How Much of My Search History Could Be Recovered?

//

Hey Leo, Just wondering. The recent trial in Florida where the DA searched the plaintiff’s computer and found an incriminating internet search for formaldehyde leads me to ask two questions. I mainly use CCleaner after using the net to clear cookies, but it also clears history and other stuff. Does CCleaner or even manually erasing history actually remove the history from the hard drive? Is every bloody key stroke permanently kept on the HD? And if so, where? Nothing to hide. Just curious.

Unless you have spyware installed on your computer, “every bloody keystroke” is not being recorded. I get that question often enough that it seems like many people are concerned about it – it’s just not the case.

As for finding other things and seeing what CCleaner or other tools might or might not erase – well, things get complicated pretty quick.

Become a Patron of Ask Leo! and go ad-free!

Does removing history remove history?

Yes and no.

The problem here is that there are several “levels” of delete and many can be recovered, depending on the level and the amount of effort (and perhaps money) that you’re willing to throw at the problem.

… the possibilities are at least worth knowing about, even if you truly have nothing to hide.
  • A file deleted to the Recycle Bin can be recovered from that very simply, but I don’t believe history is deleted to the Recycle Bin.
  • The space used by a file that was deleted “permanently” is simply marked as now being free. That means that until it’s overwritten by other data, the original data actually remains on the disk and can possibly be recovered with special tools.
  • Data on magnetic media that has been overwritten once or twice might (and I have to stress might) still be recoverable by some fairly advanced magnetic media analysis.
  • Data that has been overwritten multiple times can typically not be recovered.

So, if a history file was deleted, there’s a chance that it could still be recovered, depending on a) how much the computer has been used since the delete, and whether or not data has overwritten the space that was previously occupied by the history file, and b) how much effort you’re willing to put into the recovery.

I have no idea if a history file was used in the case that you mention, but my guess is that law enforcement was motivated to put in a lot of effort into the process.1

Really removing traces of data

CCleaner and tools like it can completely erase files, but they often do not by default.

For example, if you delete history in CCleaner, that’s simply a file delete without any guarantee of overwrite. That means that the contents of the deleted file could potentially be recovered with appropriate software.

It’s not until you then use the “Drive Wipe” utility in CCleaner to overwrite all free space that the space previously occupied by the history would be overwritten. Naturally, most people don’t do this.

On top of that, you’d need to select “multiple passes” in order to avoid the possibility of recovery by magnetic media analysis.

Another common tool for this is Secure Delete, a command-line tool that can securely delete specific files or wipe the free space of a drive.

Other traces of history

I’ve focused on the history file here as an example of the most obvious trace left of your website visits and search queries. While that can be securely erased with the appropriate steps, it’s not necessarily the only way that law enforcement might determine that you’ve been searching for a specific topic.

  • Spyware: As I mentioned at the beginning, Windows does not store all of your keystrokes somewhere. However, if you have spyware on your machine – whether it’s simply malicious malware or intentionally placed by parents, law enforcement, or others – then, all bets are off. All of your keystrokes could be recorded and saved on your machine or sent elsewhere over the internet.
  • Cookies: If you erased these with your browser, CCleaner, or other tools, then law enforcement could certainly make some implications about some of the sites or pages that you’ve visited.
  • Google Web History: If you are logged into a Google account at the time that you perform your Google search, it’s possible that your search is recorded in your Google Web History, an online record of everything that you’ve searched for. You can turn this off, but many people don’t even realize that it’s on. Naturally, law enforcement could easily request the contents of this record with a search warrant.
  • Google Search History: Even with the web history feature turned off, Google’s servers, like any web server, will likely record the IP address and some additional characteristics of each access. With some work (and again, that search warrant), law enforcement could establish a link between your IP address and the searches performed from your computer.

As you can see, it’s possible – though perhaps quite difficult – that law enforcement could still recover information about what you’ve been searching for with the appropriate legal documentation.

On one hand, it’s kinda scary that this is possible.

On the other hand, it can be a useful tool to provide evidence that might contribute to the conviction of a criminal.

