Solved

What files were accessed or modified

Posted on 2007-12-05
Last Modified: 2010-08-05
Yesterday, someone logged into my computer. I wanted to see, if possible, what files were accessed/modified. I am using Windows 2000 with Service Pack 4.
Question by:jjrr007
19 Comments
 
LVL 32

Expert Comment

by:and235100
ID: 20411429
You really need to enable auditing on the files/folders to make this easy (for the future)
http://support.microsoft.com/kb/310399
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/audittn.mspx

Otherwise - you would probably have to use a third-party tool to make it easy.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411504
Thanks. These links tell me how to enable auditing (I believe auditing is already enabled). What I'm interested in knowing is how to view what files were accessed/modified. Could you please let me know a bit more about that?
0
 
LVL 32

Expert Comment

by:and235100
ID: 20411544
You can lookup the entries in the Security section of the Event log.
(start, run, type eventvwr <hit enter>)

If file auditing was enabled - you should see entries corresponding to when files were accessed - either Success (permission granted) or Denied (permission rejected).
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411727
When you say event log, do you mean Event Viewer?
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411740
I see event viewer in Administrative Tools.  Could I look there?  Thanks.
0
 
LVL 32

Expert Comment

by:and235100
ID: 20411825
Yes - same thing.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411912
Thanks.  I have that enabled.  What and where in there should I look for?
0
 
LVL 26

Expert Comment

by:souseran
ID: 20411986
You could also use Start | Search | For Files or Folders | All files or folders.

In "All or part of the file name" type *.*
In "Look in" make sure the drives you're interested in are selected.
There are additional options you can configure. One of them is "When was it modified?" Check the option for "Specify dates" and enter the date(s) of interest.
Under "More advanced options" select "Search subfolders." If you want to be thorough, you can also select "Search system folders" and "Search hidden files and folders" These are usually operating system files though, and some of them are routinely accessed by program processes. Assuming you're only interested in data files, "Search subfolders" should be sufficient.

The results of this search should give you all files that meet your criteria.
0
 
LVL 32

Expert Comment

by:and235100
ID: 20412086
Click on Security in the left-hand column, and you can r-click the Security object, and Filter the results - so that you only see entries during a specified period - i.e. when you think the "offense" occurred.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20412145
Thanks Souseran,
Will this search also tell me if a file was opened, but not modified?  Also, will this search tell me if a file was copied?  My assumption is that it will only tell me if a document was saved- is that right?

Thanks and235100,
I can go to Event Viewer. I don't know what to do from there. Could you please let me know?

0
 
LVL 32

Expert Comment

by:and235100
ID: 20412259
Take a look at the two screenshots here for the options you need to select:
https://filedb.experts-exchange.com/incoming/ee-stuff/6006-image1-2.GIF
https://filedb.experts-exchange.com/incoming/ee-stuff/6007-image2-2.GIF
(login with your EE username and password)
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20412704
and235100,

Thanks. When I tried to filter the records by the username, I don't see any records for that individual. Yet I know that they logged in to the computer: by going to "Documents and Settings", I see the username. I'm not allowed to filter by date; that appears to be "locked down". Is this information saved somewhere in a log file?
0
 
LVL 26

Expert Comment

by:souseran
ID: 20413229
@jjrr007,

That search will only tell you if files were *modified.* It will also include any files that were created or saved during the period of interest, or on a particular date if your search is for one date only. To learn whether the files were *accessed*, follow the instructions provided by and235100.

If you follow both sets of instructions, some of the same files should appear in both the Event Viewer data and the Search data.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20413578
Thanks for your time everyone.

You are right. With the search, I can only see if a file is saved (modified).

Using the Event Viewer, I searched by the date and was able to see some events.  However, I can't see if a file was accessed or opened using the Event Viewer.  Maybe I'm doing something wrong.  What steps should I take to view if a file was opened or copied in Event Viewer?
0
 
LVL 32

Accepted Solution

by:
and235100 earned 500 total points
ID: 20414336
You need to enable the correct auditing events on each file/folder you want to audit.
R-click the folder, select Properties, click on the Security tab, click Advanced, then click on the Auditing tab.
Add in the events that you want logged - i.e. "traverse folder contents", Success (if the user should not be accessing that object, but has the necessary rights) or Failure (if the user has no permission, but tries to get to the resource anyway)

Bear in mind - if the user is a domain admin - he/she can delete the records - and there is little point to audit a domain admin account - as they can remove the auditing.

Hope that helps.
0
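The Security-log review described in this thread can be scripted once the log has been saved from Event Viewer as comma-delimited text. This is an added example, not part of the original thread: it filters object-open audit records (event ID 560 on Windows 2000) for one account and time window. The column order, description layout, host name, account names and paths are assumptions constructed for the example.

```python
import csv, io, re
from datetime import datetime

# Constructed sample of a comma-delimited Security log export. The column
# order (date, time, source, type, category, event, user, computer,
# description) and the flattened description text are assumptions.
SAMPLE_EXPORT = r'''
12/4/2007,2:14:07 PM,Security,Success Audit,Logon/Logoff,528,WS01\guest2,WS01,"Successful Logon: User Name: guest2"
12/4/2007,2:15:31 PM,Security,Success Audit,Object Access,560,WS01\guest2,WS01,"Object Open: Object Type: File Object Name: C:\Data\budget.xls Accesses: ReadData (or ListDirectory)"
12/4/2007,2:17:02 PM,Security,Success Audit,Object Access,560,WS01\guest2,WS01,"Object Open: Object Type: File Object Name: C:\Data\plans 2008.doc Accesses: WriteData (or AddFile) AppendData"
12/4/2007,2:18:44 PM,Security,Failure Audit,Object Access,560,WS01\guest2,WS01,"Object Open: Object Type: File Object Name: D:\Private\payroll.mdb Accesses: ReadData (or ListDirectory)"
12/4/2007,2:20:00 PM,Security,Success Audit,Object Access,560,WS01\owner,WS01,"Object Open: Object Type: File Object Name: C:\Data\budget.xls Accesses: ReadData (or ListDirectory)"
12/5/2007,9:00:00 AM,Security,Success Audit,Object Access,560,WS01\guest2,WS01,"Object Open: Object Type: File Object Name: C:\Data\budget.xls Accesses: ReadData (or ListDirectory)"
'''.strip()

WRITE_RIGHTS = ("WriteData", "AppendData", "DELETE")  # rights that change a file
FIELDS = re.compile(r"Object Name:\s*(.*?)\s+Accesses:\s*(.*)$")

def object_access(export_text, user, start, end):
    """List (time, outcome, mode, path) for event 560 records of `user`
    whose timestamp falls inside [start, end]."""
    hits = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 9 or row[5] != "560":
            continue  # not an object-open audit record
        date, clock, _, audit_type, _, _, account, _, desc = row
        when = datetime.strptime(date + " " + clock, "%m/%d/%Y %I:%M:%S %p")
        name = account.split("\\")[-1].lower()  # drop the DOMAIN\ prefix
        fields = FIELDS.search(desc)
        if name != user.lower() or not start <= when <= end or not fields:
            continue
        path, accesses = fields.groups()
        if any(right in accesses for right in WRITE_RIGHTS):
            mode = "write"
        elif "ReadData" in accesses:
            mode = "read"
        else:
            mode = "other"
        # Failure Audit = the open was refused; Success Audit = it was allowed
        outcome = "denied" if audit_type == "Failure Audit" else "granted"
        hits.append((when.strftime("%H:%M:%S"), outcome, mode, path))
    return hits

if __name__ == "__main__":
    day = (datetime(2007, 12, 4), datetime(2007, 12, 4, 23, 59, 59))
    for hit in object_access(SAMPLE_EXPORT, "guest2", *day):
        print(*hit)
```

A copy has no audit event of its own; it shows up as a granted read of the source file, so reads inside the window are the closest evidence the log can give.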
 
LVL 1

Author Comment

by:jjrr007
ID: 20426726
This helps.  What I want to do is place Auditing on the entire C hard drive.  For the other folders on a different drive, I want it set-up so only I can access it.  

1. Can I do the same steps you mentioned above on the entire C drive for auditing?
2. If someone does try to go into a drive or folder with auditing, where in Event Viewer do  the results appear?
3.  How do I set-up the other folder (on a different drive) so only I can access it?

Thanks!


0
 
LVL 32

Expert Comment

by:and235100
ID: 20426940
1. Yes
2. You can view the logged entries in the security log
http://support.microsoft.com/kb/308427
3. You can set permissions so that you have Full Control on a folder - and no-one else will be able to access it.
http://www.windowsitlibrary.com/Content/592/1.html gives you some background on the options available to you.
0
 
LVL 1

Author Closing Comment

by:jjrr007
ID: 31412837
Thanks a lot.  You have quite a bit of knowledge on this.  
0
 
LVL 32

Expert Comment

by:and235100
ID: 20433697
Glad that I could help.
Thank you.
0
