Laptop stolen; Logmein installed; I see it come online occasionally -- 1

sweetcow

Technical User
Oct 20, 2008
28
US
My laptop was stolen out of my apartment a few weeks ago. It had Logmein, which is remote access software, installed. I've been monitoring my Logmein account regularly, and have seen the laptop come online 3 times now. I feel like I should be able to take advantage of this and track down the stolen laptop, but I just can't seem to figure out what to do.

1. Logmein provides the IP address of the computers that are logged on. But I was recently informed that "the LogMeIn IP address is only routable on the LogMeIn vpn (established by the LMI clients) not in public IP space." Meaning, I guess, that this would not be useful in establishing his actual location?

2. I could use LogMeIn to Remote Control the computer and either watch him and hope he checks his email so I have an email address; I could additionally install any number of helpful programs: computrace lojack, locatepc, etc. But it seems that whenever the computer is online, he is actively using it, and so would notice if I started remote controlling things.

I CAN use the File Manager and manipulate files on the computer without him knowing, though, so that would be my preferred route.

a. I know he uses Firefox, so I copied over his Firefox profile files today (C:\Users\(yourname)\Appdata\Roaming\Mozilla\Firefox\Profiles), hoping I could grab his PWs. But the files were blank -- I guess he doesn't have Firefox set up to store passwords.

b. Maybe I could access other potentially identifying files within Documents and Settings, but I am unable to access this directory (I get a message that I don't have the rights whenever I do).
**Is there any way around this?**

**Are there other potentially identifying files on the computer that I can copy over and look through?**
**Could I insert some code into a file that runs on start-up (like boot.ini?) that would send his IP back to me, or maybe send other identifying information back to me. Maybe even keylogging information, but that's a stretch I realize...**

I would really really really appreciate any help anyone could provide.
 
Do you know if he is using wireless? You can get a stumbler and track him down using GPS. If you can manipulate files, try to copy over some sort of key logger. Search the internet for key loggers, or why not just have a file open when he logs in saying that he is being tracked and the police will be knocking on the door shortly unless he calls you at said number. Lastly, did you call the police and tell them this info? It sounds like grand theft to me.
 
b. Maybe I could access other potentially identifying files within Documents and Settings, but I am unable to access this directory (I get a message that I don't have the rights whenever I do).
**Is there any way around this?**

Using your admin account can you take ownership of his Documents and Settings\username folder? Once you have ownership of the folder then you should be able to give yourself full permissions on it.

Hope this helps.

Please help us help you. Read Tek-Tips posting policies before posting.
 
North323
No, I don't know that he's using wireless, unfortunately. But if he was -- what do you mean by "get a stumbler and track him down using GPS"? Wouldn't I need to know what his wireless router's name was at the very least to do something like this?

I don't know of any keyloggers that
a. are not detected by AVG, which I have installed on there -- AVG's alerts would tip him off.
b. you can just copy over to a computer and then they just work from there -- for all of them I'd have to actually run an exe on the computer; and for that I'd need to switch into "Remote control" mode, which I'm hesitant to do. My only thought is copy over a keylogger, and set it to run on startup, by inserting it in a start-up file like boot.ini file. But I don't know that any such file exists in Vista?

Yes, I've filed a police report, of course. They don't particularly care though. As for notifying him, it's possible this would scare him into returning the laptop, but I feel like it's more likely he'd just delete Logmein, and I'd then have no hope. If I do notify him, I'd need his information for leverage.

Cmeangan656
In order to use my admin account to take ownership, I'd have to switch into "Remote control" mode, which I'm hesitant to do.
 
If you get a wireless stumbler, you need the IP address and the SSID name. It is going to be very difficult to get your laptop back. One of two things I would do: copy something on the desktop telling him what a POS he is and go buy a new one with lojack next time, or just let it go and buy a new laptop. I don't know how savvy you are or your position in life, but you can always put out a bounty on this d-bag of some sort in the IT community. Lastly, you can put a virus on the machine so no one can use it.

 
If you need to install something remotely, drop it into the "Scheduled Tasks" folder.

I reckon a keylogger would be the go.

Don't let him know you're onto him until you've identified him. Even then, don't let him know - just get the cops to do it.

But I think you should try the cops - ask them if they have a computer forensics team and speak with them directly & see if they are interested in tracking the thief down - you should be able to convince them, I'm sure they'd love to have a crack at it.
 
I did not read this entire thing, but if you can get the guy's MAC address, then hunt him down through the ISP. That is how the BTK Killer was caught...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Cool, now have IP from tracert
And MAC address through ipconfig.
I'll contact the police with this, and keep bugging them, and hopefully they'll do something with this.

In the mean-time I'll continue looking into the keylogger possibility -- it's really tough to find one that isn't detected by AVG. Wonder if there would be a way to disable AVG through the command line, somehow?

