[ParanoiaFilter] How can I tell if someone has accessed or opened a file on my computer?
I realize I'm being excessively paranoid about this, but MeFi has a lot of people handy with computers, so I figured I'd ask.
Around a week ago, I left my computer unattended for five minutes or so to go use the bathroom. It was logged in and I don't have a screensaver. When I came back, nobody appeared to have used it.
However, after a few days, as I opened a particular file on my computer, I began to wonder if anyone could have accessed it. This particular file had been copied over from another computer, and had never been opened on this computer before.
Unfortunately, opening the file screwed up the "Last Accessed" date. I was able to check that the "Last Accessed" date of all the other files in the folder and sister folders (it's one of several subfolders of a larger folder) was normal (just the date that I copied them over). However, I still wanted to make sure that this file hadn't been accessed.
I checked "My Recent Documents" for the .lnk file, and found that the .lnk had been created at the exact time that I opened it. However, it's easy to delete entries in "My Recent Documents", so I still wasn't completely sure. The behavior of .lnk files is kind of weird - I tried opening files, deleting their .lnks, and opening them again, and found that the creation date for the new .lnk was sometimes the time of the 2nd opening and sometimes the time of the 1st opening (despite that one having been deleted).
After messing around in Local Settings, I found a "History" folder and realized that IE actually logs file-opening activity not only in IE, but also just doing things on my own computer! Sure enough, there was no entry in the IE history for that file other than when I opened it. I even used an index.dat viewer, but I found that IE history items that I deleted in the browser did not show up in the index.dat. So IE history items can be deleted too.
I ran a deleted file recovery program and was unable to find any deleted .lnk or index.dat files of interest. I tried deleting some random .lnk files from My Recent Documents, but they wouldn't show up even after doing a full scan (and this is moments after deleting them). I'm not exactly sure what happens to deleted IE History entries, though I imagine they wouldn't become an entire deleted file.
Anyhow, typing this out has been pretty embarrassing, as I realize how ridiculously paranoid I'm being, but I'd still like to hear if there's any other way to prove that this file
was not accessed before I accessed it. Thanks.
Subscribe
#1: someone saw you leave, and immediately jumped on the computer unobserved;
#2: that someone knew exactly the file they were looking for, and where to find it;
#3: they were able to open it and get useful information out of it, perhaps printing it, perhaps just reading it;
#4: they knew how to remove the recent documents link *and* the history entry evidence;
#5: they managed to do this in the few minutes you were gone and without anyone else noticing.
That's highly unlikely. If you're talking about a work computer, the IT guys are likely free to roam on your hard drive at will, so you shouldn't be so worried about someone pulling off what you just suggested. On the other hand, if it's a home computer, you should know if someone has the necessary knowledge.
So you can't really prove nobody ever looked at it -- what about capturing your network packets while you were transferring it? -- but the likelihood seems very very low.
Time to set a password-protected screensaver and learn the keypress sequence to lock your computer when you walk away, by the way.
posted by davejay at 8:59 PM on May 5