Helping people with computers... one answer at a time.

While simply viewing a file seems like a benign thing to do, there are many ways that the file itself or the fact that you viewed it might be recorded.

If I open and view, but do not ever save a file on my hard drive - in other words it is opened from and only stored on other media like CD or flash drive - can such a file be recovered, opened, viewed or otherwise identified?

Maybe.

This is another of those cases where it really, really, really depends on the characteristics of the file, the system, and the program used to view it.

More often than you might think the answer to at least some of the scenarios you raise is yes.

When you view a file, even on external media like a CD-ROM several things might happen:

"The only real safe way to view a file and hide all traces, is to view that file on a machine that only you control."
  • The entire file might get copied to a temporary location on your hard drive. Some viewing programs, for example, will do this so that the file can be read/write, others might do this because they know they need the file locally for reasons of their own choosing, and others might do it "just because". Image viewers are notable, since given a huge image they might make a local copy that they can then scale to your screen size without affecting the original.

  • Even if the file is kept entirely in RAM in order to be viewed, all or parts of it might get written to the Windows swap file if your system happens to need to do so to make room for other applications in RAM. Accessing it later out of that swap file is extremely difficult, but still potentially possible.

  • The fact that you viewed the document might get added to the "recently viewed documents" list that Windows maintains for your Start menu. This requires the viewing application's cooperation, but many applications do cooperate.

  • The fact that you viewed the document might also get added to the application's own "recently opened" list.

  • It's even possible that the document might get added to your browser's history, if the document requires the browser's help to be displayed. The default viewer for certain types of images is sometimes your web browser.

  • Auditing might be turned on in your system for security reasons, and a record of your actions kept there.

  • Even using "Type" to view a file in the Windows Command Prompt might add an entry to the command history that can easily be retrieved. (Type up-arrow in a command prompt and you might see previously executed commands.)

  • While we normally think of the file system as retaining simply the date a file was last modified or created, it might also be recording the date and time that the file was last accessed.

  • There might be spyware.

As you can see, there are lots of ways that things "might" happen. I have to stress might simply because there are no guarantees, and everything varies with all the things that could be different from situation to situation, right down to the configuration of the machine.

And I have to stress that just because it "might" be possible doesn't mean that it "will" be possible. It's also possible for those situations above not to apply at all, and for there to be no way to know what's been accessed on the machine.

It sounds like you're trying to hide something. Naturally, I'd recommend against doing anything that would require that level of stealth, but I also know that sometimes it's simply required.

The only real safe way to view a file and hide all traces, is to view that file on a machine that only you control. If you've taken all the steps to make sure that no one else has access to that machine (including preparing for or planning for theft) then the traces you might leave are inconsequential.

There is one compromise: you might consider rebooting the machine and accessing or viewing the files using a "Live" CD, typically a Linux distribution, that simply doesn't access the hard drive at all.

However, the fact that you rebooted and when might also be easily available.

Article C4077 - January 10, 2010 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

4 Comments
Keith Griffiths
January 13, 2010 9:53 AM

Will firewall software (I have Avira Anti Virus and PC Tools Threatfire installed) prevent anyone on the Internet from reading a word processing file which is open on the computer and which I am working on?

Not by itself, no. You need to avoid viruses and spyware as well.
Leo
14-Jan-2010

Bob
January 21, 2010 1:58 AM

Vista often shows a representation of a file in it's thumbnail - does previewing a file leave a similar trail?
On a similar note, does (or can) copying a file from one removeable storage to another (i.e. between memory sticks) leave such trails?

brad
September 9, 2011 9:40 PM

good question. Ive been trying to find out if I opened a file from my file drive the company could see it, even if they dont have physical access to the laptop?

Possibly - they could have spyware on your machine if it's a company machine, they could watch the network if accessed over a network, they could look at "recently opened files" if the program used to view the file updated that. They may not, but they may, and if it matters you should assume that they do.
Leo
11-Sep-2011

brad
September 9, 2011 9:42 PM

I meant flash drive

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.