming/ee-stuff/6006-image1-2.GIF
https://filedb.experts-exchange.com/incoming/ee-stuff/6007-image2-2.GIF
(login with your EE username and password)
 
jjrr007 Author Commented:
and235100,

Thanks. When I tried to filter the records by the username, I don't see any records for that individual. Yet I know that they logged in to the computer - by going to "documents and settings" - I see the username. I'm not allowed to filter by date - that appears to be "locked down". Is this information saved somewhere in a log file?
 
souseran Commented:
@jjrr007,

That search will only tell you if files were *modified.* It will also include any files that were created or saved during the period of interest, or on a particular date if your search is for one date only. To learn whether the files were *accessed*, follow the instructions provided by and235100.

If you follow both sets of instructions, some of the same files should appear in both the Event Viewer data and the Search data.
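The date-range search described above, as an added example that is not part of the original thread: a Python sketch that walks a folder tree for files modified inside a time window and, on constructed sample files, shows that a file which was only opened or copied elsewhere does not appear in the results. The file names, dates and the `usb` folder are assumptions made for the demonstration.

```python
import os
import shutil
import tempfile
from datetime import datetime


def modified_between(root, start, end):
    """Paths under root (subfolders included) last modified within [start, end]."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    # onerror swallows folders we are not allowed to list, so the walk continues
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file locked or removed while scanning
            if lo <= mtime <= hi:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed scenario: one file saved in the window, one only read and copied."""
    base = tempfile.mkdtemp()
    try:
        docs = os.path.join(base, "docs", "sub")
        usb = os.path.join(base, "usb")  # stands in for a drive outside the search
        os.makedirs(docs)
        os.makedirs(usb)
        saved = os.path.join(docs, "report.txt")
        opened = os.path.join(docs, "budget.txt")
        for p in (saved, opened):
            with open(p, "w") as fh:
                fh.write("constructed sample data\n")
        old = datetime(2023, 6, 1, 9, 0).timestamp()
        during = datetime(2024, 1, 10, 14, 30).timestamp()
        os.utime(opened, (old, old))
        os.utime(saved, (during, during))
        with open(opened) as fh:   # "opened but not modified"
            fh.read()
        shutil.copy(opened, usb)   # "copied" to another location
        window = (datetime(2024, 1, 10), datetime(2024, 1, 10, 23, 59, 59))
        return modified_between(os.path.join(base, "docs"), *window)
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

Only `report.txt` is returned: reading or copying `budget.txt` leaves its modified time unchanged, which is why opens and copies have to come from the audit entries in the Security log instead.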
 
jjrr007 Author Commented:
Thanks for your time everyone.

You are right. With the search, I can only see if a file is saved (modified).

Using the Event Viewer, I searched by the date and was able to see some events.  However, I can't see if a file was accessed or opened using the Event Viewer.  Maybe I'm doing something wrong.  What steps should I take to view if a file was opened or copied in Event Viewer?
 
and235100 Commented:
You need to enable the correct auditing events on each file/folder you want to audit.
R-click the folder, select Properties, click on the Security tab, click Advanced, then click on the Auditing tab.
Add in the events that you want logged - i.e. "traverse folder contents", Success (if the user should not be accessing that object, but has the necessary rights) or Failure (if the user has no permission, but tries to get to the resource anyway).

Bear in mind - if the user is a domain admin - he/she can delete the records - and there is little point to audit a domain admin account - as they can remove the auditing.

Hope that helps.
 
jjrr007 Author Commented:
This helps.  What I want to do is place Auditing on the entire C hard drive.  For the other folders on a different drive, I want it set-up so only I can access it.  

1. Can I do the same steps you mentioned above on the entire C drive for auditing?
2. If someone does try to go into a drive or folder with auditing, where in Event Viewer do  the results appear?
3.  How do I set-up the other folder (on a different drive) so only I can access it?

Thanks!
 
and235100 Commented:
1. Yes
2. You can view the logged entries in the security log
http://support.microsoft.com/kb/308427
3. You can set permissions so that you have Full Control on a folder - and no-one else will be able to access it.
http://www.windowsitlibrary.com/Content/592/1.html gives you some background on the options available to you.
 
jjrr007 Author Commented:
Thanks a lot.  You have quite a bit of knowledge on this.  
 
and235100 Commented:
Glad that I could help.
Thank you.