In either case, the possibilities are at least worth knowing about, even if you truly have nothing to hide.

Footnotes & references

1: In an interesting twist, in that specific case, it turns out that the software used to analyze whatever history was found on the machine had a bug and grossly over-stated the number of times that the term was searched for.

62 comments on “How Much of My Search History Could Be Recovered?”

  1. You could as an alternative use TrueCrypt’s whole drive encryption. Then without the TrueCrypt password, no one or no utility would be able to recover any data on the drive.

  2. Leo I like your informative article. I learned a lot.
    What if we use Private Browsing will it still leave traces on our computer?
    If web server record our IP address we can use Hide Ip software. Do you think it will be useful or not?

    Theoretically Private Browsing doesn’t leave traces on your computer. I say theorectically because I don’t believe that’s an absolute – perhaps traces could be found in files that are deleted by Private Browsing but still recoverable, or traces could be left in the virtual memory swap file on some computers. If it’s critical that nothing be found I would personally not rely on Private Browsing features and opt instead for a bootable Live CD that never even touches the hard drive.

    I’m not familiar with IP hiding software. Whether you can be traced depends on the specific approaches used by that software and how good a job it does. In most cases IP hiding tools do not make it impossible to be traced, just harder. The quality of the tool defines just how much harder it makes it.

    Leo
    04-Aug-2011

  3. Those last two items of Leo‘s are well worth bearing in mind, because they have nothing  whatsoever to do with your local drive, or the files stored on it. We repeat the mantra that “Google Is Your Friend” — and they very well may be — but, even very close friends may be forced to give you up when faced with a court order or a subpoena, and Google isn’t even a “very close” friend — its an absolutely impersonal   one. By very definition, folks — I mean, c’mon — it’s a corporation, for Jeez’ sake!!!

    Don’t get yourself on “World Dumbest Criminals”, O.K.? Think.  Don’t pump criminal searches through Google’s search engine. (Like, “Duh!” Did I really have to say that?) Things like “kiddie porn” or “bomb making” or “untraceable poison” can (and have!) implicated defendants and contributed to some very lengthy prison (or death!) sentences.

    To say nothing of potential appearances on that aforementioned TruTV television show.

    “That is so obvious that I am ashamed to write it.”
            
    –Lewis, C. S.: The Screwtape Letters

  4. I use File Shredder which will shred files, folders and your free space up to DoD standards. Once shredded no-one can recover any of that data. Not the CIA, nobody.

    TrueCrypt allows you to ‘onion-skin’ your protected files with an encrypted space inside an encrypted space many times.

    Keystroke monitors. If they’re installed as software they are detectable but if they’re a plugged in ‘tween the keyboard and computer, they’re invisible to anti-maleware but a simple peek behind the computer, AHA! What have we here?
    I use keylogging software on my machine simply because I want to know what’s going on behind my back, and anybody that uses this computer knows that. Spyware? Mayhap, but anybody that uses my computer knows about it.

  5. Hi Leo, What about Index.dat, Index .dat keeps a copy of every website and every photo or page that you look at on the net.

    Index.dat is just that – an index that points to the other files in your cache that contain the actual data. Yes, it could still have incrimnating evidence, but I treat it the same as clearing your history – it might be deleted and recoverable like any other file.

    Leo
    04-Aug-2011

    • If I log into the internet access of my employer while at home and view free porn , can this be traced ? to my email adress ? I live in motel and they have internet access through a wireless connection ,

      IT told us they have some viruses

      • If you log on through their account, they are your ISP and can see everything. You can use a VPN to hide the sites you are visiting, but your employer would know you are using a VPN. Since a VPN has many legitimate purposes, this may or may not be a problem with them.

  6. Very good article covering the basics. Privacy , if you have “something to hide” or not is something we all should be much more aware of.

  7. I rarely find fewer than tens of thousands of history entries, even when the user has a history scrubber. I often find well over a hundred thousand (but fewer when the aforementioned scrubbers are used). If you want a surprise, try downloading the demo version of NetAnalysis by Digital Detective (I have no connection to them) and run it on your own computer.

