This is a relatively persistent family of questions that comes around from time to time, particularly in times of concern about individual privacy.
There are several misconceptions in the question.
Further, those misconceptions are based on kernels of truth, which means I can't just say "that's wrong"; instead, it's more a case of "it's not like that; it's like this".
Let's see if I can clear up the confusion. To do so, we'll need to talk about keystrokes, loggers, hidden files, erasing files, and really erasing files.
Recording keystrokes
There is no hidden file containing every keystroke you've ever typed on your computer.
Pragmatically, if every keystroke were being recorded somehow, there's no way, after all this time, it would still be some kind of secret. We'd be hearing about a lot more successful prosecution of cyber criminals, along with a plethora of lawsuits regarding various privacy concerns.
So, no, there is no hidden permanent record of every keystroke recorded by the operating system, drivers, or other official software.
However, there are kernels of truth:
- As I write this, every keystroke is being recorded to create this article. That's what we would expect. The documents you create, the emails you send, are all a type of record of your keystrokes.
- Every keystroke is temporarily recorded in keyboard buffers. These allow you to "type ahead" while your computer is doing something else. Once the computer's ready again, everything you typed suddenly appears. Those buffers range anywhere from a few bytes to several thousand, and as they fill up, older keystrokes are removed to make room. Normally they're in memory only; turn your computer off, and they're gone. There may also be one in your actual keyboard, but again, turn the power off, and it's gone too.
- Keyboard buffers may be written to disk-swap files as the operating system manages memory between all the running programs. If you turn off your computer, the swap file remains, and could be recovered and examined for "interesting" contents. It's easy to get the swap file, but extremely difficult to make sense of its contents. There's also no predicting what the swap file will contain, or for how long.
It's also worth remembering that all bets are off if you have malware installed.
Keystroke loggers
I often hear from people who wonder if one technique or another will somehow "bypass" keyloggers, allowing them to log in safely without the keylogger logging anything. The answer is no. There are two important points to realize about keyloggers:
- A keylogger is "just" malware that happens to log keystrokes.
- As malware, a keylogger can also do anything else it wants, including logging whatever fancy trick you use to try to bypass it.
From my perspective, malware, including keystroke loggers, is the only practical reason for concern when it comes to keeping any record of your keystrokes.
The good news is that since keyloggers are "just" malware, the techniques you already have in place to avoid malware will keep you safe.
Hidden files
The amount of data that would be collected by recording every keystroke is no longer a reason it couldn't be done.
Let's say you're a prolific typist, and you type 100,000 keystrokes a day (that's over three keystrokes every second for a solid eight-hour work day). In a year, that adds up to 36 megabytes of data. Keep your computer for 10 years, and that's 360 megabytes. On today's hard disks, that's next to nothing. You'd probably never notice it.
So are all your keystrokes being written to some hidden file? No.
But there is a kernel of truth here: there are hidden files on your machine.
- There are files marked with the "hidden" file attribute. The operating system itself often uses this attribute to hide some of its own files from casual observers. The system swap file, typically in the root of the C: drive, is a common example. These are easy to find, since both Windows File Explorer and the Command Prompt "DIR" command can be instructed to display files that have this "hidden" attribute.
- There are often "hidden" partitions on the hard drive. Many computer manufacturers, as well as recent versions of Windows, now use them to store their recovery data. These are easy to see with Windows' built-in disk management tool or any partition management software.
- There's an obscure form of hidden data possible in files stored on a disk that's formatted using the NTFS file system. NTFS supports something called "alternate data streams". Not many people know about this feature, and it's difficult to detect if it's been used.
- Lastly, there are techniques, such as VeraCrypt's "Hidden Volume", which use various approaches to hiding data within other data.
As you can see, there's a potential for a lot of hidden information on your PC.
But none of them contain every keystroke you've ever typed. :-)
Deleting files
We also need to understand how files are deleted, because that can result in a different type of "hidden" file: remnants of previously deleted files.
When a file is deleted, its contents are not actually removed. Instead, the space the file formerly occupied is marked as "available" for another file to be written to later. Until that overwrite actually happens, the original deleted information is still there.
This is the basis for many undelete and data-recovery utilities. It's also why most of those utilities recommend you stop using your disk if you accidentally delete something, so as to avoid overwriting the deleted area with something new. So just deleting something doesn't necessarily mean it's immediately or completely gone.
The article How Does Secure Delete Work? goes into this in more detail, including the steps to take to make sure that your deleted files' data is really gone.
Which brings us to DBAN.
Drive wiping utilities
The utility you mention, DBAN, doesn't locate files at all.
But, once again, there's a kernel of truth: it erases your files, all of them.
How? It securely erases everything. Without paying any attention to what's stored on it, DBAN overwrites the entire contents of a hard disk: every sector, whether in use or not.
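The difference between an ordinary delete and a whole-drive wipe, as an added illustration that is not from the original article: a toy in-memory "disk" where deleting only frees blocks, a raw scan of free space still finds the old data until something reuses it, and a wipe overwrites every block. The ToyDisk class, the 16-byte block size, and the file names and contents are all constructed for this sketch; real file systems and DBAN are far more involved.

```python
# Toy block device (constructed for illustration; not a real file system).
BLOCK = 16  # bytes per block, kept tiny so the behaviour is easy to follow

class ToyDisk:
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.free = set(range(nblocks))
        self.table = {}  # file name -> list of block numbers

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        used = []
        for chunk in chunks:
            n = min(self.free)  # reuse the lowest-numbered free block
            self.free.remove(n)
            self.blocks[n] = chunk.ljust(BLOCK, b"\0")
            used.append(n)
        self.table[name] = used

    def delete(self, name):
        # Ordinary delete: drop the directory entry and mark blocks free.
        # The block contents themselves are left untouched.
        self.free.update(self.table.pop(name))

    def scan_free(self, needle):
        # What an undelete or recovery tool does: read raw free blocks.
        return sorted(n for n in self.free if needle in self.blocks[n])

    def wipe(self):
        # Drive-wipe behaviour: overwrite every block, in use or not.
        for n in range(len(self.blocks)):
            self.blocks[n] = bytes(BLOCK)
        self.free = set(range(len(self.blocks)))
        self.table.clear()

def demo():
    disk = ToyDisk(8)
    disk.write("keep.txt", b"shopping list")            # block 0
    disk.write("secret.txt", b"PIN=4321 do not share")  # blocks 1 and 2
    disk.delete("secret.txt")
    after_delete = disk.scan_free(b"PIN=4321")  # still readable in block 1
    disk.write("new.txt", b"cat pictures")      # new file reuses block 1
    after_reuse = disk.scan_free(b"PIN=4321")   # first part overwritten
    leftover = disk.scan_free(b"share")         # tail survives in block 2
    disk.wipe()
    after_wipe = disk.scan_free(b"share")       # nothing left anywhere
    return after_delete, after_reuse, leftover, after_wipe

if __name__ == "__main__":
    print(demo())
```

The partial remnant left after the new file is written is why recovery tools advise you to stop using a disk after an accidental delete, and why only a full overwrite removes everything.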
Should You be Worried?
In my opinion, as long as you follow the fundamentals of keeping your computer safe on the internet, the answer is clearly no. As I've said before, unless you're doing something illegal or secretive, you're just not that interesting.
When the time comes to dispose of hardware such as your disk drive, tools like DBAN are a fine way to make sure your private information is sufficiently erased.
What about those "index.dat" files found all over the place that keep track of everything you do online, that Microsoft claims are just cache files, yet they are "Super Hidden" and almost impossible to delete without a third party utility?
Of course since "9/11" the idea of backdoors in Windows that go directly to the "White House" is not so ludicrous. :-) So say the extra paranoids out there.
Those index.dat files are just that: cache and history files that you can delete and/or clear out using IE's options, or as you say, many readily available third parties. There's nothing sinister, and they're not "super hidden" in my opinion.
As for the White House: again, in my opinion, they haven't shown the organizational or technological abilities to set up or maintain any kind of a data gathering conspiracy. I just don't believe it.
Leo
If used properly (which I have never bothered trying), those index.dat files can be made to show a lot of deleted browser history and deleted emails. And they are not too hard to pull off someone's PC and onto a flash drive.
it seems that i cannot retrieve my hidden files. where else should i peek?
Could you tell me how many keystrokes WOULD be stored on a computer before they overwrite each other?
17-Nov-2008
The real question here is, can your hourly, daily etc. activity be recorded within a network, either corporate or other, and reviewed at a later date. I believe the answer to be yes, an employer can if they wanted to go back in time after the end of a day or week etc. and in fast forward watch your activity right down to websites visited in real time, letters written, emails answered, web shopping sites etc. and see the sequences timed as they happened to see how many hours you were logged on you were actually working on company business. I know there is software available for that use. The other question would be can you purchase and install software that allows this not to happen.
I don't know much of this, but is it possible for some people who know a lot about computers to get into files on my computer and read my emails and see all my history etc. after I have just simply deleted it by going into Tools, Internet Options? If so, how do I get into those files?
Where are the facebook activity logs file kept hidden in the Hard disk.
23-Dec-2012
@Milind
Facebook does have activity logs that you can access on Facebook. I believe they're stored on Facebook's servers, not on your computer.
I just left a company that monitored the number of mouse clicks an employee made in a given amount of time. I don't know the numbers, except that there were 1,300 employees, but my supervisor got a notice of who was the top "clicker" every few months. The company assumed that those with thousands of mouse clicks were playing games on company time. Apparently they knew the number of keystrokes an average employee would make but those with mouse clicks were first counseled by management, then their site visits were monitored specifically.
Yep. If a company, or anyone, installs spyware on the machine, all bets are off. They can track ANYTHING.
Worked at NASA and also at a very large govt contractor installation, where EVERY computer had a CLEAR, BLATANT notice at the Login screen that EVERY keystroke entered, EVERY website visited, and EVERY email & document created was being monitored. Misuse of computer rules and guidelines would be subject to disciplinary action up to, and including, termination.
I believe this is the same warning on all government computers but cannot say for certain. I was told by our IT guy that keystroke logging software IS installed.
Okay, before anyone laughs because of recent political happenings & mishaps of the past few years, I'm just adding this info to this thread. BTW, despite the clear warning, several civil service & contractor personnel that I had personally either known or heard of were disciplined: one banned from computers (UGH! You can imagine what that did to his performance), one demoted, one fired; one whom I didn't know was fired, arrested, & convicted in FEDERAL court. He went to prison for EXTENSIVE child porn (his job on 3rd shift gave him lots of free time).
So, keystroke loggers aren't just malware!
Good point. When you are using an employer's computer they are in charge. Here's a good article with more on that: https://askleo.com/can-my-company-see-my-personal-email/
You are incorrect, at least regarding some models of HP computers. The article "Some HP PCs are recording your keystrokes" (http://www.pcworld.com/article/3196127/computers/some-hp-pcs-are-recording-your-keystrokes.html) just today appeared in PC World.
Ronny
Technically I'm correct, in that I did say "if you have malware, all bets are off". This is malware. HP has released an update to the utility.
If you're really this paranoid about your PC activity, keep a large hammer next to your station, and the side panel off the desk-top. If you're using a laptop, locate the area on the rear of the console where the HDD is, and have at it... bent, distorted HDD platters are un-recoverable... but check your conscience first? Are you really that bad?
Is there a way to tell how many times an application has been opened on a mac?
I found these articles on that:
http://www.makeuseof.com/tag/whos-been-using-your-mac-behind-your-back-find-out/
http://osxdaily.com/2012/10/02/how-to-tell-if-someone-opened-files-mac/
Windows maintain lists of console keystroke events in memory. You even mention this, briefly. Why are there no tools to access these? This would be useful after one has lost text just now typed into an application. Even being able to see the last several keystrokes would reveal why an editing program just deleted text without allowing Undo, which just happened to me.
I get an email with files attached. One is a zip, one is word. I am sure at least one contains a keylogger. Knowing this, I have a second, old laptop I use exclusively to open and save attachments from this person. If I put any of the files onto a thumb drive and open on my regular laptop, is the keylogger then activated on that machine? Basically, do keylogger infected files keep that ability, even when transferred between machines via external storage devices? Thanks for your help.
It depends on what you meant by "opening". For a key logger to take effect you'd have to run the infected file on your computer. If it's an .exe file, you would have to run it and agree to the UAC warning. In the case of an infected Word file, open it in Word. Recent versions of Word, by default, warn you of any files containing macros, executable code which runs on your machine. Trying to run an installation program or any program which makes system changes will result in a UAC warning which you have to consent to to run. Those aren't perfect but offer protection. If you clicked yes to a UAC warning or agreed to run Word macros, malware might have been installed if the files were infected.
I don't know what you mean by "keep that ability". As long as those files exist on a medium, they are executable.
If you don't trust emails from someone, mark their emails as spam and avoid opening their attachments.
If you're not sure if you have malware, follow the steps in this article: How to Remove Malware.
Where do the hidden files from keyloggers (malware) get stored? In temp folders? I've just looked at one Temp folder & found lots of strange files created recently.
They are hidden in different places, sometimes under Windows folders or under the AppData folder etc.
There's always lots of random stuff in TEMP. Nothing to worry about.
So, essentially, I'm a student and there are these weekly discussion boards, per class, in my online college course on Moodle. And these discussion-boards are set up fairly user-friendly. After making one's initial post in response to that week's "discussion question", 2 replies are owed by that week's end. You can fulfil those tasks by either pressing the reply button and then directly typing your response into the provided answering box or uploading a previously finished and saved document from the "folders" shortcut appropriate to task at hand. Alas, my problem and thus, subjacent question is that of this: Is there any way to find and retrieve what one has typed (I guess sort of like keystrokes) if there was an unintentional (by accident and misfortunate) page-redirect/closure? I used the right mouse key to bring up the command bar for accessing the "look up definition?" button for a word I highlighted to inspect, and it REDIRECTED me OUT of the answer forum page to this a whole other new page to land me on some little search bar in regard to looking up that "inspected word." Not the link to an answer, but a link to another link for again, asking for the same answer! Obviously being the bearer of my bad news, my back button didn't suffice. Nothing to find in my History for neither my laptop's internal memory, Google's memory or even Moodle's. I looked everywhere I can think of. Being that I haven't yet shutdown my laptop since the incident, nor attempted to mess with deleting or clearing any "catch" or web history or anything like that.. do I still have a chance at finding/retrieving my wayward discussion answer?
Once you've closed the page, it's unlikely that it's recoverable.
This article about disappearing emails applies similarly.
My Email Disappeared While Composing. Can I Get it Back?
It's generally best to compose your work in a text editor or word processor.