by Dr Tristan Jenkinson
In part one we discussed the role that data from password managers could play in an investigation. In part two we looked at what such an investigation may involve from a digital forensics perspective. We now discuss some of the potential issues that can arise in these investigations, and some areas where early consideration may help to ease or avoid them.
The Computer Misuse Act
In the UK, accessing a computer without the authority to do so would likely constitute a breach of the Computer Misuse Act. This means that even where credentials such as an email address and password are identified, and it would be technically possible to use them to collect the relevant data, doing so may not be lawful without additional steps to obtain the relevant authorisation.
Court Orders and Other Agreements
Accessing the content of password managers will usually require the use of a master password. When preparing court orders or agreements between parties, consideration should be given to including specific wording requesting the master password to any and all password management programs used. It may also be wise to consider ensuring that cooperation is required with respect to multifactor authentication, as this can be used to protect password managers (and is discussed further below).
Ensuring that such agreements are in writing could become important if a forensic investigation later identifies the use of a password manager after it was claimed that none was in use.
Acceptable Use Policies
Given the use of password managers at work noted previously, businesses may wish to update their acceptable use policies to cover password managers and their content, for example by stating that, where password managers are used on company devices, the business has the right to access the data stored by the password manager.
Privacy and the Impact of GDPR
One of the concerns that could be raised with regard to the content of data from password management systems is in respect of privacy.
The information contained within such programs could be considered to contain personal information. Further, it could contain information defined as “special categories of personal data” under the GDPR, which attract additional protections. Such categories of data include racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data, health data, or data relating to an individual’s sex life or sexual orientation.
This means that when looking to collect such data, or when wording acceptable use policies, agreements between parties or court orders, the relevant legal basis for processing should be specifically considered to avoid falling foul of the GDPR.
Multi-factor Authentication
It is worth noting that some password managers have the capability to implement multi-factor authentication.
This means that an additional piece of information is required to access the system in addition to the master password. Typically this is a code sent to a mobile device.
If multi-factor authentication is set up and there is no way to obtain the additional information required (such as the code sent to a mobile device), then it will likely not be possible to access the content. This should be a consideration where the individual concerned is not available, or may not be cooperative.
In summary, the content of password managers can be hugely helpful – whether in finding additional data sources in investigations, identifying further assets and bank accounts to be checked in an asset tracing case, or identifying bitcoin and cryptocurrency wallets that may need to be considered for a freezing order.
While password managers may not be of interest in most litigation cases, there are scenarios where their content could be absolutely vital to an investigation.
About The Author
Dr Tristan Jenkinson is a Director in the eDiscovery Consulting team at Consilio. He is an expert witness with over twelve years of experience in the digital forensics and electronic disclosure field and has been appointed as an expert directly by parties, as well as being appointed as a single joint expert. Tristan advises clients with regard to forensic data collections, digital forensic investigations and issues related to electronic discovery.