I left my G4 unlocked because itunes was running for the stereo, I walked in to my office on someone acting funny. How can I determine if he copied files off of my Dual G4 onto a usb thumb drive, CD or DVD... Can I simply check an activity log, console or terminal?? All I need to know is if someone did anything which my system other then listen to itunes during a three hour window. Thanks in advance
PowerMac, Mac OS X (10.4)
You can't, unless he tried to copy files from an area of the system which requires a password to access, such as another account's private files or system-level folders. The home folder of the currently logged in account doesn't count.
(58413)
Thank you. so, there is nothing on the system that keeps track of what hw is accessed? What about something on the files that tell when they were last interacted with in anyway? Anything???
fyi - I was logged into my account - there are three on the system, but the files would have just been copied from mine to a usb or cd
Nothing that you can access except as noted above. The system doesn't log most accesses and copies because they don't present security issues; the login/screensaver passwords are meant to keep other people out of your personal files as opposed to logging accesses to them.
(58414)
You need to look at your system log in Console utility. Open Console in the /Applications/Utilities folder (cmd-shift-U will get you there right away), which will open with the console.log file. Click the Logs icon to reveal the other log files available, and you should find system.log right under console.log. Click system.log.
Now, in the filter window in the upper right corner of the window, type diskarbitration to filter. That will tell you if any thumb drive was connected, at least. This is the kind of thing you should find, maybe. The time stamp is important.
You may need to go back several swapped system.log versions, to be sure, so you need to then reveal the log files and folders under /var/log by clicking the triangle, then go down that list until you see eight files named system.log.0.gz through system.log.7.gz. Click each in turn and if they are not very short, filter again on diskarbitration.
Now, if you find something suspicious, you need to preserve the specific log file, as it will be rotated out by the daily maintenance. Bring up the Go to Folder dialog from Finder by the keyboard shortcut of cmd-shift-G, and type in /var/log as the name of the folder. This will bring up a folder with the log files of interest, which is normally an invisible folder. Select the log file you want to protect and duplicate it using cmd-D. Then move that duplicate to someplace safe.
You may also find CD burn information in the diskrecording.log file as well.
Message was edited by: old comm guy to add the last log file to look for.
Excellent! Thank you for the complete answer including screen shots- awesome! Any thoughts on looking at a single file to see if it has been copied? or if the system burned a disk?
ca_apple_user wrote:
Excellent! Thank you for the complete answer including screen shots- awesome! Any thoughts on looking at a single file to see if it has been copied? or if the system burned a disk?
Not sure about a file, but the DiscRecording.log file shows disc burning from Disk Utility and Finder on my log, anyway.
How can I tell if someone copied files off of my G4?