  8. In the “dark ages” of computing during the early 70’s some of the government main frame computers had to be “scrubbed” after processing top secret data. At the time the scrubbing involved the complete erasure of every memory location in the computer. Believe it or not, we had to run a program that erased core – some of you know that word – 999 times! Overkill? Perhaps, but during the cold war the edict was to be safe, not sorry.

  9. I forgot to add, ixquick suggests “https” connections for many sites, that would otherwise not be found by other search engines.

    It’s a tab slower, but it works good.

    As far as cleaning your computer history goes, run CCleaner daily, after using it for the last time each day. Be sure to use the “DOD” (3x) wiping operation, at a minimum. For added safety, there are 7x & 35x (Guttman) wiping choices, although a 35x wipe is extreme.

    As a second precaution, install Recuva, do a deep scan for files, and use the same options that CCleaner offers to wipe the leftovers. I do this monthly.

    Cat

  10. We may be able to remove all traces of “inappropriate” web sites from our PCs using the various cleaners and shredders, but surely internet service providers can track each and every one of these sites and keep records of all visits?

  11. Even Steve Jobs poersonal computer was searched by law enforcement and evidence was found inplicating him in wrongdoing.

    One way to erase ALL information in your computer when you are buying another one is to completely demagnitize it with a atrong magnet.

    Actually the “strong magnet” approach works for floppy disks, but rarely does anything to today’s hard drives. I recommend something like DBan instead.

    Leo
    20-Aug-2011
  12. I use a computer until I decide to replace it. At that time I remove the insides and destroy all. Goes to a landfill. End of problem. I have replaced a hard drive and destroyed it prior to it’s trip to the landfill. Seems like an easy way to take care of the potential problem.

  13. To the person who posted that ixquick is a good search engine for privacy, I discovered to my frustration that my ixquick searches were nonetheless still on my hard drive, and the usual cleaners will not overwrite the sectors where they are recorded!

  14. Sometimes the best reader for a report is to open in IE, but how vulnerable is that to prying fingers? What should be deleted after using IE to read sensitive reports?
    Thanks!

  15. Can apps I have used on my cell be traced back if I have deleted them. Meaning if I delete them off my cell is there any record of me ever having them on my phone if they are free apps and never paid anything for them

    • If I understand your question correctly, the browsing history of your browser is stored on your hard disk. Deleting browser history would delete those files from the disk. Unfortunately, that doesn’t guarantee that there won’t be some residuals of those files after removal, as the files are deleted but not overwritten. To remove the deleted files from the drive, you can use a free space wiper. CCleaner has that as one of its tools.
      http://ask-leo.com/ccleaner_windows_cleaning_tool.html

      Other places where there might be residuals are the hibernation file (if you’ve enabled hibernation) and the swap files. Those would require forensic skills to extract that kind of information.

      • Thank you for replying to my question, that’s exactly what i wanted to know. Also I wonder how my history is stored on hard disk? Is it stored as links (https://…) or some kind of codes? I have “history” file on my c disk but can’t open it, don’t know why. Thank you, much appreciated.

  16. Is there a way i can see my search history even though i deleted all my browsing history? Like for example from my browsing history stored on c disk?

    • Once you’ve deleted it, it’s no longer available. Your search history is not the same as your browser history. So if you haven’t deleted that, it might still be there. But if you can’t find it in your browser, it’s most likely gone forever, unless you have forensic tools which can sometimes reconstruct missing files from the non-overwritten free space on the drive.

      • Thank you. Also I would like to know…some pages i deleted from my browsing history on google chrome are not appearing in my browsing history that’s stored on my hard disk and some I deleted are still on my hard disk. Why is that?

          • No, i haven’t…but the problem is there is still one of the sites i wisited a year ago on my c disk and even if i delete browsing history it’s still there. But i will try ccleaner

  17. Can someone find out what pages i visited and my browsing history from their own computer without some spy program? For example is there some kind of site online where someone can enter my name and get such information?

