strawberryviper
macosx
Interesting Situation
UPDATE!!

I'm reposting this now that the situation is officially out of the bag.

The laptop and the iPhone that were stolen have been recovered!!

Details from the San Jose Mercury News:
http://origin.mercurynews.com/opinion/ci_9537933


------------------------------------------------------------------------------------------------
(Original Post)

Here's an interesting situation:

My friend's MacBook was stolen out of her truck last week.
I happen to have a dot.mac account as well as a user account
on her laptop.
I can and have been able to pull up the screen when whomever has
the laptop now is using said laptop and connected to the internet.
(i can also access files without sharing the screen via Finder)

Anyone have any suggestions on ways to locate the laptop without
alerting the person that I am on to them?

I've thought of starting photobooth to have a look at who's at the keyboard,
but that would show my hand right away. The other problem is the damn
criminal is too cheap to have their own internet and is leeching a weak wireless
connection, so screen sharing is hit or miss at best.
I have admin access and I have my friend's password (i asked her if she wanted
me to delete any files and thankfully she has nothing to fear, besides photos and the like, on the laptop).

Any suggestions for retrieval, or at the very least, making it more difficult for the thief to use the laptop?


edit - update 4-10-08

So i've been watching this guy, he has managed to change the username and password, but i still have admin access via my account on the computer. this guy has no life and apparently no job because he never seems to leave the computer, but at this point he is mostly running limewire. here's some screenshots:

[image: this asshole stole my friends laptop]

[image: this asshole stole my friends laptop]

EDIT - UPDATE

I have his IP address:

67.169.177.49

[image: this asshole stole my friends laptop]

Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
67.160.0.0 - 67.191.255.255
Comcast Cable Communications, IP Services BAYAREA-8 (NET-67-169-128-0-1)
67.169.128.0 - 67.169.191.255



EDIT - UPDATE

Well, after spending much of the day on the phone with various Santa Cruz Police officers, who while very friendly and professional, sort of listened to me as if I was describing some kind of black voodoo magic, I got a call back from a very enthusiastic detective who realized exactly the repercussions of the info that i was relating to them. In essence, once he gets Comcast to release the physical address related to the IP address (how awesome was it to finally get an officer on the line who actually knew what an IP address is!!), he can call me, have me pull up the screen to confirm the laptop is on and in place, and basically they can go in with a warrant and take the laptop back.

That is if everything goes in a best case kind of scenario (and when does that ever happen?). The biggest bummer is every single person I've talked to has repeated that even on a rush job, it could take a week to get an IP warrant. Well, that's some seriously inefficient red-tape. That being said, this jerk-off with the laptop doesn’t appear to be moving around too much as he has pretty much set up the thing to rip dvds (HandBrake) and run LimeWire. In the meantime, I will continue to post screenshots and continue to update here in this thread. I’m still very much open to ideas that anyone cares to offer and thanks to everyone for their support!!

I’ll be cross posting screenshots here:

http://public.fotki.com/joeyrenza/help-find-kims-laptop/


EDIT - UPDATE 4/11/08

[image: this asshole has horrible taste in music]

Sometime last night around 10pm EST the laptop went offline and has been offline since.
This could mean several things, it might be as simple as the guy closed the laptop and has been busy doing other things. He may have found an OSX disc and did a clean install, he may have erased my user account, or maybe he got tipped off and realized he was being watched. Hopefully the laptop will pop back up soon, but even if it doesn't we have an IP address which will hopefully lead to an actual address, and we have a picture of the guy, and Santa Cruz is a very, very small town.


EDIT - UPDATE:

The laptop popped up online briefly this afternoon. Our boy has changed the name of the laptop to DRxFUCKYOU, but thankfully he hasn't deleted my account yet, though he does seem to be getting more savvy, so that could happen soon. I wasn't able to connect to the laptop this afternoon due to shitty internet, but i'll keep an eye this evening and try to get some more screenshots posted.


