LinuxQuestions.org

Linux - Newbie forum, thread "private forensys": https://www.linuxquestions.org/questions/linux-newbie-8/private-forensys-4175735132/

alex0009 03-21-2024 04:18 AM

private forensys
 
I would like to know from the analysis of which directories\files\processes one can draw an unambiguous conclusion: there was a user here. Maybe it's better to use the commands -ctime, -atime, -mtime, and which directories/subdirectories, processes to look at? Maybe there is a manual on this topic? I would appreciate any answers.

pan64 03-21-2024 05:21 AM

I'm not really sure I understand what you are looking for, but probably you need inotify.

frankbell 03-21-2024 08:58 PM

If you mean whether someone was logged into the system, this link should help.

goldennuggets 03-23-2024 09:31 PM

Quote:

Originally Posted by alex0009 (Post 6490987)
I would like to know from the analysis of which directories\files\processes one can draw an unambiguous conclusion: there was a user here. Maybe it's better to use the commands -ctime, -atime, -mtime, and which directories/subdirectories, processes to look at? Maybe there is a manual on this topic? I would appreciate any answers.

Assuming you're referring to the following:
Access timestamp (atime): which indicates the last time a file was accessed.
Modified timestamp (mtime): which is the last time a file’s contents were modified.
Change timestamp (ctime): which refers to the last time some metadata related to the file was changed.

Please let me know if this reference helps: https://www.geeksforgeeks.org/file-t...time-in-linux/

alex0009 03-25-2024 05:34 AM

I understand that my crooked English is the reason for the misunderstanding. Ok, I'll start from the beginning.
1. I am interested in events on the computer more than 2 years ago, and for a specific period of dates.
2. I understand that all possible journals for this period are no longer available.
3. The find command with the descriptors -mtime, -ctime, -atime is still working.
4. Using this command, I found all the files that have not yet been overwritten, have not changed, etc.
5. A large number of files in the /snap, .../snap and similar directories with the same date of modification, change, creation, what are they talking about? I only think that the computer was turned on and online. Since Snap works in automatic mode, we cannot definitely link a user to the process. Am I right?
6. A large number of files in the media/user_name/... directory with the same date of modification, change, creation, what are they talking about? I think that the user has connected a removable device, and this clearly indicates the user. Am I right?
7. It would seem that eureka is what we need.... But not everything is so simple, this is not the time period that I need.
8. I hope now you understand, I am looking for directories, files for certain dates. Changes, modifications in which are clearly linked with a user. I ask you to write here in which directories you think such files may be located. There is no cache from the browser jobs.
9. It is quite possible that this is not the right way to search, then I will be glad to get some hints.
10. By the way, if you have any ideas on how to find out if a virtual machine has started, I will be happy to read your comments.
I see drivers and services are installed, but updated. If only some specific files remain in the system. Where?

pan64 03-25-2024 06:31 AM

It is still unclear (for me). You cannot look for old events on the computer. That information is not available (obviously if it was logged you can check those logs, but by default it is not logged).
You cannot use mtime, ctime, atime; root has the right to overwrite everything (including credentials, permissions and any other attributes), for example you may find files which are older than your hardware or created by non-existing users.
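The script below is an added example, not code from this thread or from any of its posters. It puts goldennuggets' three timestamps and pan64's caveat side by side on a scratch directory it builds itself: one constructed file is backdated with touch, then a window-bounded find (the -mtime search alex0009 describes, expressed with GNU -newermt) picks it out, and a small stat comparison shows why a backdated mtime is not proof of anything. The directory and file names, the dates, and the helper names (make_sample_tree, files_modified_between, mtime_predates_ctime) are all assumptions for illustration; GNU findutils and coreutils are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU find, stat and touch.
set -eu

# Build a constructed scratch tree: three files, two of them backdated.
# touch -d rewrites atime and mtime; the kernel sets ctime to "now" when it
# does so, and ctime cannot be set from user space with touch.
make_sample_tree() {
    dir=$(mktemp -d)                      # assumed scratch location
    echo "recent" > "$dir/recent.txt"
    echo "old"    > "$dir/backdated.txt"
    echo "middle" > "$dir/mid.txt"
    touch -d "2022-03-15 10:00:00" "$dir/backdated.txt"   # constructed date
    touch -d "2023-06-01 09:00:00" "$dir/mid.txt"         # constructed date
    echo "$dir"
}

# Regular files whose mtime lies in [start, end).  This is the bounded form
# of the "find ... -mtime" search from the thread: -newermt keeps files
# modified after $2, and "! -newermt $3" drops files modified at or after $3.
files_modified_between() {
    root=$1; start=$2; end=$3
    find "$root" -type f -newermt "$start" ! -newermt "$end" | sort
}

# Compare mtime (%Y) with ctime (%Z), both in seconds since the epoch.
# Prints "yes" when the inode change time is more than a day later than the
# content modification time, which is what a backdated touch leaves behind.
# It is a signal, not proof: archive or package extraction that preserves
# mtime produces the same pattern, so it must be read together with context.
mtime_predates_ctime() {
    m=$(stat -c %Y "$1")
    c=$(stat -c %Z "$1")
    if [ $((c - m)) -gt 86400 ]; then echo yes; else echo no; fi
}

# Stand-alone run: show the window search and the timestamp verdicts.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    echo "Files modified in 2022:"
    files_modified_between "$d" "2022-01-01" "2023-01-01"
    for f in "$d"/*; do
        printf '%s mtime-predates-ctime=%s\n' "$f" "$(mtime_predates_ctime "$f")"
    done
    rm -rf "$d"
fi
```

Run it with `sh script.sh --demo`. The window search is the part that answers the "certain dates" question; the stat comparison is the part that answers pan64's objection, since any file whose ctime is far ahead of its mtime had its timestamps written by something other than the original write, whether that was a deliberate touch or a package manager unpacking files with their archive dates.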

business_kid 03-25-2024 06:59 AM

@OP: I think it's a bit rich to ask us to write you a general "How to do Computer Forensics" manual. That's what you're looking for. People who know what they are doing can cover their tracks very well anyhow in linux, unlike windows. Hire someone, give him the pc, and ask if he can find anything. A person trying to stay hidden can use Tails (The Amnesiac Incognito Linux System) for years on a pc and you'll find no trace.

alex0009 03-25-2024 07:47 AM

It turns out that either I didn’t write everything you need, or my language is completely crooked.
I wrote it myself, after checking many times, that there are no magazines. I wrote to you myself that I found a lot of files with timestamp from 2 years ago, and it’s true.
And I'm not asking you to do forensic analysis or write a manual. I just ask you to express your opinion on which folders contain traces of launched applications, virtual machine startup, and so on. It is not at all necessary that this user - the owner of the computer - covered his tracks there. But now I have this computer, and this is also true. And I'm just a curious Windows user. Starting to learn Ubuntu from scratch is too much for me.)

business_kid 03-25-2024 02:52 PM

I know you're suspicious, but if the owner of the pc knew what to do and covered his tracks, any amateur is not going to find anything.

You have one very slender thread of hope, if the disks are spinning rust and not SSDs or NVMEs. Files resident on a disk for some time leave the tiniest trace of residual magnetism on a disk. Forensics techniques exist to read that residual magnetism and recover those lost files, probably as isolated sectors with data. I know nothing more than what's in the shred man page. If you are prepared to pay somebody with that equipment, he can work on your drive, but you'll have to pay whether he comes up with anything or not, and I wouldn't raise your hopes. No residual magnetism exists on SSDs or NVMEs.

There is a little-known program called 'shred' which overwrites the disk many times to confuse the residual magnetism, and can make the above technique useless. If somebody has data they don't want found, they can encrypt it anyhow in linux. So you might find the data (as gibberish) but not be able to decrypt and read it. Someone who "covers his tracks" but didn't encrypt his data or shred his disk on his way out the door is a fool indeed.

In summary, you're likely to get nothing. If you want to throw money at it, hire someone that others can vouch for. This is out of your league altogether.

alex0009 03-26-2024 03:02 AM

After all, this is an SSD drive. And I myself drove it with different programs, nothing. But first of all, I have a question, why were points 5 and 6 left unanswered? Nobody wrote yes or no.
Secondly, dear forum members want to tell me that in Ubuntu there are no traces of human activity in any case?
Then what about point 6, if I’m right of course?

pan64 03-26-2024 04:50 AM

It was already told, if you want to log all the activities on a host you can switch it on, but by default it is off. Not used. Moreover, it is hardly possible to distinguish between human and automatic activities.
You won't get answers, because we can't see those files and therefore we cannot explain their existence (or absence).
It can be the package content, some generated or user specific data or anything else.

business_kid 03-26-2024 08:12 AM

The 6 points were left unanswered, because we're volunteering our expertise. We're not under compulsion. If you want them answered, do your own research.

You have an SSD. So you're going to find nothing. Goodbye.

___ 03-28-2024 02:12 AM

Refine (try various) web-search keywords until you find info that is most useful to you. For example:
https://www.forensicfocus.com/articl...sics-analysis/

dugan 03-28-2024 06:39 PM

You’re out of luck. The information you’re looking for does not exist.

If you want to start collecting it, then some ways are described here:

https://superuser.com/questions/2229...nches-in-linux

But if you weren’t collecting it two years ago then yeah, it’s too late.

dugan 03-28-2024 06:53 PM

EDIT: And seconding Frankbell.
