5

My family member has reason to believe that someone entered their house last night although they cannot be certain because they only have circumstantial evidence: In the morning they found a light left on and a door leading to the garage left open after locking it last night.

For the sake of this post, let's assume that someone did enter their home without permission.

My sibling owns an AMD PC running Windows 7, and upon waking the computer up today for the first time, this screen appeared:

Log in screen

This seems abnormal to me. (The white bar in the picture was added by me and is to hide the user name. Before editing, the font and color of the user name seemed normal.)

After inspecting the computer and seeing no physical changes, my sibling checked the Windows event logs as well as the Windows Administrator logs and didn't see any suspicious events.

My questions are:

  • How can we go about verifying that no new software has been installed (via live CD/USB, etc.) onto Windows beyond checking logs?
  • What measures should we take to make sure that the computer is safe to use?

Some notes:

  • Wiping the computer is not a desired option because of personal files.
  • We are fairly certain that no physical changes were made to the computer because the internals and rear of the tower were covered in undisturbed dust.
  • My sibling is running Windows 7 Home Edition
  • BIOS settings show "Removable Device" is set as the first boot option, although this may have been priorly set by me or someone we trust.

I apologize if I've left out any important details; please let me know through comments and I will add them if I can.

Jack
  • Do you have reason to believe that whoever broke in had a particularly good level of understanding of computer security? It's likely that they were only looking for something to steal, not to plant malicious software on your computer (in which case they would likely have not made themselves so obvious). – forest Sep 06 '18 at 03:12
  • Good question: the only reason that we think the person did something to the computer is the unusual log-in screen and that nothing was taken from the house that we could find. Other than that, we don’t have any other reason to believe that the person who entered the house was interested in planting software on the computer. – Jack Sep 06 '18 at 03:16
  • What is unusual about the lock screen? It does not look strange to me, but then again I use Linux, not Windows and haven't seen its lock screen in years. Is it the color scheme? – forest Sep 06 '18 at 03:17
  • Yes, there is usually a picture background. The password text input is usually black text on a white background. I think this screen is what Windows looks like after it has been booted into safe mode. I’m not sure about this though. – Jack Sep 06 '18 at 03:38
  • 1
    From the photo it looks like the computer has simply been put into "High Contrast" mode, which can be done (even from the lock screen) via the shortcut Alt + Left Shift + PrintScreen. – Iridium Sep 06 '18 at 11:19

1 Answer

2

How can we go about verifying that no new software has been installed (via live CD/USB, etc.) onto Windows beyond checking logs?

The easiest way is simply to go back to the last Restore Point. Go into the Start Menu, type Restore, then choose "create a restore point". From there, click on the System Restore... button and follow the prompts to go back to the last stable install.

What measures should we take to make sure that the computer is safe to use?

Install Avast or your favorite anti-virus, and run a scan. Also install an anti-malware like Malwarebytes and run a scan there. If there's some deeper infection that you suspect, you can't fix it; just buy a new system.

Wiping the computer is not a desired option because of personal files.

System Restore won't affect personal files.

BIOS settings show "Removable Device" is set as the first boot option, although this may have been priorly set by me or someone we trust.

This is typically default, and no cause for concern. Obviously, check your hardware for any USB drives. Some systems have extra internal USB headers that could have been tampered with. I know you said there's no undisturbed dust, but realistically, most of that dust is pretty hard to disturb, so you might want to just look inside for any extra USB drives inside.


Unless you're a government employee or a secret agent, etc., most likely, nobody's done any harm to this computer. A physical intrusion is typically used for immediate rewards: ID cards, social security cards, credit cards, etc. You should worry more about any financial institutions than the computer itself. As an additional security precaution, though, consider changing any passwords your sibling may use, especially bank accounts, emails, and any significant social media profiles.

Simply doing a malware and antivirus scan, plus changing any sensitive passwords, should be more than overkill for an average civilian.

phyrfox
  • 2
    I don't think just an antivirus scan would be overkill (if you assume that malware was planted on the computer). If someone had privileged access to the system, malware will not be easy to detect. Not to mention, even an average hobbyist programmer will be able to create malware that cannot be detected by antivirus software. I'm not saying it's not a good idea of course, just that it may not be "enough", depending on what the person was after. – forest Sep 06 '18 at 05:43
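
One way to go beyond reading the logs by eye, as an added example that is not part of the original question, answer or comments: a PowerShell script for the Windows 7 machine that lists power and boot events, executable files written, and autorun entries for the suspected time window. The window values and all variable and function names are assumptions made for this example.

```powershell
# Added example. The window below is a constructed placeholder: set it to the
# period between locking up and the first wake-up in the morning.
$start = Get-Date '2018-09-05 22:00'
$end   = Get-Date '2018-09-06 08:00'

function Test-InWindow([datetime]$t) { ($t -ge $start) -and ($t -le $end) }

# 1. Power and boot activity in the System log:
#    1 = resumed from sleep (Power-Troubleshooter), 42 = entering sleep (Kernel-Power),
#    12/13 = OS start/shutdown (Kernel-General), 6005/6006 = Event Log service
#    start/stop, 6008 = unexpected shutdown.
$filter = @{ LogName = 'System'; Id = 1, 12, 13, 42, 6005, 6006, 6008
             StartTime = $start; EndTime = $end }
$powerEvents = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated | Select-Object TimeCreated, Id, ProviderName)

# 2. Executable or script files created or modified in the window.
$exts  = '.exe', '.dll', '.sys', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:SystemRoot,
           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup") |
    Where-Object { $_ -and (Test-Path $_) }
$newFiles = @(Get-ChildItem -Path $roots -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($exts -contains $_.Extension.ToLower()) -and
                   ((Test-InWindow $_.CreationTime) -or (Test-InWindow $_.LastWriteTime)) } |
    Select-Object FullName, CreationTime, LastWriteTime)

# 3. Programs configured to start at boot or logon (Run keys).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{ Key = $key; Name = $name
                                             Command = $item.GetValue($name) }
        }
    }
}

"Power/boot events in window: $($powerEvents.Count)"
$powerEvents | Format-Table -AutoSize
"Executable files written in window: $($newFiles.Count)"
$newFiles | Format-List
"Autorun entries (review each one):"
$autoruns | Format-Table Key, Name, Command -Wrap
```

Run it from an elevated PowerShell prompt. An empty result is not proof of a clean system: booting from removable media writes nothing to the Windows event log, and file timestamps can be changed by anyone with that level of access.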