by Dr Tristan Jenkinson
There have recently been a number of articles discussing the use of common passwords and encouraging better password practices. Most guidance includes the recommendation not to use the same password for different accounts. This makes sense – it limits risk of further exposure in the event that one set of details is compromised. To do this we have to remember an increasing number of (potentially complex) passwords. This is not something that comes naturally to most of us.
One way to cope with having many passwords is to use a password manager. This is a program which you access with a “master password” and it stores all of your passwords for you. The idea being that you only need to remember your master password.
In this series of articles we will explore:
- how data from password managers can be important to investigations;
- methods that can be used to investigate password managers; and
- important considerations when looking to investigate data from password managers.
In this first article we cover the importance that data from password managers can have to an investigation.
Why Data from Password Managers Can Be Vitally Important
There are many different scenarios in which the content of password manager databases could be useful during an investigation. We discuss some of these below.
One of the more obvious benefits of password managers is that they contain passwords. Therefore they may provide access to data that has been identified but could not previously be accessed because they were password protected.
Research shows that individuals tend to reuse passwords, or use variants on other passwords, rather than using unique passwords all the time. This means that an investigator could take an export of all of the known passwords from the password manager and create a new dictionary of passwords built from these (and their variants), to try against any known password protected data.
Data Sources and New Lines of Inquiry
Password managers could contain data sources that were previously unknown. These could be diverse in nature, such as additional email addresses or different cloud storage solutions. Just knowing the additional information exists may be useful. If, in addition, these data sources can subsequently be preserved and investigated, they could be hugely useful to the investigation.
New data sources could also give rise to entirely new lines of inquiry – for example an email address may provide an entirely new identity that was used for fraudulent activity. In this case, other data could then be searched for that alias to identify potential evidence of additional wrongdoing. Alternatively this could be used to tie a specific alias or identify to an individual, since they had the password for accounts in that name, or in corruption cases this could identify web-based email used to communicate with co-conspirators involved in the alleged corruption.
An important point to raise (and one that will be revisited in part three) is that although the accounts and passwords are available, this does not mean that the relevant data can automatically be collected. In the UK, accessing data such as email or cloud storage without authorisation to do so could be a breach of the Computer Misuse Act.
Bitcoin Wallets, Cryptocurrencies, and Other Financial Services
If credentials for bitcoin wallets and other cryptocurrency assets are lost, the value of the asset may no longer be accessible. Therefore it is important to ensure that such details are saved in a secure manner – for example within a password manager. This also applies to online banking details for conventional bank accounts.
While other sources (such as internet history and installed applications) may indicate the relevant banks or cryptocurrencies in use, a password manager could provide full account details. This could be key in asset tracing cases, allowing for requests to be made for information from relevant financial institutions, or to identify and investigate the content of cryptocurrency wallets.
There may also be information with regard to other financial institutions, such as loan companies, stockbrokers, trading platforms, foreign exchange and wire transfer services. This information could be important in asset tracing or anti money laundering cases where information about the movement of funds may be key.
Not Just Passwords
Many password management tools provide additional storage for “important documents”. This could hold, for example, scans of passports and other key information, in case they were urgently needed and the original documents were not available.
Such “important documents” may also hold significant value for investigators. Passport information could be helpful to link an alias to an individual, or to connect the content of the password manager to a specific individual.
Other “important documents” could include property deeds, purchase agreements, shareholdings or important contracts or valuations. These may be of interest in cases where the value of goods under control may be of importance. Alternatively, information on assets could inform an enforcement strategy or an approach to freezing orders to ensure that assets cannot be disposed of or dissipated.
In part two, we will discuss some of the ways in which password managers can be investigated and then in part three, we will look at some issues to bear in mind during such investigations.
About The Author
Dr Tristan Jenkinson is a Director in the eDiscovery Consulting team at Consilio. He is an expert witness with over twelve years of experience in the digital forensics and electronic disclosure field and has been appointed as an expert directly by parties, as well as being appointed as a single joint expert. Tristan advises clients with regard to forensic data collections, digital forensic investigations and issues related to electronic discovery.