Ask Leo!

Are there hidden files that save every keystroke I've ever typed, and how do I find them?


Summary: There's a lot of misinformation and even paranoia relating to keystroke logging and privacy. Much of it, however, is based on small kernels of truth.

This is a multi-part question and pertains to computer forensics. Specifically, locating those mysterious, deeply hidden files that (supposedly) contain your computer's entire history - every keystroke ever made. Accessing those files. Viewing the contents. Deleting the contents. Understanding how a utility like DBAN can "find" and nuke them, but I as the computer owner can't. And finally, if every keystroke really has been recorded to some hidden file, how come it doesn't wipe out available space on my hard drive.

There are several misconceptions present in the question.

The problem is that the misconceptions are based on kernels of truth, which means I can't just say "that's wrong"; it's more a case of "it's not like that - it's like this".

Confused already? Let's see if I can clear it up.

Keystrokes

Every keystroke you ever typed is not recorded on your computer.

Unfortunately, the sheer amount of data involved is no longer a valid reason to say it couldn't be done. Let's say you're a really prolific typist, and you type 100,000 keystrokes a day (that's over three keystrokes every second for a solid 8 hour work day). In a year that adds up to 36 megabytes of data. Keep your computer for 10 years, and that's 360 megabytes. On today's hard disks that's next to nothing.

More to the point, if every keystroke were being recorded somehow, we'd be hearing about a lot more successful capture and prosecution of cyber criminals, along with a plethora of lawsuits from privacy concerns.

So, no, I certainly don't believe that every keystroke is being permanently recorded by the operating system, drivers or other official software.

However there are kernels of truth:

  • As I write this, every keystroke is recorded to create this article. That's kind of what we would expect. The documents you create, the email you send, these are all a kind of record of your keystrokes if kept on your hard disk.

  • Every keystroke is recorded in keyboard buffers. These are the buffers that allow you to "type ahead" while your computer is doing something else. Once the computer's ready again, everything you typed suddenly appears. Those buffers are various sizes, anywhere from a few bytes to several thousand. As these buffers fill up older keystrokes are removed to make room for new ones. And normally they're in memory only; turn your computer off and they're gone. (There may be one quite literally in your actual keyboard, but again, turn the computer off and it's gone.)

  • Memory can be swapped to disk. That means that the keyboard buffers I just spoke of, or any memory related to any software on your machine may be written to disk as the operating system manages how it allocates "real" memory between all the running programs. If you turn off your computer the swap file remains. It could be recovered and examined for "interesting" contents. It's trivial to get the swap file (boot from a Linux live CD, for example), and extremely difficult to make any sense of its contents. There's no predicting what the swap file will contain or for how long - it's all a function of how you use your computer.

  • And of course, all bets are off if you have spyware installed.

That last point is worth considering for a moment.

"Keystroke loggers" are one way that hackers gain access to your various usernames and passwords. A keystroke logger is malicious software that records every keystroke and sends it off to the hacker over the internet for data collection. Once it's been sent, of course, there's nothing you can do. That's why knowing how to keep your computer safe on the internet, and in particular running anti-spyware software, is critical these days.

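The keyboard-buffer and swap-file bullets above describe two things: a type-ahead buffer that drops the oldest keystrokes as new ones arrive, and the fact that whatever is in that buffer can land in the swap file, where a simple "printable strings" scan will show it. This added example (my own illustration, not code from the article or from any operating system) models both: a fixed-size buffer, a constructed stand-in for a swapped-out page, and the same heuristic the classic `strings` tool uses to see what readable text it leaks. The 16-keystroke capacity and the sample text are constructed values.

```python
import re
from collections import deque

# Minimum run of printable ASCII bytes to report; `strings` defaults to 4, 6 cuts noise.
MIN_LEN = 6


class KeyboardBuffer:
    """A fixed-size type-ahead buffer: once full, the oldest keystroke is dropped."""

    def __init__(self, capacity: int):
        self._keys = deque(maxlen=capacity)

    def press(self, key: str) -> None:
        self._keys.append(key)

    def contents(self) -> str:
        """The keystrokes currently sitting in memory (and therefore swappable)."""
        return "".join(self._keys)


def strings(image: bytes, min_len: int = MIN_LEN) -> list:
    """Return every run of at least min_len printable ASCII bytes in a raw image."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def build_sample_swap(buffer: KeyboardBuffer) -> bytes:
    """Constructed stand-in for one swapped-out page: the buffer's bytes surrounded
    by non-printable noise, so only the typed text forms a printable run."""
    noise = (bytes(range(0, 32)) + bytes(range(127, 256))) * 4
    return noise + buffer.contents().encode("ascii") + b"\x00" * 64 + noise


def recover_typed_text(image: bytes) -> list:
    """What an examiner with a copy of the swap file would see: no decoding needed."""
    return strings(image)


if __name__ == "__main__":
    buf = KeyboardBuffer(capacity=16)
    for ch in "0123456789my secret phrase":
        buf.press(ch)
    # Only the last 16 keystrokes survive in the buffer, but that is enough to leak.
    print("buffer holds:", repr(buf.contents()))
    print("printable runs in the swap page:", recover_typed_text(build_sample_swap(buf)))
```

The point to take from running it: the buffer forgot the first ten characters on its own, exactly as the article says, yet the sixteen that remained are fully readable the moment that page reaches disk. That is the case for encrypting swap (or the whole disk) rather than trusting that memory "goes away".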

Disk Erasing Utilities

The utility you mention, DBAN, doesn't locate files at all.

But, once again, there's a kernel of truth: it erases them. How? It simply securely erases everything. DBAN wipes out the entire contents of a hard disk. It doesn't need to know what's on a hard disk - it just 'nukes' it.

There are other "secure delete" utilities as well that typically either securely delete a file, or securely ensure that the "empty" space not currently used by any files is, indeed, empty.

Which leads us to a couple of related "kernels of truth".

The first is that when you delete a file the contents are not actually removed. Instead, the space that the file formerly occupied is marked as "available" for another file to be written to at some later time. As long as that space isn't actually reused and overwritten by another file, the original deleted information is still there. This is the basis for many undelete and other data-recovery utilities. It's also why most of those utilities recommend you stop using your disk if you accidentally delete something, so as to avoid overwriting the deleted area with something new. So just deleting something doesn't necessarily mean that it's immediately or completely gone.

Secure delete utilities explicitly overwrite the data when a file is deleted. They can often also be instructed to overwrite the data in all of the space marked as unused on your hard disk, so as to overwrite any files that had been previously deleted as well. When a secure delete utility deletes or cleans a file, it's gone.

Sort of.

Our second "kernel of truth" gets us talking about forensics at a hardware level.

The best way to think of this is to grab a pencil with an eraser:

  • Write something on a piece of paper. That'll be the equivalent of creating a file on your hard disk.

  • Draw a line through what you've just written. That's kind of equivalent to a "normal" delete. You can still see the data, but the line says "this has been deleted, ignore it".

  • Using the pencil's eraser, erase what you've written, including the line. That's roughly equivalent to the first level of secure delete. You've actually physically removed what you'd written.

At this point there's a good chance you can still kind-of, sort-of, see what you had written before. As it turns out the same is true for magnetic media like hard disks. With the right equipment - which typically means taking the hard disk apart in a clean room and using some extremely high-powered analysis tools - it's possible that even the data overwritten can be partially recovered. Just like you could sort of make out what you had written in pencil and then erased.

Let's continue with the pencil and eraser example:

  • Write a line of capital "A's" on top of the area you just erased.

  • Erase the line of "A's".

  • Write a line of capital "X's" on top of the area you just erased.

  • Erase the line of "X's".

  • repeat until you get tired :-)

At this point, if you haven't erased the paper into oblivion, you'll have a much more difficult time deciphering the original line of text you wrote, if you can make it out at all.

A good secure delete utility will do the same thing: it'll write and erase the data several times before calling it erased. Overwriting the data many times is what really puts the "secure" in a secure delete utility such as DBAN.
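To make the two "kernels of truth" concrete (a normal delete only marks space free, and a secure delete overwrites it, possibly several times), here is an added toy model of a disk: a flat byte array standing in for the platter plus a directory that maps names to extents. It is my own illustration for this article, not DBAN's or any file system's code, and the sizes, file names and "diary" contents are constructed. The `carve` method does what an undelete tool does: it ignores the directory and searches the raw bytes.

```python
import os


class ToyDisk:
    """A block of bytes plus a directory, to show what 'delete' does and doesn't change."""

    def __init__(self, size: int = 4096):
        self.platter = bytearray(size)   # raw bytes: nothing here vanishes on its own
        self.directory = {}              # name -> (offset, length)
        self.free = [(0, size)]          # unused extents, kept sorted by offset

    def _allocate(self, length: int) -> int:
        """First-fit: hand out the lowest free extent that is large enough."""
        for i, (off, ln) in enumerate(self.free):
            if ln >= length:
                self.free[i] = (off + length, ln - length)
                if self.free[i][1] == 0:
                    del self.free[i]
                return off
        raise OSError("disk full")

    def write(self, name: str, data: bytes) -> None:
        off = self._allocate(len(data))
        self.platter[off:off + len(data)] = data
        self.directory[name] = (off, len(data))

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the directory entry and free the extent. No bytes change."""
        off, ln = self.directory.pop(name)
        self.free.append((off, ln))
        self.free.sort()

    def _overwrite(self, off: int, ln: int, passes: int) -> None:
        """The multi-pass pattern: random data on each pass, zeros on the last."""
        for p in range(passes):
            fill = b"\x00" * ln if p == passes - 1 else os.urandom(ln)
            self.platter[off:off + ln] = fill

    def secure_delete(self, name: str, passes: int = 3) -> None:
        """Overwrite the file's extent, then delete it normally."""
        off, ln = self.directory[name]
        self._overwrite(off, ln, passes)
        self.delete(name)

    def wipe_free_space(self, passes: int = 1) -> None:
        """Overwrite every unused extent, catching files that were deleted earlier."""
        for off, ln in self.free:
            self._overwrite(off, ln, passes)

    def carve(self, needle: bytes) -> bool:
        """Recovery-tool view: ignore the directory, search the raw platter bytes."""
        return needle in self.platter


SECRET = b"my private diary entry"   # constructed sample content, 22 bytes


def after_normal_delete() -> bool:
    disk = ToyDisk()
    disk.write("diary.txt", SECRET)
    disk.delete("diary.txt")
    return disk.carve(SECRET)          # True: the bytes are all still there


def after_new_file_reuses_space() -> tuple:
    """Keep using the disk after a delete: a new file lands on the freed extent."""
    disk = ToyDisk()
    disk.write("diary.txt", SECRET)
    disk.delete("diary.txt")
    disk.write("notes.txt", b"x" * 8)  # first-fit overwrites only the first 8 bytes
    return disk.carve(SECRET), disk.carve(b"diary entry")   # (False, True): the tail survives


def after_secure_delete() -> bool:
    disk = ToyDisk()
    disk.write("diary.txt", SECRET)
    disk.secure_delete("diary.txt", passes=3)
    return disk.carve(SECRET)          # False


def after_free_space_wipe() -> bool:
    disk = ToyDisk()
    disk.write("diary.txt", SECRET)
    disk.delete("diary.txt")           # deleted the ordinary way earlier...
    disk.wipe_free_space()             # ...then cleaned the "empty" space
    return disk.carve(SECRET)          # False


if __name__ == "__main__":
    print("carveable after normal delete:", after_normal_delete())
    print("(whole, partial) after reuse:", after_new_file_reuses_space())
    print("carveable after secure delete:", after_secure_delete())
    print("carveable after free-space wipe:", after_free_space_wipe())
```

The partial-overwrite case is the one worth noticing: once the disk is used again, the start of the deleted file is gone but its tail is still carveable, which is exactly why recovery tools tell you to stop writing, and why a free-space wipe is the complement to per-file secure delete. The model says nothing about the hardware-level residue the pencil analogy describes; that is what the multiple passes in `_overwrite` are meant to address, and on a modern drive whole-disk encryption plus a full wipe is the more dependable answer.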

Hidden Files

So are all your keystrokes being written to some hidden file? As I said above, I think not.

Could there be hidden files on your machine? Well, there's that kernel of truth again: of course there could be. In fact I'm certain that there are.

There are several possibilities:

  • Files could simply be marked with the "hidden" file attribute. In fact there probably already are many of these, as the operating system itself often uses this attribute to hide some of its own files from casual observers. But, these are easy to find, since both Windows Explorer and the command line "DIR" command can be instructed to show hidden files.

  • There could be an additional "hidden" partition on the hard drive. Many computer manufacturers use this to keep their recovery data. These are easy to see with Windows' built-in disk management tool, or any partition management software.

  • On an NTFS file system something called "alternate data streams" could be used. This is my favorite, since not many people know about this feature, and it's difficult to detect that it's been used.

  • Lastly there are techniques such as TrueCrypt's "Hidden Volume" which use various approaches to hiding data within other data.

The important thing to note is that all files take up space, whether they're hidden or not.

And erasing the entire hard drive erases them all.
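As an added example of actually looking for the first and third kinds of hidden data listed above (the hidden attribute, and NTFS alternate data streams), here is a small Python scanner. It is my own illustration, not code from the article or from Microsoft. It reads the Windows attribute bits (treating hidden+system as the "super hidden" combination Explorer hides even when "show hidden files" is on), falls back to the dot-file convention on Unix, and on Windows enumerates each file's data streams through the `FindFirstStreamW`/`FindNextStreamW` kernel32 calls via ctypes; on other systems the stream check simply returns nothing. The temporary directory layout used when you run it is constructed; hidden partitions and TrueCrypt volumes are outside what a file walker can see.

```python
import ctypes
import os
import stat
from pathlib import Path

# Windows attribute bits; the stat module exposes these constants on every platform.
HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN   # 0x02: left out of a default listing
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM   # 0x04: with HIDDEN, Explorer's "super hidden"


def describe_attributes(attrs: int) -> str:
    """Classify Windows attribute bits the way a default listing treats them."""
    if attrs & HIDDEN and attrs & SYSTEM:
        return "super-hidden"
    if attrs & HIDDEN:
        return "hidden"
    return "visible"


def is_hidden(path: Path) -> bool:
    """True if a default Explorer/DIR/ls listing would leave this entry out."""
    if os.name == "nt":
        return describe_attributes(path.stat().st_file_attributes) != "visible"
    return path.name.startswith(".")  # the Unix convention for "hidden"


def list_streams(path: Path) -> list:
    """Enumerate NTFS data streams of one file (Windows only; [] elsewhere).
    Returns (name, size) pairs; the unnamed main stream appears as '::$DATA'."""
    if os.name != "nt":
        return []

    class FindStreamData(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    invalid_handle = ctypes.c_void_p(-1).value

    data = FindStreamData()
    handle = k32.FindFirstStreamW(str(path), 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle in (None, invalid_handle):
        return []
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def find_hidden(root: Path) -> list:
    """Walk root; report hidden entries and any alternate data streams, relative to root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if is_hidden(p):
                findings.append(rel)
            for stream, size in list_streams(p):
                if stream != "::$DATA":   # anything beyond the main data stream
                    findings.append(f"{rel}{stream} ({size} bytes)")
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for line in find_hidden(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(line)
```

Reported streams come back in Windows' own `file.txt:name:$DATA` notation, so an entry with a size next to it is a second data stream the file's listed size does not account for; that hidden size is the "all files take up space" point made above, just not in a place a casual listing shows.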

Should You be Worried?

In my opinion, as long as you have the fundamentals of keeping your computer safe on the internet down, the answer is clearly no. As I've said before, unless you're doing something illegal or secretive yourself, you're just not that interesting.

And when the time comes to dispose of hardware such as your disk drive, then tools like DBAN are a fine way to make sure that your hard drive is sufficiently erased of all your private information for all but the most dedicated (and well financed) snoop.


Article 11548 | Posted May 31, 2007

Recent Comments
5 Comments

What about those 'index.dat' files found all over the place that keep track of everything you do online that Microsoft claims are just cache files yet they are 'Super Hidden' and almost impossible to delete without a third party utility.

Of course since '9/11' the idea of backdoors in Windows that go directly to the 'White House' is not so ludicrous. :-) - so says the extra paranoids out there.

www.geocities.com/terryhollett2003/

Posted by: Terry Hollett at June 2, 2007 4:29 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm guessing that we'll end up disagreeing.

Those index.dat files are just that: cache and history files that you can
delete and/or clear out using IE's options, or as you say, many readily
available third parties. There's nothing sinister, and they're not "super
hidden" in my opinion.

As for the whitehouse: again, in my opinion, they haven't shown the
organizational or technological abilities to set up or maintain any kind of a
data gathering conspiracy. I just don't believe it.

Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFGYZD4CMEe9B/8oqERAoA/AJ0W2WifzrNA5N2Lg0xXaqFc/m5A2gCeI0iS
S/H8CTcFtyv4hice4GSimRU=
=Ldck
-----END PGP SIGNATURE-----

Posted by: Leo A. Notenboom at June 2, 2007 8:46 AM

If used properly (which I have never bothered trying), those index.dat files can be made to show a lot of deleted browser history and deleted emails. And they are not too hard to pull off someone's PC and onto a flash drive.

Posted by: Fred Nerd at June 2, 2007 5:23 PM

It seems that I cannot retrieve my hidden files. Where else should I peek?

Posted by: salih abdulbaki at October 17, 2008 7:41 AM

Could you tell me how many keystrokes WOULD be stored on a computer before they overwrite each other?

Nope. There are simply too many variables at play - the drivers, the software you're using - it all impacts the answer. Could be 10. Could be 10,000. Could be something else entirely.
- Leo
17-Nov-2008

Posted by: Aries at November 17, 2008 1:43 AM