VinceWhirlwind -- useful tip on using the scheduled tasks folder -- I'd forgotten about that.
 
In the mean-time I'll continue looking into the keylogger possibility -- it's really tough to find one that isn't detected by AVG. Wonder if there would be a way to disable AVG through the command line, somehow?

You'd be better off giving the police all the information you have and leaving it at that. You'll only raise suspicion and the machine will get wiped.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
When you talk to the cops, ask to talk to their computer forensics people, not to the dummy at the front desk.
A proper geek will love to get onto it for you, but the dummy at the front desk is there to "reduce crime" (by being uncooperative and thus discouraging people from talking to the cops in the first place).
 
Or maybe look into metasploit, sectools, nmap...muahahaha...

 
Too bad you couldn't insert a tty program that logged all his keystrokes, and then route them to a blog. You might have a new hit blog site.

I see it now, ToWatchAThief.com

If nothing else, I'd leave him alone, and create a new blog about this adventure. It might be worth more money than the computer itself.
 
Wonder if there would be a way to disable AVG through the command line, somehow?

Add a scheduled task to kill processes/stop services on boot?

Have you got any further with this?

'When all else fails.......read the manual'
 
Here's an update on this...

-I copied over all the Firefox profile files, and then used Nirsoft's Firefox MozillaHistoryView, MozillaCacheView, MozillaCookiesView, and PasswordFox in an attempt to find any identifying information on the thief. No luck though. He only went to some random sites and Ebay (which would be handy later though...), and he didn't store any PWs in Firefox.

-I also downloaded NirSoft's powerful and awesome command-line utility. One of the capabilities of which is to take periodic screenshots. So this was promising, and it felt pretty cool to finally have images of what he was seeing and spy on him in that manner. But it also might've taken a bloody lot of images to eventually get one with the info I needed.

-Fortunately I didn't have to wait on it. After WEEKS of him logging in everyday, but *never* being away from the computer -- I would check his Logmein status and always see that "Keyboard and mouse are currently active" -- FINALLY one day they'd been inactive for 7 minutes. So I decided to go for it. I used NirSoft's command line-utility again, this time to shut-off his monitor so he couldn't see Logmein's notification from afar, then I portaled in using LMI's remote control mode. I also changed the LMI remote control preferences so the host's mouse/keyboard were locked, and so his monitor *stayed* disabled (Nirsoft's monitor disabling only lasts until keyboard/mouse input).

So I was in. And I got lucky as he was currently on Ebay. So I navigated to My Ebay-->Account-->Personal Information and got his address! Then I looked in My Docs for any identifying files (this was locked to me from the command line), but no luck. And at that point I believe he came back because notices would pop up indicating he was cycling through the Function keys in an effort to turn on the monitor again. And then I lost my connection, so I'm guessing he restarted the computer.

But no problem, I had his name and address. I called the police, and the receptionist said he'd pass it on to the detective. So I was thinking, maybe not that day, but maybe the next day they'd bust him and I'd have my laptop back. So I waited.......

And 2 weeks later I continue to wait. I continue to see the computer come online every day. I've called the police several times to check on the status, but am unable to get an update nor get in direct contact with the detective "on the case".

It's very frustrating. I'm considering going around the police and contacting him directly at this point.
 
Have you looked at the Prey software?
If you can still log on remotely then it may be worth putting it on so it can provide evidence if it gets sold on.


I wouldn't approach the person directly. You could spook him and cause him to destroy the laptop or wipe the hard drive.
 
With a Louisville Slugger? lol

 
So basically it goes like this:
- crime is committed
- you report it to police
- police do nothing
- you investigate the crime to the best of your ability and solve it
- you inform police of solution to crime
- police do nothing


Frankly, I myself am sick and tired of police doing nothing - it's the same where I live. I reckon there are two solutions:
- As it appears the police have abdicated their responsibility, it becomes your duty to enforce the law: you take 10 buddies around there and bust the thief. (Think the Koreans in LA during the Rodney King riots).
- Contact the media and give them the story of do-nothing cops: try to shame them into doing their job.
 
You should storm in to that police headquarters and start tearing up someone's azz! What part of protect and serve do they not understand?? I would also let my mayor know of their utter laziness! Another idea, not sure where you live, but local TV stations have those investigative reporters. Tell them, they may stick a camera in his face and put it on the news. Hopefully they will tell other viewers the cops did nothing.
 
It's very frustrating. I'm considering going around the police and contacting him directly at this point.
That's precisely what you should do. It's a lot more difficult to fob somebody off if they're there in person instead of on the phone.

And yeah, consider going to the media and/or local politicians if you don't get any joy. Give the cops a chance to do the right thing first though - they don't deserve it, but you don't really want to rub them up the wrong way.

Do not tackle the perp yourself though - that's asking for a whole lot of trouble you don't need.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd
 