Post-Suicide Account Cracking?

An anonymous reader writes "A good friend of mine had her younger brother apparently commit suicide last week. He was a young, promising CS major who was close to being accepted into a very prestigious school. He was very into Linux as well as PHP/MySQL coding. He left absolutely nothing behind for the family as far as a death note or explanation, and there is some possibility that this was all somehow a tragic accident. The family is in a situation where proof of accidental death would change how this was viewed in terms of paying for parts of the funeral. More importantly, some members of the family are hoping to find something, anything, that might explain why this all went down. Since I'm the most computer-skilled person the family knows, they have asked me if I could help them try to find some information. My possible approaches are: his Linux laptop, his university, Gmail And Hotmail email accounts, and a second MySpace profile that apparently has been tagged as private. How ethical would it be to, say, try to crack his root password in a situation like this? I wouldn't attempt to crack a man's account for his wife because she thinks he is cheating on her, as his life is his own business. In death, would you have the same respect for a person's private thoughts? Secondly, If I contacted places like Google, MSN, the university, and MySpace, what are the odds that they would give me access to any of his accounts? I have links to obituaries and such to prove that he is indeed gone. Would it be a matter of not giving it to me (maybe only to the family), or is this something that they would not do at all? Any opinions on if I should do this and if so, how I should go about it?"

I have said it before

dead people don't really care, one way or another.

Re:I have said it before

A subpoena could probably compel them to provide you with access.

From the question it seems like it's related to a life insurance policy that doesn't pay on suicide, which is the norm. So, the family ought to do a cost-benefit analysis about renting lawyer time for said subpoenas versus getting what they stand to gain by proving it wasn't a premeditated suicide.

Re:I have said it before

From the question it seems like it's related to a life insurance policy that doesn't pay on suicide, which is the norm

IANAL, but in many states life insurance still pays off on suicide as long as the policy has been in effect for a specific length of time (2 years in my state) and the death didn't involve a crime (OD on cocaine being a classic example).

Re:I have said it before

The subpoenas should not be necessary. If you are the next of kin and heir to the deceased estate, the accounts are now yours, the computer is yours and all information there in is yours. So simply gain permission from the current owners and gain access. However if you are doing it for legal reasons be careful that your actions do not contaminate the evidence. It is most likely best for the family to seek the assistance of the police in further investigating the incident and ensuring any evidence uncovered remains valid.

Re:I have said it before

From what I've read about similar cases in the past, you would need a power of attorney from the individual in question to get access to things like gmail and hotmail accounts. If he had a will, his executor might be able to get in.

A subpoena would probably get you in, but a court is not going to issue one just because a person is dead and you want to make the family feel better. If there is some grounds to suspect some kind of criminal activity, or that his death might be murder, a subpoena might be issued - but it would get the police into those accounts, not his friend. If the friend could think of some grounds to sue his estate, discovery might require access to the accounts, and generate an appropriate court order. But for the case as stated, he's likely out of luck.

I've left passwords and relevant access information so that this is not an issue. I do not have a problem with my family getting into my mail accounts, for instance, and they might need to pay some final bills. Some people, on the other hand, would have a problem with this. The accounts should not just be open to anyone who can prove that they guy is dead.

I'm not a lawyer, of course. :-)

file a petition with a judge

a court order will streamline all this for you

Re:Bad idea

It's actually a bit gray. If the deceased were not so then you would be entirely correct, as this would be unsolicited system intrusion. However, upon his death his possessions, including his various passwords and access to his accounts, became the responsibility of the executor (one would assume that either the mother or father took on this role, as it would be an exceptionally odd thing for a 21 year old to actually write up a will stating otherwise), who has since requested that the intrusion be done on what is, essentially, their property.

What shocks me is that this was ruled a suicide without an inquest going through all of this already. That is a very radical conclusion to come to, and one with (as stated in the story) some pretty serious legal and financial ramifications; happy successful people don't just off themselves for no reason and without any sort of note or indication that things were not going quite so peachy as believed i am surprised that no investigation has been done if only to rule the possibility that it's an accident.

Do it.

Your friend is gone; he no longer owns anything. His worldly possessions, including his accounts and passwords, belong to those he left behind. They have asked you to open the locked box, open it.

There is no ethical delimma. You are being asked to open something by that something's owner. NOT cracking passwords would be wrong.

Cracking root password not necessary

If you have physical access to his laptop, you can just boot with any linux live cd and mount the partitions without any access control. This will not work if he is using encryption, but unfortunately, few people do.

Re:Cracking root password not necessary

Also, once you have access to his laptop files it is highly likely that he is already logged in to his social networking sites, gmail, hotmail, etc. If you're lucky he might have even saved the password.

Possible account access from laptop

As the parent said, booting the system from a live CD will let you in. If this person used Firefox's password manager (and assuming he didn't set a master password), you can reset his account's password from the live CD, then log into the laptop as him, and use Firefox to connect to hotmail, gmail, etc... You could even use Firefox's "Show Passwords" to recover the passwords, if needed.

No need to crack root...

Just boot it with a LiveCD, and it's all yours.

Don't bother

How ethical would it be to, say, try to crack his root password in a situation like this?

Take 5 seconds to boot into single-user mode, or mount the disk elsewhere sans password.

