Are There Hidden Files that Save Every Keystroke I’ve Ever Typed?

This is a relatively persistent family of questions that comes around from time to time, particularly in times of concern about individual privacy.

There are several misconceptions in the question.

Further, those misconceptions are based on kernels of truth, which means I can’t just say “that’s wrong”; instead, it’s more a case of “it’s not like that — it’s like this”.

Let’s see if I can clear up the confusion. To do so, we’ll need to talk about keystrokes, loggers, hidden files, erasing files, and really erasing files.

Recording keystrokes

There is no hidden file containing every keystroke you’ve ever typed on your computer.

Pragmatically, if every keystroke were being recorded somehow, there’s no way, after all this time, it would still be some kind of secret. We’d be hearing about a lot more successful prosecution of cyber criminals, along with a plethora of lawsuits regarding various privacy concerns.

So, no, there is no hidden permanent record of every keystroke recorded by the operating system, drivers, or other official software.

However, there are kernels of truth:

• As I write this, every keystroke is being recorded to create this article. That’s what we would expect. The documents you create, the emails you send, are all a type of record of your keystrokes.
• Every keystroke is temporarily recorded in keyboard buffers. These allow you to “type ahead” while your computer is doing something else. Once the computer’s ready again, everything you typed suddenly appears. Those buffers range anywhere from a few bytes to several thousand, and as they fill up, older keystrokes are removed to make room. Normally they’re in memory only; turn your computer off, and they’re gone. There may also be one in your actual keyboard, but again, turn the power off, and it’s gone too.
• Keyboard buffers may be written to disk-swap files as the operating system manages memory between all the running programs. If you turn off your computer, the swap file remains, and could be recovered and examined for “interesting” contents. It’s easy to get the swap file, but extremely difficult to make sense of its contents. There’s also no predicting what the swap file will contain, or for how long.

It’s also worth remembering that all bets are off if you have malware installed.

Keystroke loggers

Keystroke loggers, or “keyloggers”, are a form of malware that hackers use to gain access to your various usernames and passwords. A keystroke logger is malicious software that, as its name implies, records every keystroke and sends it off to the hacker over the internet. Once it’s been sent, of course, there’s nothing you can do.

I often hear from people who wonder if one technique or another will somehow “bypass” keyloggers, allowing them to log in safely without the keylogger logging anything. The answer is no. There are two important points to realize about keyloggers:

• A keylogger is “just” malware that happens to log keystrokes.
• As malware, a keylogger can also do anything else it wants — including logging whatever fancy trick you use to try to bypass it.

From my perspective, malware, including keystroke loggers, is the only practical reason for concern when it comes to keeping any record of your keystrokes.

The good news is that since keyloggers are “just” malware, then the techniques you already have in place to avoid malware will keep you safe.

Hidden files

The amount of data that would be collected by recording every keystroke is no longer a reason it couldn’t be done.

Let’s say you’re a prolific typist, and you type 100,000 keystrokes a day (that’s over three keystrokes every second for a solid eight-hour work day). In a year, that adds up to 36 megabytes of data. Keep your computer for 10 years, and that’s 360 megabytes. On today’s hard disks, that’s next to nothing. You’d probably never notice it.

So are all your keystrokes being written to some hidden file? No.

But there is a kernel of truth here: there are hidden files on your machine.

• There are files marked with the “hidden” file attribute. The operating system itself often uses this attribute to hide some of its own files from casual observers. The system swap file, typically in the root of the C: drive, is a common example. These are easy to find, since both Windows File Explorer and the Command Prompt “DIR” command can be instructed to display files that have this “hidden” attribute.
• There are often “hidden” partitions on the hard drive. Many computer manufacturers, as well as recent versions of Windows, now use them to store their recovery data. These are easy to see with Window’s built-in disk management tool or any partition management software.
• There’s an obscure form of hidden data possible in files stored on a disk that’s formatted using the NTFS file system. NTFS supports something called “alternate data streams“. Not many people know about this feature, and it’s difficult to detect if it’s been used.
• Lastly, there are techniques, such as VeraCrypt’s “Hidden Volume”, which use various approaches to hiding data within other data.

As you can see, there’s a potential for a lot of hidden information on your PC.

But none of them contain every keystroke you’ve ever typed. 🙂

Deleting files

We also need to understand how files are deleted, because that can result in a different type of “hidden” file: remnants of previously deleted files.

When a file is deleted, its contents are not actually removed. Instead, the space the file formerly occupied is marked as “available” for another file to be written to later. Until that overwrite actually happens, the original deleted information is still there.

This is the basis for many undelete and data-recovery utilities. It’s also why most of those utilities recommend you stop using your disk if you accidentally delete something, so as to avoid overwriting the deleted area with something new. So just deleting something doesn’t necessarily mean it’s immediately or completely gone.

The article How Does Secure Delete Work? goes into this in more detail, including the steps to take to make sure that your deleted files’ data is really gone.

Which brings us to DBAN.

Drive wiping utilities

The utility you mention, DBAN, doesn’t locate files at all.

But, once again, there’s a kernel of truth: it erases your files — all of them.

How? It securely erases everything. Without paying any attention to what’s stored on it, DBAN overwrites the entire contents of a hard disk — every sector, whether in use or not.

Should You be Worried?

In my opinion, as long as you follow the fundamentals of keeping your computer safe on the internet, the answer is clearly no. As I’ve said before, unless you’re doing something illegal or secretive, you’re just not that interesting.

When the time comes to dispose of hardware such as your disk drive, tools like DBAN are a fine way to make sure your private information is sufficiently erased.

If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,

Slow Computer?

Speed up with my FREE special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.

No strings. No email. Here's the direct download. (Just right-click and "Save As...".)

Podcast audio

Download (right-click, Save-As) (Duration: 8:56 — 4.2MB)

Subscribe: Apple Podcasts | RSS