If I open and view, but do not ever save a file on my hard drive – in other words it is opened from and only stored on other media like CD or flash drive – can such a file be recovered, opened, viewed or otherwise identified?
Maybe.
This is another of those cases where it really, really, really depends on the characteristics of the file, the system, and the program used to view it.
More often than you might think the answer to at least some of the scenarios you raise is yes.
Become a Patron of Ask Leo! and go ad-free!
When you view a file, even on external media like a CD-ROM several things
might happen:
- The entire file might get copied to a temporary location on your hard drive. Some viewing programs, for example, will do this so that the file can be read/write, others might do this because they know they need the file locally for reasons of their own choosing, and others might do it “just because”. Image viewers are notable, since given a huge image they might make a local copy that they can then scale to your screen size without affecting the original.
- Even if the file is kept entirely in RAM in order to be viewed, all or parts of it might get written to the Windows swap file if your system happens to need to do so to make room for other applications in RAM. Accessing it later out of that swap file is extremely difficult, but still potentially possible.
- The fact that you viewed the document might get added to the “recently viewed documents” list that Windows maintains for your Start menu. This requires the viewing application’s cooperation, but many applications do cooperate.
- The fact that you viewed the document might also get added to the application’s own “recently opened” list.
- It’s even possible that the document might get added to your browser’s history if the document requires the browser’s help to be displayed. The default viewer for certain types of images is sometimes your web browser.
- Auditing might be turned on in your system for security reasons, and a record of your actions kept there.
- Even using “Type” to view a file in the Windows Command Prompt might add an entry to the command history that can easily be retrieved. (Type up-arrow in a command prompt and you might see previously executed commands.)
- While we normally think of the file system as simply retaining the date a file was last modified or created, it might also be recording the date and time that the file was last accessed.
- There might be spyware.
As you can see, there are lots of ways that things “might” happen. I have to stress might simply because there are no guarantees, and everything varies with all the things that could be different from situation to situation, right down to the configuration of the machine.
And I have to stress that just because it “might” be possible doesn’t mean that it “will” be possible. It’s also possible for those situations above not to apply at all, and for there to be no way to know what’s been accessed on the machine.
It sounds like you’re trying to hide something. Naturally, I’d recommend against doing anything that would require that level of stealth, but I also know that sometimes it’s simply required.
The only real safe way to view a file and hide all traces, is to view that file on a machine that only you control. If you’ve taken all the steps to make sure that no one else has access to that machine (including preparing for or planning for theft) then the traces you might leave are inconsequential.
There is one compromise: you might consider rebooting the machine and accessing or viewing the files using a “Live” CD, typically a Linux distribution, that simply doesn’t access the hard drive at all.
However, the fact that you rebooted and when might also be easily available.
Will firewall software (I have Avira Anti Virus and PC Tools Threatfire installed) prevent anyone on the Internet from reading a word processing file which is open on the computer and which I am working on?
14-Jan-2010
Vista often shows a representation of a file in it’s thumbnail – does previewing a file leave a similar trail?
On a similar note, does (or can) copying a file from one removeable storage to another (i.e. between memory sticks) leave such trails?
good question. Ive been trying to find out if I opened a file from my flash drive the company could see it, even if they dont have physical access to the laptop?
11-Sep-2011
If you only connect the flash drive to the machine but don’t actually open any files that are on it, can those files be recovered, opened, viewed, etc after the flash drive has been removed?
Normally, no. However if you have malware, then of course it could have done anything.
Thanks, Do you mean malware on the flash drive or the machine? Or both?
Either. Malware on the machine could already be doing anything. Malware on the flash drive could infect the machine (even with a simple insertion and nothing else on your part) at which point it would be on the machine and able to do anything.
The risks of getting malware from inserting a flash drive can be mitigated (reduced) by turning off Autorun. This is a very important default to change in Windows.
Is Autorun Really Evil, and If So, How do I Turn Autorun Off?
Why Does Nothing Happen When I Insert a Disc?
Thanks again. I’m pretty sure there’s no malware on my flash drive, the problem was that I connected the wrong external hard drive to my company computer. (Yeah, completely stupid, but a mistake). It had some confidential documents on it. The files were not opened at all, so if I understand you correctly, the only way that my company would have access to them is if they have anything on their system that automatically saves from any device connected?
Correct.
You mentioned booting from a Live Linux distribution. This normally won’t work on a company computer. Most companies don’t allow booting from external media. And now, with Windows 10, the default is set to Secure Boot which only allows booting from “trusted” sources.
True. But so many machines remain bootable from external media — or UEFI settings left unprotected — that it’s still something to be aware of.
And if the external hard drive was formatted to Mac OS Extended Journaled and the company computer was Windows 10, could malware on the computer still take the data from the external?
It could. It would be more work, but sure … it could.