> I understand there is a way to tell when a file was last
> _read_ by a user. (as opposed to when it was created)
> Does anybody know how to do this ?
> under linux ?
> under windows???


Since most of the answers that have appeared so far
address Linux, I'll address Windows.

The easiest way to view the last access time of a file
is by using the command 'dir /ta'.  Simply typing 'dir
/?' will show the syntax of the command.

I like to use Perl for this sort of thing.  I have a
script that collects MAC times from files:

http://patriot.net/~carvdawg/perl.html

Many of the scripts available here are also provided
as standalone .exes on the CD I distribute when I
teach my Incident Response for 2K course.

Now...how to find out when the _user_ last accessed
the file...that's a bit trickier, but not impossible. 
On my Perl page (listed above), there is a script
called "FSW.PL".  This is the File System Watcher...it
uses the MS API to wait for File Events, and logs
them.  This includes creation, deletion, and
modification.  Now, the API doesn't specify what kind
of modification is done, but you can set a flag in the
Perl module that looks for last access times only. 
From there, it's a simple matter to use the FSW.pl
code as a base, and add some functionality...such as
checking the currently logged on user, as well as
checking for any active sessions that access that
particular file (ie, checking for a remote user
accessing the file).  

Using Dave Roth's Win32::Daemon module, it would be
rather simple to make the script a Windows service,
and then use Perl2Exe to compile it into a standalone
EXE.

HTH
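
A minimal MAC-time collector in Perl, as an added example that is not part of the original post and is not the author's script. The CSV layout and the helper names fmt_time and mac_times are choices made for this example.

```perl
#!/usr/bin/perl
# Added example: walk a directory tree and print modified/accessed/created
# times for each file as CSV. Only stat() is used, so file contents are
# never opened by this script.
use strict;
use warnings;
use File::Find;
use POSIX qw(strftime);

# Format an epoch value as UTC so output from different hosts lines up.
sub fmt_time {
    my ($epoch) = @_;
    return defined $epoch
        ? strftime('%Y-%m-%d %H:%M:%S', gmtime $epoch)
        : '';
}

# Return [path, size, mtime, atime, ctime] for one file, or nothing on error.
# stat() fields: 7 = size, 8 = atime, 9 = mtime, 10 = ctime.
# On Windows, Perl reports the creation time in the ctime field; on Unix
# the same field is the inode change time.
sub mac_times {
    my ($path) = @_;
    my @st = stat($path) or return;
    return [ $path, $st[7], map { fmt_time($_) } @st[9, 8, 10] ];
}

my $root = shift @ARGV or die "usage: $0 <directory>\n";

print "path,size,modified_utc,accessed_utc,created_or_changed_utc\n";
find({
    no_chdir => 1,    # keep full paths in $File::Find::name
    wanted   => sub {
        my $name = $File::Find::name;
        return unless -f $name;
        my $row = mac_times($name);
        unless ($row) { warn "stat failed: $name: $!\n"; return; }
        (my $quoted = $row->[0]) =~ s/"/""/g;    # CSV-escape the path
        print join(',', qq{"$quoted"}, @{$row}[1 .. 4]), "\n";
    },
}, $root);

# Caveat: NTFS can be configured not to update last-access times
# (the NtfsDisableLastAccessUpdate setting), so an old accessed_utc value
# does not prove that nobody has read the file since.
```

The accessed_utc column carries the same last access time that 'dir /ta' displays; like that command, it says when the file was accessed, not by whom.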
