I always feel like...somebody's watchin' MEEEEE!
May 5, 2008 8:39 PM   Subscribe

[ParanoiaFilter] How can I tell if someone has accessed or opened a file on my computer?

I realize I'm being excessively paranoid about this, but MeFi has a lot of people handy with computers, so I figured I'd ask.

Around a week ago, I left my computer unattended for five minutes or so to go use the bathroom. It was logged in and I don't have a screensaver. When I came back, nobody appeared to have used it.

However, after a few days, as I opened a particular file on my computer, I began to wonder if anyone could have accessed it. This particular file had been copied over from another computer, and had never been opened on this computer before.

Unfortunately, opening the file screwed up the "Last Accessed" date. I was able to check that the "Last Accessed" date of all the other files in the folder and sister folders (it's one of several subfolders of a larger folder) was normal (just the date that I copied them over). However, I still wanted to make sure that this file hadn't been accessed.

I checked "My Recent Documents" for the .lnk file, and found that the .lnk had been created at the exact time that I opened it. However, it's easy to delete entries in "My Recent Documents", so I still wasn't completely sure. The behavior of .lnk files is kind of weird - I tried opening files, deleting their .lnks, and opening them again, and found that the creation date for the new .lnk was sometimes the time of the 2nd opening and sometimes the time of the 1st opening (despite that one having been deleted).

After messing around in Local Settings, I found a "History" folder and realized that IE actually logs file-opening activity not only in IE, but also just doing things on my own computer! Sure enough, there was no entry in the IE history for that file other than when I opened it. I even used an index.dat viewer, but I found that IE history items that I deleted in the browser did not show up in the index.dat. So IE history items can be deleted too.

I ran a deleted file recovery program and was unable to find any deleted .lnk or index.dat files of interest. I tried deleting some random .lnk files from My Recent Documents, but they wouldn't show up even after doing a full scan (and this is moments after deleting them). I'm not exactly sure what happens to deleted IE History entries, though I imagine they wouldn't become an entire deleted file.

Anyhow, typing this out has been pretty embarrassing, as I realize how ridiculously paranoid I'm being, but I'd still like to hear if there's any other way to prove that this file was not accessed before I accessed it. Thanks.
posted by mehmet to Computers & Internet (10 answers total) 1 user marked this as a favorite
 
If you were away from your desk for five minutes, honestly five minutes, here's what you're suggesting:

#1: someone saw you leave, and immediately jumped on the computer unobserved;
#2: that someone knew exactly the file they were looking for, and where to find it;
#3: they were able to open it and get useful information out of it, perhaps printing it, perhaps just reading it;
#4: they knew how to remove the recent documents link *and* the history entry evidence;
#5: they managed to do this in the few minutes you were gone and without anyone else noticing.

That's highly unlikely. If you're talking about a work computer, the IT guys are likely free to roam on your hard drive at will, so you shouldn't be so worried about someone pulling off what you just suggested. On the other hand, if it's a home computer, you should know if someone has the necessary knowledge.

So you can't really prove nobody ever looked at it -- what about capturing your network packets while you were transferring it? -- but the likelihood seems very very low.

Time to set a password-protected screensaver and learn the keypress sequence to lock your computer when you walk away, by the way.
posted by davejay at 8:59 PM on May 5, 2008


You're trying to prove a negative. That way lies madness.

And, honestly, you need to give us some sort of hint as to why you think the file was accessed by someone other than you. Is there some reason someone would want what's in that file? The file was on at least one other computer, so if it's confidential and you're getting vibes that someone has seen the file it doesn't mean they saw it on your PC.
posted by Cyrano at 9:28 PM on May 5, 2008


You don't mention versions of windows you are running. If you are using XP Pro then you can enable auditing on files/directories, then when they are accessed it is stored in the security section of the event log. Note that it can fill up pretty quickly (and slow your machine down if you try to audit too much).

This doesn't help you after the event though.

I would also search the registry for the file name. Many programs store the last document they opened in the registry. However you opening it would probably have overwritten that info.

It would help if you would mention which application this file would open in by default. It might be worth checking the application event logs (start - control panel - administrative tools - Event Viewer), there might be something related to the file/application stored in there.
posted by Admira at 9:29 PM on May 5, 2008


All evidence points to the fact that no-one opened your file. Allowing a hunch to override all evidence is not a good direction to continue, mental health wise. My advice is to allow yourself 15 more minutes of investigation, after which you will declare this case closed, and will not pursue it any further.
posted by The Light Fantastic at 9:37 PM on May 5, 2008


There is no way to know at this point. Assume that they did access the file. Assume that anything on your computer is accessible to someone. Assume that if it can be used against you in any way, someone will find that way. Don't store anything on your computer of a personal nature.

Consider getting a password protected secure USB thumbdrive. Some of the more advanced ones can store all your application settings, bookmarks, internet browsing history. Store all your data on that and keep it with you wherever you go.
posted by indigo4963 at 6:34 AM on May 6, 2008


USB Thumb Drive: Ironkey
posted by indigo4963 at 6:37 AM on May 6, 2008 [1 favorite]


Consider this piece of evidence: the screensaver.
What is the duration which must elapse before your screensaver turns on? 5min? 10min?

If you were not gone long enough for the screensaver to re-trigger itself AFTER someone had sat down and accessed the file, then your file has not been tampered with, as to the best of my knowledge the only two ways to turn the screensaver on are: 1) for the time period to elapse, or 2) through the screensaver settings by clicking Preview (in which case you would see this dialog open when you yourself sat down).
posted by tybeet at 9:02 AM on May 6, 2008


You can't know at this point. But just for future reference, assuming you have a password on your account, press Windows + L to lock your account. Super-easy.
posted by cgomez at 10:16 AM on May 6, 2008 [1 favorite]


Response by poster: Thanks for giving me some perspective - I started to laugh when I read my post again and the first few replies. I guess I just get paranoid about these things.

The computer is my personal laptop and this was at university while working on a group project with some people I don't know very well. The files are AVIs and JPGs I made with my girlfriend. I always get paranoid about us being watched (har har), so this is probably just an extension of my phobia (although I guarantee I am not this person and this is not a joke). Come to think of it, though, there were two other guys with laptops who left the room from time to time, and I don't remember anyone jumping on them to search for personal files. I suppose finding that kind of thing is only funny when you actually know the person. It's not really a hunch, just a nagging "What if" in the back of my head.

And in the case of these files, using Windows Search or just opening a folder would trip the accessed date since it displays thumbnails for the images. So someone would have had to find the folder manually and access the exact same file I did without accessing anything else.

Maybe this is more an OCD problem than a tech problem...
posted by mehmet at 11:27 AM on May 6, 2008


@tybeet You can also call the .scr file from the run command which would activate the screensaver without any dialog box showing. However I believe the run command would leave a history unless you've set it not to.

I agree with the folks here, have a stiff drink and relax, the file has likely not been accessed (at least not as a result of this incident). Take it as a life lesson to learn how to enable quick locking of the screen so it becomes habit.
posted by genial at 11:28 AM on May 6, 2008


« Older wii repair!   |   hacked again Newer »
This thread is closed to new comments.