    • The answer is “not really”. A person would have to have access to server logs for all the servers that a person may have visited. Or have access to the person’s ISP logs. So there won’t be some website you can go to and log in and find this information. On the other hand, if you are the FBI you can probably do this with search warrants and the like.

      Also, if I own a server and you come to my server and browse through pages I host, then I can see and track where you have been on my server. That is not public information.

  18. When in “incognito” mode (Chrome) or in “in-private browsing” (IE) or “Private Browsing” (Firefox), do any of the browsers store cookies and/or cache temporary files on disk, or is it all in memory?

  19. Hi Leo. I always browsed the web through Internet Explorer Inprivate in conjunction with Duckduckgo. I hoped that these two actions would keep no record of browsing history whatsoever if anyone came looking through my laptop. I also deleted everything using the Microsoft Internet Explorer browser typical action I.e…
    2.Click Tools in the upper right-hand corner.
    3.Select Internet Options from the drop-down menu.
    4.On the General tab, in the Browsing history section, click the Delete button.
    5.Check the boxes of the data you’d like to clear.
    6.Click Delete.

    I clicked all boxes and confirmed delete.

    My question is what could be extracted by a forensics examination regarding my web browsing history?

    Many thanks,
    Lorraine

    • There are a few places which might contain things which a forensic specialist might be able to dig up information such as the Swap File (virtual memory, where your computer uses the HDD when it runs out of RAM), the hibernation file or temporary files which your file cleaning software might miss. Additionally a forensic expert with court permission can see all of your internet activity at your ISP. Using a VPN would get around that, but again they might get a court order to see your activity at the VPN. On the bright side, unless you are suspected of criminal, or in some countries, political activity, it’s likely no one would bother.

      • Hello, thank you so much for replying. I had a number of other questions if you would be so kind.
        Firstly, does web browsing Inprivate (IE) in conjunction with DuckDuckgo still create Index.dat files in Windows 8/8.2 and Windows 10?
        Secondly, Does web browsing Inprivate (IE) in conjunction with DuckDuckgo provide an additional level of privacy for the user at a local level? I understand that DDG prevents websites tracking user activities but does DDG also act as an additional level of privacy for the user to hide or prevent altogether web browsing history remaining on a computer of which can be uncovered by a forensic examination?

        Thanks so much for reading and hopefully replying to questions.
        With best wishes

        • InPrivate in IE, Private in FireFox or Incognito in Chrome browsing are designed not to leave any traces of the browsing history on the computer. Duck, Duck Go won’t save your search history, so yes, each adds another layer of privacy. Whether they work as 100%, that’s another story, although you can get an idea. If you stop getting ads related to your searches (protected by Duck Duck Go) or websites you visit (protected by InPrivate browsing), you can see how those are protecting you.

  20. Hello Leo community.
    I have a family member who is being investigated for accessing illicit inappropriate material online. He has reassured me that he only ever ‘browsed’ this material and never saved, stored, or downloaded anything. Again, similar to a previous post, he also has told me that he always browsed Inprivate (IE) and combined these actions with browsing through Duck, Duck go.
    I am obviously very worried about his situation as his laptops have been taken to be forensically examined.
    I have many questions and concerns but mainly I would like to know if simply browsing the web without, as I say, downloading, storing, saving etc Inprivate and via DDG, will this still be all on his hard drives etc or is merely ‘browsing’ the web Inprivate in conjunction with DDG along with a standard deletion of Inprivate browsing history at the end of the Inprivate session enough to keep any trace whatsoever being left to uncover?
    Thank you so much for your help.
    Mary

    • Yes, it may be on the hard drive. Remember, when you view a web page it’s actually downloaded to your computer in order for you to see it. Even what you’re reading right now. That, then, is typically stored in the browser’s cache and can persist for a while. In private prevents some, but not all of this. For example remnants could exist on deleted areas of the hard disk, or in the swap file. There’s no guarantee that is IS, but there’s also no guarantee that is it not.