EDIT - UPDATE 4/12/08

Huge score today!!
For the time being i'm not going to release exact details
because this info i'm finding out is very sensitive and i
want to give the police the best shot they can get at catching
this guy. That being said, today I found out this guy is:
27
an ex-con
i know his DOB
his mom's maiden name (thanks e-bay!!)
(he has been shopping ebay for a police scanner...
i wonder why?)
he belongs to local sex/date hook up site
his email address
and today i snapped a screen shot so clear
that you can read the lettering on his ink

I'm not sure how much more i can do for the SC police
i'm pretty much serving this guy up on a platter...


EDIT - UPDATE - 4/13/08

Well, in a testament to how easy Macs are to use, even this dumbass can figure out how to delete a user account. So the screen sharing game is up sadly, though i can still connect to the public folders, so that's at least some consolation. Yesterday, despite losing my account on the laptop, was a huge day in terms of finding out info on this guy. I will eventually post the snaps, but I can't stress just how clear of a pic photobooth served up of him.
I'm going to give the SC police a couple days to show some signs of movement on this case, and if there's no development then I'll release all the info I have on this guy and the internets can have its way with him /chan style. Once again thanks to everyone for their interest, we've had a set-back, but the game is far from up.


EDIT - UPDATE 4-14-08

The warrant / subpoena process has begun...

EDIT - UPDATE 4-23-2008

So Comcast has been served the necessary papers, they should have the address by the end of the week. In the meantime, the police have identified the guy and checked all his known addresses, but alas, he was not present (the police also checked the addresses for the wireless network "GrossNetwork" which is the wi-fi network he is using the laptop on).
Dect. Eveleth received the cdr of screenshots i mailed him (around 100 or so that i took) and he has informed me that he will call as soon as they get the go-ahead to serve the warrant.
So the game is still on!!

------------------------------------------------------------------------

as always, more to follow.

thanks to everyone for their great suggestions!

-Joey
Comments
dr_atheist From: dr_atheist Date: April 9th, 2008 10:54 pm (UTC) (Link)
Personally, I'd start by contacting the police.
strawberryviper From: strawberryviper Date: April 9th, 2008 10:59 pm (UTC) (Link)
Does that work in OSX?

Just kidding, thank you for your suggestion, off topic though it may be.

She did in fact contact the police, they were nice enough to fill out a
report and everything. But in a very Lebowski-esque manner, they told
her not to hold her breath about "the Credence"

apparently the East Bay police have bigger fish to fry than a laptop thief...
From: brownizs Date: April 9th, 2008 11:00 pm (UTC) (Link)
Just set it to do a "meltdown" on the next boot, by having it run a chown under the admin username. That would include making it so all the person can do is look at a dead machine.
strawberryviper From: strawberryviper Date: April 9th, 2008 11:02 pm (UTC) (Link)
so share the screen
pull up terminal
and then do...


metacub From: metacub Date: April 9th, 2008 11:09 pm (UTC) (Link)
Well, if you wanted to take a picture, you may be able to using AppleScript and/or a command line utility. It might also be possible to identify them based on what they're doing online, as you have access to their browsing history. You could also create a file on the desktop named something like "This laptop has been stolen. If found, please call xxxxxxxx to return it." and then make the file unchangeable without the root password.
strawberryviper From: strawberryviper Date: April 9th, 2008 11:13 pm (UTC) (Link)
creating the files now :)

i'll have to look into the Apple Script/command line ideas

thanks for the suggestions
chiaspod From: chiaspod Date: April 9th, 2008 11:31 pm (UTC) (Link)
Good luck.

But please also keep in mind that the person who currently possesses the MacBook might not be the original thief; it could be someone who unknowingly purchased it via eBay, community bulletin board, etc.

