Hey Leo, Just wondering. The recent trial in Florida where the DA searched the plaintiffâs computer and found an incriminating internet search for formaldehyde leads me to ask two questions. I mainly use CCleaner after using the net to clear cookies, but it also clears history and other stuff. Does CCleaner or even manually erasing history actually remove the history from the hard drive? Is every bloody key stroke permanently kept on the HD? And if so, where? Nothing to hide. Just curious.
Unless you have spyware installed on your computer, âevery bloody keystrokeâ is not being recorded. I get that question often enough that it seems like many people are concerned about it â itâs just not the case.
As for finding other things and seeing what CCleaner or other tools might or might not erase â well, things get complicated pretty quick.
Become a Patron of Ask Leo! and go ad-free!
Does removing history remove history?
Yes and no.
The problem here is that there are several âlevelsâ of delete and many can be recovered, depending on the level and the amount of effort (and perhaps money) that youâre willing to throw at the problem.
- A file deleted to the Recycle Bin can be recovered from that very simply, but I donât believe history is deleted to the Recycle Bin.
- The space used by a file that was deleted âpermanentlyâ is simply marked as now being free. That means that until itâs overwritten by other data, the original data actually remains on the disk and can possibly be recovered with special tools.
- Data on magnetic media that has been overwritten once or twice might (and I have to stress might) still be recoverable by some fairly advanced magnetic media analysis.
- Data that has been overwritten multiple times can typically not be recovered.
So, if a history file was deleted, thereâs a chance that it could still be recovered, depending on a) how much the computer has been used since the delete, and whether or not data has overwritten the space that was previously occupied by the history file, and b) how much effort youâre willing to put into the recovery.
I have no idea if a history file was used in the case that you mention, but my guess is that law enforcement was motivated to put in a lot of effort into the process.1
Really removing traces of data
CCleaner and tools like it can completely erase files, but they often do not by default.
For example, if you delete history in CCleaner, thatâs simply a file delete without any guarantee of overwrite. That means that the contents of the deleted file could potentially be recovered with appropriate software.
Itâs not until you then use the âDrive Wipeâ utility in CCleaner to overwrite all free space that the space previously occupied by the history would be overwritten. Naturally, most people donât do this.
On top of that, youâd need to select âmultiple passesâ in order to avoid the possibility of recovery by magnetic media analysis.
Another common tool for this is Secure Delete, a command-line tool that can securely delete specific files or wipe the free space of a drive.
Other traces of history
Iâve focused on the history file here as an example of the most obvious trace left of your website visits and search queries. While that can be securely erased with the appropriate steps, itâs not necessarily the only way that law enforcement might determine that youâve been searching for a specific topic.
- Spyware: As I mentioned at the beginning, Windows does not store all of your keystrokes somewhere. However, if you have spyware on your machine â whether itâs simply malicious malware or intentionally placed by parents, law enforcement, or others â then, all bets are off. All of your keystrokes could be recorded and saved on your machine or sent elsewhere over the internet.
- Cookies: If you erased these with your browser, CCleaner, or other tools, then law enforcement could certainly make some implications about some of the sites or pages that youâve visited.
- Google Web History: If you are logged into a Google account at the time that you perform your Google search, itâs possible that your search is recorded in your Google Web History, an online record of everything that youâve searched for. You can turn this off, but many people donât even realize that itâs on. Naturally, law enforcement could easily request the contents of this record with a search warrant.
- Google Search History: Even with the web history feature turned off, Googleâs servers, like any web server, will likely record the IP address and some additional characteristics of each access. With some work (and again, that search warrant), law enforcement could establish a link between your IP address and the searches performed from your computer.
As you can see, itâs possible â though perhaps quite difficult â that law enforcement could still recover information about what youâve been searching for with the appropriate legal documentation.
On one hand, itâs kinda scary that this is possible.
On the other hand, it can be a useful tool to provide evidence that might contribute to the conviction of a criminal.
In either case, the possibilities are at least worth knowing about, even if you truly have nothing to hide.
âą
You could as an alternative use TrueCryptâs whole drive encryption. Then without the TrueCrypt password, no one or no utility would be able to recover any data on the drive.
Leo I like your informative article. I learned a lot.
What if we use Private Browsing will it still leave traces on our computer?
If web server record our IP address we can use Hide Ip software. Do you think it will be useful or not?
Iâm not familiar with IP hiding software. Whether you can be traced depends on the specific approaches used by that software and how good a job it does. In most cases IP hiding tools do not make it impossible to be traced, just harder. The quality of the tool defines just how much harder it makes it.
04-Aug-2011
Those last two items of Leoâs are well worth bearing in mind, because they have nothing  whatsoever to do with your local drive, or the files stored on it. We repeat the mantra that âGoogle Is Your Friendâ â and they very well may be â but, even very close friends may be forced to give you up when faced with a court order or a subpoena, and Google isnât even a âvery closeâ friend â its an absolutely impersonal  one. By very definition, folks â I mean, câmon â itâs a corporation, for Jeezâ sake!!!
Donât get yourself on âWorld Dumbest Criminalsâ, O.K.? Think. Â Donât pump criminal searches through Googleâs search engine. (Like, âDuh!â Did I really have to say that?) Things like âkiddie pornâ or âbomb makingâ or âuntraceable poisonâ can (and have!) implicated defendants and contributed to some very lengthy prison (or death!) sentences.
To say nothing of potential appearances on that aforementioned TruTV television show.
I use File Shredder which will shred files, folders and your free space up to DoD standards. Once shredded no-one can recover any of that data. Not the CIA, nobody.
TrueCrypt allows you to âonion-skinâ your protected files with an encrypted space inside an encrypted space many times.
Keystroke monitors. If theyâre installed as software they are detectable but if theyâre a plugged in âtween the keyboard and computer, theyâre invisible to anti-maleware but a simple peek behind the computer, AHA! What have we here?
I use keylogging software on my machine simply because I want to know whatâs going on behind my back, and anybody that uses this computer knows that. Spyware? Mayhap, but anybody that uses my computer knows about it.
Hi Leo, What about Index.dat, Index .dat keeps a copy of every website and every photo or page that you look at on the net.
04-Aug-2011
If I log into the internet access of my employer while at home and view free porn , can this be traced ? to my email adress ? I live in motel and they have internet access through a wireless connection ,
IT told us they have some viruses
If you log on through their account, they are your ISP and can see everything. You can use a VPN to hide the sites you are visiting, but your employer would know you are using a VPN. Since a VPN has many legitimate purposes, this may or may not be a problem with them.
Not very helpful to the discussion, but wasnât the search term in question âchloroform?â
Very good article covering the basics. Privacy , if you have âsomething to hideâ or not is something we all should be much more aware of.
I rarely find fewer than tens of thousands of history entries, even when the user has a history scrubber. I often find well over a hundred thousand (but fewer when the aforementioned scrubbers are used). If you want a surprise, try downloading the demo version of NetAnalysis by Digital Detective (I have no connection to them) and run it on your own computer.
In the âdark agesâ of computing during the early 70âs some of the government main frame computers had to be âscrubbedâ after processing top secret data. At the time the scrubbing involved the complete erasure of every memory location in the computer. Believe it or not, we had to run a program that erased core â some of you know that word â 999 times! Overkill? Perhaps, but during the cold war the edict was to be safe, not sorry.
Add ixquick to your browserâs search engine choices. ixquick does not record searches & protects your privacy.
http://www.ixquick.com/
It really works! I know that it can be added to Firefox & Chrome.
Cat
I forgot to add, ixquick suggests âhttpsâ connections for many sites, that would otherwise not be found by other search engines.
Itâs a tab slower, but it works good.
As far as cleaning your computer history goes, run CCleaner daily, after using it for the last time each day. Be sure to use the âDODâ (3x) wiping operation, at a minimum. For added safety, there are 7x & 35x (Guttman) wiping choices, although a 35x wipe is extreme.
As a second precaution, install Recuva, do a deep scan for files, and use the same options that CCleaner offers to wipe the leftovers. I do this monthly.
Cat
We may be able to remove all traces of âinappropriateâ web sites from our PCs using the various cleaners and shredders, but surely internet service providers can track each and every one of these sites and keep records of all visits?
Even Steve Jobs poersonal computer was searched by law enforcement and evidence was found inplicating him in wrongdoing.
One way to erase ALL information in your computer when you are buying another one is to completely demagnitize it with a atrong magnet.
20-Aug-2011
I use a computer until I decide to replace it. At that time I remove the insides and destroy all. Goes to a landfill. End of problem. I have replaced a hard drive and destroyed it prior to itâs trip to the landfill. Seems like an easy way to take care of the potential problem.
To the person who posted that ixquick is a good search engine for privacy, I discovered to my frustration that my ixquick searches were nonetheless still on my hard drive, and the usual cleaners will not overwrite the sectors where they are recorded!
It there a âccleanerâ type program for the ipad2? I need the wipe my history searches FOREVER.
Thanks
Sometimes the best reader for a report is to open in IE, but how vulnerable is that to prying fingers? What should be deleted after using IE to read sensitive reports?
Thanks!
Can apps I have used on my cell be traced back if I have deleted them. Meaning if I delete them off my cell is there any record of me ever having them on my phone if they are free apps and never paid anything for them
There may be. It depends on the app, the phone, the phone OS, the carrier and probably a few other things.
If i delete my google chrome browsing history will my browsing history on c disk also be deleted?
