
Thread: Security/ CSI work....looking for end user recent activity

  1. #1
    Member Muppet's Avatar

    We have had an incident here and the HR and Legal team have asked me to track a certain user's recent activity. They suspect a file was printed on a certain date by a certain user. I am able to track all the PCs he has accessed but I'm struggling to find the recent files he's accessed. I searched the 4 XP machines already and they do not fit the time period. I'm down to 2 Win7 machines that show his login during the time. How do I find what files he's accessed or printed?
    not so blue

  2. #2
    Junior Member
    Well, I know office files you can right click properties and see what the last time it was accessed.

    I don't know how to sort by those in a search though.

    Not sure what kind of printer you have but we have a big Konica that stores recently printed documents for x amount of days so you can reprint them from the control panel without re-opening the file. If it is a desktop printer, some of them have a print report you can access by holding certain keys, but I do not think they save file names, just how many have been printed.
    Last edited by Larommi; 03-12-2014 at 04:19 PM.

  3. #3
    forum fool 3fingersalute's Avatar
    Printing through a server or directly to a printer? Do you do any sort of print server logging? If not, check the web interface of the suspected printers, most of them have a job log.
    "Expose yourself to your deepest fear; after that, fear has no power, and the fear of freedom shrinks and vanishes. You are free." - Jim Morrison

  4. #4
    Junior Member
    I was intrigued by your problem so I found this.

    http://superuser.com/questions/30652...to-access-date

    The problem is going to be, if it is a used file and someone has been on the machine it will get overwritten.

  5. #5
    Junior Member
    Originally posted by 3fingersalute:
    job log.
    That is what I was looking for. I know we have some Brother printers that store those.

  6. #6
    Member Muppet's Avatar
    Originally posted by Larommi:
    I was intrigued by your problem so I found this.

    http://superuser.com/questions/30652...to-access-date

    The problem is going to be, if it is a used file and someone has been on the machine it will get overwritten.
    This is the type of stuff I am looking for. We can see there was a document printed on the large Canon printer on (date/time) by (username), but we cannot determine what file was printed. If I can see he had accessed the network stored file in question at, or around the same time, we can link the evidence together and discipline accordingly.

  7. #7
    Junior Member
    Try checking the MRU (most recently used) in the registry.

    If he used his credentials on the computers in question, it should be in his registry profile.

    Bear in mind this is finite and will get overwritten as well.
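
An added example, not part of any post in this thread: a decoder for one of the per-user MRU lists, Explorer's RecentDocs key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`), showing how `MRUListEx` orders the numbered values. The function names and the sample bytes are constructed for illustration; real input would be the raw value data exported from a copy of the user's hive.

```python
import struct

MRU_END = 0xFFFFFFFF  # terminator of the MRUListEx index array


def parse_mrulistex(blob):
    """Return value indices, most recently used first."""
    order = []
    usable = len(blob) - len(blob) % 4        # ignore a truncated tail
    for (idx,) in struct.iter_unpack("<I", blob[:usable]):
        if idx == MRU_END:
            break
        order.append(idx)
    return order


def parse_filename(blob):
    """Each numbered value starts with a NUL-terminated UTF-16LE file name."""
    end = len(blob) - len(blob) % 2
    for off in range(0, end, 2):              # step by code unit, not by byte
        if blob[off:off + 2] == b"\x00\x00":
            end = off
            break
    return blob[:end].decode("utf-16-le", errors="replace")


def recent_docs(values):
    """values: dict of value name -> raw bytes from the RecentDocs key."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        if raw is not None:                   # slot already rotated out
            names.append(parse_filename(raw))
    return names


def _entry(name):
    # Constructed value: file name, NUL, then filler standing in for shortcut data.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\xaa" * 18


# Constructed sample data, not taken from any real system.
SAMPLE = {
    "MRUListEx": struct.pack("<5I", 2, 0, 7, 1, MRU_END),
    "0": _entry("budget.xlsx"),
    "1": _entry("notes.txt"),
    "2": _entry("Q1 salaries.docx"),
}

if __name__ == "__main__":
    for rank, name in enumerate(recent_docs(SAMPLE), 1):
        print(rank, name)
```

The registry keeps a last-write time per key rather than per value, so this yields the order of access and not a timestamp for each file.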

  8. #8
    Senior Member CeeBee's Avatar
    Try to look for the spool file - that may give all the clues you need. Undelete will be needed but who knows...

  9. #9
    Member Muppet's Avatar
    Originally posted by CeeBee:
    Try to look for the spool file - that may give all the clues you need. Undelete will be needed but who knows...

    Can you elaborate on this? Undelete?

  10. #10
    forum fool 3fingersalute's Avatar
    Originally posted by Muppet:
    Can you elaborate on this? Undelete?
    http://answers.microsoft.com/en-us/w...2-8fece7f20acc
