how to open files without a trace?
November 11, 2006 8:53 PM Subscribe
Does windows xp create a log of attached usb drives and files opened on them? If so, can I subvert it?
I want to be able to open some files on a windows computer that isn't mine. I don't want the administrator of the computer to see that I plugged in a flash drive or opened up files from it. I'm not trying to steal anything or infect the computer or anything, I just want to look at some stuff low-key. The admin is unlikely to have any special programs running, I just want to know if there is anything that usually records and logs this type of activity and, if there is, how I might turn it off or get around it. I'm a lifetime mac user so, while I have some idea how to use a pc, I don't know all the little ins and outs.
I want to be able to open some files on a windows computer that isn't mine. I don't want the administrator of the computer to see that I plugged in a flash drive or opened up files from it. I'm not trying to steal anything or infect the computer or anything, I just want to look at some stuff low-key. The admin is unlikely to have any special programs running, I just want to know if there is anything that usually records and logs this type of activity and, if there is, how I might turn it off or get around it. I'm a lifetime mac user so, while I have some idea how to use a pc, I don't know all the little ins and outs.
If it did, it would probably be in the Event Logs. I would assume it would show up as a hardware change, especially since my XP machine needs to install specific drivers the first time a given flash drive is used.
I must say, though - you seem very, ah, paranoid about this whole thing. I know you probably can't respond, but it cold be helpful to know what you are trying to do. There may be a better way (maybe just email it to yourself? I don't know).
posted by niles at 9:12 PM on November 11, 2006
I must say, though - you seem very, ah, paranoid about this whole thing. I know you probably can't respond, but it cold be helpful to know what you are trying to do. There may be a better way (maybe just email it to yourself? I don't know).
posted by niles at 9:12 PM on November 11, 2006
One thing to think about is the use of a linux live cd. Obviously, for that to work you'll need to be able to reboot the machine, and will possibly have to change the boot order as well.
If you suspect that your administrator will be aware enough to be investigating event logs, though, it's also possible that the files you want to look at will be encrypted or otherwise unavailable, so you might want to think about planning for that, too.
posted by Drunken_munky at 9:37 PM on November 11, 2006
If you suspect that your administrator will be aware enough to be investigating event logs, though, it's also possible that the files you want to look at will be encrypted or otherwise unavailable, so you might want to think about planning for that, too.
posted by Drunken_munky at 9:37 PM on November 11, 2006
I just connected my iPod to my PC and nothing was written to the event log, but it could be because its not the first time. I don't know that an event is written when a USB drive is inserted, but there is a record on all Windows systems of opened files. I've used this before to prove a user accessed a restricted file after they denied it.
Browse to this location: C:\Documents and Settings\username of logged on user\My Recent Documents, sort by the Date Modified column to move your files (actually they're shortcuts to your files) together and then delete anything you opened. The folder is hidden so you might need to show hidden files. In Windows Explorer, go to Tools - Folder Options - View tab - select Show hidden files and folders. If you show hidden files, hide them again when you're done. To avoid suspicion don't delete everything, just delete your files. You can check the recycle bin afterwards just to be safe, but I tried this and the files seem to have bypassed the recycle bin.
posted by bda1972 at 9:59 PM on November 11, 2006 [1 favorite]
Browse to this location: C:\Documents and Settings\username of logged on user\My Recent Documents, sort by the Date Modified column to move your files (actually they're shortcuts to your files) together and then delete anything you opened. The folder is hidden so you might need to show hidden files. In Windows Explorer, go to Tools - Folder Options - View tab - select Show hidden files and folders. If you show hidden files, hide them again when you're done. To avoid suspicion don't delete everything, just delete your files. You can check the recycle bin afterwards just to be safe, but I tried this and the files seem to have bypassed the recycle bin.
posted by bda1972 at 9:59 PM on November 11, 2006 [1 favorite]
Isn't there a date accessed stamp windows put on files? How would he/she counter that?
posted by GregX3 at 7:49 PM on November 12, 2006
posted by GregX3 at 7:49 PM on November 12, 2006
There are timestamps for date created, date modified and date accessed. If I understand the poster's question, he is only opening files that are stored on the USB drive. The only timestamps changed would be the ones on the USB drive leaving the files on the computer unchanged.
Additional tip: Most applications have their own recent documents list. If the files you're opening use programs like Word or Excel, you'll also need to figure out how to clear the history in that application. I'd tell you how but I'm pathetically unskilled with Office.
posted by bda1972 at 8:17 PM on November 13, 2006
Additional tip: Most applications have their own recent documents list. If the files you're opening use programs like Word or Excel, you'll also need to figure out how to clear the history in that application. I'd tell you how but I'm pathetically unskilled with Office.
posted by bda1972 at 8:17 PM on November 13, 2006
GregX3, to answer your question:
Modify file timestamps #1
Modify file timestamps #2
I tried the second one and it works like a charm.
posted by bda1972 at 8:24 PM on November 13, 2006
Modify file timestamps #1
Modify file timestamps #2
I tried the second one and it works like a charm.
posted by bda1972 at 8:24 PM on November 13, 2006
This thread is closed to new comments.
Some logs you can only clear as Administrator, and I think when you clear them the first event in the new log is "Event log cleared by xxx".
posted by sbutler at 9:07 PM on November 11, 2006