A Digital Handbook for the Recently Deceased
Adrian Crenshaw
This article's subject matter is not light, but I'm told it's needed. In early
2017 I had an uncle and then my mother pass away about twelve days apart. I was
my uncle's designated executor, so I have some experience with dealing with
estates. Neither of them had a huge digital footprint. In 2018, I heard of a man
that died at 33 of cancer who did, and it started me thinking about how to pass
on digital legacies to loved ones. Besides my own limited experiences, I'm also
pulling ideas from Andrew Kalat's (@Lerg)
Shmoocon 2016 talk and Kyle Bubp's (@kylebubp)
BSides Cincinnati 2018 talk on the subject (links to both are at the bottom of
this article, and Mr. Kalat has also written a book called "Managing Digital
Legacies" on the subject). This article will be both for people wanting to
prepare things for their loved ones to make their lives easier after they pass
and for loved ones who have to deal with a deceased person's information.
While I am not a lawyer and cannot give legal advice, the first recommendation
I can give anyone wanting to make things easier on their loved ones when they
pass is to have a will and living will in place and to declare an executor to
carry it out. The living will part is important to consider. Keep in mind that
things like dementia or vegetative states are issues, and a person can be alive
and still incapable of remembering or relaying needed passwords and account
information. If someone is not a spouse, declaring an executor of the will
becomes even more important as random family members will have a harder time in
getting legal requests fulfilled unless they are an executor. One thing you will
want to get multiple copies of is the death certificate, which you can generally
ask the funeral director for or order from the state. Some places will just make
a copy and hand you back the original, others may need an original. I assume
jurisdictions vary, but in my case I had to take a death certificate and a copy
of the will to a lawyer, and they petitioned the county court to give me
Letters Testamentary. Apparently this goes by a few different names: "A Letter
of Testamentary", "Letter of Administration" or "Letter of Representation".
Usually to claim bank accounts, investment accounts and such, the officer will
need to see a death certificate and a Letter of Testamentary that shows you have
the legal authority to act on the deceased's behalf.
For those designing their will, for the sake of your loved ones please be
specific in how you want things divvied up. I've heard sad stories of the
patriarch/matriarch of a family dying and then the family being torn apart
afterwards fighting over who receives what. Best to just make it clear up front
what your wishes are. Also, make sure loved ones know where to find your will.
It slowed things down when it took a while to sort through my uncle's house to
find his.
Consider using a financial planner to help keep your investment accounts in
order. A few years before my uncle's passing he had me meet with his financial
planner and a lawyer to make sure I was set up as executor and had details on
how his will was to be handled. His financial planner has helped me a lot in
managing and consolidating accounts. I've also heard the advice that if you are
commonly the one paying bills, have a little cash or something else liquid on
hand that loved ones can get to if need be. Likely funds will not be able to be
transferred directly to the inheritors at first, and an estate account will need
to be set up till all bills, debts, and will specifications have been carried
out. This will also be important to keep certain bills paid for domains,
hosting, phones, etc. while you sort things out.
I had an easier time because my uncle appears to have had his financial accounts
managed in one place. Some may have to sort through tax documents and
bank/financial statements after someone's death to figure out where money is
located. For those preparing for their loved ones, please limit the documents
you keep if you know which ones are no longer needed. When my uncle passed, we
had to sort through tons of old financial statements as he seemed to have kept
every one he had ever received, but in no order or system, just a pile here and a
pile there.
Fortunately in these unfortunate circumstances, financial organizations have
been dealing with death and inheritance for a long time, so a lost password and
account information is not as big of a deal if you have a financial statement
for finding the account, a death certificate and letters testamentary to
transfer funds to an estate account. Online accounts for email, social media,
websites and such are not as easy and are far from standardized. Let's assume
the easiest route first of finding passwords instead of having to go to every
online organization to reclaim accounts or get notices of the deceased's passing
posted.
The first question to ask if you are preparing to make things easier for your
loved ones is who do you trust? I've heard of people putting the password for a
password vault in a safe or safety deposit box for safekeeping, but then you
have to trust whoever has access to it. You could also split that trust among
multiple people. For example, more than one person could have only part of a
password and they have to combine them to access a password vault, or perhaps
one person has access to the password for an encrypted volume and one to a
password vault. Sadly, even for those obsessed with security and who know
nothing is a secret if more than one person knows it, the master password for a
password vault may be best stored in a safe, perhaps obfuscated in a way only
executors know.
Some password vaults like LastPass give you the ability to set an emergency
contact that can be given access to your passwords. The emergency contact can
request access, you will get a message asking you if you want to deny access,
and you can set how long before the emergency contact gets access if you do not
deny the request. While this may sound heartless, companies should likely change
the passwords of deceased employees after they have been notified as they can't
be sure if the employee did or did not mix company credentials with personal
credentials in their password vaults.
