Question:
SOS! Answer immediately?
dr3am_s3ller
2006-03-22 02:06:34 UTC
Someone broke into my boss's office and stole the CD-ROM drive from his desktop. But I cannot convince myself that this is SO SIMPLE. I suspect he actually stole some information from the PC. How can I track what he was doing on the PC in a specific time range? The PC has Windows XP. Can I find out, and how? Are there any event trackers or activity trackers available in Windows itself, or some other software that runs independently, to know what happened in the past?
Four answers:
2006-03-22 02:44:26 UTC
Stupid Advice:

Next time use an Advanced Keylogger, that tracks everything...
commorancy
2006-03-22 10:34:23 UTC
Unfortunately, Windows logging is somewhat limited. It's pretty well left up to each application to actively log. However, chances are, they surfed the web. So, you can dig through the cache and see what files were created around the time frame you suspect.

In fact, I would run a search (Start->Search) on the OS using 'All files and folders' then choose 'When it was modified' and then select the date range you suspect. This will find all files modified and created during that range. You can then find the ones you think look suspect.

You can start the Event Viewer. Start->Run... then type in 'eventvwr' and see what events show up in System and Application. This is usually of limited value, though.

You can also look at Start->My Recent Documents to see if anything in there looks recent.

I would also open a browser and look at the browsing history and the URL history.

Newer versions of Office also show recently created documents within the application.

This is about the best I can offer.

Good luck.
2006-03-22 11:16:25 UTC
Well, it's true that, by default, Windows doesn't log activities such as modifying files.

But I think using Search you can get some clues.

1> Go to Search and select the hard drives on which you suspect such activity has taken place.

2> Click on "Search Options", then click on "Date". Now you can enter the date you want.

3> If you can't set "Time", then search by date only.

4> Make sure that you are in detailed view. If not, then go to the following menu: View > Detailed, and

5> Now arrange the results by either "Date Accessed" or modified. You can do this via View > "Choose Details ...". Here you have to check "Date", "Date Modified" and so on, for each one with a date.

6> Now leave the "Search for .. " text box blank & click on Search.

7> Now you will see all the files modified or accessed on the date you specified.

8> Now go to View > Arrange Icons by > and select whichever one you feel is more relevant, like "Date Accessed".

9> Now alongside the date you should also notice that there is a time as well.

10> Now this time is what you need to perform a cross-check. Note the date down & cross-check who accessed the file at that time. If you can't find anyone doing that, then you have reason to suspect.

Hope you find it helpful
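
The date-range search described in the two answers above, as an added example that is not part of the original thread: a script that reads only file metadata and returns a timeline of entries whose modified, accessed or created times fall inside a window. The file names and dates in the demo are constructed, and times are handled in UTC, whereas Explorer shows local time.

```python
import os
import tempfile
from datetime import datetime, timezone

def timeline(root, start, end):
    """Return (time_utc, kind, path) for every entry under root with a
    timestamp inside [start, end], oldest first."""
    lo, hi = start.timestamp(), end.timestamp()
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # metadata only; the file is never opened
            except OSError:
                continue  # locked or unreadable entry: skip it
            stamps = (("modified", st.st_mtime),
                      ("accessed", st.st_atime),
                      # st_ctime: creation time on Windows, metadata change elsewhere
                      ("created/changed", st.st_ctime))
            for kind, ts in stamps:
                if lo <= ts <= hi:
                    when = datetime.fromtimestamp(ts, timezone.utc)
                    events.append((when, kind, path))
    events.sort()
    return events

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Constructed sample tree: one file touched inside the window, one outside.
    with tempfile.TemporaryDirectory() as root:
        for name, when in (("report.doc", utc(2006, 3, 21, 23, 40)),
                           ("old.txt", utc(2006, 1, 5, 9, 0))):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.utime(path, (when.timestamp(), when.timestamp()))
        window = (utc(2006, 3, 21, 18, 0), utc(2006, 3, 22, 8, 0))
        for when, kind, path in timeline(root, *window):
            print(when.isoformat(), kind, os.path.basename(path))
```

Run it against a copy or a read-only mount of the disk, since opening files on the live system can update their last-access times.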
Elysee
2006-03-22 10:09:16 UTC
Get a PC expert or programmer, they are able to look at the link. Mostly on the C drive itself.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.