How to find out if a person has accessed any sensitive documents on my PC in my absence


I use Windows 7 and I forgot to lock my PC. I came back after 30 minutes and saw my friend using my PC. I had sensitive information in a doc which had all the admin and network passwords. I am a bit worried that he opened this document and viewed it during my absence.

Is there a way to find out if he opened that particular document during this period of time?

mo_patel commented:
Like Run5k says, this is the only way.

But moving forwards, what you can do is enable auditing on the folder where you keep all your sensitive documents. Then maybe look at free SIEM tools so you can correlate these events into meaningful threads (this is if you want to go down the best-practice route).

You can then create threads for file access, file edit, file delete and so on.

So any time there is access it is logged, so even if anyone accesses it without you knowing, it is still logged and you can view it.
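
A sketch of the folder auditing described above, added here as an example and not posted by anyone in this thread. It assumes an elevated PowerShell prompt, a hypothetical folder `C:\Sensitive`, a constructed time window, and the standard Windows Security event ID 4663 (object access attempt); it only records access that happens after auditing is switched on.

```powershell
# Added example. Run elevated. $Folder, $From and $To are assumed values.
$Folder = 'C:\Sensitive'                   # hypothetical folder path
$From   = Get-Date '2024-01-15 14:00'      # constructed time window
$To     = Get-Date '2024-01-15 14:30'

# 1. Enable the "File System" object-access audit subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit rule (SACL entry) so reads, writes and deletes by anyone
#    on this folder and everything below it are written to the Security log.
#    'Everyone' is the English account name; it differs on localized systems.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Later: list object-access events under the folder for a time window.
function Get-FileAccessEvent {
    param([string]$PathPrefix, [datetime]$Start, [datetime]$End)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $name = $data['ObjectName']
        if ($name -and $name.StartsWith($PathPrefix, [StringComparison]::OrdinalIgnoreCase)) {
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                User       = $data['SubjectUserName']
                File       = $name
                Process    = $data['ProcessName']
                AccessMask = $data['AccessMask']
            }
        }
    } | Sort-Object Time
}

Get-FileAccessEvent -PathPrefix $Folder -Start $From -End $To |
    Format-Table Time, User, File, Process, AccessMask -AutoSize
```

The `User` column shows the logged-on account, so access by someone sitting at an unlocked session appears under the owner's name and can only be separated out by time.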
Run5k commented:
You should be able to check your Recent Items list at the following location:


Once you have navigated there, sort by the Date Modified column to see which files were accessed most recently.
Rich Rumble (Security Samurai) commented:
The problem in this situation is, you were looking at it, and he/she was using your computer as you, so it'd be very difficult to tell what the other person did and what you were doing, unless your clock/watch is synced well to your computer's clock. And you'd have to know exactly when you stepped away and came back.
You should note that M$ Word/Excel create temporary files in the directory they are run from, so someone can copy them when you open a document, and even recover them after you close it using an undelete utility. If you have such data, keep it encrypted in a TrueCrypt folder so that it doesn't leave behind such a mess. However, while the TC container is open, it looks just like any other drive would, so if the person has permission to that folder/drive they could recover or copy the temp file Office creates, but when you close that folder/drive no one can see what was there.
We use physical access to sensitive passwords, which we generate and never use a human memorable one. We have a lock box, 2 keys which remain with 2 people at all times (typically the On-Call persons). You can also use password safes, we use them in case of who knows what. Each person is responsible for their safe, and no passwords are shared. Each person has their own usernames and passwords, but those usernames and passwords are equal in terms of access. We can audit admin-2's use of his high priv account, and admin-3's because we know they have certain usernames, and they maintain the access to their safe. No one knows the domain admin password, it's in the safe, and if that gets lost, we have a lot of recovery to do, but that is the trade off we decided on.
Question has a verified solution.
