A Digital Handbook for the Recently Deceased
Adrian Crenshaw
This article's subject matter is not light, but I'm told it's needed. In early 2017 I had an uncle and then my mother pass away about twelve days apart. I was my uncle's designated executor, so I have some experience with dealing with estates. Neither of them had a huge digital footprint. In 2018, I heard of a man who died at 33 of cancer who did, and it started me thinking about how to pass on digital legacies to loved ones. Besides my own limited experiences, I'm also pulling ideas from Andrew Kalat's (@Lerg) Shmoocon 2016 talk and Kyle Bubp's (@kylebubp) BSides Cincinnati 2018 talk on the subject (links to both are at the bottom of this article, and Mr. Kalat has also written a book called "Managing Digital Legacies" on the subject). This article will be both for people wanting to prepare things for their loved ones to make their lives easier after they pass and for loved ones who have to deal with a deceased person's information.
While I am not a lawyer and cannot give legal advice, the first recommendation I can give anyone wanting to make things easier on their loved ones when they pass is to have a will and living will in place and to declare an executor to carry it out. The living will part is important to consider. Keep in mind that things like dementia or vegetative states are issues, and a person can be alive and still incapable of remembering or relaying needed passwords and account information. If someone is not a spouse, declaring an executor of the will becomes even more important as random family members will have a harder time in getting legal requests fulfilled unless they are an executor. One thing you will want to get multiple copies of is the death certificate, which you can generally ask the funeral director for or order from the state. Some places will just make a copy and hand you back the original, others may need an original. I assume jurisdictions vary, but in my case I had to take a death certificate and a copy of the will to a lawyer, and they petitioned the county court to give me a Letters Testamentary. Apparently this goes by a few different names: "A Letter of Testamentary", "Letter of Administration" or "Letter of Representation". Usually to claim bank accounts, investment accounts and such, the officer will need to see a death certificate and a Letter of Testamentary that shows you have the legal authority to act on the deceased's behalf.
For those designing their will, for the sake of your loved ones please be specific in how you want things divvied up. I've heard sad stories of the patriarch/matriarch of a family dying and then the family being torn apart afterwards fighting over who receives what. Best to just make it clear up front what your wishes are. Also, make sure loved ones know where to find your will. It slowed things down when it took a while to sort through uncle's house to find his.
Consider using a financial planner to help keep your investment accounts in order. A few years before my uncle's passing he had me meet with his financial planner and a lawyer to make sure I was set up as executor and had details on how his will was to be handled. His financial planner has helped me a lot in managing and consolidating accounts. I've also heard the advice that if you are commonly the one paying bills, have a little cash or something else liquid on hand that loved ones can get to if need be. Likely funds will not be able to be transferred directly to the inheritors at first, and an estate account will need to be set up till all bills, debts, and will specifications have been carried out. This will also be important to keep certain bills paid for domains, hosting, phones, etc. while you sort things out.
I had an easier time because my uncle appears to have had his financial accounts managed in one place. Some may have to sort through tax documents and bank/financial statements after someone's death to figure out where money is located. For those preparing for their loved ones, please limit the documents you keep if you know which ones are no longer needed. When uncle passed, we had to sort through tons of old financial statements as he seemed to have kept every one he had ever received, but in no order or system, just a pile here and a pile there.
Fortunately in these unfortunate circumstances, financial organizations have been dealing with death and inheritance for a long time, so a lost password and account information is not as big of a deal if you have a financial statement for finding the account, a death certificate and a letters testamentary to transfer funds to an estate account. Online accounts for email, social media, websites and such are not as easy and are far from standardized. Let's assume the easiest route first of finding passwords instead of having to go to every online organization to reclaim accounts or get notices of the deceased's passing posted.
The first question to ask if you are preparing to make things easier for your loved ones is who do you trust? I've heard of people putting the password for a password vault in a safe or safety deposit box for safekeeping, but then you have to trust whoever has access to it. You could also spread that trust across multiple people. For example, more than one person could have only part of a password and they have to combine them to access a password vault, or perhaps one person has access to the password for an encrypted volume and one to a password vault. Sadly, even for those obsessed with security and who know nothing is a secret if more than one person knows it, the master password for a password vault may be best stored in a safe, perhaps obfuscated in a way only executors know.
Some password vaults like LastPass give you the ability to set an emergency contact that can be given access to your passwords. The emergency contact can request access, you will get a message asking you if you want to deny access, and you can set how long before the emergency contact gets access if you do not deny the request. While this may sound heartless, companies should likely change the passwords of deceased employees after they have been notified as they can't be sure if the employee did or did not mix company credentials with personal credentials in their password vaults.
