Hey Leo, Just wondering. The recent trial in Florida where the DA searched the plaintiff’s computer and found an incriminating internet search for formaldehyde leads me to ask two questions. I mainly use CCleaner after using the net to clear cookies, but it also clears history and other stuff. Does CCleaner or even manually erasing history actually remove the history from the hard drive? Is every bloody key stroke permanently kept on the HD? And if so, where? Nothing to hide. Just curious.
Unless you have spyware installed on your computer, “every bloody keystroke” is not being recorded. I get that question often enough that it seems like many people are concerned about it – it’s just not the case.
As for finding other things and seeing what CCleaner or other tools might or might not erase – well, things get complicated pretty quick.
Does removing history remove history?
Yes and no.
The problem here is that there are several “levels” of delete and many can be recovered, depending on the level and the amount of effort (and perhaps money) that you’re willing to throw at the problem.
- A file deleted to the Recycle Bin can be recovered from that very simply, but I don’t believe history is deleted to the Recycle Bin.
- The space used by a file that was deleted “permanently” is simply marked as now being free. That means that until it’s overwritten by other data, the original data actually remains on the disk and can possibly be recovered with special tools.
- Data on magnetic media that has been overwritten once or twice might (and I have to stress might) still be recoverable by some fairly advanced magnetic media analysis.
- Data that has been overwritten multiple times can typically not be recovered.
So, if a history file was deleted, there’s a chance that it could still be recovered, depending on a) how much the computer has been used since the delete, and whether or not data has overwritten the space that was previously occupied by the history file, and b) how much effort you’re willing to put into the recovery.
I have no idea if a history file was used in the case that you mention, but my guess is that law enforcement was motivated to put a lot of effort into the process.
Really removing traces of data
CCleaner and tools like it can completely erase files, but they often do not by default.
For example, if you delete history in CCleaner, that’s simply a file delete without any guarantee of overwrite. That means that the contents of the deleted file could potentially be recovered with appropriate software.
It’s not until you then use the “Drive Wipe” utility in CCleaner to overwrite all free space that the space previously occupied by the history would be overwritten. Naturally, most people don’t do this.
On top of that, you’d need to select “multiple passes” in order to avoid the possibility of recovery by magnetic media analysis.
Another common tool for this is Secure Delete, a command-line tool that can securely delete specific files or wipe the free space of a drive.
Other traces of history
I’ve focused on the history file here as an example of the most obvious trace left of your website visits and search queries. While that can be securely erased with the appropriate steps, it’s not necessarily the only way that law enforcement might determine that you’ve been searching for a specific topic.
- Spyware: As I mentioned at the beginning, Windows does not store all of your keystrokes somewhere. However, if you have spyware on your machine – whether it’s ordinary malware or software intentionally placed by parents, law enforcement, or others – then all bets are off. All of your keystrokes could be recorded and saved on your machine or sent elsewhere over the internet.
- Cookies: If you erased these with your browser, CCleaner, or other tools, then law enforcement could certainly draw some inferences about some of the sites or pages that you’ve visited.
- Google Web History: If you are logged into a Google account at the time that you perform your Google search, it’s possible that your search is recorded in your Google Web History, an online record of everything that you’ve searched for. You can turn this off, but many people don’t even realize that it’s on. Naturally, law enforcement could easily request the contents of this record with a search warrant.
- Google Search History: Even with the web history feature turned off, Google’s servers, like any web server, will likely record the IP address and some additional characteristics of each access. With some work (and again, that search warrant), law enforcement could establish a link between your IP address and the searches performed from your computer.
As you can see, it’s possible – though perhaps quite difficult – that law enforcement could still recover information about what you’ve been searching for with the appropriate legal documentation.
On one hand, it’s kinda scary that this is possible.
On the other hand, it can be a useful tool to provide evidence that might contribute to the conviction of a criminal.
In either case, the possibilities are at least worth knowing about, even if you truly have nothing to hide.