If anything does appear, it would be in the event log (right click My Computer -> Manage -> Event Logs). It wouldn't show opened files, but it will probably generate events for the insertion/removal of the USB device.

Some logs you can only clear as Administrator, and I think when you clear them the first event in the new log is "Event log cleared by xxx".
posted by sbutler at 9:07 PM on November 11, 2006

If it did, it would probably be in the Event Logs. I would assume it would show up as a hardware change, especially since my XP machine needs to install specific drivers the first time a given flash drive is used.

I must say, though - you seem very, ah, paranoid about this whole thing. I know you probably can't respond, but it cold be helpful to know what you are trying to do. There may be a better way (maybe just email it to yourself? I don't know).
posted by niles at 9:12 PM on November 11, 2006

One thing to think about is the use of a linux live cd. Obviously, for that to work you'll need to be able to reboot the machine, and will possibly have to change the boot order as well.

If you suspect that your administrator will be aware enough to be investigating event logs, though, it's also possible that the files you want to look at will be encrypted or otherwise unavailable, so you might want to think about planning for that, too.
posted by Drunken_munky at 9:37 PM on November 11, 2006

I just connected my iPod to my PC and nothing was written to the event log, but it could be because its not the first time. I don't know that an event is written when a USB drive is inserted, but there is a record on all Windows systems of opened files. I've used this before to prove a user accessed a restricted file after they denied it.

Browse to this location: C:\Documents and Settings\username of logged on user\My Recent Documents, sort by the Date Modified column to move your files (actually they're shortcuts to your files) together and then delete anything you opened. The folder is hidden so you might need to show hidden files. In Windows Explorer, go to Tools - Folder Options - View tab - select Show hidden files and folders. If you show hidden files, hide them again when you're done. To avoid suspicion don't delete everything, just delete your files. You can check the recycle bin afterwards just to be safe, but I tried this and the files seem to have bypassed the recycle bin.
posted by bda1972 at 9:59 PM on November 11, 2006 [1 favorite]

Isn't there a date accessed stamp windows put on files? How would he/she counter that?
posted by GregX3 at 7:49 PM on November 12, 2006

There are timestamps for date created, date modified and date accessed. If I understand the poster's question, he is only opening files that are stored on the USB drive. The only timestamps changed would be the ones on the USB drive leaving the files on the computer unchanged.

Additional tip: Most applications have their own recent documents list. If the files you're opening use programs like Word or Excel, you'll also need to figure out how to clear the history in that application. I'd tell you how but I'm pathetically unskilled with Office.
posted by bda1972 at 8:17 PM on November 13, 2006

GregX3, to answer your question:
Modify file timestamps #1
Modify file timestamps #2
I tried the second one and it works like a charm.
posted by bda1972 at 8:24 PM on November 13, 2006

This thread is closed to new comments.