      • Thank you for replying.
        Please could you tell me a little more about DuckDuckGo? I do understand a little of what it achieves but would it be accurate to say that browsing via DDG is like browsing Inprivate or incognito etc? Will it therefore act as another defence against browsed material leaving traces on hard drive or other retrievable locations?

        Many thanks again,
        Mary

        • No. You don’t “browse” via DuckDuckGo. It’s JUST a search engine. You tell it what to look for and it provides results. You click on the result you want ot go to and DDG is no longer involved. It’s claim to fame is that it doesn’t save what you search for or the results or keep any record of how you used it. That all happens on the DDG web site, and has NO impact on what happens on your computer.

          • Ok thank you for that. I understand that my family member believed that DDG enabled a completely anonymous browsing session, I.e. nothing would be saved on the computer including hard drive (which could be uncovered at a later date) and everything searched would be 100% discarded once the session was over. Would it therefore be wrong to say that DDG offers an additional level of web browsing privacy whatsoever?
            Thank you so much

          • It is an additional level of privacy, in that DDG does not track/save information (whereas alternatives often do). But it all has nothing to do with what’s saved on your computer.

  21. It wouldn’t be wrong, it offers a “layer” of protection but a thin layer. It doesn’t protect you if law enforcement gets an authorization to see what has passed through the ISP. Duck Duck Go simply doesn’t keep records of your searches and nothing more. That would do little more than eliminate some targeted ads. That’s doesn’t seem to be what your original question was asking.

    • Depends on what you mean by “safe”. Incognito only controls what’s stored on your machine (no cache, history, cookies discarded, etc.). The sites you visit can still do whatever they do within those constraints.

      • Well i mean for example if i visit in incognito mode sites about traveling etc. Will i have ads on facebook related to the site i visited in incognito mode, for example plain tickets etc. Or because i was in incognito mode and no cookies are stored facebook wont recommend similar ads?

        • Yes. As Leo said, incognito mode doesn’t affect how your browser interacts with websites. The only advantage incognito mode offers is that it doesn’t save any record of your surfing on your computer. Incognito mode is badly named. It has nothing to do with being incognito.

        • There are many different techniques that advertisers use beyond simple cookies. It would not surprise me at all to see ads track even in incognito mode.

  22. I had browsed some sites from another computer unknowingly that I am logged in Google. Later when I opened my official laptop and checked my activity tracker; I got the view of the sites searched on the other computer and didn’t click on any link but logged out of Google. Will it leave any traces of the links searched on my other computer; in my official laptop.

    • Any activity you did on that computer can leave traces of what you did on that computer. Web activity always leave its history in the browser.

  23. Hello Leo community
    Please could you tell me how much internet browsing history would police be able to obtain from work-issued laptop with a VPN?

  24. If a felonious crime is committed, is it standard protocol for Law Enforcement to search that person’s web history and their search inquiries?

    And how much of that information can be permanently erased once it’s already been searched for?

    • I would guess that law enforcement looks at web and search history whenever they believe it will give them information they need.
      If it’s a search on Google, it never can be really deleted. Stuff on your computer can be erased pretty effectively if you use CCleaner the way described in the article, but unfortunately, you can never be 100% sure.

    • Depends on the specifics of the situation. Not all felonies are “worth” the extra effort that may be required, and not all law enforcement agencies have the resources to do it.

  25. I got a pc from friend…and she is interest if i could see her browsing history trough graphic card. She changed hard disk inside pc but wants to know if its possible with graphic card.

Leave a reply:

Before commenting please:

  • Read the article. Comments indicating you've not read the article will be removed.
  • Comment on the article. New question? Start with search, at the top of the page. Off-topic comments will be removed.
  • No personal information. Email addresses, phone numbers and such will be removed.
  • Add to the discussion. Comments that do not — typically off-topic or content-free comments — will be removed.

All comments containing links will be moderated before publication. Anything that looks the least bit like spam will be removed.

I want comments to be valuable for everyone, including those who come later and take the time to read.