Helping people with computers... one answer at a time.
Web searches are stored in your browser history, but even deleting that may not be enough to prevent the discovery of what you've been searching for.
Hey Leo, Just wondering. The recent trial in Florida where the DA searched the plaintiff's computer and found an incriminating internet search for formaldehyde leads me to ask two questions. I mainly use CCleaner after using the net to clear cookies, but it also clears history and other stuff. Does CCleaner or even manually erasing history actually remove the history from the hard drive? Is every bloody key stroke permanently kept on the HD? And if so, where? Nothing to hide. Just curious.
•
Unless you have spyware installed on your computer, "every bloody keystroke" is not being recorded. I get that question often enough that it seems like many people are concerned about it - it's just not the case.
As for finding other things and seeing what CCleaner or other tools might or might not erase - well, things get complicated pretty quick.
•
Does removing history remove history?
Yes and no.
The problem here is that there are several "levels" of delete and many can be recovered, depending on the level and the amount of effort (and perhaps money) that you're willing to throw at the problem.
-
A file deleted to the Recycle Bin can be recovered from that very simply, but I don't believe history is deleted to the Recycle Bin.
-
The space used by a file that was deleted "permanently" is simply marked as now being free. That means that until it's overwritten by other data, the original data actually remains on the disk and can possibly be recovered with special tools.
-
Data on magnetic media that has been overwritten once or twice might (and I have to stress might) still be recoverable by some fairly advanced magnetic media analysis.
-
Data that has been overwritten multiple times can typically not be recovered.
So, if a history file was deleted, there's a chance that it could still be recovered, depending on a) how much the computer has been used since the delete, and whether or not data has overwritten the space that was previously occupied by the history file, and b) how much effort you're willing to put into the recovery.
I have no idea if a history file was used in the case that you mention, but my guess is that law enforcement was motivated to put in a lot of effort into the process. 1
Really removing traces of data
CCleaner and tools like it can completely erase files, but they often do not by default.
For example, if you delete history in CCleaner, that's simply a file delete without any guarantee of overwrite. That means that the contents of the deleted file could potentially be recovered with appropriate software.
It's not until you then use the "Drive Wipe" utility in CCleaner to overwrite all free space that the space previously occupied by the history would be overwritten. Naturally, most people don't do this.
On top of that, you'd need to select "multiple passes" in order to avoid the possibility of recovery by magnetic media analysis.
Another common tool for this is Secure Delete, a command-line tool that can securely delete specific files or wipe the free space of a drive.
Other traces of history
I've focused on the history file here as an example of the most obvious trace left of your website visits and search queries. While that can be securely erased with the appropriate steps, it's not necessarily the only way that law enforcement might determine that you've been searching for a specific topic.
-
Spyware: As I mentioned at the beginning, Windows does not store all of your keystrokes somewhere. However, if you have spyware on your machine - whether it's simply malicious malware or intentionally placed by parents, law enforcement, or others - then, all bets are off. All of your keystrokes could be recorded and saved on your machine or sent elsewhere over the internet.
-
Cookies: If you erased these with your browser, CCleaner, or other tools, then law enforcement could certainly make some implications about some of the sites or pages that you've visited.
-
Google Web History: If you are logged into a Google account at the time that you perform your Google search, it's possible that your search is recorded in your Google Web History, an online record of everything that you've searched for. You can turn this off, but many people don't even realize that it's on. Naturally, law enforcement could easily request the contents of this record with a search warrant.
-
Google Search History: Even with the web history feature turned off, Google's servers, like any web server, will likely record the IP address and some additional characteristics of each access. With some work (and again, that search warrant), law enforcement could establish a link between your IP address and the searches performed from your computer.
As you can see, it's possible - though perhaps quite difficult - that law enforcement could still recover information about what you've been searching for with the appropriate legal documentation.
On one hand, it's kinda scary that this is possible.
On the other hand, it can be a useful tool to provide evidence that might contribute to the conviction of a criminal.
In either case, the possibilities are at least worth knowing about, even if you truly have nothing to hide.
•
1: In an interesting twist, in that specific case, it turns out that the software used to analyze whatever history was found on the machine had a bug and grossly over-stated the number of times that the term was searched for.
Article C4890 - July 30, 2011 « »
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
August 17, 2011 10:50 AM
I forgot to add, ixquick suggests "https" connections for many sites, that would otherwise not be found by other search engines.
It's a tab slower, but it works good.
As far as cleaning your computer history goes, run CCleaner daily, after using it for the last time each day. Be sure to use the "DOD" (3x) wiping operation, at a minimum. For added safety, there are 7x & 35x (Guttman) wiping choices, although a 35x wipe is extreme.
As a second precaution, install Recuva, do a deep scan for files, and use the same options that CCleaner offers to wipe the leftovers. I do this monthly.
Cat
August 17, 2011 2:18 PM
We may be able to remove all traces of "inappropriate" web sites from our PCs using the various cleaners and shredders, but surely internet service providers can track each and every one of these sites and keep records of all visits?
August 19, 2011 10:38 AM
Even Steve Jobs poersonal computer was searched by law enforcement and evidence was found inplicating him in wrongdoing.
One way to erase ALL information in your computer when you are buying another one is to completely demagnitize it with a atrong magnet.
20-Aug-2011
August 19, 2011 11:34 AM
I use a computer until I decide to replace it. At that time I remove the insides and destroy all. Goes to a landfill. End of problem. I have replaced a hard drive and destroyed it prior to it's trip to the landfill. Seems like an easy way to take care of the potential problem.
January 30, 2013 8:44 AM
To the person who posted that ixquick is a good search engine for privacy, I discovered to my frustration that my ixquick searches were nonetheless still on my hard drive, and the usual cleaners will not overwrite the sectors where they are recorded!
•
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.