“My brother died. I’m calling you to get into his computer for me. He had a lot of money invested in the stock market, and we can’t find his will. We’re hoping there are clues on the computer.”
The brothers were both in their seventies. Ron, the deceased (not his real name), lived alone in a beautiful home on the shore of Lake Stevens in Washington. It was in December, just before Christmas, 2022. Ron wasn’t in the best of health, but his death was unexpected. No one was with him at the time. When I met his brother at the home a few days later, Ron’s computer was still on, but it was locked, and no one knew the password. After I gained access, I was able to tell his brother, “Ron’s last activity on the computer was at such-and-such a time, so his death was sometime after that.” But I’m getting ahead of the story. Let’s go back to how I got in.
The Goals
For complete digital recovery after someone dies, there are two goals: (1) data recovery, and (2) account recovery. These two goals overlap, but they’re not the same. For example, if the person has a laptop, and if the hard disk drive or solid state drive isn’t encrypted, the data can be recovered without ever knowing their computer password. But suppose they have a Windows computer with BitLocker whole disk encryption enabled on their laptop’s drive. In that case, data recovery takes a back seat to account recovery. By first recovering access to their Microsoft account, you can usually obtain their BitLocker recovery key, and then use it to decrypt the data on the drive. Or, if you get lucky and the person is a power user, they may have stored a copy of their BitLocker recovery key somewhere, either on a piece of paper or on a USB drive.
If the person was a Mac user, then the whole disk encryption will be FileVault, not BitLocker, but the process is roughly the same. If you can’t log in to the computer directly, you need to gain access to their iCloud account – usually. Apple has another option, though. You can create a recovery key that isn’t stored in the iCloud account. Then you end up doing the same thing as you would for a Microsoft computer, and look for a piece of paper or a USB drive that contains the recovery key.
But you can’t just think about getting access to the computer. You also need access to their phone. The phone will be a resource for unlocking a lot of accounts that require 2FA/MFA.
2FA and MFA
Two-Factor Authentication (2FA), also called Multi-Factor Authentication (MFA), is a common way to add an extra layer of security to an account. For example, after you enter a password for an online account, you may be sent a text message with a six- or seven-digit numeric code. After you enter this second authentication factor, you’re allowed access to the website or account.
Another form of 2FA involving the phone is an authenticator app. Some common ones are Google Authenticator, Microsoft Authenticator, and Authy. These apps work in a variety of ways. You may be asked to tap the correct number, or enter a numeric string.
There are some 2FA methods that don’t involve the phone. The person might have one or more physical security keys, like a Yubikey or a Google Titan. The family members may not know what these devices are. Even if they know what a Yubikey is, they may not know if their deceased loved one had one or not, so I always ask to see the deceased person’s key ring. I ask to see what they usually carried in their pockets, and to look at the contents of purses and backpacks. Finding a physical security key is a rare but fortunate occurrence, because it will save a lot of time on account recovery.
Account Recovery
The family will want quick access to email and social media accounts. The email contact list is valuable for notifying friends of the death, and sharing details about when and where memorial services will be held. Email may be on the phone, the tablet, the laptop, or any combination. Many people have more than one email account. Some accounts may be on one device, and a different account may be on another device. It’s important to check each device separately for email accounts.
Once you’ve unlocked a device, if you’re fortunate, a lot of accounts will instantly be available. It’s common for people to save app passwords in the app, and it’s also common to save passwords in the browser.
For those browser-stored passwords: be sure to look in every web browser on the device. Some people use different browsers for different purposes. For instance, their bank accounts might be easy to access with saved passwords in Microsoft Edge, and their social media accounts might be easy to access with saved passwords in Google Chrome. If you use the wrong browser on their computer, it won’t have the stored password, so determine what web browsers are installed and try each of them.
Another thing to look for early in the account recovery process is a password manager. The password manager may be a separately installed app, or it may be a browser extension. The password manager will have one master password that can be used to access all the other authentication information. Obtaining the master password can be one of the most difficult tasks. There’s a way around it, though. If you gain access to one or more email accounts, you can use the “forgot my password” option on many websites and have them send you an email with a link to change the password. The main email account on the phone is often the “golden ticket.” It’s usually the email account that’s used for password resets, so we’re back to the phone again. If you can unlock the phone, you can leverage that access to get into almost everything.
Data Recovery
To recover data, we’re going to do a couple of different things.
First, we’re going to copy all data on all unlocked devices. Look for storage media, too. The person may have USB thumb drives, external USB storage drives, and so forth. If all the stars are aligned just right, and the deceased is someone who was diligent about making data backups, you may be able to get most of the data from the backup media without ever unlocking the computer.
The disk drive(s) can be removed from the computer, if it can’t be unlocked, and data can be copied from the disk. If they used whole disk encryption, you won’t be able to easily get around the need to find the decryption/recovery key.
For phones, the easiest way to extract the data is with a direct cable connection to a computer. The phone has to be unlocked first.
Second, we’re going to look for data in online accounts: Google Drive, Microsoft OneDrive, and iCloud are obvious places to start. But don’t forget to look for third party cloud storage accounts like Dropbox, Box, Proton Drive, and Carbonite. Many people have data stored in more than one online service. Check the phone, tablet, and all computers for cloud storage accounts.
Unlocking the Phone
With all this account recovery and data recovery to do, where do we start? It’s kind of circular. If the person uses their computer as their primary device for things like banking, and if they use Outlook email on their computer, then getting into the computer is a major objective. On the other hand – once we get into the computer, we won’t be able to access some important accounts without using the phone for 2FA.
I tend to start with the phone, and then move to the computer. Your first reaction might be that the phone is hard because so many people use their fingerprint or facial recognition to unlock it, but that’s usually not an obstacle. Every Android and Apple phone that uses biometric authentication has an alternate way to obtain access. Android devices will have a PIN or a pattern code. Apple doesn’t support pattern unlock, but biometric authentication can still be bypassed with a PIN, also called a passcode.
In very many cases, unlocking the phone is easy, because a family member knows the PIN or pattern code. But be sure you get it right, because too many failed attempts will render the device unusable without a factory reset, and all data will be lost.
And, one more thing: when your loved one dies, keep paying their cell phone bill until you’re done with all account and data recovery. Their smartphone is often a key piece of hardware for 2FA codes, and if the phone number is deactivated some 2FA methods won’t work. You may need their phone to access and close accounts. It may be important for financial and legal matters.
Unlocking the Computer
There are a few different ways to unlock the computer. Here’s a list, in order of preference:
1) See if a relative or friend knows the password or PIN.
This is by far the best solution. It’s pretty common for someone close to know the password/PIN. Before you go all crazy with cracking tools, just ask.
2) Search the deceased person’s belongings for a record of the password or PIN.
People keep notes. I’ve found the information in wallets and purses, in notebooks, in desk drawers, in file drawers, in a pocket of a laptop bag, on bulletin boards, under refrigerator magnets – look around, with an eye for words or number and letter combinations. Some people keep the password/PIN for their computer in a digital note in their phone. Conversely, some people keep the PIN for their phone in a digital note in their computer, so like I said earlier – whether to work on the phone or the computer first is a toss-up. It’s kind of circular.
3) Change the unknown computer account password to a password of your choice.
There are several ways to change an unknown password to a known password. I’m not going to detail them here. There are free software tools available online, and you can also download and pay for professional-grade password tools. Beware: many of the free tools are actually malware in disguise, and the paid tools involve several steps, and for most people it’s not a good idea to attempt this yourself. But if you already have IT skills, legitimate password changing software can certainly do the job.
4) Crack the password.
There are software tools that you can use to crack the user’s password, instead of simply changing it. Discovering the password generally takes more time than changing it, but there are times when doing it this way is important. For example, on Windows machines, there can be encrypted files where the user’s password is needed as part of the decryption key. If you change the password, you can get into the computer – but you may not be able to read the encrypted files. By logging into the computer with the user’s regular password, these files appear in cleartext.
5) “Blank,” or remove, the password.
Blanking the password is a method that was used on older computers. There was a time when setting a password on a Windows computer was optional, but for the last several years Microsoft has made it almost impossible to set up a computer without a password. But, there are still a few really old computers around, so for the sake of completeness I’m mentioning this archaic method here.
When the password is blank, or set to null, then you can just turn on the computer and it boots straight into the user’s account. If there’s more than one user, you select the appropriate user account, leave the password field blank, and go.
When You Can’t Unlock the Computer
There are times when unlocking the computer doesn’t work as expected. For example, sometimes the deceased person has more than one computer. The computer in the closet doesn’t work anymore, and they bought a new computer. But it’s still a good idea to recover the data on that old computer.
In these situations, the solution is to open the computer, remove the disk drive, and connect it as an external drive to a working computer. Now the files can be copied. The only time we run into a problem is if those files are encrypted.
If they were using password encryption, our best options are to find some record of the password, or recover it by cracking the password hash stored on the computer.
If they were using BitLocker whole disk encryption, we’ll need to find the key – hopefully it’s stored in their Microsoft account online – and use that to decrypt the files.
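A read-only triage for a drive pulled from the computer, added here as an example (it is not code from the original article): it walks a raw disk image's GPT or MBR and reports which volumes carry the BitLocker boot-sector signature and therefore need the recovery key before any files can be copied. The function names, the image path argument and the 512-byte sector size are assumptions.

```python
# Added example, not from the article; function names are hypothetical.
import struct

SECTOR = 512  # assumed logical sector size; 4Kn drives use 4096
OEM_IDS = {b"-FVE-FS-": "BitLocker", b"NTFS    ": "NTFS", b"EXFAT   ": "exFAT"}

def classify_volume(boot: bytes) -> str:
    """Name a volume from its first sector (OEM ID lives at bytes 3..10)."""
    if len(boot) < 11:
        return "unreadable"
    return OEM_IDS.get(boot[3:11], "unknown")

def partition_starts(f) -> list:
    """Return [(name, first_lba)] from the GPT, else from the MBR table."""
    f.seek(SECTOR)
    hdr = f.read(SECTOR)
    parts = []
    if hdr[:8] == b"EFI PART" and len(hdr) >= 88:
        entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
        if size < 128 or count > 1024:  # refuse an implausible header
            return parts
        f.seek(entries_lba * SECTOR)
        table = f.read(count * size)
        for i in range(count):
            entry = table[i * size:(i + 1) * size]
            if len(entry) < 128 or entry[:16] == bytes(16):  # unused slot
                continue
            first_lba = struct.unpack_from("<Q", entry, 32)[0]
            name = entry[56:128].decode("utf-16-le", "replace").split("\x00")[0]
            parts.append((name or f"gpt{i}", first_lba))
        return parts
    f.seek(0)
    mbr = f.read(SECTOR)
    if mbr[510:512] != b"\x55\xaa":
        return parts
    for i in range(4):
        # Partition type at +4, starting LBA at +8 of each 16-byte entry.
        ptype, first_lba = struct.unpack_from("<B3xI", mbr, 446 + 16 * i + 4)
        if ptype not in (0x00, 0xEE) and first_lba:
            parts.append((f"mbr{i}", first_lba))
    return parts

def triage_image(path: str) -> list:
    """List (partition, type, needs_recovery_key) for a raw image file."""
    with open(path, "rb") as f:
        first = classify_volume(f.read(SECTOR))
        if first not in ("unknown", "unreadable"):  # image of one bare volume
            return [("volume", first, first == "BitLocker")]
        results = []
        for name, lba in partition_starts(f):
            f.seek(lba * SECTOR)
            kind = classify_volume(f.read(SECTOR))
            results.append((name, kind, kind == "BitLocker"))
        return results
```

An "unknown" result means only that the first sector matched none of the three signatures; it does not show the volume is unencrypted, since other encryption products and file systems are not recognised here.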
The Rest of the Story: Cracking Ron’s Computer
But enough of the boring technical details for now – let’s get back to Ron’s computer.
Before he died unexpectedly, Ron told his brother that he had made a will, but after searching the house his brother hadn’t been able to find it. Also, Ron’s brother knew that Ron had significant investments in the stock market, but there wasn’t too much in the way of paperwork to be found.
When I arrived at Ron’s house, his brother showed me the computer. It was a desktop computer; there was no laptop. His brother also had Ron’s Android smartphone, but he had no idea what the PIN was.
Getting into the phone wasn’t going to be easy, so I started with the desktop. I asked Ron’s brother for permission to do a search of the office. I asked for permission to open any drawers, go through any stacks of paperwork, and look in any unsealed envelopes. If anything was sealed, I would bring it to his attention.
I found several pieces of paper, on the desk and in drawers, with various account passwords. Some of them seemed like they might be likely candidates for the computer password, too, so I tried a couple of them. No luck. Microsoft doesn’t like it if you try too many wrong passwords on a computer. You get locked out for a while, and it just slows down my work. So after a couple of quick tries, I switched to professional password changing software, and replaced Ron’s still-unknown computer password with one I made up.
I was in. And, we were fortunate! Ron’s computer didn’t use BitLocker encryption, and he wasn’t using any other file encryption, either. Everything was right there.
Next, I searched for the will. I found two things: I found a copy of the will in PDF format, and I also found a scanned receipt. Ron had filed his will with the King County Superior Court Clerk. The PDF copy was nice for the brother to have as a quick source of information, and the legal copy was in the Records Office and could be retrieved easily.
Once the problem of the will was solved, I did what I would normally do first: I looked for a password manager. Ron stored his passwords in his web browser using the LastPass browser extension. Between LastPass and the various notes in his desk, I had the information I needed to access everything.
Some accounts required 2FA – 2-Factor Authentication – and when I tried to sign into the accounts, they sent a text message to the phone. Remember I said that Ron’s brother didn’t have the PIN for the phone? It was no problem, because Ron had allowed text message notifications to display on the lock screen. We just kept the phone handy, and when we told a website to send the verification code, we looked at the phone – and there it was.
How to Prepare While You’re Alive
Some people say, “I don’t want anyone – even my family – to get into my computer or online accounts when I die.” If that’s you, then you can skip this section, because now I’m going to tell you how to prepare so that it’s easy for at least one loved one to obtain all of your data – local and online – after you die.
Ron could’ve made it easier for his brother if he’d done just a few simple things.
1) Keep a complete, well-organized, offline list of all passwords. Include information for getting into all computers and all online accounts. You can lock this up somewhere; just make sure your trusted person knows where to find it.
2) Use a password manager, and then you only need a written record of two passwords: the master password to unlock the password manager, and the computer password.
3) Give your trusted person access to your phone. You can keep a written record of the phone’s PIN with your password list.
4) Keep a list of all financial accounts.
5) File a copy of your will with the County Records office.
6) If you use a physical security key, like a Yubikey or Google Titan, make sure your trusted person knows you use it, what it looks like, and where to find it.
7) One last idea: I know a woman who is single and lives alone. She has a sealed envelope clipped to her refrigerator that contains all the information the executor of her estate will need when she dies. You may prefer to hide this information in a fire safe built into the wall and hidden behind a painting of your favorite uncle, but you get the idea. Let someone you trust know where they can retrieve the information. They don’t need to know your passwords right now.
Last But Not Least: Legal Considerations
Before we wrap this up, we need to talk about the legal side of account and data recovery: in many places, “the dead have rights.” Those rights may be actual legal rights, enshrined in law, or they may be rights conferred on them by the online account provider.
I’ve heard several sad stories from people who went to major online account providers with a request for access to a deceased loved one’s account. On the one hand, it can be very difficult. On the other hand, it can be impossible. The online service that stores your loved one’s pictures, files, or email may flatly refuse to offer any assistance.
Parents have been denied access to the accounts of their deceased minor children. Adult children have been denied access to the accounts of their deceased parents. Oftentimes, online account providers have processes in place for people to take advantage of while they’re still alive. When you approach the provider after your loved one dies, their response is, “That should’ve been taken care of. We have procedures in place, use them.”
For example, Facebook provides the ability to set up a Legacy Contact to manage your page after you die. But you have to be proactive and set it up.
As a data recovery and account recovery specialist, I comply with government laws. To that end, I’ll ask you to provide certain legal documents relevant to your situation. For example, are you the executor of the estate? Were you their parent or spouse? Then prove it. But I’m not too concerned about the policies of online account providers. If I can get you in, I’ll get you in – no success, no charge.
You can contact me for more information at https://fifonetworks.com/contact-us/. It says, “Contact Us,” but I’m a sole proprietor. It’s me. You’ll be working directly with me.
About Bob Young
Bob started his cybersecurity career with a secret clearance for cryptographic electronics in the US Navy as a young man. Then he worked for corporations in the private sector to provide secure data storage, handling, and transmission. He started his own company in 2003, helping companies develop secure networks and policies. He taught cybersecurity courses at colleges for several years, and still consults and teaches privately for corporations and public utilities.