If I open and view, but do not ever save a file on my hard drive – in other
words it is opened from and only stored on other media like CD or flash drive –
can such a file be recovered, opened, viewed or otherwise identified?
This is another of those cases where it really, really, really depends on
the characteristics of the file, the system, and the program used to view it.
More often than you might think
the answer to at least some of the scenarios you raise is yes.
When you view a file, even on external media like a CD-ROM several things might happen:
The entire file might get copied to a temporary location on your hard drive. Some viewing programs, for example, will do this so that the file can be read/write, others might do this because they know they need the file locally for reasons of their own choosing, and others might do it “just because”. Image viewers are notable, since given a huge image they might make a local copy that they can then scale to your screen size without affecting the original.
Even if the file is kept entirely in RAM in order to be viewed, all or parts of it might get written to the Windows swap file if your system happens to need to do so to make room for other applications in RAM. Accessing it later out of that swap file is extremely difficult, but still potentially possible.
The fact that you viewed the document might get added to the “recently viewed documents” list that Windows maintains for your Start menu. This requires the viewing application’s cooperation, but many applications do cooperate.
The fact that you viewed the document might also get added to the application’s own “recently opened” list.
It’s even possible that the document might get added to your browser’s history, if the document requires the browser’s help to be displayed. The default viewer for certain types of images is sometimes your web browser.
Auditing might be turned on in your system for security reasons, and a record of your actions kept there.
Even using “Type” to view a file in the Windows Command Prompt might add an entry to the command history that can easily be retrieved. (Type up-arrow in a command prompt and you might see previously executed commands.)
While we normally think of the file system as retaining simply the date a file was last modified or created, it might also be recording the date and time that the file was last accessed.
There might be spyware.
As you can see, there are lots of ways that things “might” happen. I have to stress might simply because there are no guarantees, and everything varies with all the things that could be different from situation to situation, right down to the configuration of the machine.
And I have to stress that just because it “might” be possible doesn’t mean that it “will” be possible. It’s also possible for those situations above not to apply at all, and for there to be no way to know what’s been accessed on the machine.
It sounds like you’re trying to hide something. Naturally, I’d recommend against doing anything that would require that level of stealth, but I also know that sometimes it’s simply required.
The only real safe way to view a file and hide all traces, is to view that file on a machine that only you control. If you’ve taken all the steps to make sure that no one else has access to that machine (including preparing for or planning for theft) then the traces you might leave are inconsequential.
There is one compromise: you might consider rebooting the machine and accessing or viewing the files using a “Live” CD, typically a Linux distribution, that simply doesn’t access the hard drive at all.
However, the fact that you rebooted and when might also be easily available.