Look in the Recent Files information... which is displayed on the Start -> Documents listing from the Task Bar. The Recent Documents are also in the folder (which is really what is displayed on the task bar) - C:\Winnt\Profiles\<the profile of interest>\Recent Hope this helps. NT does leave a trace of the last few files touched. --------------------------------------------------------- Michael S Hines | Phone 765-494-5875 Purdue University | FAX 765-496-1380 Management Information | Email mshinesat_private OS/390 Systems Programmer | Certifications: 1061 Freehafer Hall | CIA, CISA, CFE, CDP West Lafayette, IN 47907-1061 | -----Original Message----- From: phil_curranat_private [mailto:phil_curranat_private] Sent: Tuesday, May 29, 2001 6:38 AM To: forensicsat_private Subject: Determining if someone copied file to a: drive I have been tasked to determine if some has copied a file to the a: drive. My system information is as follows: NT Workstation, SP6a, auditing is NOT on. Without auditing turned on, is there a method I can use to determine if a user copied files to the floppy drive (a:)? I am not aware of any way to do this. Any help is greatly appreciated. v/r Phil Curran ********************************************************************** This e-mail and any files transmitted with it may contain confidential information and is intended solely for use by the individual to whom it is addressed. If you received this e-mail in error, please notify the sender, do not disclose its contents to others and delete it from your system. **********************************************************************
This archive was generated by hypermail 2b30 : Wed May 30 2001 - 07:26:07 PDT