If I understand your question correctly, the browsing history of your browser is stored on your hard disk. Deleting browser history would delete those files from the disk. Unfortunately, that doesnât guarantee that there wonât be some residuals of those files after removal, as the files are deleted but not overwritten. To remove the deleted files from the drive, you can use a free space wiper. CCleaner has that as one of its tools.
http://ask-leo.com/ccleaner_windows_cleaning_tool.html
Other places where there might be residuals are the hibernation file (if youâve enabled hibernation) and the swap files. Those would require forensic skills to extract that kind of information.
Thank you for replying to my question, thatâs exactly what i wanted to know. Also I wonder how my history is stored on hard disk? Is it stored as links (https://âŠ) or some kind of codes? I have âhistoryâ file on my c disk but canât open it, donât know why. Thank you, much appreciated.
Is there a way i can see my search history even though i deleted all my browsing history? Like for example from my browsing history stored on c disk?
Once youâve deleted it, itâs no longer available. Your search history is not the same as your browser history. So if you havenât deleted that, it might still be there. But if you canât find it in your browser, itâs most likely gone forever, unless you have forensic tools which can sometimes reconstruct missing files from the non-overwritten free space on the drive.
Thank you. Also I would like to knowâŠsome pages i deleted from my browsing history on google chrome are not appearing in my browsing history thatâs stored on my hard disk and some I deleted are still on my hard disk. Why is that?
Did you try using the tool reccomended above? CCLEANER?
No, i havenâtâŠbut the problem is there is still one of the sites i wisited a year ago on my c disk and even if i delete browsing history itâs still there. But i will try ccleaner
Can someone find out what pages i visited and my browsing history from their own computer without some spy program? For example is there some kind of site online where someone can enter my name and get such information?
The answer is ânot reallyâ. A person would have to have access to server logs for all the servers that a person may have visited. Or have access to the personâs ISP logs. So there wonât be some website you can go to and log in and find this information. On the other hand, if you are the FBI you can probably do this with search warrants and the like.
Also, if I own a server and you come to my server and browse through pages I host, then I can see and track where you have been on my server. That is not public information.
When in âincognitoâ mode (Chrome) or in âin-private browsingâ (IE) or âPrivate Browsingâ (Firefox), do any of the browsers store cookies and/or cache temporary files on disk, or is it all in memory?
Supposedly theyâre all deleted when you close the window. (They may or may not be stored on disk.)
What if i use something like cc cleaner, for example if there is something stored, will it be deleted?
Depends on how you use it. In theory cleaning everything with CCleaner and then also using its free space wiper will remove it.
Hi Leo. I always browsed the web through Internet Explorer Inprivate in conjunction with Duckduckgo. I hoped that these two actions would keep no record of browsing history whatsoever if anyone came looking through my laptop. I also deleted everything using the Microsoft Internet Explorer browser typical action I.eâŠ
2.Click Tools in the upper right-hand corner.
3.Select Internet Options from the drop-down menu.
4.On the General tab, in the Browsing history section, click the Delete button.
5.Check the boxes of the data youâd like to clear.
6.Click Delete.
I clicked all boxes and confirmed delete.
My question is what could be extracted by a forensics examination regarding my web browsing history?
Many thanks,
Lorraine
There are a few places which might contain things which a forensic specialist might be able to dig up information such as the Swap File (virtual memory, where your computer uses the HDD when it runs out of RAM), the hibernation file or temporary files which your file cleaning software might miss. Additionally a forensic expert with court permission can see all of your internet activity at your ISP. Using a VPN would get around that, but again they might get a court order to see your activity at the VPN. On the bright side, unless you are suspected of criminal, or in some countries, political activity, itâs likely no one would bother.
Hello, thank you so much for replying. I had a number of other questions if you would be so kind.
Firstly, does web browsing Inprivate (IE) in conjunction with DuckDuckgo still create Index.dat files in Windows 8/8.2 and Windows 10?
Secondly, Does web browsing Inprivate (IE) in conjunction with DuckDuckgo provide an additional level of privacy for the user at a local level? I understand that DDG prevents websites tracking user activities but does DDG also act as an additional level of privacy for the user to hide or prevent altogether web browsing history remaining on a computer of which can be uncovered by a forensic examination?
Thanks so much for reading and hopefully replying to questions.
With best wishes
InPrivate in IE, Private in FireFox or Incognito in Chrome browsing are designed not to leave any traces of the browsing history on the computer. Duck, Duck Go wonât save your search history, so yes, each adds another layer of privacy. Whether they work as 100%, thatâs another story, although you can get an idea. If you stop getting ads related to your searches (protected by Duck Duck Go) or websites you visit (protected by InPrivate browsing), you can see how those are protecting you.
Hello Leo community.
I have a family member who is being investigated for accessing illicit inappropriate material online. He has reassured me that he only ever âbrowsedâ this material and never saved, stored, or downloaded anything. Again, similar to a previous post, he also has told me that he always browsed Inprivate (IE) and combined these actions with browsing through Duck, Duck go.
