private forensys

I would like to know from the analysis of which directories\files\processes one can draw an unambiguous conclusion: there was a user here. Maybe itis better to use the commands Code:-ctime, -atime, -mtime, and which directories /subdirectories, processes to look at? Maybe there is a manual on this topic? I would appreciate any answers.