In Christopher Brookmyre’s book, All Fun and Games until Someone Loses an Eye, a character with hacking skills switches on a PC, then checks the boot log to see when the machine had last been on and for how long.
She then checks the directory access records to see which folders had been accessed during the last session. So, is this far-fetched literary licence or fact?
Since the book was published in 2005, we’ll assume the PC was running Windows XP. The first part is relatively easy, except that it’s not the boot log you should be looking in but the System Event Log.
Run the Event Viewer, which you should find under Administrative Tools in Control Panel or the Start Menu, and click on System in the left pane. Resize the window so you can see the Event column in the right-hand pane.
Look for an entry of 6009 in this column – this shows when the PC was shut down or restarted. A start-up will be logged by a number of events, mostly with the codes 7035, 7036 and 26, corresponding to various services and checks.
Right-clicking an event and choosing Properties shows a brief explanation, and you can find out more by clicking the link provided in the Event Properties box.
Schrödinger’s files?
Finding out when a file or folder was last accessed is more difficult.
Every file and folder on a Windows PC – and this goes for both NTFS and FAT file systems – has three dates associated with it. The Date Modified is the one you see by default in Explorer or from typing ‘dir’ at a command prompt. This shows the date and time that the file was last saved.
If you open a file and save it – even without modifying it – you will usually find that this date changes. The creation date is the date that the file was created on disk in its current location. So if you create a new file by saving it from an application on 1 January and copy it to another folder on 2 January, the creation date of the copy will be 2 January but its modified date will remain 1 January.
Some files, such as JPEG images or Microsoft Word documents, will preserve the original creation date under Advanced properties, but this is stored within the file itself rather than in the file system. Moving, rather than copying, a file generally preserves the creation date.
If you’re not happy with the concept of something being modified before it was created, then you’re going to like the date accessed even less. You can see all three dates for a file if you right-click on it and choose Properties.
However, this counts as accessing the file, so the last accessed date changes to the current date and time. By observing the file’s properties, you change them – it seems the designers of the system were inspired by quantum physics.
If you are running Windows ME, 2000 or XP, then you can see all three dates in Explorer’s details view. In ME or 2000, go to the View menu, then ‘Choose columns’ (in XP it is View, Choose details). Tick the boxes for Date Created and Date Accessed and you’ll see the extra columns for both files and folders.
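As an added example (not part of the original column), the PowerShell script below automates both checks: it pulls the event IDs named above out of the System log and groups them into on/off sessions by time gap, then lists all three dates for every item in a folder. The folder path and the 30-minute gap are assumed values to adjust as needed.

```powershell
# Event IDs the column points at: 6009 plus the start-up cluster 7035/7036/26.
$ids = 6009, 7035, 7036, 26

# Pull matching System-log entries from the last 30 days, oldest first.
# Get-EventLog reads the classic logs; run from an elevated prompt if access is denied.
$events = Get-EventLog -LogName System -After (Get-Date).AddDays(-30) |
    Where-Object { $ids -contains $_.EventID } |
    Sort-Object TimeGenerated

# Group entries into sessions: the machine was certainly on between any two
# entries, so a gap longer than $gap means it was off (or asleep) in between.
$gap = New-TimeSpan -Minutes 30          # assumed threshold
$sessions = @()
$current = $null
foreach ($e in $events) {
    if ($null -eq $current -or ($e.TimeGenerated - $current.End) -gt $gap) {
        if ($current) { $sessions += $current }
        $current = New-Object PSObject -Property @{
            Start = $e.TimeGenerated; End = $e.TimeGenerated; Events = 0
        }
    }
    $current.End = $e.TimeGenerated
    $current.Events += 1
}
if ($current) { $sessions += $current }

# "When was it last on and for how long": one row per session.
$sessions | Select-Object Start, End,
    @{ n = 'Duration'; e = { $_.End - $_.Start } }, Events |
    Format-Table -AutoSize

# Second check: the three file-system dates for a folder of interest.
# Get-ChildItem reads directory metadata and does not open the files, so it
# does not itself bump LastAccessTime the way the Properties dialog does.
# Caveat: NTFS has not updated last-access times by default since Vista
# (see 'fsutil behavior query disablelastaccess'), and XP defers the update
# by up to an hour, so LastAccessTime is only a lower bound on real activity.
$folder = 'C:\Users\Public\Documents'    # assumed path; change to the folder of interest
Get-ChildItem -LiteralPath $folder -Force |
    Sort-Object LastAccessTime -Descending |
    Select-Object Name, CreationTime, LastWriteTime, LastAccessTime |
    Format-Table -AutoSize
```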