Two possibilities

Well, if it was suicide, and there was anything he didn't want people seeing, then he had his chance to delete it. If it was not suicide then I think you have to tread more carefully, but in the end the dead have no right to privacy (or reason to care).

For FSM's sake, though, take a moment to "accidentally" delete his porn and such while you are going about this. That's just basic courtesy.

IANAL...

...but...

The belongings of the deceased become part of the estate. The estate, with a lack of a will, can go either to the 'state' or to the next of kin (depending where you live). The 'state' usually takes its taxes and give the rest to the next of kin. This means that the laptop and accounts now belong to the family (barring the EULA on myspace and google which, correct me if I'm wrong, state that the ownership resides with them). This means that you are cracking a laptop for an OWNER that no longer has a password (forgotten it, so to speak). There is no ethical issue here.

Gregor

Not to be indelicate...

A good friend of mine had her younger brother apparently commit suicide last week.

... but that sounds like a lot of words to describe a hit job. The political correctness is awesome though!

sanitize his history and records

In the military, there's the tradition of cleaning up a dead guy's locker before sending it home to his next of kin. Remove all skin mags, letters from local girlfriends if he has a wife back home, that sort of thing. Get rid of anything that might make them think less of the dead, they're already broken up about it as is. I'm sure the last thing this kid's family would want to find out about is his furry porn collection.

What Google requires for this:

1. Your full name and contact information, including a verifiable email address.
2. The Gmail address of the individual who passed away.
3a. The full header from an email message that you have received at your verifiable email address, from the Gmail account in question. (To obtain the header from a message in Gmail, open the message, click 'More options,' then click 'Show original.' Copy everything from 'Delivered- To:' through the 'References:' line. To obtain headers from other webmail or email providers, please refer to http://www.spamcop.com/help_with_headers/ [spamcop.com])
3b. The entire contents of the message.
4. A copy of the death certificate of the deceased.
5. A copy of the document that gives you Power of Attorney over the Gmail account.
6. If you are the parent of the individual, please send us a copy of the Birth Certificate if the Gmail account owner was under the age of 18. In this case, Power of Attorney is not required.

Speak to a lawyer.

Seriously. Speak to a lawyer, and then recommend a professional data recovery company to the family. You do not want to get involved with this. Best case, it turns out there's proof it was accidental. I'm not sure how that could be proved, but let's assume it was.

Worst case, you find evidence of... something. Drug use, criminal activity, involvement with a cult, something like that. Whatever it was, it drove him to suicide. Now you're in the position of telling the family that their son/brother was doing something they wouldn't have approved of. Yes, they may be glad to know what really happened, but you'd better believe that things are going to be awkward with the family from now on.

Or, possibly even worse than that... what if it turns out it was something the family did? Even if it wasn't anything illegal or even dishonest... do you want to be in the position of telling the parents that something they did caused their son to kill himself? I wouldn't. I wouldn't want to do that to my worst enemy, let alone people I liked.

Speak to a lawyer to find out the legal issues and what is needed to get information from various hosting services, then suggest that the family contact a good data recovery firm. Have them hire a lawyer to get the data from the hosting services. No matter how much you want to help, restrict it to helping them find professionals to get the data, don't try to do it yourself.

In military service...

...when someone is killed in action or dies in any other manner while away from home, his personal effects are examined by an officer before being sent to the next of kin. The official purpose of this, and the legal justification for it, is to recover whatever government property the decedent had issued to him -- but the officer, in a totally off-the-books manner, also removes the things his survivors wouldn't want to get back. And in an overseas military environment, there are lots of those.

I'd suggest something similar. Ask the probate judge to release the computers to a designated consultant, maybe a family friend, who has the technical chops to bypass the passwords (which, as others mention here, is not that big a job) and whose judgment they trust to preserve the decedent's privacy while he digs out anything that might help them.

rj

Re:Death certificate

You beat me to the punch. Having worked in the financial sector for a time, a death certificate should do the trick.

The catch will be is if the person signed up for accounts but didn't use his real name, address, etc. Then you may have a problem. Otherwise, submitting the certificate (more than likely official copies) should suffice to prove to the various places that the person is truly dead and you are doing a port mortem of his accounts.

The family should be the ones contacting these places as they are next of kin.

I know it's asking for trouble, but this is why all your accounts including username and password should be written down and stored in a separate location. Regardless if it's suicide or getting run over by a wildebeast, someone, somewhere, will need to be able to get into your accounts to clear things up.

Re:yes, but with conditions

If this guy was any kind of good person at all, I'm sure he would have wanted to share his porn collection with the world after he was gone. Sure, maybe you shouldn't tell anyone where it came from if it's got porn featuring midgets, grannies, horses, or especially all three at once, but you should still post it on Slashdot^W^W^W^Wgive it to his close friends.

Re:Providers providing passwords posthumously

Google is your friend! Here are some links to the story:

Slashdot [slashdot.org]

Another [slashdot.org] Slashdot.

The Conclusion [detnews.com] to the story.

Re:Gmail, Hotmail, MySpace

A friend of mine died last year and, as long as you can provide the proper paperwork, his family got access to his hotmail account. i guess as long as they can tie the death certificate to the person in the e-mails then its not a problem.

Re:If you saw your friend again

If he saw his friend again, he'd be more worried about protecting his braiiiins.