Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Shaun E on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Accessing MRU Information

Status
Not open for further replies.
RecLambyUK

RecLambyUK

Technical User
Dec 12, 2003
66
GB
Hi guys,

I am after some help. Basically are company are trying to action disciplinary procedures against somebody who has been accessing accounts information etc. On his PC under his account (we know it was the user as CCTV has him sitting on the machine at the time) under the MRU, there are multiple entries on there pointing at very sensitive payroll information etc.

My question is... what exactly creates an entry on the MRU? Is it when a file is opened or can it be just a folder etc?
For example, one entry is the shortcut to a employees users folder. Does this mean they accessed the contents of it? Would it show on this list if he attempted to access but was denied due to security permissions etc?

I hope I am making sense here, I just want to be 100% sure I know the ins and outs of the MRU in case I am called on to give evidence etc in the disciplinary.

Kind regards
John
 
Sort by date Sort by votes
The MRU will be created any time someone has accessed a particular file. However, I must warn you that your company is treading on thin ice. If disciplinary action is going to be made based on the CCTV, then that is one thing, but if
there is a plan to use the information on the MRU, I would advise finding a competent security investigator to investigate. A compentent investigator will then be able to make a complete copy of the drive, leaving it untainted. If you or any one else has logged on to the PC, and looked at any information on his "account", then the whole case can be dismissed on grounds of tampering.
 
Upvote 0 Downvote
Very good point, I agree totally. All I know is that looking at his MRU, it shows files being accessed at certain times. When the CCTV was checked at these exact times, the person in question was sitting at his machine doing whatever. The company feel that is enough to at least bring him in for questioning, as far as the legal side goes it is out of my hands and completely up to the company. For what its worth, when the activity was first reported a complete backup of the drive was made anyway in case the user was clever enough to clear history, remove evidence etc.
 
Upvote 0 Downvote
A backup would not be valid, as this has modified every file on the pc.
As future reference, you need to literally power off the pc and lock it away, until it is to be dealt with by an expert.
You say it's up to the company when it comes to how they deal with it, but who will they be asking for the technical, and therefore physical, proof. Looks like you I'm afraid. My best advice it the "To the best of my knoweldge....however this is no guarentee" route.

Only the truly stupid believe they know everything.
Stu.. 2004
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

CruiseMan
  • Locked
  • Question
Accessing specific websites in XP sp2 difficulties
Replies
8
Views
406
goombawaho
goombawaho
ChrisRChamberlain
  • Locked
  • Question
Accessing Windows 7 box without a password
Replies
2
Views
169
bfordz
bfordz
bloomlight
  • Locked
  • Question
How to put back "System Volume Information\_restore" folder?
Replies
3
Views
130
bloomlight
bloomlight
dibbkd
  • Locked
  • Question
Windows 7 XP Mode accessing a server on a LAN
Replies
2
Views
133
linney
linney
JBruyet
  • Locked
  • Question
How do I get rid of information popups? 1
Replies
5
Views
136
linney
linney

Part and Inventory Search

Sponsor

Back
Top