Barring having access to a password vault, many passwords can just be reset. If you have access to the deceased's main email account, often that will be all you need to recover passwords (some may even store the passwords for other accounts in their email, a common way pentesters escalate after getting access to someone's email password via a phish). Depending on how tech savvy/security conscious someone is, email accounts are often left logged in on desktops, laptops and phones.
Assuming there is not full hard drive encryption enabled but you don't have access to log in to a person's PC, you may be able to boot from external media and just copy off the cookies to gain access to accounts. If a shared Windows computer is in use and it has not been rebooted since the person passed and you have access to an administrator account, you could use Metasploit's PSExec along with kiwi to extract logged on user passwords from memory. Even if you don't have an admin account, one could be added or current password hashes could be extracted using external media. Then PSExec could be used to pass a hash, execute Meterpreter, then use post modules to extract passwords (gather/firefox_creds, gather/enum_ie, etc.). Other good Windows tools for extracting passwords can be found at NirSoft's site (http://nirsoft.net/password_recovery_tools.html).
Another tip: leave phones up and running for a while in case they are needed to reset passwords or act in two factor authentication systems. This may mean leaving some money in the account the bill is being autopaid from or moving it to an estate account. Many times password resets may require verification via a phone SMS message. Even if the phone is locked, according to Mr. Bubp the SIM can sometimes be moved to another phone and some two factor authentication can be received via SMS. From Lerg's talk, apparently Apple does not have a right of survivorship for spouses if you need to get data from an Apple product or service. Related to this, you may want to keep any domain names they own up and running if they are using those domains for email.
I personally hate password reset/security questions, and will fill in things that are not true and store my false answers. I remember how Sarah Palin's email got popped because she was a public figure and questions like "where did you meet your spouse" were easy to find. Password reset questions should likely be stored by people making preparations for loved ones, or you may have to ask a lot of family members to figure out the answers to some questions (I would have no idea what my dad's first pet's name would be for example).
Barring gaining direct access to the credentials, you may have to deal directly with the company to gain access to the accounts. In most of these circumstances, you will receive rather limited abilities, so it is better to find the credentials for accounts if you can.
Facebook has support for setting up a "Legacy Contact" which has limited access to your account, but can put up a notice that you have passed. Further details are at the following link:
https://www.facebook.com/help/1568013990080948
Twitter gives access so loved ones can have an account deleted, but you cannot gain access to use it.
Google's Inactive Account Manager has the ability to send messages to people you designate to let them know you have been inactive. You can also choose to let designated people download your information from +1s, Blogger, Drive, Mail and YouTube if you have been inactive. However, people will not get access to use your account.
https://support.google.com/accounts/answer/3036546?hl=en
I use Dreamhost as a provider, and it would be unfortunate if my site went away. I assume other providers have similar procedures. Gaining access to accounts of the deceased:
https://help.dreamhost.com/hc/en-us/articles/215202507-Gaining-access-to-accounts-of-the-deceased
Domain Registrars have similar procedures. GoDaddy has the following page on "How to gain access to domains/accounts after owner's death".
https://www.godaddy.com/help/how-to-gain-access-to-domainsaccounts-after-owners-death-8356
If you run an important site, you may want to consider registering it via a legal entity other than just your personal self. I'm told an LLC or trust can be good options, but work with an estate attorney.
A final thing to consider is if availability is sometimes more important than confidentiality. Family photos may not really need to be on an encrypted drive, and many people want to keep them for the memories. The same goes for written documents, old emails and digital personal effects.
Sorry if this article bummed you out, but people told me it might be helpful for those preparing or those who have lost a loved one. Please check out the following resources for more information on this subject.
Links:
Twitter thread that started it:
https://twitter.com/irongeek_adc/status/999838152318734336
How to Access a Deceased Loved One's Online Accounts by Doug Aamoth
http://techland.time.com/2013/07/16/how-to-access-a-deceased-loved-ones-online-accounts/
Online No One Knows You're Dead by Andrew Kalat (@Lerg) at Shmoocon 2016; he has also written a book called "Managing Digital Legacies" on the subject
https://www.youtube.com/watch?v=4GL10xrzyyU
https://www.safaribooksonline.com/library/view/managing-digital-legacies/9781491995037/
Death, Dealing, and Digital Forensics by Kyle Bubp (@kylebubp) at BSides Cincinnati 2018
https://www.youtube.com/watch?v=5PBukBKkkz8
Thanks to @h0tdish for adding some levity with the Beetlejuice inspired title.
Copyright 2020, IronGeek