Barring having access to a password vault, many passwords can just be reset. If
you have access to the deceased's main email account, often that will be all you
need to recover passwords (some may even store the passwords for other accounts
in their email, a common way pentesters escalate after getting access to
someone's email password via a phish). Depending on how tech savvy/security
conscious someone is, email accounts are often left logged in on desktops,
laptops and phones.
Assuming there is not full hard drive encryption enabled but you don't have
access to log in to a person's PC, you may be able to boot from external media
and just copy off the cookies to gain access to accounts. If a shared Windows
computer is in use and it has not been rebooted since the person passed and you
have access to an administrator account, you could use Metasploit's PSExec along
with kiwi to extract logged on user passwords from memory. Even if you don't
have an admin account, one could be added or current password hashes could be
extracted using external media. Then PSExec could be used to pass a hash,
execute Meterpreter then use post modules to extract passwords
(gather/firefox_creds, gather/enum_ie, etc.). Other good Windows tools for
extracting passwords can be found at NirSoft's site (http://nirsoft.net/password_recovery_tools.html).
Another tip: leave phones up and running for a while in case they are needed to
reset passwords or act in two factor authentication systems. This may mean
leaving some money in the account the bill is being autopaid from or moving it
to an estate account. Many times password resets may require verification via a
phone SMS message. Even if the phone is locked, according to Mr. Bubp the SIM can
sometimes be moved to another phone and some two factor authentication can be
received via SMS. From Lerg's talk, apparently Apple does not have a right of
survivorship for spouses if you need to get data from an Apple product or
service. Related to this, you may want to keep any domain names they own up and
running if they are using those domains for email.
I personally hate password reset/security questions, and will fill in things
that are not true and store my false answers. I remember how Sarah Palin's email
got popped because she was a public figure and questions like "where did you
meet your spouse" were easy to find. Password reset questions should likely be
stored by people making preparations for loved ones, or you may have to ask a
lot of family members to figure out the answers to some questions (I would have
no idea what my dad's first pet's name would be for example).
Barring gaining direct access to the credentials, you may have to deal directly
with the company to gain access to the accounts. In most of these circumstances,
you will receive rather limited abilities so it is better to find the
credentials for accounts if you can.
Facebook has support for setting up a "Legacy Contact" which has limited access
to your account, but can put up a notice that you have passed. Further details
are at the following link:
https://www.facebook.com/help/1568013990080948
Twitter gives access so loved ones can have an account deleted, but you cannot
gain access to use it.
Google's Inactive Account Manager has the ability to send messages to people you
designate to let them know you have been inactive. You can also choose to let
designated people download your information from +1s, Blogger, Drive, Mail and
YouTube if you have been inactive. However, people will not get access to use
your account.
https://support.google.com/accounts/answer/3036546?hl=en
I use Dreamhost as a provider, and it would be unfortunate if my site went away.
I assume other providers have similar procedures. Gaining access to accounts of
the deceased:
https://help.dreamhost.com/hc/en-us/articles/215202507-Gaining-access-to-accounts-of-the-deceased
Domain Registrars have similar procedures. GoDaddy has the following page on
"How to gain access to domains/accounts after owner's death".
https://www.godaddy.com/help/how-to-gain-access-to-domainsaccounts-after-owners-death-8356
If you run an important site, you may want to consider registering it via a
legal entity other than just your personal self. I'm told an LLC or trust can be
good options, but work with an estate attorney.
A final thing to consider is if availability is sometimes more important than
confidentiality. Family photos may not really need to be on an encrypted drive,
and many people want to keep them for the memories. The same goes for written
documents, old emails and digital personal effects.
Sorry if this article bummed you out, but people told me it might be helpful for
those preparing or those who have lost a loved one. Please check out the
following resources for more information on this subject.
Links:
Twitter thread that started it:
https://twitter.com/irongeek_adc/status/999838152318734336
How to Access a Deceased Loved One's Online Accounts by Doug Aamoth
http://techland.time.com/2013/07/16/how-to-access-a-deceased-loved-ones-online-accounts/
Online No One Knows You're Dead by Andrew Kalat (@Lerg)
at Shmoocon 2016, he also has written a book called "Managing Digital Legacies"
on the subject
https://www.youtube.com/watch?v=4GL10xrzyyU
https://www.safaribooksonline.com/library/view/managing-digital-legacies/9781491995037/
Death, Dealing, and Digital Forensics by Kyle Bubp (@kylebubp)
at BSides Cincinnati 2018
https://www.youtube.com/watch?v=5PBukBKkkz8
Thanks to @h0tdish for adding some
levity with the Beetlejuice inspired title.
If you would like to republish one of the articles from this site on your
webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek