How do I check if someone accessed my computer?
I assume that you don't think that your computer has been totally compromised (to check who has been running sudo commands see /var/log/auth.log).
It is possible to quickly find files not owned by your user in your home folder and also at what time any files were accessed by using the find command (use -type f for files and -type d for directories). For the following examples, I assume that you are running from the top level of your home folder (just enter cd to get to it), and that you do not want to search the files in the root directory.
1) To find all files NOT owned by your logged on user in your home folder, type:
find ~ -type f ! -user $USER
1.1) To find all files that do not belong to any legitimate user (they should not exist), type:
find ~ -type f -nouser
2) As files on the system have three timestamps called mtime (file modification time), ctime (inode change time and permissions), and atime (file access time), these can be queried to find out how files have been modified. It is often debated which of these are the best to use, but probably the best way to find out when files were accessed or modified is to use the find command to search atime and mtime, with which you specify days ago, and the additional find options amin and mmin, with which you specify minutes ago.
For each of these commands, the same command switches are used: for example, -atime 1 will match those files that were accessed exactly 1 day ago; to specify more or less than, append a + or a - respectively. The examples below may clarify all this (specify -type d for directories):
find ~ -type f -atime 1
find ~ -type f -amin -23
find ~ -type f -mtime 2
find ~ -type f -mmin -45
3) To combine my approaches so far, you could enter the following commands from your home folder:
- Search for files in your home directory not owned by $USER and that were last accessed less than two days ago.
find ~ -type f -atime -2 ! -user $USER
- Search for files in your home directory not owned by $USER and that were last modified less than two days ago.
find ~ -type f -mtime -2 ! -user $USER
If your computer were to have been locked, then you could check the auth log which notes each login and unlocking event with a date and time.
There is no direct way to know if someone was accessing an unlocked computer, without having a special program installed to track activity. But indirect information can be used to infer access.
Browser history, for instance, will often tell you what time websites were accessed. Also, GNOME's recently accessed files will show opened files. You can get to this by going to Unity's Dash Menu and clicking expand on the recently used files section.
If you need a more definitive list (including files accessed by non-GNOME programs) then we would need to write a short script to detect all files with access or write times between the suspected range. Perhaps someone already has written this but I've never heard of it.
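
The range search described in the answer above, as an added example that is not part of the original post: a shell function (the name files_touched_between is hypothetical) that uses GNU find's -newerat and -newermt tests to list files whose access or modification time falls inside a suspected window. It assumes GNU find and date, as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example: list regular files under a directory whose access time OR
# modification time lies inside a suspected window.
#
# Usage: files_touched_between DIR START END
#   START and END are timestamps in local time, e.g. "2024-05-01 09:00".
# Output columns: atime, mtime, owner, path (sorted by atime).

files_touched_between() {
    # Reject timestamps that date cannot parse; find's own error would
    # otherwise be hidden by the stderr redirect below.
    date -d "$2" >/dev/null 2>&1 || { echo "bad start time: $2" >&2; return 2; }
    date -d "$3" >/dev/null 2>&1 || { echo "bad end time: $3" >&2; return 2; }

    # -newerat T : atime is later than T;  ! -newerat T : atime is not later than T
    # -newermt T : the same tests against mtime.
    # A file is reported if either timestamp is in (START, END].
    # find itself does not read file contents, so it does not alter file atimes.
    find "$1" -type f \
        \( \( -newerat "$2" ! -newerat "$3" \) -o \
           \( -newermt "$2" ! -newermt "$3" \) \) \
        -printf '%A+  %T+  %u  %p\n' 2>/dev/null | sort
}

# Run directly: ./touched.sh ~ "2024-05-01 09:00" "2024-05-01 12:00"
if [ "$#" -eq 3 ]; then
    files_touched_between "$1" "$2" "$3"
fi
```

On filesystems mounted with relatime (the Linux default) or noatime, a read does not always update atime, so a file missing from the output may still have been opened; mtime matches are the more reliable signal.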