Are There Hidden Files that Save Every Keystroke I’ve Ever Typed?

Question: This is a multi-part question and pertains to computer forensics. Specifically, locating those mysterious, deeply hidden files that (supposedly) contain your computer’s entire history – every keystroke ever made. Accessing those files. Viewing the contents. Deleting the contents. Understanding how a utility like DBAN can “find” and nuke them, but I as the computer owner can’t. And finally, if every keystroke really has been recorded to some hidden file, how come it doesn’t wipe out available space on my hard drive.

This is a relatively persistent family of questions that comes around from time to time, particularly in times of concern about individual privacy.

There are several misconceptions in the question.

Further, those misconceptions are based on kernels of truth, which means I can’t just say “that’s wrong”; instead, it’s more a case of “it’s not like that — it’s like this”.

Let’s see if I can clear up the confusion. To do so, we’ll need to talk about keystrokes, loggers, hidden files, erasing files, and really erasing files.

Recording keystrokes

There is no hidden file containing every keystroke you’ve ever typed on your computer.

Pragmatically, if every keystroke were being recorded somehow, there’s no way, after all this time, it would still be some kind of secret. We’d be hearing about a lot more successful prosecution of cyber criminals, along with a plethora of lawsuits regarding various privacy concerns.

So, no, there is no hidden permanent record of every keystroke recorded by the operating system, drivers, or other official software.

However, there are kernels of truth:

  • As I write this, every keystroke is being recorded to create this article. That’s what we would expect. The documents you create, the emails you send, are all a type of record of your keystrokes.
  • Every keystroke is temporarily recorded in keyboard buffers. These allow you to “type ahead” while your computer is doing something else. Once the computer’s ready again, everything you typed suddenly appears. Those buffers range anywhere from a few bytes to several thousand, and as they fill up, older keystrokes are removed to make room. Normally they’re in memory only; turn your computer off, and they’re gone. There may also be one in your actual keyboard, but again, turn the power off, and it’s gone too.
  • Keyboard buffers may be written to swap files on disk as the operating system manages memory between all the running programs. If you turn off your computer, the swap file remains, and could be recovered and examined for “interesting” contents. It’s easy to get the swap file, but extremely difficult to make sense of its contents. There’s also no predicting what the swap file will contain, or for how long.

It’s also worth remembering that all bets are off if you have malware installed.

Keystroke loggers

Keystroke loggers, or “keyloggers”, are a form of malware that hackers use to gain access to your various usernames and passwords. A keystroke logger is malicious software that, as its name implies, records every keystroke and sends it off to the hacker over the internet. Once it’s been sent, of course, there’s nothing you can do.

I often hear from people who wonder if one technique or another will somehow “bypass” keyloggers, allowing them to log in safely without the keylogger logging anything. The answer is no. There are two important points to realize about keyloggers:

  • A keylogger is “just” malware that happens to log keystrokes.
  • As malware, a keylogger can also do anything else it wants — including logging whatever fancy trick you use to try to bypass it.

From my perspective, malware, including keystroke loggers, is the only practical reason for concern when it comes to keeping any record of your keystrokes.

The good news is that since keyloggers are “just” malware, the techniques you already have in place to avoid malware will keep you safe.

Hidden files

The amount of data that would be collected by recording every keystroke is no longer a reason it couldn’t be done.

Let’s say you’re a prolific typist, and you type 100,000 keystrokes a day (that’s over three keystrokes every second for a solid eight-hour work day). In a year, that adds up to 36 megabytes of data. Keep your computer for 10 years, and that’s 360 megabytes. On today’s hard disks, that’s next to nothing. You’d probably never notice it.

So are all your keystrokes being written to some hidden file? No.

But there is a kernel of truth here: there are hidden files on your machine.

  • There are files marked with the “hidden” file attribute. The operating system itself often uses this attribute to hide some of its own files from casual observers. The system swap file, typically in the root of the C: drive, is a common example. These are easy to find, since both Windows File Explorer and the Command Prompt “DIR” command can be instructed to display files that have this “hidden” attribute.
  • There are often “hidden” partitions on the hard drive. Many computer manufacturers, as well as recent versions of Windows, now use them to store their recovery data. These are easy to see with Windows’ built-in disk management tool or any partition management software.
  • There’s an obscure form of hidden data possible in files stored on a disk that’s formatted using the NTFS file system. NTFS supports something called “alternate data streams”. Not many people know about this feature, and it’s difficult to detect if it’s been used.
  • Lastly, there are techniques, such as VeraCrypt’s “Hidden Volume”, which use various approaches to hiding data within other data.

As you can see, there’s a potential for a lot of hidden information on your PC.

But none of them contain every keystroke you’ve ever typed. :-)

Deleting files

We also need to understand how files are deleted, because that can result in a different type of “hidden” file: remnants of previously deleted files.

When a file is deleted, its contents are not actually removed. Instead, the space the file formerly occupied is marked as “available” for another file to be written to later. Until that overwrite actually happens, the original deleted information is still there.

This is the basis for many undelete and data-recovery utilities. It’s also why most of those utilities recommend you stop using your disk if you accidentally delete something, so as to avoid overwriting the deleted area with something new. So just deleting something doesn’t necessarily mean it’s immediately or completely gone.

The article How Does Secure Delete Work? goes into this in more detail, including the steps to take to make sure that your deleted files’ data is really gone.

Which brings us to DBAN.

Drive wiping utilities

The utility you mention, DBAN, doesn’t locate files at all.

But, once again, there’s a kernel of truth: it erases your files — all of them.

How? It securely erases everything. Without paying any attention to what’s stored on it, DBAN overwrites the entire contents of a hard disk — every sector, whether in use or not.
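
The difference between deleting a file and wiping a drive, as described in the two sections above, shown on a toy model. This is an added example, not code from the article or from DBAN; the ToyDisk class, its 16-byte sectors, and the file names are assumptions made up for the illustration.

```python
# Toy model (constructed for illustration): a "disk" is a list of fixed-size
# sectors plus a directory that maps file names to the sectors they occupy.
SECTOR_SIZE = 16

class ToyDisk:
    def __init__(self, sector_count):
        self.sectors = [bytes(SECTOR_SIZE) for _ in range(sector_count)]
        self.free = set(range(sector_count))   # sectors available for reuse
        self.directory = {}                    # name -> list of sector numbers

    def write_file(self, name, data):
        chunks = [data[i:i + SECTOR_SIZE] for i in range(0, len(data), SECTOR_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            n = min(self.free)                 # lowest free sector first
            self.free.remove(n)
            self.sectors[n] = chunk.ljust(SECTOR_SIZE, b"\x00")
            used.append(n)
        self.directory[name] = used

    def delete_file(self, name):
        # Ordinary delete: drop the directory entry and mark the sectors as
        # available. The sector contents are not touched.
        self.free.update(self.directory.pop(name))

    def raw_scan(self, needle):
        # What a recovery tool does: ignore the directory, read every sector.
        return needle in b"".join(self.sectors)

    def wipe(self):
        # What a drive wiper does: overwrite every sector, in use or not.
        self.sectors = [bytes(SECTOR_SIZE)] * len(self.sectors)
        self.directory.clear()
        self.free = set(range(len(self.sectors)))

def demo():
    disk = ToyDisk(sector_count=8)
    secret = b"my private notes"               # constructed sample, one sector
    disk.write_file("notes.txt", secret)
    disk.write_file("other.txt", b"unrelated data")
    results = {}
    disk.delete_file("notes.txt")
    results["listed_after_delete"] = "notes.txt" in disk.directory
    results["recoverable_after_delete"] = disk.raw_scan(secret)
    disk.write_file("new.txt", b"fresh content!!!")   # reuses the freed sector
    results["recoverable_after_overwrite"] = disk.raw_scan(secret)
    disk.write_file("again.txt", secret)
    disk.delete_file("again.txt")
    disk.wipe()
    results["recoverable_after_wipe"] = disk.raw_scan(secret)
    return results
```

Real file systems are far more involved than this model; it only shows that deletion changes the bookkeeping while wiping changes the contents.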

Should You be Worried?

In my opinion, as long as you follow the fundamentals of keeping your computer safe on the internet, the answer is clearly no. As I’ve said before, unless you’re doing something illegal or secretive, you’re just not that interesting.

When the time comes to dispose of hardware such as your disk drive, tools like DBAN are a fine way to make sure your private information is sufficiently erased.

27 comments on “Are There Hidden Files that Save Every Keystroke I’ve Ever Typed?”

  1. What about those ‘index.dat’ files found all over the place that keep track of everything you do online that Microsoft claims are just cache files yet they are ‘Super Hidden’ and almost impossible to delete without a third party utility.

    Of course since ‘9/11’ the idea of backdoors in Windows that go directly to the ‘White House’ is not so ludicrous. :-) – so says the extra paranoids out there.

    Reply
  2. Those index.dat files are just that: cache and history files that you can
    delete and/or clear out using IE’s options, or as you say, many readily
    available third parties. There’s nothing sinister, and they’re not “super
    hidden” in my opinion.

    As for the White House: again, in my opinion, they haven’t shown the
    organizational or technological abilities to set up or maintain any kind of a
    data gathering conspiracy. I just don’t believe it.

    Leo

    Reply
  3. If used properly (which I have never bothered trying), those index.dat files can be made to show a lot of deleted browser history and deleted emails. And they are not too hard to pull off someone’s PC and onto a flash drive.

    Reply
  4. Could you tell me how many keystrokes WOULD be stored on a computer before they overwrite each other?

    Nope. There are simply too many variables at play – the drivers, the software you’re using – it all impacts the answer. Could be 10. Could be 10,000. Could be something else entirely.

    – Leo
    17-Nov-2008
    Reply
  5. The real question here is, can your hourly, daily etc. activity be recorded within a network, either corporate or other, and reviewed at a later date. I believe the answer to be yes, an employer can if they wanted to go back in time after the end of a day or week etc. and in fast forward watch your activity right down to websites visited in real time, letters written, emails answered, web shopping sites etc. and see the sequences timed as they happened to see how many hours you were logged on you were actually working on company business. I know there is software available for that use. The other question would be can you purchase and install software that allows this not to happen.

    Reply
  6. I don’t know much of this, but is it possible for some people who know a lot about computers to get into files on my computer and read my emails and see all my history etc. after I have just simply deleted it by going into Tools, Internet Options? If so, how do I get into those files?

    Reply
  7. Where are the Facebook activity log files kept hidden on the hard disk?

    I’ve never heard of such a thing existing, so my first reaction is to say “nowhere, because they don’t exist on your computer”.

    Leo
    23-Dec-2012
    Reply
  8. I just left a company that monitored the number of mouse clicks an employee made in a given amount of time. I don’t know the numbers, except that there were
    1,300 employees, but my supervisor got a notice of who was the top “clicker” every few months. The company assumed that those with thousands of mouse
    clicks were playing games on company time. Apparently they knew the number of keystrokes an average employee would make but those with mouse clicks
    were first counseled by management, then their site visits were monitored specifically.

    Reply
  9. Worked at NASA and also at a very large govt contractor installation, where EVERY computer had a CLEAR, BLATANT notice at the Login screen that EVERY keystroke entered, EVERY website visited, and EVERY email & document created was being monitored. Misuse of computer rules and guidelines would be subject to disciplinary action up to, and including, termination.

    I believe this is the same warning on all government computers but cannot say for certain. I was told by our IT guy that keystroke logging software IS installed.

    Okay, before anyone laughs because of recent political happenings & mishaps of the past few years, I’m just adding this info to this thread. BTW, despite the clear warning, several civil service & contractor personnel that I had personally either known or heard of were disciplined – one banned from computers (UGH! You can imagine what that did to his performance), one demoted, one fired; one whom I didn’t know was fired, arrested, & convicted in FEDERAL court. He went to prison for EXTENSIVE child porn, (his job on 3rd shift gave him lots of free time).

    So, keystroke loggers aren’t just malware!

    Reply
    • Technically I’m correct, in that I did say “if you have malware, all bets are off”. This is malware. HP has released an update to the utility.

      Reply
  10. If you’re really this paranoid about your PC activity, keep a large hammer next to your station, and the side panel off the desktop. If you’re using a laptop, locate the area on the rear of the console where the HDD is, and have at it... bent, distorted HDD platters are unrecoverable... but check your conscience first. Are you really that bad?

    Reply
  11. Windows maintains lists of console keystroke events in memory. You even mention this, briefly. Why are there no tools to access these? This would be useful after one has lost text just now typed into an application. Even being able to see the last several keystrokes would reveal why an editing program just deleted text without allowing Undo, which just happened to me.

    Reply
  12. I get an email with files attached. One is a zip, one is word. I am sure at least one contains a keylogger. Knowing this, I have a second, old laptop I use exclusively to open and save attachments from this person. If I put any of the files onto a thumb drive and open on my regular laptop, is the keylogger then activated on that machine? Basically, do keylogger infected files keep that ability, even when transferred between machines via external storage devices? Thanks for your help.

    Reply
    • It depends on what you meant by “opening”. For a key logger to take effect you’d have to run the infected file on your computer. If it’s an .exe file, you would have to run it and agree to the UAC warning. In the case of an infected Word file, open it in Word. Recent versions of Word, by default, warn you of any files containing macros, executable code which runs on your machine. Trying to run an installation program or any program which makes system changes will result in a UAC warning which you have to consent to to run. Those aren’t perfect but offer protection. If you clicked yes to a UAC warning or agreed to run Word macros, malware might have been installed if the files were infected.
      I don’t know what you mean by “keep that ability”. As long as those files exist on a medium, they are executable.
      If you don’t trust emails from someone, mark their emails as spam and avoid opening their attachments.
      If you’re not sure if you have malware, follow the steps in this article: How to Remove Malware.

      Reply
  13. Where do the hidden files from keyloggers (malware) get stored? In temp folders? I’ve just looked at one Temp folder & found lots of strange files created recently.

    Reply
  14. So, essentially, I’m a student and there are these weekly discussion boards, per class, in my online college course on Moodle. And these discussion-boards are set up fairly user-friendly. After making one’s initial post in response to that week’s “discussion question”, 2 replies are owed by that week’s end. You can fulfil those tasks by either pressing the reply button and then directly typing your response into the provided answering box or uploading a previously finished and saved document from the “folders” shortcut appropriate to task at hand. Alas, my problem and thus, subjacent question is that of this: Is there any way to find and retrieve what one has typed (I guess sort of like keystrokes) if there was an unintentional (by accident and misfortunate) page-redirect/closure? I used the right mouse key to bring up the command bar for accessing the “look up definition?” button for a word I highlighted to inspect, and it REDIRECTED me OUT of the answer forum page to this a whole other new page to land me on some little search bar in regard to looking up that “inspected word.” Not the link to an answer, but a link to another link for again, asking for the same answer! Obviously being the bearer of my bad news, my back button didn’t suffice. Nothing to find in my History for neither my laptop’s internal memory, Google’s memory or even Moodle’s. I looked everywhere I can think of. Being that I haven’t yet shutdown my laptop since the incident, nor attempted to mess with deleting or clearing any “catch” or web history or anything like that.. do I still have a chance at finding/retrieving my wayward discussion answer?

    Reply
