Kaseya Community

Stolen Laptop

  • Hi Guys,

    I have a client that has a stolen laptop and now it has been checking in and someone has been using it.

    Does anyone know of a way to script a printscreen application and to have these files uploaded to the KServer? It only appears to log on late at night and I don't have the time to watch it all night for any revealing information.

    Any other thoughts on something we can do to try and trace it?

    Any help would be greatly appreciated!

    Thanks.

    Legacy Forum Name: Stolen Laptop,
    Legacy Posted By Username: David2201
  • Search the forums for what you're looking for, as well as for other posts related to stolen laptops, and what other users did.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: boudj
  • Make a note of the address the agent is checking in from. Find out which ISP owns that address - Let the police and ISP work together to track down who is using the stolen laptop.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Dean
  • My company recovered a stolen desktop system for a client a few months ago. However, it took a while (about 30 days) for the police to get the physical location from the ISP. According to the police detective the ISP sent the request to their legal staff and so on. It seemed like it would never be reclaimed. It's helpful if you can gather any other information to confirm or speed up the process.

    Matt

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: connectex
  • Set up an agent online alert to capture the gateway IP every time the machine connects to the internet.
    I have supplied time and IP info to police and within 24 hours they had the laptop back.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: garry
  • David2201
    Hi Guys,

    I have a client that has a stolen laptop and now it has been checking in and someone has been using it.

    Does anyone know of a way to script a printscreen application and to have these files uploaded to the KServer? It only appears to log on late at night and I don't have the time to watch it all night for any revealing information.

    Any other thoughts on something we can do to try and trace it?

    Any help would be greatly appreciated!

    Thanks.


    If you need any help on the scripting side of things when it comes to getting the laptop back (screenshots of the desktop, automatic IP-to-location via Google Maps, audio recording, built-in camera screenshots, etc.) please let me know.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com
  • Mate, if you know of a way to do IP to Google Maps and Screen Capture and Upload scripts that would be excellent!

    I'm not overly savvy when it comes to Kaseya scripts.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: David2201
  • We had a similar situation and ended up setting up an offline backup to our FTP server of all the docs etc. on the laptop. It was the loss of the data that hurt the user more than the actual loss of the laptop.
    So when the laptop next appeared online all the user's docs etc. were copied.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: haakerp
  • Hi Guys,

    Just wanted to let you know that the Laptop has been recovered and the news story is the top article on TheAge.com.au at the moment.

    http://www.theage.com.au/digital-life/computers/sprung-by-facebook-geek-justice-for-pornsurfing-laptop-thief-20090812-ehpa.html

    Big thanks to Ben for all the help and effort he put in.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: David2201
  • ROFL - serves him right, you can't get good porn from Google

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: dsheedy
  • We've had a few laptops stolen and have managed to get all but one back - so far.

    Best one was stolen during a home invasion. Client was a PhD student with no backup of his thesis. Set the alert, it came online and we immediately FTP'd anything that looked like data. Got a lot of photos of the new user, Facebook info etc. One photo that really got the police's attention was her holding a bag of drugs.

    They did the raid a few days later and the laptop wasn't there but they got lots of other stolen goods, drugs, weapons etc.

    A few days later the laptop came online again and this time the police found it in the raid. Along with more stolen goods, drugs, weapons etc.

    Two baddies for the price of one. Got the computer back, got the thesis. Good result.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: chollins
  • David2201
    Hi Guys,

    Just wanted to let you know that the Laptop has been recovered and the news story is the top article on TheAge.com.au at the moment.

    http://www.theage.com.au/digital-life/computers/sprung-by-facebook-geek-justice-for-pornsurfing-laptop-thief-20090812-ehpa.html

    Big thanks to Ben for all the help and effort he put in.


    I'm glad you got it back -- that makes it worth all the effort.

    If it happens again let's hope the laptop actually has a webcam :)

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com
  • I wanted to share my story of what has been going on the last few days in my tech world. I had given my brother-in-law my old Dell laptop a year ago which I left Kaseya installed on. Tuesday afternoon someone broke into his apartment and stole the laptop, TV, stereo, some antique rifles his grandpa gave him from World War II and some other stuff. He was very upset of course, and his car was stolen not less than 6 months ago to top it off. So if you’ve ever had anything stolen you know that feeling.

    I told him that it was good they stole the laptop as I might be able to track it through Kaseya. Little did I know how true that was when I said it. I spent the good part of Wednesday writing and testing scripts to be able to gather as much info as possible if it came online.

