Kaseya Community

stolen laptop

  • I've had one of my monitored laptops stolen.

    I've tracked this thing over the course of 3 weeks on 3 different networks.

    I've contacted the network admin of the current/latest network the machine is on, and he wants me to let him know the moment I see this machine again.

    How do I set up a script or a monitor to notify me instantly the next time I see this machine on a network again?

    If it matters, the machine is a Mac.

    Thanks,
    Will O'Neal

    Legacy Forum Name: stolen laptop,
    Legacy Posted By Username: willoneal
  • You could just configure online alert for the agent and have it notify you when it is online.

    You can apply a script to run against it every 5 mins (check skip if machine offline) that will email you if a a certain variable is met (the Gateway address).

    Just a thought.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: boudj
  • I hope I set it up right - thanks for the tip.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: willoneal
  • Hi. Just curious, has that laptop turned up yet??

    Legacy Forum Name: How-To,
    Legacy Posted By Username: carey-pccare
  • The machine has shown up 4 times total, but not since I started learning how to get some apps to install and a script to run to capture some more information.

    The most amazing thing is the darn machine showed up on a network in a building 300 feet from my office. I got in touch with the system admins over there and they were very helpful, but it's been a week and it hasn't shown up again.

    I'll be ready for when the next time it shows up, hopefully. I'm working on a script to enable the camera and take a picture of the thief! I've got a long way to go, though.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: willoneal
  • Excellent !!

    Legacy Forum Name: How-To,
    Legacy Posted By Username: carey-pccare
  • willoneal
    The machine has shown up 4 times total, but not since I started learning how to get some apps to install and a script to run to capture some more information.

    The most amazing thing is the darn machine showed up on a network in a building 300 feet from my office. I got in touch with the system admins over there and they were very helpful, but it's been a week and it hasn't shown up again.

    I'll be ready for when the next time it shows up, hopefully. I'm working on a script to enable the camera and take a picture of the thief! I've got a long way to go, though.


    You could provide the IP addresses and dates/times to the cops and push them to subpoena the information you need to identify the person.

    Michael

    Legacy Forum Name: How-To,
    Legacy Posted By Username: RCS-Michael
  • hmmm. now why didn't I think of that? Smile Just kidding.

    This was done within 1 hour of the machine being stolen. Problem is it jumps jurisdictions, and the ISP's generally sit on subpoenas for 10 days to 2 weeks before responding. and if it's not there _now_ then what good is it? It was in one county for a couple of days, on the same ISP, then in a different city (still local) for single checkin, then 300 feet from my office for one checkin, all different jurisdictions. So at this rate, the cops will never catch up with the robbers.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: willoneal
  • Have you dumped a keylogger onto it yet? Just schedule it for every 5 minutes and skip if offline, you're bound to get one on there. That will capture keystrokes and email the log to you. (Preconfigured first of course).

    Legacy Forum Name: How-To,
    Legacy Posted By Username: carey-pccare
  • Also, if you search the forums you will find a screen shot script that will allow you to run it pretty continuously and capture a lot of screen shots. This could help you catch his personal info (like email address, bank account, etc...) and help you ID the thief.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: boudj
  • I am not a MAC scripter, but once when tracking a stolen laptop we came up with the idea of creating a script which would use the built in camera to take a picture, save the file and transfer it back to our server. If any of you Mac scripters get this to work, let me know.

    Karen

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Karen_Sadler
  • Gadgettrak does that. I wonder if you could remotely deploy that?

    http://www.gadgettrak.com/

    Legacy Forum Name: How-To,
    Legacy Posted By Username: bighouse
  • http://files.kaseya.com/sftp/macscripts.zip


    You'll need to run an Import Folder to get them imported -- just select either My Scripts or Public Scripts and on the right you should see Import Folder.

    Click Import Folder, and paste in the contents of 'macports.txt'.

    Do not select the extracted file to be imported directly as it doesn't seem to work -- you have to paste in the contents. Once you have the data pasted in just click Import.

    You'll see there are two scripts I created specifically to help out here, one to capture the screen of OS X and one to use the builtin Mac camera to take a pictures.

    Results can be found on the 'Documents' tab for any given agent.

    You should probably run these two scripts on the stolen machine on a regular basis, scheduling them to run every few minutes.

    I've only had my Macbook a month or so and I'm grooving myself back into traditional bash-style scripting, so I welcome any suggested improvements to how these scripts work or suggestions on better utilities to use. I put several hours into working on them over the past few days and I'd love to know if they are helpful to any of you.

    I tested them on two OS X 10.5.6 Macbooks with the latest version of the Mac agent, 5.1.0.6. If these scritps dont seem to work well for you contact support if you need to get updated to the latest Mac agent.

    Good luck Will!

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Benjamin.Lavalley@kaseya.com
  • we had this exact scenario, where a laptop was stolen out of a Merc.
    The crook managed to crack his way into the OS, but prior to this I set an 'alert if agent comes online' to my mail account.
    Two days later the machine came online and populated the database with all new IP info, from here I managed to get to the thief’s router , which was a Netgear, after which I tried Netgears default username and password and Volla I was into the thief’s environment.
    I didn’t do anything malicious though!

    I established through the IP that the laptop was now in Vietnam, so there was no point in calling the police!

    I'm wondering what I should have done to the system to protect what I could have at the time?
    Maybe a selfdistruct script of some kind?

    Legacy Forum Name: How-To,
    Legacy Posted By Username: ricrosen
  • Interesting story!!! Seems there's more going on here than a laptop being stolen. It is now in Vietnam and someone hacked on to it. Why? I would suspect a higher level of criminal here (perhaps looking to perform identity theft or worse?). If you are given a chance to wipe a laptop that's been stolen, then do so. You can easily find "scrub" programs on the internet and run them using a quick little script. Also, this will help you convince your client that they should invest in a product like lojack for laptops. This would have allowed you to totally kill this system.

    Finally, did you report this incident to the proper officials? I sure would have. I might even had contacted the local FBI and asked for advice regarding this (since the laptop left the country... they might be interested in this).

    My thoughts anyway.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: boudj