Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Does just looking at a file leave a trail?

Question:

If I open and view, but do not ever save a file on my hard drive – in other words it is opened from and only stored on other media like CD or flash drive – can such a file be recovered, opened, viewed or otherwise identified?

Maybe.

This is another of those cases where it really, really, really depends on the characteristics of the file, the system, and the program used to view it.

More often than you might think the answer to at least some of the scenarios you raise is yes.

Become a Patron of Ask Leo! and go ad-free!

When you view a file, even on external media like a CD-ROM several things
might happen:

“The only real safe way to view a file and hide all traces, is to view that file on a machine that only you control.”
  • The entire file might get copied to a temporary location on your hard drive. Some viewing programs, for example, will do this so that the file can be read/write, others might do this because they know they need the file locally for reasons of their own choosing, and others might do it “just because”. Image viewers are notable, since given a huge image they might make a local copy that they can then scale to your screen size without affecting the original.
  • Even if the file is kept entirely in RAM in order to be viewed, all or parts of it might get written to the Windows swap file if your system happens to need to do so to make room for other applications in RAM. Accessing it later out of that swap file is extremely difficult, but still potentially possible.
  • The fact that you viewed the document might get added to the “recently viewed documents” list that Windows maintains for your Start menu. This requires the viewing application’s cooperation, but many applications do cooperate.
  • The fact that you viewed the document might also get added to the application’s own “recently opened” list.
  • It’s even possible that the document might get added to your browser’s history if the document requires the browser’s help to be displayed. The default viewer for certain types of images is sometimes your web browser.
  • Auditing might be turned on in your system for security reasons, and a record of your actions kept there.
  • Even using “Type” to view a file in the Windows Command Prompt might add an entry to the command history that can easily be retrieved. (Type up-arrow in a command prompt and you might see previously executed commands.)
  • While we normally think of the file system as simply retaining the date a file was last modified or created, it might also be recording the date and time that the file was last accessed.
  • There might be spyware.

As you can see, there are lots of ways that things “might” happen. I have to stress might simply because there are no guarantees, and everything varies with all the things that could be different from situation to situation, right down to the configuration of the machine.

And I have to stress that just because it “might” be possible doesn’t mean that it “will” be possible. It’s also possible for those situations above not to apply at all, and for there to be no way to know what’s been accessed on the machine.

It sounds like you’re trying to hide something. Naturally, I’d recommend against doing anything that would require that level of stealth, but I also know that sometimes it’s simply required.

The only real safe way to view a file and hide all traces, is to view that file on a machine that only you control. If you’ve taken all the steps to make sure that no one else has access to that machine (including preparing for or planning for theft) then the traces you might leave are inconsequential.

There is one compromise: you might consider rebooting the machine and accessing or viewing the files using a “Live” CD, typically a Linux distribution, that simply doesn’t access the hard drive at all.

However, the fact that you rebooted and when might also be easily available.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

14 comments on “Does just looking at a file leave a trail?”

  1. Will firewall software (I have Avira Anti Virus and PC Tools Threatfire installed) prevent anyone on the Internet from reading a word processing file which is open on the computer and which I am working on?

    Not by itself, no. You need to avoid viruses and spyware as well.

    Leo
    14-Jan-2010

    Reply
  2. Vista often shows a representation of a file in it’s thumbnail – does previewing a file leave a similar trail?
    On a similar note, does (or can) copying a file from one removeable storage to another (i.e. between memory sticks) leave such trails?

    Reply
  3. good question. Ive been trying to find out if I opened a file from my flash drive the company could see it, even if they dont have physical access to the laptop?

    Possibly – they could have spyware on your machine if it’s a company machine, they could watch the network if accessed over a network, they could look at “recently opened files” if the program used to view the file updated that. They may not, but they may, and if it matters you should assume that they do.

    Leo
    11-Sep-2011

    Reply
  4. If you only connect the flash drive to the machine but don’t actually open any files that are on it, can those files be recovered, opened, viewed, etc after the flash drive has been removed?

    Reply
  5. You mentioned booting from a Live Linux distribution. This normally won’t work on a company computer. Most companies don’t allow booting from external media. And now, with Windows 10, the default is set to Secure Boot which only allows booting from “trusted” sources.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.