Q: Detecting unauthorized computer use (Answered, 5 out of 5 stars, 3 Comments)
Question  
Subject: Detecting unauthorized computer use
Category: Computers > Operating Systems
Asked by: sl7-ga
List Price: $200.00
Posted: 22 Sep 2004 19:33 PDT
Expires: 22 Oct 2004 19:33 PDT
Question ID: 405103
I do not have a "security password" as a requirement to access my
laptop computer. The laptop's operating system is Windows XP
Professional. I was out of town for a period of 2 weeks and left my
computer at home. I have reason to believe that someone turned on the
computer during that time, and may have copied data from the computer.
They may have been clever about it in an attempt to avoid detection,
for example, once the computer booted, they may have changed the
computer's clock say to a time 3 months before the unauthorized
access, and then after completing their deed, changed the clock back
to the current time. They may have done a normal shutdown of Windows
or perhaps they thought they could better hide their trail by powering
down without a normal shut down.  I have reason to believe the person
involved would try to hide their tracks.  Since only one person had
access to my computer during the 2 week period, I really only need to
determine if the computer was turned on at all during the 2 weeks in
question.

In effort to determine whether this happened, I have 3 questions: (1)
Does Windows XP maintain a log file that dutifully records the date
and time of each Windows boot, and/or the date and time of each
Windows shut down?  If so, how would I access that log? If that log
showed a boot or a shut down during the 2 week period that I was out
of town, I would know at least that the computer had been turned on
without my authorization.   If Windows does not keep a log file, is
there any other way I could detect the suspected unauthorized use? (2)
As I noted earlier the suspected perpetrator may have changed the
clock during the time they used the computer and then changed it back
before shutdown. Is there a log kept by Windows of the date and time
that the clock has been reset? If so how would I access the log? (3)
If a file is copied to a CD or an external hard drive, does Windows XP
keep any internal log of the copying?  If so, how would I access the
"copy" log.

Finally, what is the best way for me to set a password requirement as
a condition to gain access to my laptop so that this will not happen
in the future.

Thank you for your help.
Answer  
Subject: Re: Detecting unauthorized computer use
Answered By: adiloren-ga on 22 Sep 2004 23:28 PDT
Rated: 5 out of 5 stars
 
Here are the steps I would suggest to investigate as to whether your
computer was compromised.


1. Check System History

If the offender was clever- they probably erased it, but it's worth
checking if you haven't already.

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prde_ffs_zrji.asp
"Using the History Folder and History View

The Windows XP Professional History folder integrates Web links and
network shares, so users have access to their navigation history no
matter where they view the History folder. Users can sort the History
folder by the following categories: By Date, By Site, By Most Visited,
or By Order Visited Today.

You can also select the History view from the toolbar in Windows
Explorer, which tracks the history of all Web sites and documents
opened. In this view you can sort by location or by date used, or
search the history list, using option buttons."

2. Checking for internet use (if your computer was ready for web access)

Check the history on web browsers.

Also, click START, then Search then "For Files and Folders". Next
click "All Files and Folders" then type in index.dat in the "All or
part of the file name" box. Under the "Look in" option choose "My
Computer". Then click "More advanced options" and check off "Search
system folders" as well as "Search hidden files and folders".

3. Search for files and folders modified in the date range that you were gone.

Search every file on the disk for these dates. If you find your
documents, they were nosing around in those. The sooner you do this
after an invasion, the more reliable it will be, as these files can be
overwritten by your own use.

4. Detecting Unauthorized Access Using the Security Log
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/core/iidetsc.htm

"   1. Click Start, point to Settings, click Control Panel,
double-click Administrative Tools, then double-click Computer
Management.
   2. Expand System Tools.
   3. Expand Event Viewer.
   4. Select Security Log.

   5. Inspect the logs for suspicious security events, including the following:
          * Invalid logon attempts.
          * Failed use of privileges.
          * Failed attempts to access and modify .bat or .cmd files.
          * Attempts to alter security privileges or the audit log.
          * Attempts to shut down the server."


5. Check Log Files

Go to Start>Settings>Control Panel or just Start>Control Panel
depending on which view you are using.  Then, if using the new view in
XP go to Performance and monitoring>Administrative Tools or if in
classic view, just click on Administrative tools.  Then start the
Event Viewer. Check all of the logs for the times that you were gone.

6. Auditing

You can monitor many different types of events on a Windows XP
Professional-based system, including user actions such as logging on
and logging off, and the success and failure of key application
events. Administrators need to monitor these events to track security,
system performance, and application errors.
   
How To Audit User Access of Files, Folders, and Printers in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310399&Product=winxp

Advanced Auditing
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_xutj.asp


*Setting Up a Password

Control Panel > User Accounts, then you will see a link, Create A New Account.
Click on that, name the account, and then you will have the option of Limited
Access or Administrative Rights.

*Lock Your Computer When Gone

Create a Shortcut to Lock Your Computer
http://www.microsoft.com/windowsxp/using/security/learnmore/tips/schnoll1.mspx

*Microsoft Security Settings for XP Pro
http://www.microsoft.com/windowsxp/using/security/data/default.mspx

*Monitoring Software Downloads
http://www.gfn.org/tucows/systemmonitoring95.html

and
http://www.sysinternals.com/ntw2k/utilities.shtml

http://www.gfn.org/tucows/preview/324300.html
"This security utility allows you to track the login and logout dates
and times, for all of the users on your network, from a single
workstation. It includes a report generator and a login alert feature
to notify you by e-mail when a particular user logs into your system.
It also allows you to see what files a particular user has open and
what users have a particular file open."


Google Search Strategy
XP professional, security, log files

I hope this helps. Please request clarification if you need further assistance.

-Anthony (adiloren-ga)
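The checks in steps 3, 4 and 5 above, together with the questioner's worry about a reset clock, can be run in one pass from PowerShell rather than clicking through Event Viewer and the Search dialog. The script below is an added example, not part of adiloren-ga's answer or a Microsoft tool. It assumes Windows PowerShell 2.0 to 5.1 (Get-EventLog reads the classic event logs that XP and later keep; on XP SP3 it needs the separately installed Windows Management Framework, and the cmdlet is not present in PowerShell 7), an administrator prompt so the Security log is readable, and that the absence window dates and the profile path are constructed placeholders to be replaced with the real ones.

```powershell
# Added example, not from the answer above. Assumes Windows PowerShell 2.0-5.1
# (Get-EventLog reads the classic event logs that XP and later keep) and an
# administrator prompt so the Security log can be read.
# The absence window is a constructed placeholder; replace with the real dates.
$start = Get-Date '2004-09-08 00:00'
$end   = Get-Date '2004-09-22 23:59'

# --- 1. Boot / shutdown markers written by the Event Log service itself ---
# 6005 = event log service started (every boot)      6006 = service stopped (clean shutdown)
# 6008 = previous shutdown was unexpected (power cut) 6009 = OS version banner (every boot)
# These are written before a logged-on user has any chance to touch the clock.
$bootIds = 6005, 6006, 6008, 6009
$system  = Get-EventLog -LogName System | Sort-Object Index

"Boot/shutdown events between $start and $end :"
$system |
    Where-Object { ($bootIds -contains $_.EventID) -and
                   ($_.TimeGenerated -ge $start) -and ($_.TimeGenerated -le $end) } |
    Select-Object Index, TimeGenerated, EventID |
    Format-Table -AutoSize

# --- 2. Clock rollback check ---
# Index is assigned sequentially as records are written; TimeGenerated comes from
# the system clock. A record stamped earlier than its predecessor means the clock
# was set back between the two writes. (The autumn DST change also produces one
# one-hour step back, so a single one-hour dip on that date is expected.)
$prev = $null
foreach ($e in $system) {
    if ($prev -ne $null -and $e.TimeGenerated -lt $prev.TimeGenerated) {
        "Clock went backwards: record $($prev.Index) at $($prev.TimeGenerated), " +
        "then record $($e.Index) at $($e.TimeGenerated)"
    }
    $prev = $e
}

# --- 3. Explicit time-change audit records (only present if system-event auditing is on) ---
# 520 = 'The system time was changed' on XP/2003; 4616 is the equivalent on Vista and later.
Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 520 -or $_.EventID -eq 4616 } |
    Select-Object Index, TimeGenerated, EventID, UserName |
    Format-Table -AutoSize

# --- 4. Files read or written during the window (answer step 3) ---
# NTFS on XP updates LastAccessTime when a file is read, so copying a document to
# a CD or external drive usually leaves a trace on the source file. Run this before
# anything else touches the files, and expect some noise from antivirus scans.
# The profile path is a placeholder; point it at wherever the documents live.
Get-ChildItem -Path 'C:\Documents and Settings' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   (($_.LastWriteTime  -ge $start -and $_.LastWriteTime  -le $end) -or
                    ($_.LastAccessTime -ge $start -and $_.LastAccessTime -le $end)) } |
    Select-Object FullName, LastWriteTime, LastAccessTime |
    Sort-Object LastAccessTime |
    Format-Table -AutoSize
```

Two limits to keep in mind when reading the output: the classic logs are small by default and overwrite the oldest records when full, so two-week-old boot markers may already be gone on a busy machine, and the Security log stays empty unless auditing was switched on beforehand (the auditing links in step 6 cover that). The Index-versus-timestamp comparison in part 2 is the most robust of the four checks, because it does not depend on any audit setting and a clock reset cannot rewrite records that were already on disk.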

Clarification of Answer by adiloren-ga on 27 Sep 2004 21:52 PDT
sl7-ga,

Thanks for the kind comments, high rating and the generous tip. I very
much appreciate it. I'm glad I could help.

Best regards,
Anthony
sl7-ga rated this answer: 5 out of 5 stars and gave an additional tip of: $50.00
Thank you for an excellent job.  I have been out of town and I am
sorry it took so long for me to get back to you.

Comments  
Subject: Re: Detecting unauthorized computer use
From: cscguy-ga on 23 Sep 2004 08:45 PDT
 
If you have 2000 or XP with NTFS on the hard drive, there is absolutely
no reason you should not be encrypting your important information. If
someone were to copy the hard drive, they would have a very difficult
time reading what that data was without knowing the passwords to the
accounts they belong to.

Second, to make things even more difficult you should have at least
set the two supervisor passwords in the BIOS, which would have added
another level of security and complicated the process. As mentioned
above, Windows keeps 3 logs: Security, Application, and System logs.
These can be found in the event viewer in any copy of NT.
Subject: Re: Detecting unauthorized computer use
From: 1anton1-ga on 23 Sep 2004 10:58 PDT
 
As mentioned above, control panel, Administrative tools, event viewer
would be an excellent way to check this.

I have events listed for my computer use today.  Some of these events
would have happened before I even get a chance to change the system
clock.

These events would be difficult to modify unless the suspected user is
an expert in IT.

Good luck.
Subject: Re: Detecting unauthorized computer use
From: adiloren-ga on 27 Sep 2004 21:49 PDT
 
sl7-ga,

Thanks for the kind comments, high rating and the generous tip. I very
much appreciate it. I'm glad I could help.

Best regards,
Anthony
