4

I am acutely aware I may be overly paranoid here.

I left my laptop unattended by myself (I trusted a friend who was beside it). He assures me it was not touched. When I returned I was still logged in. When the network went down shortly afterwards, I was clicking through my connections and found my ethernet connection (which I never use, and was unplugged before and after) had last been in use 40 minutes earlier (while I left it unattended). This ethernet port "unfolds" from the laptop and was unfolded (could have been when I took it out of my bag), which is unusual; I did not consciously open it. At that point the network was stable (and is wifi). I took a look in the auth logs but have no idea how to get time stamps or even where I could look to see if something was used. At least I am sure no sudo attempts were made/failed.

Should I be worried/go and speak to security? There is video surveillance there which is my next stop when I am more certain.

Any advice would be appreciated.

Tink
  • 41
  • Just out of interest: How sensitive is the information on your computer? Or how crazy is your friend? Are you afraid he accessed some of your documents? If so, check the timestamps. Are you afraid he used your computer to do malicious things? – don.joey Mar 05 '13 at 14:19
  • Right at this moment, nothing on the computer requires any security. However, tonight I will be working on some coursework for the lab that I left the laptop within. Going forward I want to be sure I can use this laptop safely. I am sure that my friend has neither the inclination nor the knowledge to do anything really tricky; he has no ability in Linux/Ubuntu. I would be unwilling to rely on his observational skills, however. – Tink Mar 05 '13 at 14:26
  • 1
    If you're truly afraid of future security on the system, nuke the OS and everything on the drive and start from scratch. – Thomas Ward Mar 06 '13 at 07:13
  • Possible duplicate of this question. –  Mar 08 '13 at 20:24

1 Answer

7

The stat command will show you the latest time a file was accessed. The find command can tell you which files were accessed in a certain time span. For instance:

find ~ -amin -210 -amin +60

will list all files under your $HOME that have been accessed between 60 and 210 minutes ago. Use -cmin to locate files which have been modified. That should get you started. However you may be better off concentrating on your coursework.

zwets
  • 12,354
  • $ find ~ -atime -3h30m -atime +1h00m doesn't seem to work: find: invalid argument '-atime' of '-atime' – R110 Mar 05 '13 at 18:34
  • 1
    Try find ~ -amin +a -amin -b which means accessed more than a minutes ago and less than b minutes ago. – AliNajafies Mar 05 '13 at 19:53
  • -atime n means file was last accessed n*24 hours ago. So only a real number is allowable after it. – AliNajafies Mar 05 '13 at 19:59
  • You're right, POSIX only specifies the full day units with -atime. The minute-based tests work though. I was testing this on BSD, which has the luxury extensions. – zwets Mar 05 '13 at 22:06
  • @zwets, This might output a lot of information, so that it may not be possible to process it. Anyway, you're a command master! – Mostafa Shahverdy Mar 06 '13 at 07:11
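
The minute-window search from the answer, extended to check access, modification and inode-change times in one pass and to label which timestamp matched. This is an added example, not part of the original answer or comments: the function name files_touched_between is hypothetical, and it assumes a find with the minute-based tests (GNU or BSD).

```shell
#!/bin/sh
# Added example (not from the original thread).
# files_touched_between DIR OLDEST NEWEST
#   Prints "<t> <path>" for each regular file under DIR whose timestamp lies
#   between NEWEST and OLDEST minutes ago, where <t> is:
#     a = last access (read)
#     m = last content modification
#     c = last inode change (content write, chmod, chown, rename)
#
# Caveats when reading the result:
#   - With the relatime mount option, atime is refreshed only when it is not
#     newer than mtime/ctime or is older than 24 hours, so a read can leave
#     no atime trace. With noatime it is never refreshed.
#   - Indexers, backup jobs and your own later reads also move atime, so run
#     the search before opening the files you care about.
#   - An empty result does not prove that nothing was read.
files_touched_between() {
    dir=$1 oldest=$2 newest=$3

    # Both bounds must be whole minutes, and the window must be non-empty.
    case $oldest in ''|*[!0-9]*) echo "OLDEST must be whole minutes" >&2; return 2 ;; esac
    case $newest in ''|*[!0-9]*) echo "NEWEST must be whole minutes" >&2; return 2 ;; esac
    [ "$oldest" -gt "$newest" ] || { echo "OLDEST must exceed NEWEST" >&2; return 2; }

    # Same test pair as the answer's "-amin -210 -amin +60", once per timestamp.
    for t in a m c; do
        find "$dir" -type f "-${t}min" "-$oldest" "-${t}min" "+$newest" \
            -exec printf "$t %s\n" {} +
    done
}

# Stand-alone use: sh script.sh "$HOME" 210 60
if [ "$#" -eq 3 ]; then
    files_touched_between "$@"
fi
```

A file that appears with both m and c was written to in the window; c alone points to a metadata change such as a permission change or rename.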