Digital Forensic Techniques To Investigate Password Managers

by Dr Tristan Jenkinson

In part one we discussed the importance that data from password managers can play. In part two, we look at aspects an investigation may include from a digital forensics perspective.

How Password Managers Can Be Investigated Using Digital Forensics

Evidence of Usage of Password Management Systems

Finding evidence that a password management tool has been in use could be an important step. It could lead to a request for the relevant details to access the content, or could be used to demonstrate a previous failure to provide details under court order or as part of an agreement. Having an indication of when the manager was installed, how often it was used and when it was last used could be helpful if the usage is questioned.

There are two main types of password managers – those which are locally based and those which are cloud based. The evidence which can be used to demonstrate usage differs slightly in each case.

Evidence for the use of cloud based systems may include webpages accessed, the installation and usage of browser extensions, and potentially related downloads. There would also typically be locally cached (saved) copies of the data contained by the password manager in order to provide offline access. In particular information about how often, and when, webpages through which the password manager was used could be helpful if there are claims that the password manager was not in use, or the master password has been forgotten.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


For local based password managers, the databases will be stored locally, so their existence and the date on which they were created may be useful. There is also likely to be a specific program installed for accessing the data, so looking at dates, times and frequency of the program being executed could prove helpful.

The Master Password

Without the master password, it will likely not be possible to view the content of the password manager. There are methods that can be attempted to locate the master password if it has not been provided. 

For example, check web browsers for saved passwords. They may contain an entry specifically for the password manager, or may contain passwords for other accounts or websites that may be the same or similar to the password required for the password manager.

Exporting Options and Historic Information

Once access is gained, there is a question over how data should be exported. As discussed above, there could be a vast amount of data and an investigator should ensure that all information that they require is exported.

There are often export functions from password manager systems. These typically will export out password information into a spreadsheet like file. Care should be taken though. Some password managers will store historic passwords, and the date on which they were changed – for example to make users aware that they are reusing a previously used password. This information may not be included in such an export so this should be considered by the investigator.

Sections such as secure data storage should also be checked to make sure that information has been exported, and where possible relevant metadata has been preserved. As with any forensic collection exercise, the investigator should take detailed contemporaneous notes.

Live Imaging and Access

If, at the collection/preservation stage, the machine is being imaged live (i.e. while powered on and logged in) then the investigator should consider if the password manager is logged into. If so, the investigator may then need to consider if the content can (and should) be exported. As discussed above, this may require specific considerations with regard to data privacy and data access.

Local Storage and Investigating Purge or Removal of Passwords

As has been noted, both cloud based and local password managers will typically store copies of the database containing the contents of the password manager on the local machine. 

This means that if an image of the machine is taken, and the master password is provided at a later date, in most cases it will be possible to retrieve the content of the password manager at the time of imaging.

This could be of particular interest if there is concern that the content of the password manager has been purged or deleted between the time of imaging and the time that the password is provided.

This may therefore be a consideration when having conversations about access to the password manager. For example, it may be suggested that the custodian may input the master password on a live machine, therefore providing access, but not providing the password. It is preferable to be provided with the password, so that previously captured data can then be unlocked. 

Other Potential Access Points

It is also worth considering alternative access points. Some password managers allow you to share passwords with others. Some allow you to nominate an emergency contact, who can be given access in a specific scenario. These people may also have access to the content of the password manager, so it may be worth considering who such individuals may be. It may be possible run email searches for invitations to the password manager, or notifications from the software that is found to be in use, to identify who may also have access.

Business Accounts and iCloud Keychain

Some businesses provide their staff access to password managers to use at work. This means that the business may have the means to access and export the content. Investigators should bear this in mind when considering data sources to be collected and investigated. It may be beneficial to work with internal staff, where appropriate, to collect the content of business based password management systems to avoid risk of the systems being purged if the individuals involved are tipped off. Care should be taken to ensure that the business have the rights to access and collect the data from the password manager, for example through the use of acceptable use policies (discussed further in part three).

Apple iPhones come with an inbuilt password manager – iCloud keychain. This password manager is then shared across devices using iCloud. If the business provides iPhones for business use, then the iCloud keychain system could be in use and could be a relevant location to consider – provided that there is legitimate lawful access available. This is something that investigators should be aware of and may be a helpful source to investigate.

Don’t Forget Hardcopy

Whilst these articles have are focused on the use of password manager software, investigators should also consider the use of hardcopy password books. These are in relatively common use and so are something that should be considered for collection and investigation. 

As with password managers, specific wording may need to be included in acceptable use policies, agreements between parties or court orders to ensure that they can be preserved and examined where relevant within a business environment.

Coming Up

In part three, we will discuss some of the potential issues that can arise in such investigations and some areas where early consideration may help ease or avoid these issues.

About The Author

Dr Tristan Jenkinson is a Director in the eDiscovery Consulting team at Consilio. He is an expert witness with over twelve years of experience in the digital forensics and electronic disclosure field and has been appointed as an expert directly by parties, as well as being appointed as a single joint expert. Tristan advises clients with regard to forensic data collections, digital forensic investigations and issues related to electronic discovery.

Leave a Comment