How do I find the Log of Activities?


Dec 31, 2006
24
0
#1
I help an elderly neighbor once in a while and when he runs into problems, I ask him if he downloaded something or installed something; his reply is "I don't remember."

In reading John Vacca's book on Computer Forensics, he indicated that you can read the log of activities, files made or deleted. But he didn't say how to do it. I would imagine it's in the command prompt.

My neighbor has Windows XP.


Any help is appreciated.
 

Prickaerts

Administrator
Jan 2, 2006
765
0
#2
Hi Cooljoe,

Your question could be answered by an entire book in itself.

When venturing into a forensic investigation involving digital evidence, the first priority is to secure the evidence in a forensically sound fashion. Unless necessary, try to do your investigation on a copy of the drive, not the drive itself. You could use EnCase, dd or FTK Imager to "acquire" the drive.

Next you would use forensic software to do the actual investigation on the image/copy. FTK, Encase, Autopsy-Sleuthkit, Etc...

Regarding your question, since re-reading I realized you just want to check on possible software changes. Check the Windows system event logs; a new installation would be logged. Restore points and/or create timestamps of folders are an indication of new programs. There are more options, but this is what comes to mind on short notice.

Chris
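One way to act on the "create timestamps of folders" suggestion is to list the subfolders of the Program Files directory by creation time and keep only those created in the last few weeks. The script below is an added example, not code from the thread or from any of the tools it mentions; the Program Files path, the 30-day default and the demo folder names are assumptions for illustration. On Windows, Python reports the creation time in st_ctime; on Linux st_ctime is the inode-change time, so the listing there is only an approximation.

```python
"""List subfolders of a directory by creation time, newest first.

Added example for the "create timestamps of folders" suggestion; it is
not code from the original thread.
"""
import os
import sys
import tempfile
import time
from datetime import datetime
from typing import List, Tuple


def creation_time(st: os.stat_result) -> float:
    # Windows stores the creation time in st_ctime; macOS/BSD expose
    # st_birthtime; on Linux st_ctime is the inode-change time, which is
    # the closest available value.
    return getattr(st, "st_birthtime", st.st_ctime)


def folders_created_since(root: str, since: float) -> List[Tuple[str, float]]:
    """Return (name, creation_time) for subfolders of `root` created at or after `since`."""
    found: List[Tuple[str, float]] = []
    with os.scandir(root) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue  # files and symlinks are not installed-program folders
            created = creation_time(entry.stat(follow_symlinks=False))
            if created >= since:
                found.append((entry.name, created))
    # newest first; tie-break on name so the output is stable
    found.sort(key=lambda item: (-item[1], item[0]))
    return found


def format_listing(entries: List[Tuple[str, float]]) -> str:
    """Render the listing as one 'YYYY-MM-DD HH:MM:SS  name' line per folder."""
    return "\n".join(
        f"{datetime.fromtimestamp(created):%Y-%m-%d %H:%M:%S}  {name}"
        for name, created in entries
    )


def build_demo_tree() -> str:
    """Create a throwaway directory with constructed sample folders (demo only)."""
    base = tempfile.mkdtemp(prefix="programfiles_demo_")
    for name in ("ExampleAV", "Messenger", "Common Files"):  # constructed names
        os.mkdir(os.path.join(base, name))
    with open(os.path.join(base, "readme.txt"), "w") as fh:
        fh.write("not a folder\n")  # must not appear in the listing
    return base


if __name__ == "__main__":
    # Assumed defaults: Program Files and the last 30 days.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files"
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 30.0
    since = time.time() - days * 86400
    print(format_listing(folders_created_since(root, since)))
```

Run it as `python recent_folders.py "C:\Program Files" 30` on the neighbor's machine; a folder created on a day he does not remember installing anything is the thing to look at next in the event log.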
 

ulairi

New Member
Jan 16, 2007
42
0
#3
cooljoe815 said:
I help an elderly neighbor once in a while and when he runs into problems, I ask him if he downloaded something or installed something; his reply is "I don't remember."

In reading John Vacca's book on Computer Forensics, he indicated that you can read the log of activities, files made or deleted. But he didn't say how to do it. I would imagine it's in the command prompt.

My neighbor has Windows XP.


Any help is appreciated.
Unfortunately, there is no standard way for software to log its own actions in the Windows world. That's the bad news.
Beyond what Prickaerts has already mentioned, here are some suggestions:

1) Using a tool like "HijackThis", you can generate a log of most of the things which automatically start (be it a service or something in the registry's Run/RunOnce or similar entries). The next time you ponder what has changed, you could re-run the tool and compare the logs.

2) Security Task Manager (shareware tool): will list processes much like the Windows built-in program of the similar name would. It will also allow you to designate what is a known good program. So, when you wonder what else is running, run the tool and whatever is not something you've marked can be investigated.

Depending on how your neighbor uses the computer, it may be possible to do the best thing: get him to use a non-admin account to do his daily work. That way, whether by accident or by malicious intent (courtesy of Yet-Another-IE-Exploit or whatnot), whatever is compromised during his logon session is a lot less likely to destroy the whole system. Throw in simple USB flash-drive based backups or some such, and it may be just what you need.

Note: if you do decide to go this route, the up-front support costs are higher in that you'd need to see what he does normally and verify that it works under a non-Admin level user.

A decent anti-virus (commercial or free), and something specifically meant for dealing with spybot and such should complete the picture.
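The "re-run the tool and compare the logs" step in suggestion 1 is a snapshot diff: take an inventory of autostart entries today, take another later, and report what was added, removed or changed. The script below is an added example, not code from the thread and not the HijackThis log format; it uses a constructed one-line-per-entry format (`location | name | command`) and constructed sample snapshots, and it compares entries case-insensitively because Windows registry paths and file paths are case-insensitive.

```python
"""Diff two autostart snapshots and report what changed between checks.

Added example; the snapshot format below is constructed for this script and
is not the HijackThis log format. Each line is:
    <location> | <entry name> | <command line>
"""
from typing import Dict, List, Tuple

Key = Tuple[str, str]        # (normalized location, normalized entry name)
Snapshot = Dict[Key, str]    # key -> command line as recorded

# Constructed sample: the inventory taken on the first visit.
SNAPSHOT_BEFORE = r"""
# location | name | command
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | ctfmon | C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | AVGuard | C:\Program Files\ExampleAV\guard.exe
Service | Spooler | C:\WINDOWS\system32\spoolsv.exe
"""

# Constructed sample: the inventory taken on the next visit.
SNAPSHOT_AFTER = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | ctfmon | C:\WINDOWS\system32\ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | updater | C:\Documents and Settings\Bob\Local Settings\Temp\updater.exe
Service | Spooler | C:\Documents and Settings\Bob\Local Settings\Temp\spoolsv.exe
"""


def parse_snapshot(text: str) -> Snapshot:
    """Parse the constructed snapshot format; blank lines and '#' comments are skipped."""
    items: Snapshot = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [part.strip() for part in line.split("|", 2)]
        if len(parts) != 3:
            raise ValueError(f"malformed snapshot line: {raw!r}")
        location, name, command = parts
        # Registry paths and entry names are case-insensitive on Windows.
        items[(location.casefold(), name.casefold())] = command
    return items


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[tuple]]:
    """Return entries added, removed, or whose command line changed."""
    added = sorted((key, after[key]) for key in after.keys() - before.keys())
    removed = sorted((key, before[key]) for key in before.keys() - after.keys())
    changed = sorted(
        (key, before[key], after[key])
        for key in before.keys() & after.keys()
        if before[key].casefold() != after[key].casefold()
    )
    return {"added": added, "removed": removed, "changed": changed}


def format_report(diff: Dict[str, List[tuple]]) -> str:
    """Render the diff as a short human-readable report."""
    lines: List[str] = []
    for (location, name), command in diff["added"]:
        lines.append(f"+ added    {location} [{name}] -> {command}")
    for (location, name), command in diff["removed"]:
        lines.append(f"- removed  {location} [{name}] -> {command}")
    for (location, name), old, new in diff["changed"]:
        lines.append(f"~ changed  {location} [{name}]: {old} -> {new}")
    return "\n".join(lines) if lines else "no autostart changes"


if __name__ == "__main__":
    report = diff_snapshots(parse_snapshot(SNAPSHOT_BEFORE), parse_snapshot(SNAPSHOT_AFTER))
    print(format_report(report))
```

In the constructed sample the report flags a new per-user Run entry pointing into a Temp folder and a service whose command line moved out of the system directory, which is exactly the kind of change the second visit should turn up; an unchanged entry such as ctfmon produces no output.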
 
