
There's a lot of misinformation and even paranoia relating to keystroke logging and privacy. Much of it, however, is based on small kernels of truth.

This is a multi-part question and pertains to computer forensics. Specifically, locating those mysterious, deeply hidden files that (supposedly) contain your computer's entire history - every keystroke ever made. Accessing those files. Viewing the contents. Deleting the contents. Understanding how a utility like DBAN can "find" and nuke them, but I as the computer owner can't. And finally, if every keystroke really has been recorded to some hidden file, how come it doesn't wipe out available space on my hard drive.

There are several misconceptions present in the question.

The problem is that the misconceptions are based on kernels of truth, which means I can't just say "that's wrong", it's more a case of "it's not like that - it's like this".

Confused already? Let's see if I can clear it up.

Keystrokes

Every keystroke you ever typed is not recorded on your computer.

Unfortunately the amount of data that would be collected is no longer a valid reason it couldn't be done. Let's say you're a really prolific typist, and you type 100,000 keystrokes a day (that's over three keystrokes every second for a solid 8 hour work day). In a year that adds up to 36 megabytes of data. Keep your computer for 10 years, and that's 360 megabytes. On today's hard disks that's next to nothing.

More to the point, if every keystroke were being recorded somehow, we'd be hearing about a lot more successful capture and prosecution of cyber criminals, along with a plethora of lawsuits from privacy concerns.

So, no, I certainly don't believe that every keystroke is being permanently recorded by the operating system, drivers or other official software.

However there are kernels of truth:

  • As I write this, every keystroke is recorded to create this article. That's kind of what we would expect. The documents you create, the email you send, these are all a kind of record of your keystrokes if kept on your hard disk.

  • Every keystroke is recorded in keyboard buffers. These are the buffers that allow you to "type ahead" while your computer is doing something else. Once the computer's ready again, everything you typed suddenly appears. Those buffers are various sizes, anywhere from a few bytes to several thousand. As these buffers fill up older keystrokes are removed to make room for new ones. And normally they're in memory only; turn your computer off and they're gone. (There may be one quite literally in your actual keyboard, but again, turn the computer off and it's gone.)

  • Memory can be swapped to disk. That means that the keyboard buffers I just spoke of, or any memory related to any software on your machine may be written to disk as the operating system manages how it allocates "real" memory between all the running programs. If you turn off your computer the swap file remains. It could be recovered and examined for "interesting" contents. It's trivial to get the swap file (boot from a Linux live CD, for example), and extremely difficult to make any sense of its contents. There's no predicting what the swap file will contain or for how long - it's all a function of how you use your computer.

  • And of course, all bets are off if you have spyware installed.

That last point is worth considering for a moment.

"Keystroke loggers" are one way that hackers gain access to your various usernames and passwords. A keystroke logger is malicious software that records every keystroke and sends it off to the hacker over the internet for data collection. Once it's been sent, of course, there's nothing you can do. That's why knowing how to keep your computer safe on the internet, and in particular running anti-spyware software, is critical these days.


Disk Erasing Utilities

The utility you mention, DBAN, doesn't locate files at all.

But, once again, there's a kernel of truth: it erases them. How? It simply securely erases everything. DBAN wipes out the entire contents of a hard disk. It doesn't need to know what's on a hard disk - it just 'nukes' it.

There are other "secure delete" utilities as well that typically either securely delete a file, or securely ensure that the "empty" space not currently used by any files is, indeed, empty.

Which leads us to a couple of related "kernels of truth".

The first is that when you delete a file the contents are not actually removed. Instead, the space that the file formerly occupied is marked as "available" for another file to be written to at some later time. As long as that space isn't actually reused and overwritten by another file, the original deleted information is still there. This is the basis for many undelete and other data-recovery utilities. It's also why most of those utilities recommend you stop using your disk if you accidentally delete something, so as to avoid overwriting the deleted area with something new. So just deleting something doesn't necessarily mean that it's immediately or completely gone.

Secure delete utilities explicitly overwrite the data when a file is deleted. They can often also be instructed to overwrite the data in all of the space marked as unused on your hard disk, so as to overwrite any files that had been previously deleted as well. When a secure delete utility deletes or cleans a file, it's gone.

Sort of.

Our second "kernel of truth" gets us talking about forensics at a hardware level.

The best way to think of this is to grab a pencil with an eraser:

  • Write something on a piece of paper. That'll be the equivalent of creating a file on your hard disk.

  • Draw a line through what you've just written. That's kind of equivalent to a "normal" delete. You can still see the data, but the line says "this has been deleted, ignore it".

  • Using the pencil's eraser, erase what you've written, including the line. That's roughly equivalent to the first level of secure delete. You've actually physically removed what you'd written.

At this point there's a good chance you can still kind-of, sort-of, see what you had written before. As it turns out the same is true for magnetic media like hard disks. With the right equipment - which typically means taking the hard disk apart in a clean room and using some extremely high powered analysis tools - it's possible that even the data overwritten can be partially recovered. Just like you could sort of make out what you had written in pencil and then erased.

Let's continue with the pencil and eraser example:

  • Write a line of capital "A's" on top of the area you just erased.

  • Erase the line of "A's".

  • Write a line of capital "X's" on top of the area you just erased.

  • Erase the line of "X's".

  • repeat until you get tired :-)

At this point, if you haven't erased the paper into oblivion, you'll have a much more difficult time deciphering the original line of text you wrote, if you can make it out at all.

A good secure delete utility will do the same thing: it'll write and erase the data several times before calling it erased. Overwriting the data many times is what really puts the "secure" in a secure delete utility such as DBAN.
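To make the difference between "marked as available" and "actually overwritten" concrete, here is an added illustration (not code from the article or from DBAN): a toy disk image with a tiny directory, a "normal" delete that only releases blocks, a multi-pass secure delete modelled on the write-A's/write-X's idea above, a free-space wipe, and a raw scan for printable text that ignores the directory entirely. That raw scan is the same thing an undelete tool does, and the same thing that makes leftovers findable in a swap file. The block size, patterns and sample text are constructed for the example; the one lesson the article only hints at is that securely deleting the current copy of a file does nothing for an older copy that was normally deleted earlier, which is why the "wipe unused space" option exists.

```python
"""Toy disk image showing normal delete vs secure delete vs free-space wipe.
Added example; the file system, block size and sample data are constructed."""
import re

BLOCK = 16                                  # bytes per block (tiny, for illustration)
PATTERNS = [b"\x55", b"\xAA", b"\x00"]      # overwrite passes: alternating bits, then zeros


class ToyDisk:
    """A flat byte array plus a directory that maps names to block lists."""

    def __init__(self, blocks: int) -> None:
        self.image = bytearray(blocks * BLOCK)
        self.free = list(range(blocks))             # blocks marked "available"
        self.directory: dict[str, list[int]] = {}   # name -> blocks it occupies

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK)             # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.image[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """'Normal' delete: drop the name, mark blocks free. The bytes stay put."""
        self.free.extend(self.directory.pop(name))

    def _overwrite(self, blocks: list[int]) -> None:
        """Write each pattern over the given blocks, one full pass at a time."""
        for pattern in PATTERNS:
            fill = pattern * BLOCK
            for b in blocks:
                self.image[b * BLOCK:(b + 1) * BLOCK] = fill

    def secure_delete(self, name: str) -> None:
        """Overwrite the file's blocks before releasing them."""
        self._overwrite(self.directory[name])
        self.delete(name)

    def wipe_free_space(self) -> None:
        """Overwrite every block not owned by a live file (older deletions too)."""
        self._overwrite(self.free)


def carve_strings(image: bytes, min_len: int = 8) -> list[str]:
    """Recover printable runs from raw bytes, ignoring the directory.
    This is the 'undelete' or swap-file-scan view of a disk."""
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, image)]


def demo() -> dict:
    """Returns whether the secret is still carvable after each step."""
    secret = b"password: hunter2 (constructed sample)"   # constructed, not real
    disk = ToyDisk(blocks=8)
    found = lambda: any("hunter2" in s for s in carve_strings(bytes(disk.image)))

    disk.write("notes.txt", secret)
    disk.delete("notes.txt")                 # normal delete: bytes survive
    after_normal_delete = found()

    disk.write("notes.txt", secret)          # lands in different free blocks
    disk.secure_delete("notes.txt")          # scrubs only the new copy
    after_secure_delete_of_new_copy = found()

    disk.wipe_free_space()                   # scrubs the stale copy as well
    after_free_space_wipe = found()

    return {
        "after_normal_delete": after_normal_delete,
        "after_secure_delete_of_new_copy": after_secure_delete_of_new_copy,
        "after_free_space_wipe": after_free_space_wipe,
    }


if __name__ == "__main__":
    for step, still_there in demo().items():
        print(f"{step}: {'recoverable' if still_there else 'gone'}")
```

The real-world caveats the article gives still apply: this only models what a file system and a software tool can do with the bytes, not the residual magnetic traces that need lab equipment, and on real disks the "secure" part comes from the overwrite passes, not from any knowledge of where files live.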

Hidden Files

So are all your keystrokes being written to some hidden file? As I said above, I think not.

Could there be hidden files on your machine? Well, there's that kernel of truth again: of course there could be. In fact I'm certain that there are.

There are several possibilities:

  • Files could simply be marked with the "hidden" file attribute. In fact there probably already are many of these, as the operating system itself often uses this attribute to hide some of its own files from casual observers. But, these are easy to find, since both Windows Explorer and the command line "DIR" command can be instructed to show hidden files.

  • There could be an additional "hidden" partition on the hard drive. Many computer manufacturers use this to keep their recovery data. These are easy to see with Windows' built-in disk management tool, or any partition management software.

  • On an NTFS file system something called "alternate data streams" could be used. This is my favorite, since not many people know about this feature, and it's difficult to detect that it's been used.

  • Lastly there are techniques such as TrueCrypt's "Hidden Volume" which use various approaches to hiding data within other data.

The important thing to note is that all files take up space, whether they're hidden or not.

And erasing the entire hard drive erases them all.

Should You be Worried?

In my opinion, as long as you have the fundamentals of keeping your computer safe on the internet down, the answer is clearly no. As I've said before, unless you're doing something illegal or secretive yourself, you're just not that interesting.

And when the time comes to dispose of hardware such as your disk drive, then tools like DBAN are a fine way to make sure that your hard drive is sufficiently erased of all your private information for all but the most dedicated (and well financed) snoop.

Article C3041 - May 31, 2007

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


9 Comments
Terry Hollett
June 2, 2007 4:29 AM

What about those 'index.dat' files found all over the place that keep track of everything you do online that Microsoft claims are just cache files yet they are 'Super Hidden' and almost impossible to delete without a third party utility.

Of course since '9/11' the idea of backdoors in Windows that go directly to the 'White House' is not so ludicrous. :-) - so says the extra paranoids out there.

www.geocities.com/terryhollett2003/

Leo A. Notenboom
June 2, 2007 8:46 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm guessing that we'll end up disagreeing.

Those index.dat files are just that: cache and history files that you can
delete and/or clear out using IE's options, or as you say, many readily
available third parties. There's nothing sinister, and they're not "super
hidden" in my opinion.

As for the whitehouse: again, in my opinion, they haven't shown the
organizational or technological abilities to set up or maintain any kind of a
data gathering conspiracy. I just don't believe it.

Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFGYZD4CMEe9B/8oqERAoA/AJ0W2WifzrNA5N2Lg0xXaqFc/m5A2gCeI0iS
S/H8CTcFtyv4hice4GSimRU=
=Ldck
-----END PGP SIGNATURE-----

Fred Nerd
June 2, 2007 5:23 PM

If used properly (which I have never bothered trying), those index.dat files can be made to show a lot of deleted browser history and deleted emails. And they are not too hard to pull off someone's pc and onto a flash drive.

salih abdulbaki
October 17, 2008 7:41 AM

It seems that I cannot retrieve my hidden files. Where else should I peek?

Aries
November 17, 2008 1:43 AM

Could you tell me how many keystrokes WOULD be stored on a computer before they overwrite each other?

Nope. There are simply too many variables at play - the drivers, the software you're using - it all impacts the answer. Could be 10. Could be 10,000. Could be something else entirely.
- Leo
17-Nov-2008

Roger Berryment
March 12, 2009 7:56 AM

The real question here is, can your hourly, daily etc. activity be recorded within a network, either corporate or other, and reviewed at a later date. I believe the answer to be yes, an employer can if they wanted to go back in time after the end of a day or week etc. and in fast forward watch your activity right down to websites visited in real time, letters written, emails answered, web shopping sites etc. and see the sequences timed as they happened to see how many hours you were logged on you were actually working on company business. I know there is software available for that use. The other question would be can you purchase and install software that allows this not to happen.

Bob
June 21, 2009 12:33 AM

I don't know much of this, but is it possible for some people who know a lot about computers to get into files on my computer and read my emails and see all my history etc. after I have just simply deleted it by going into tools, internet options? If so, how do I get into those files?

Milind
December 23, 2012 4:21 AM

Where are the Facebook activity log files kept hidden on the hard disk?

I've never heard of such a thing existing, so my first reaction is to say "nowhere, because they don't exist on your computer".
Leo
23-Dec-2012

Mark J
December 24, 2012 1:25 AM

@Milind
Facebook does have activity logs that you can access on Facebook. I believe they're stored on Facebook's servers, not on your computer.
