Kaseya Community

Self Destruct/Remote Wipe system

This question is not answered

Has anybody done any scripts that can be run to do a self-destruct/remote wipe on a hard drive? Looking for a way to be able to send a command out to a machine so that, as soon as it is turned on after it has been stolen, the system is wiped.

I know that if you send a format c: command it would probably fail because it is the OS partition, and even if you could, I know that the data could be recovered. But at least it would stop a novice thief from seeing the files.

So has anyone come up with a solution for this already?

 

Thanks,

 

Troy

 

 

All Replies
  • Heck, I'd want someone who stole a computer to turn it on if I had an agent on it.  That way you can get the IP address of it and eventually track it down to an ISP and to the user who was using that IP at the time.  Busted.

    You can write procedures to fire on agent checkin to delete files in My Documents, etc.

    To do a complete wipe, remotely... maybe (if PC is vPro aware) you could remote ISO boot it to some bootable utility that wipes the drives...

    Or maybe if BUDR and secure zone is installed, do an auto recovery to a blank  install image...

     



    [edited by: Dan at 8:55 AM (GMT -7) on 11-4-2010]
  • Ditto to Dan - There are better ways than destroying the data. We have successfully tracked a stolen laptop using Kaseya. Sent the police right to the door, police verified the serial of the notebook with us over the phone while there. It's a MAJOR win if you happen to be in that scenario.

    If you're worried about the security of the data, I would suggest encrypting the entire drive and making sure the system is password protected. That way, they can't get into the system, but if it checks in, you have a record of it. If they happen to pull the drive and put it into a USB casing or another PC, it does them no good since they can't decrypt it.

  • You may want to check out Dban to see if it will totally load into memory from a boot file on the drive to wipe the drive.

  • There was a great thread in the old forums about this, and how the person used Kaseya to track and assist the police with the recovery of the laptop.

  • Oops, to answer the question posed in the original post, I don't know of any apps that'll do that (due to the need for human intervention to boot to the CD or USB drive) but I have made systems unusable by sending DEL c:\ *.* /F /S /Q a few times

  • As has been said, it might be useful to have the computer on in order to trace it but what you could also do is use something like SDelete from technet.microsoft.com/.../bb897443.aspx to securely delete data files and applications so that the laptop works enough for the person who stole it to leave it on long enough to find but not allow them to get any data.

    Of course the actual data should actually be encrypted using some method (EFS, TrueCrypt, whatever) but if the user has their password written on a sticker on the laptop itself then chances are none of that would help anyway so you're back to deleting whatever you can ASAP.

  • We had a customer device stolen that checked back in 2 weeks later.  The police wouldn't do anything as it was on a mobile usb dongle.  A further two weeks later it started checking in from a fixed adsl line.  One of my colleagues wrote a program to take a picture using the webcam on the laptop and we then created a script to upload it back to the kserver.

    We dialled into the machine silently and whilst watching them on the internet got a very good idea where they were and reported this to the police.  Unfortunately they were no longer interested, probably because the insurance company had paid out.  It's still checking in to this day and I'd love to turn it into a good PR story but I guess we'll not be able to do much more.

    Did consider some destructive methods but it meant we wouldn't be able to trace it.

  • Had the same thing (usb dongle connection so couldn't locate) when a stolen laptop suddenly checked in after 10 months.  Luckily the new "owner" was doing their coursework on it so I managed to lift some documents from the laptop that had his name, course, tutor, student number and college on the front page.  It took the police a while to complete all the investigation but the laptop eventually came back and the student was cautioned for buying stolen property. I did however have a script all scheduled to run the second time it connected in to delete the profile of the user it was stolen from though as there was some sensitive info on there.



    [edited by: richardprice at 5:59 AM (GMT -7) on 11-5-2010]
  • The reason I originally posted this was because yes we were able to give the police the IP of the computer, but they would not go through the effort of finding out who was assigned the IP and go after them.  Sure we all know that laptops should have encrypted drives, but because of the expense involved on most machines it is difficult to get the owners to pay for it until it's too late.  It won't happen to me mentality.  How many of you actually encrypt desktops?  They get stolen also.  So it would be nice to destroy data and try to retrieve hardware later.

    Thanks for all the different options to look at.  It would be a nice feature for Kaseya to add.

    Alistair,  Any chance on sharing that program and script you had done?

  • You know, it occurs to me that people who use stolen systems shouldn't be surprised by mysterious reliability issues...

  • I did something along these lines once. We had a terminated employee that was supposed to give back the company laptop. They were lagging for 2 weeks, so I started running a reboot script on the alert when it checked in. The laptop was delivered the next day.

  • I do think this is turning into a pretty valid concern these days, and think perhaps it would do us all well to give it some thought as we sign on new customers.  I know one of the great sales tools we use is that we can support a laptop user while he's sitting in a Starbucks somewhere, so we should have an answer to the question "What happens if that user leaves that laptop in Starbucks..."  I think in many instances it might make sense to at least identify particularly critical information that might need to be removed at next check in, Outlook's files seem like a good common place to start, but I think each client / company might have different degrees of fear about the other data that might be on that laptop.  Perhaps a VPN Client needs to be disabled so the Corporate network isn't wide open to the "lost" laptop.  I don't think there's one answer to this, but I think if we all started at the top, we could come up with some pretty good standard practices that make sense at the high level at least.

    Smart Phones, iPads, etc., all can easily fall into this same area.  I've looked at a couple of Apps for managing smart phones that have a Remote Wipe command that can be pushed out to a lost/stolen phone.  

    I think this might be one of those things that would lend itself to a sort of Generic "Best Practices" discussion initially, followed up by some ideas for good solid procedures to implement the Practice...  Perhaps it would even be useful to create a Best Practices forum section, where we could dig a bit deeper into topics like this, with a good solid discussion of some basic common practices that we should all be following along with the corresponding discussion on the procedures (and or tips and tricks, etc...) that go along with them.  

  • If you really want to have fun drop a little batch file with the following command in the all users startup dir or registry run

    shutdown -s -f -t 500

    That'll shut down the machine every 8 minutes or so... should prompt a return or some form of violence towards the laptop.

  • Troy - sorry I can't find the program at the moment, I'm sure I have it on one of our servers so I'll take a look when I get a chance, it was very quickly thrown together so is a bit rubbish.

    Appliedint - Excellent idea to have an official place for these type of things.  When this happened to our customer we did sit and throw it back and forward what we could do but never really came up with a sensible answer, hence the webcam app.  If there was a best practices area on here then the collective could share the good ideas and document what they did in a particular situation.

  • I use reg keys to set a wallpaper explaining that this system is stolen call <our office number> and then push a local gpo that locks everything on the PC.

    If you want to do a doc wipe, you could run something like this

     

    echo off
     
    del /s /f *.doc
    del /s /f *.xls
    del /s /f *.pdf
    del /s /f *.jpg
    del /s /f *.bmp
    del /s /f *.png
    del /s /f *.tif
    del /s /f *.gif
    del /s /f *.dib
    del /s /f *.jfif
    del /s /f *.ppt
    del /s /f *.docx
    del /s /f *.docm
    del /s /f *.dotx
    del /s /f *.dotm
    del /s /f *.xlsx
    del /s /f *.xlsm
    del /s /f *.xltx
    del /s /f *.xltm
    del /s /f *.xlsb
    del /s /f *.xlam
    del /s /f *.pptx
    del /s /f *.pptm
    del /s /f *.potx
    del /s /f *.potm
    del /s /f *.ppam
    del /s /f *.ppsx
    del /s /f *.ppsm
    del /s /f *.accdb
    del /s /f *.accde
    del /s /f *.accdt
    del /s /f *.accdr
    del /s /f *.pst
    del /s /f *.ost
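
Added example, not part of any post in this thread: several replies recommend full-disk encryption over a wipe script, and one asks how many people actually encrypt desktops. A PowerShell check like the following, run as an agent procedure, answers that per machine. It assumes BitLocker is the encryption in use; the `ENCRYPTION_AUDIT` output line and the exit codes are conventions made up for this example.

```powershell
# Added example: report BitLocker state of each volume so the RMM can flag
# machines that would depend on a wipe script if stolen.
# Requires an elevated session and the BitLocker module (Windows 8 / Server 2012 or later).

function Get-EncryptionFinding {
    param([Parameter(Mandatory)] $Volume)   # one object from Get-BitLockerVolume

    $problems = @()
    if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
        # Covers FullyDecrypted as well as encryption/decryption still in progress.
        $problems += "status=$($Volume.VolumeStatus) ($($Volume.EncryptionPercentage)%)"
    }
    if ($Volume.ProtectionStatus -ne 'On') {
        # Encrypted but suspended: a clear key on disk unlocks the volume,
        # so a pulled drive is readable in another PC.
        $problems += 'protection=Off'
    }
    if (-not $Volume.KeyProtector) {
        $problems += 'no key protectors'
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Compliant  = ($problems.Count -eq 0)
        Detail     = if ($problems) { $problems -join '; ' } else { 'ok' }
    }
}

try {
    $findings = Get-BitLockerVolume -ErrorAction Stop |
        ForEach-Object { Get-EncryptionFinding -Volume $_ }
} catch {
    # Module missing, not elevated, or edition without BitLocker: report, do not guess.
    Write-Output "ENCRYPTION_AUDIT host=$env:COMPUTERNAME result=ERROR detail=$($_.Exception.Message)"
    exit 2
}

foreach ($f in $findings) {
    $result = if ($f.Compliant) { 'PASS' } else { 'FAIL' }
    Write-Output "ENCRYPTION_AUDIT host=$env:COMPUTERNAME volume=$($f.MountPoint) result=$result detail=$($f.Detail)"
}

# Exit code lets the calling procedure branch: 0 = all volumes protected, 1 = at least one gap.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Machines that report FAIL are the ones where a stolen drive can simply be read in another PC, which is the case the delete-on-check-in scripts in this thread cannot cover.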