Is it possible for me to find out if someone has turned on / used my computer? Let’s say I turn it off in the morning. Can I check when I get home whether someone has turned it on and done anything with it? Logs of some kind, perhaps? I use Windows 2000, if that helps.
When you get home, do a file search for any files modified the same day. When the search is complete, check the time signatures.
If you’re the administrator and your account is password protected (and you assume that nobody has tampered with your logs) then you can check the event logs and see if it went through a startup sequence anytime between x and y. You can also write a batch file that appends a day- or time-stamp to a text file on startup in a hidden or password-protected directory.
If you’re extremely paranoid and your hard drives are SMART capable, you can get a freeware monitoring tool to read the SMART variables stored in the control circuitry of your hard drive. I believe that the hard drive actually keeps track of how many times it’s been powered on. Once you learn what the count is, it would take a cunning and dedicated opponent to deceive you.
You could also use a dab of spit and stick a hair to the mouse cord, power button, or one of your machine’s innumerable fans. A scrap of paper hanging precariously from the power supply’s blower fan will probably go unnoticed, too.
There are system monitors you can install that keep track of system actions and keystrokes. I have Ghost keylogger running on my PC because I had contractors working in my house for three weeks earlier this year and I suspected they were on my computer instead of doing what I was paying them for. In fact I had forgotten about it until I saw this thread. I just opened up the log file and here’s some of the data from when I turned the PC on when I got home this afternoon (the XXXXXX and YYYYYY are substituted for my logon name and computer name cuz y’all don’t need to know that):
###############################
# Tue Nov 09 16:33:23 2004
# Ghost Keylogger has started.
###############################
[ ** USER XXXXXX on COMPUTER YYYYYY ** ]
[Preview] - Tue Nov 09 16:33:23 2004
[Mixed Content] - Tue Nov 09 16:34:06 2004
[Program Manager] - Tue Nov 09 16:35:12 2004
[Windows Explorer] - Tue Nov 09 16:35:12 2004
[] - Tue Nov 09 16:35:25 2004
[Program Manager] - Tue Nov 09 16:35:26 2004
[Moving...] - Tue Nov 09 16:35:30 2004
[Confirm File Move] - Tue Nov 09 16:35:30 2004
[Moving...] - Tue Nov 09 16:35:50 2004
[Program Manager] - Tue Nov 09 16:38:01 2004
[F:\] - Tue Nov 09 16:38:12 2004
[Program Manager] - Tue Nov 09 16:38:12 2004
[] - Tue Nov 09 16:38:57 2004
[] - Tue Nov 09 16:38:57 2004
[Program Manager] - Tue Nov 09 16:38:59 2004
[Mixed Content] - Tue Nov 09 16:39:26 2004
[Program Manager] - Tue Nov 09 16:39:30 2004
[Windows Explorer] - Tue Nov 09 16:39:30 2004
[Program Manager] - Tue Nov 09 16:39:39 2004
[Windows Explorer] - Tue Nov 09 16:39:40 2004
[F:\] - Tue Nov 09 16:39:43 2004
[C:\Documents and Settings\XXXXXX\Desktop\Visio 2000 Professional] - Tue Nov 09 16:39:57 2004
[F:\Visio 2000 Professional] - Tue Nov 09 16:39:59 2004
[C:\Documents and Settings\XXXXXX\Desktop\Visio 2000 Professional\Install1] - Tue Nov 09 16:40:08 2004
[F:\Visio 2000 Professional\Install2\BIN2] - Tue Nov 09 16:40:15 2004
[Straight Dope Message Board - powered by vBulletin - Microsoft Internet Explorer] - Tue Nov 09 20:12:12 2004
{ http://boards.straightdope.com/sdmb/ }
[MSN Hotmail - Inbox - Microsoft Internet Explorer] - Tue Nov 09 20:41:05 2004
{ http://by2fd.bay2.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&curmbox=F000000001&a }
[Compose: (no subject)] - Mon Nov 08 08:37:43 2004
[Keys]
{
Sean,
Alas, the du<Backspace>istance. Ce'st<Backspace><Backspace><Backspace><Backspace>'est true, but isn't it great that we live in an age...
So you can see when I logged on, that I moved some files around, launched Visio, went to some silly message board and checked my hotmail.
The only disadvantage of this particular application is that it costs $50 and Spybot reports that it’s running if anybody does a system scan.
Just in case…
To start Event Viewer in Windows 2000, click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
It is easy to clear the entire event log but that itself would alert you that someone had accessed it. I’ve never had Win2K, but removing individual entries in XP needs someone with way better than average skills. How skilled are the possible suspects?
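The event-log check suggested earlier in the thread and in the post above, as an added example (not code from any poster): it reads a CSV export of the System log and lists boot and shutdown records that fall inside the hours you were away, and reports whether the log still reaches back to the start of that window. The column layout, date format and sample rows are constructed assumptions; event IDs 6005, 6006 and 6008 are the EventLog source's startup, clean-shutdown and unexpected-shutdown records.

```python
import csv
import io
from datetime import datetime

# Constructed sample in an assumed Event Viewer CSV layout
# (Date,Time,Source,Type,Category,Event,User,Computer). Every value
# below is made up for illustration.
SAMPLE_EXPORT = """\
11/9/2004,4:33:05 PM,EventLog,Information,None,6005,N/A,YYYYYY
11/9/2004,4:33:05 PM,EventLog,Information,None,6009,N/A,YYYYYY
11/9/2004,11:02:41 AM,EventLog,Information,None,6006,N/A,YYYYYY
11/9/2004,10:14:17 AM,EventLog,Information,None,6005,N/A,YYYYYY
11/9/2004,7:58:30 AM,EventLog,Information,None,6006,N/A,YYYYYY
11/8/2004,6:45:12 PM,EventLog,Information,None,6005,N/A,YYYYYY
"""

# System-log records written by the EventLog source around power events.
BOOT_IDS = {6005: "event log service started (boot)",
            6006: "event log service stopped (clean shutdown)",
            6008: "previous shutdown was unexpected"}

def parse_export(text):
    """Return (timestamp, event_id) pairs from the export, oldest first."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 6 or rec[2] != "EventLog":
            continue  # skip blank lines and other event sources
        when = datetime.strptime(rec[0] + " " + rec[1], "%m/%d/%Y %I:%M:%S %p")
        rows.append((when, int(rec[5])))
    return sorted(rows)

def activity_between(rows, left, returned):
    """Boot and shutdown records strictly inside the away window."""
    return [(t, BOOT_IDS[e]) for t, e in rows
            if left < t < returned and e in BOOT_IDS]

def log_covers(rows, left):
    """False when the oldest surviving record is newer than the start of
    the window, e.g. because the log was cleared or has wrapped."""
    return bool(rows) and rows[0][0] <= left

if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    left, returned = datetime(2004, 11, 9, 8, 0), datetime(2004, 11, 9, 16, 30)
    print("log covers window:", log_covers(rows, left))
    for when, what in activity_between(rows, left, returned):
        print(when, what)
```

A result of no activity only means something when `log_covers` is true; an export that starts after you left is itself the sign that the log was cleared.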
So what if someone runs Spybot? If they do nothing about it, Ghost Keylogger will report the intrusion. If they attempt to delete GK, the absence of it will give them away as well.
I just mentioned it as a caution for those who might be living with their partners. I know I’d have some words for my partner if I ran Spybot and found out that a keylogger was running.
When you log into your computer, an entry is made in a log.
**from** “The Secrets of the Illuminati”
It’s also a useful piece of information for a parent of a computer-savvy 13yo. I’ve been looking for a keylogger to install on her computer as a way of monitoring what she does on the Internet, but she also runs Spybot on a regular basis to clean off the adware her computer absorbs behind her back.
Look for hickies on the monitor…
Sorry, I couldn’t help myself.
Depending on what you are suspicious of, a low-tech solution might be to just count the tissues before you leave.
She is obviously more computer-savvy than most managers at many places I’ve worked. Or most computer users in general – Dell recently said that 1/6th of their support calls are due to spyware/adware, not any hardware problems at all.
- Not in the same league as a key-logger, but anyway–you could install an FTP server (I am thinking in particular of FileZilla FTP here) as a service and turn the log file option on. Every time the computer is booted the FTP server comes up, and it will add a timestamped entry into the log file. If you never set a shared directory it’s not much of a security hazard. FileZilla FTP server is a free (open-source) download.
~
I assume that you’ve thought of this already, but on the off chance that you haven’t…
If you want to actually prevent anyone from using your computer in your absence (rather than just knowing if it’s been used), you can always enable the BIOS boot password. Of course, this won’t prevent a particularly computer-savvy user from resetting the BIOS, but that’s not something that the average Joe tends to know how to do.