Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Any way to find out what was done at a certain time on my MBP?

A

apple-ette

macrumors member
Original poster
Jul 29, 2009
94
4
It would appear that someone has snooped on my MBP. My external drive was simply unplugged (not unmounted), so I got errors about that. Is there any way that I can tell what else was done during that time (since I have a rough time range)?

What I've tried:
I have looked in Finder "All My Files" and sorted by "Date Last Opened". I didn't see anything there in the time range.
In "Recent Items" I don't see any programs that I think wasn't me.
I've looked in console (I see lots of errors about my external drive not being found, not sure what else I can look for).

Any suggestions would be helpful.
Thanks.
 
apple-ette said:
It would appear that someone has snooped on my MBP. My external drive was simply unplugged (not unmounted), so I got errors about that. Is there any way that I can tell what else was done during that time (since I have a rough time range)?

What I've tried:
I have looked in Finder "All My Files" and sorted by "Date Last Opened". I didn't see anything there in the time range.
In "Recent Items" I don't see any programs that I think wasn't me.
I've looked in console (I see lots of errors about my external drive not being found, not sure what else I can look for).

Any suggestions would be helpful.
Thanks.
Click to expand...

Was the drive actually unplugged? If so, then someone might have just grabbed your computer to look something up. You can look in Safari or Firefox history.

Theory #2 The macbook went to sleep or simply lost connection with the drive for some other reason, maybe the fault of the drive itself. Could even have been a static discharge when you sat down to use the computer again.

Theory #3 Someone needed the desk space so they unplugged the drive and moved the computer. Probably they needed to wrap some presents.

Looking in Finder for most recent files won't tell you much, but you could do an advanced find, include system files and last opened or modified within the last day. The steps to that are OS X version dependent.

Or you could run the following perl script using

./findMostRecent.pl / >mostRecent20141227.txt

That would output a tab delimited text file you could open in Excel and browse around.

run it as root with sudo if you don't want to see the Permission denied errors.

#!/usr/bin/perl -w

my $findPath = $ARGV[0];
chomp$findPath;
my @fileList = `find -x '$findPath' -type f`;
my %files;

foreach (@fileList) {
chomp $_;
s/\/\/$//;
next if ($_ =~ m/\.DS_Store/);

my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks) = lstat($_);
$files{"$size\t$_"} = $mtime;
}

@sorted = sort {$files{$a} <=> $files{$b} } keys %files;


print "Date\tSize\tFileName\n";
foreach (@sorted) {
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($files{$_});
$mon = $mon + 1;
if ($mon =~ m/^\d$/) {$mon = "0$mon";}
if ($mday =~ m/^\d$/) {$mday = "0$mday";}
if ($hour =~ m/^\d$/) {$hour = "0$hour";}
if ($min =~ m/^\d$/) {$min = "0$min";}
#$mday = $mday +1;
$year = $year += 1900;

print "$year $mon $mday - $hour$min\t$_\n";
}
 
Years ago, I was visiting my company's office in another part of the state. There was a creepy guy employed there who everyone felt vaguely uncomfortable around. One day during my visit, I left to go to lunch. As I reached my car, I realized I'd forgotten something, so I did a U-turn and went back to my desk.

And there was Creepy Guy, bent over my laptop, poking around.

Raised the back-hairs right up on my neck, that did. I had no worries that he'd find anything problematic on my machine, but he could well have put something outright incriminating on it. He was that kind of creepy.

And so that day, that very moment, I developed a habit of locking my computer when walking away from it.

It's easy to do so on the Mac. Just go to System Preferences, go to Desktop & Screen Saver, click the Hot Corners button, and choose Put Display To Sleep for one corner. Then, in Security & Privacy, ensure that the "Require password ___ seconds after sleep or screen saver begins", in the General tab, is check marked.

Now no one is going to get into your machine when you walk away, as long as you swipe your finger to that corner. That'll instantly sleep the screen, requiring an unlock passcode after the specified number of seconds.

Enable FileVault for additional protection. The firmware passcode is another good idea.

Do all that, and you'll have a very secure machine.
 
  • Like
Reactions: MacbookAlex
sjinsjca said:
And so that day, that very moment, I developed a habit of locking my computer when walking away from it.
Click to expand...
At my work, out computers auto-lock after x minutes. We're also instructed to manually lock them if we leave our desk.

I'd look to embracing this habit, along with the FV and the firmware passwords as recommended by others.
 
bernuli said:
Was the drive actually unplugged? If so, then someone might have just grabbed your computer to look something up. You can look in Safari or Firefox history.

Theory #2 The macbook went to sleep or simply lost connection with the drive for some other reason, maybe the fault of the drive itself. Could even have been a static discharge when you sat down to use the computer again.

Theory #3 Someone needed the desk space so they unplugged the drive and moved the computer. Probably they needed to wrap some presents.

Looking in Finder for most recent files won't tell you much, but you could do an advanced find, include system files and last opened or modified within the last day. The steps to that are OS X version dependent.

Or you could run the following perl script using

./findMostRecent.pl / >mostRecent20141227.txt

That would output a tab delimited text file you could open in Excel and browse around.

run it as root with sudo if you don't want to see the Permission denied errors.

#!/usr/bin/perl -w

my $findPath = $ARGV[0];
....
Click to expand...

Thanks, I'll give the script the bash. And yes the external drive was completely unplugged.

----------

Thanks to all that responded. I have enabled the pw at screen saver. I never leave it unattended in public places, so I never felt the need before.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back