    The first thing I did was cancel all scripts so they wouldn’t get in the way if I needed quick access and then set an agent monitor to email me when it was connected. Next it would disable the AVG watchdog by setting the service to disabled then killing the process. If you don’t, the process will keep restarting. Then I renamed the 2nd exe file AVG uses for its resident shield, avgrsx.exe. You can’t kill this process so you have to rename it and then restart the computer with a script. When it comes back up, it can’t find the file and AVG is useless. The reason I needed it disabled was for the key logger, which would be detected even if I added the files to the Exceptions list. I found a keylogger that is tiny, requires no install and is very powerful. I used Ardamax Key logger and was able to write a script to copy itself to a folder, add it to the registry to run on start up, and hide all traces of the files. What it does is email me an HTML file of any keystrokes, websites and chat messages every 5 minutes and a screenshot every 10 minutes. With a good keylogger, screenshots aren’t very important, but they are nice to have for proof. I also wrote scripts to hide VNC, disabled the VNC wallpaper remove registry value, hide Kaseya icon, folders and from Add/Remove. This all happened so quickly I’m sure the thief didn’t see anything other than maybe a restart.

    Thursday night I was talking to my neighbor when my iPhone buzzed, he heard it and I explained that at any point I might get an “agent is online” email regarding the stolen laptop. And bam there it was! I ran as fast as a guy in flip flops with a beer in one hand and an iPhone in the other could run.

    My brother-in-law coincidentally was minutes away and when he got to my house we enjoyed the show. I opened up Remote Control and up it came. The first thing the new owner of the laptop did was go to MySpace, as I had guessed, then Facebook and all those types of websites. Every login/password and keystroke was emailed to me every 5 minutes. She then logged into her Yahoo mail, her College financial aid account, Kaiser Hospital account and a few others. Within a couple hours I had her name, tons of pictures, birthday, cell and home number, boyfriend’s name and birthday, and other family members’ info. She then went on to play mindless Yahoo games for the rest of the night. What we didn’t have, though, was her address.

    The next day I found an address but it didn’t match the location of where a traceroute on the IP showed. But it was all we had so we went to that location Saturday morning to scope out the place. It was a gated apartment complex, but we found where her apartment should be by parking in a nearby lot and using my binoculars. I called her cell number and she didn’t answer. I waited 5 minutes and called again, she answered and I started my act. I said I was Rick with UPS and that I had a package from (her father’s name which I had found out) and that it didn’t have an apartment number on the package, so needed her to confirm to me the full address. She gave up the info quite easily, it matched what I had, I asked if she was there to accept it and she said yes. That alone was pretty exciting. But not less than 2 minutes later, she’s out the door looking for her UPS package! With the binocs I could clearly confirm this is the exact person from all of the pics on the laptop from the previous 2 days. We had called 911 as soon as she said she was there and then waited.

    BTW all of this monitoring I was able to do from my iPhone, I could see she was using the computer as we were there and was constantly receiving emails from the keylogger. I also bought a WiFi radar app for the iPhone that shows all of the WiFi access points and where they are in proximity to you. I had already scanned for access points through the laptop the day before when she wasn’t using it (very carefully and quickly as not to tip her off!) and matched up the SSID names to what I was seeing at her apartment. So we knew for sure that the laptop was there, less than 20 feet from us, and that she was there.

    Well this is where the story gets frustrating. No police came, they called us but said they can’t do anything without a warrant, even with the info we had. My brother-in-law had already spoken to the police many times before we scoped out the apartment, but nothing had come of it, so we gave them all of this new info and are now waiting to see what happens next. We hope they quickly get a warrant as who knows how long that laptop will be there. The main things that he wants back are his grandpa’s guns from the War. But it has been exciting to be able to do this, without Kaseya we would have nothing to go on. I have already deleted all of his data and personal info on the laptop after copying it over via FTP through Kaseya. If we don’t get it back I guess I could format the laptop with some type of script or app and at least feel better about that.

    It really has been quite exciting so thought I’d share it with all of the other users who love to write scripts and do some neat things through Kaseya. I’ll update this thread when anything else happens if anyone is interested…

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCG
  • I'm surprised that with just an IP that people have been able to have the police raid somewhere within a couple days. Can anyone share how they dealt with the Police and what they said and did? We're being told there's not much they can do, and I have every bit of contact info about the thief that is possible!

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCG
  • CCG
    I'm surprised that with just an IP that people have been able to have the police raid somewhere within a couple days. Can anyone share how they dealt with the Police and what they said and did? We're being told there's not much they can do, and I have every bit of contact info about the thief that is possible!


    Try going up the line at the police department?

    Hearing they cannot act on this kind of evidence seems absurd to me.

    Get in touch with higher level people in the county, perhaps? The mayor's office?

    I haven't had experience with this personally but I know that police departments can be very hit or miss when it comes to tracking down stolen electronics.

    I'd like to think you could get them to take action on their own but perhaps it might be worth it to get a good local lawyer involved, someone who knows the judges, police chiefs, etc.

    Make sure to let them know that firearms were stolen too. I don't know if you have to mention they are antiques and whether or not they work, just that real, working guns were stolen and are now in the hands of criminals.

    If all else fails with the police, how about contacting your local news? Especially with the pictures from your own detective work, don't you think they might be interested?

    Good luck, I'm hoping to hear a positive resolution to the story.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com