I am obviously very worried about his situation as his laptops have been taken to be forensically examined.
I have many questions and concerns but mainly I would like to know if simply browsing the web without, as I say, downloading, storing, saving etc Inprivate and via DDG, will this still be all on his hard drives etc or is merely âbrowsingâ the web Inprivate in conjunction with DDG along with a standard deletion of Inprivate browsing history at the end of the Inprivate session enough to keep any trace whatsoever being left to uncover?
Thank you so much for your help.
Mary
Yes, it may be on the hard drive. Remember, when you view a web page itâs actually downloaded to your computer in order for you to see it. Even what youâre reading right now. That, then, is typically stored in the browserâs cache and can persist for a while. In private prevents some, but not all of this. For example remnants could exist on deleted areas of the hard disk, or in the swap file. Thereâs no guarantee that is IS, but thereâs also no guarantee that is it not.
Thank you for replying.
Please could you tell me a little more about DuckDuckGo? I do understand a little of what it achieves but would it be accurate to say that browsing via DDG is like browsing Inprivate or incognito etc? Will it therefore act as another defence against browsed material leaving traces on hard drive or other retrievable locations?
Many thanks again,
Mary
No. You donât âbrowseâ via DuckDuckGo. Itâs JUST a search engine. You tell it what to look for and it provides results. You click on the result you want ot go to and DDG is no longer involved. Itâs claim to fame is that it doesnât save what you search for or the results or keep any record of how you used it. That all happens on the DDG web site, and has NO impact on what happens on your computer.
Ok thank you for that. I understand that my family member believed that DDG enabled a completely anonymous browsing session, I.e. nothing would be saved on the computer including hard drive (which could be uncovered at a later date) and everything searched would be 100% discarded once the session was over. Would it therefore be wrong to say that DDG offers an additional level of web browsing privacy whatsoever?
Thank you so much
It is an additional level of privacy, in that DDG does not track/save information (whereas alternatives often do). But it all has nothing to do with whatâs saved on your computer.
It wouldnât be wrong, it offers a âlayerâ of protection but a thin layer. It doesnât protect you if law enforcement gets an authorization to see what has passed through the ISP. Duck Duck Go simply doesnât keep records of your searches and nothing more. That would do little more than eliminate some targeted ads. Thatâs doesnât seem to be what your original question was asking.
Is my browsing in incognito mode safe from facebook and their ads based on which sites i visited?
Depends on what you mean by âsafeâ. Incognito only controls whatâs stored on your machine (no cache, history, cookies discarded, etc.). The sites you visit can still do whatever they do within those constraints.
Well i mean for example if i visit in incognito mode sites about traveling etc. Will i have ads on facebook related to the site i visited in incognito mode, for example plain tickets etc. Or because i was in incognito mode and no cookies are stored facebook wont recommend similar ads?
Yes. As Leo said, incognito mode doesnât affect how your browser interacts with websites. The only advantage incognito mode offers is that it doesnât save any record of your surfing on your computer. Incognito mode is badly named. It has nothing to do with being incognito.
There are many different techniques that advertisers use beyond simple cookies. It would not surprise me at all to see ads track even in incognito mode.
If i browse in incognito mode is what i browsed in incognito mode stored on my hard disk or c disk?
This article will help answer that: https://askleo.com/good-incognito-mode/
I had browsed some sites from another computer unknowingly that I am logged in Google. Later when I opened my official laptop and checked my activity tracker; I got the view of the sites searched on the other computer and didnât click on any link but logged out of Google. Will it leave any traces of the links searched on my other computer; in my official laptop.
Any activity you did on that computer can leave traces of what you did on that computer. Web activity always leave its history in the browser.
Hello Leo community
Please could you tell me how much internet browsing history would police be able to obtain from work-issued laptop with a VPN?
You should assume they could find all of it.
If a felonious crime is committed, is it standard protocol for Law Enforcement to search that personâs web history and their search inquiries?
And how much of that information can be permanently erased once itâs already been searched for?
I would guess that law enforcement looks at web and search history whenever they believe it will give them information they need.
If itâs a search on Google, it never can be really deleted. Stuff on your computer can be erased pretty effectively if you use CCleaner the way described in the article, but unfortunately, you can never be 100% sure.
Depends on the specifics of the situation. Not all felonies are âworthâ the extra effort that may be required, and not all law enforcement agencies have the resources to do it.
I got a pc from friendâŠand she is interest if i could see her browsing history trough graphic card. She changed hard disk inside pc but wants to know if its possible with graphic card.
Browsing history wouldnât be accessible from a graphics card.
Is it possible for your Browser history search queries to end up in search results themselves or results reflecting the query in one way or another ?
Nope. Not that I know of.