Here’s an answer I am about to give to a post on Quora asking how to tell if, and how, your computer was hacked.
The obvious thing to take away here is to have a strong defence before getting to this point.
Although you’re looking for an after-the-fact measure, there are a few things to take away from this, preventative measures as well as post-measures, that I think are very important.
First, before anything else: if you do not have backups, you should try to recover the files using software like Recuva. Continuing to use your system and hard drive will decrease your chance of a successful recovery. The sooner you can do any of these steps the better, as it gives you a better chance of finding out what happened.
As a preventative measure, make sure to keep backups, including remote backups – which is much easier nowadays with the number of cloud storage options.
Make sure to have strong passwords in place and to keep them secure and unique. Any opportunity you have to use an authenticator [one-time rolling passwords], you should – it’s the next best thing to biometric security. If you have a unique password for your authenticator and you’re the only one who knows it, you’ll be pretty safe. Check out How Secure Is My Password? to see how secure your password is – computing will change over time and decrease the security of the current algorithms used to generate passwords.
Here’s a preventative measure you’ll want to enable if you’re paranoid about this: How To See Who Logged Into a Computer and When. This uses Windows’ built-in policies to audit successful and failed logins to the event log.
If the computer was still logged in when you got back to it you can see when the last login was, although I doubt that’s of much use. Windows 7 : uptime, last user logged in time and date, last rebooted
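As an added example (not part of the original answer): once the login audit policy described above is enabled, the PowerShell below lists successful and failed logons recorded in the Security event log. It assumes PowerShell 3.0 or later, an elevated prompt, and a seven-day review window chosen for illustration.

```powershell
# Added example: summarize logon events from the Windows Security log.
# Run from an elevated prompt with logon auditing enabled.
# Event IDs: 4624 = successful logon, 4625 = failed logon (Vista / 7 and later).

$since = (Get-Date).AddDays(-7)   # assumption: review the last 7 days

# Logon types worth a human look; service and batch logons are skipped as noise.
$logonTypes = @{
    '2'  = 'Interactive'        # at the keyboard
    '3'  = 'Network'            # e.g. file share access
    '7'  = 'Unlock'             # workstation unlocked
    '10' = 'RemoteInteractive'  # Remote Desktop
}

# -ErrorAction SilentlyContinue suppresses the error raised when no events match.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read fields by name from the event XML; field positions differ
    # between 4624 and 4625, so indexing by number is fragile.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    $type = [string]$data['LogonType']
    if (-not $logonTypes.ContainsKey($type)) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = if ($e.Id -eq 4624) { 'Success' } else { 'FAILED' }
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $logonTypes[$type]
        Source    = $data['IpAddress']
    }
}

# Newest first, then failed attempts counted per account and source address.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Where-Object { $_.Result -eq 'FAILED' } |
    Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Logons at times you were away, RemoteInteractive entries you did not initiate, or a run of failures followed by a success on the same account are the rows to look at first.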
The above is assuming a login occurred. If you believe someone was physically at the system, I would recommend running motion detection camera software – you can use any webcam with Yawcam, or grab a webcam packaged with motion detection software, like some of the Logitech cameras.
If a login did not take place, make sure to run, and continue to run, antivirus software – one with real-time scanning.
If they used a back door like a RAT (Remote Access Tool), or some other software that allows them to access your computer, even FTP or a tunnel, you will need to have a proper firewall in place. Knowing how to manage your firewall and how it works is vital to its success – any AV or firewall is useless if the end user allows everything.
Once you have an understanding of what should be on your system, try auditing the connections yourself and look for anything suspicious – honestly, there are a lot of things you have probably never seen or heard of that sound suspicious but are system processes. On the other hand, you may have a process that has been taken over by a virus, or one pretending to be a system process. This is why it’s good to run a good AV scan to detect such things.
If someone coded something from scratch, it’s likely it will not get flagged by an AV. This comes back to being familiar with what should be running on your system. There are some AVs, like Comodo, that you can stick on paranoid mode and they will let you know every small action a program wants to take (last I used it) – “Word would like to have access to your keyboard”. Honestly, it’s a pain to start – I stepped away from most AVs due to their massive overhead – they become their own virus – CPU and memory resources used up.