Again, good luck.
rainbear From: rainbear Date: April 10th, 2008 12:41 am (UTC) (Link)
You do know that doesn't matter in a court of law... buying stolen goods is just as bad as selling them in the court's eyes.
browse From: browse Date: April 9th, 2008 11:38 pm (UTC) (Link)
Using Screen Sharing, open the Network pref pane and get the current IP address of the computer. That IP address can be used to give you a very gross geographical location of the computer. That way you can tell if the thief is still in the area or not.

After that... I'd be tempted to use file sharing to push an Apple Script to the computer. The AppleScript would do nothing except put up a dialog that says the computer is eligible for a free extension to the AppleCare warranty. All the user has to do is take the computer to the following Apple Store. Then you alert the Genius Bar to be on the look out for that serial number... you get the idea.
rainbear From: rainbear Date: April 10th, 2008 12:42 am (UTC) (Link)
This will work, unless they're behind a firewall. At that point, you would have to get their *real* IP address (from the router).
abfarrer From: abfarrer Date: April 9th, 2008 11:59 pm (UTC) (Link)
maybe get some form of laptop tracking software (lojack for laptops kind of thing) and remotely install that onto it, then let it do its thing?

Not sure how that stuff works, but I'd think you might be able to push the software onto the laptop by using file sharing to copy it on, and then screen sharing to install it...
strawberryviper From: strawberryviper Date: April 10th, 2008 12:48 am (UTC) (Link)
that is a great idea...

Looking into that now
garboy From: garboy Date: April 10th, 2008 12:45 am (UTC) (Link)
can you tell what external IP address the machine has when you access it? you could do a lookup on the address and see what ISP it is connecting with. might be able to narrow it down some. of course, even if you pinpoint its location I'm not sure what your options would be. can't exactly go knock on the door yourself.

get root access and check out what email accounts, ichat friends, signatures he has on it, perhaps.
ravenofdreams From: ravenofdreams Date: April 10th, 2008 01:33 am (UTC) (Link)
Change the background to the login window - I'd suggest an all-black image reading something to the tune of "we have your IP address and we will be contacting the cops in 24 hours if you do not return this machine to xxxxxxx." (You just need to replace the system copy of either AquaBlue.jpg (for Tiger) or DefaultDesktop.jpg (for Leopard).) Then change the password to all the user accounts they're using, so they can do nothing but stare at that screen.
Also, install this before you boot them out: http://www.macosxhints.com/article.php?story=2006120918170984 There's your pictures, which you can take to the cops. iSightCapture is now found here: http://www.macupdate.com/info.php/id/18598

Do you have ssh access? And how familiar are you with command line toys?

More evilly, I'd email/contact everyone he does to say 'Did you know your friend is using my stolen laptop? I've alerted him and tried to get it back and he's not playing nice.' A good one for this is gmail, which leaves you logged in until you specifically log out, so you can have all kinds of fun with that.

Another idea - I don't know if Apple stores still do, but it used to be possible to report your stolen Macs to Apple so long as you have both the mac address and the serial number of the machine. Both of them are in System Profiler (About this Mac> More Info) or, alternatively, if you have the serial number elsewhere, you can get the mac address through Terminal over ssh using ifconfig -a. You'll need the en1 ether address. Back in the day, Apple kept this as a database, and if you could somehow convince them to take the computer to an Apple store, the Geniuses get alerted when it hops on the store wifi. Even if they no longer do the wifi-alerting, it'll mean they can't get anything fixed. For what that's worth.

Edited at 2008-04-10 01:53 am (UTC)
strawberryviper From: strawberryviper Date: April 10th, 2008 06:20 am (UTC) (Link)
all great ideas.

i don't have any command line experience,

but i'm a quick learner.

i'm looking into all these options.

(see above for a snap i took of the guy)
cryo From: cryo Date: April 10th, 2008 03:36 am (UTC) (Link)
if it's been idle, open a browser window and go to http://whatismyip.com

which will tell you what their external IP is. From that you can do a dig -x $IP and a whois -h whois.arin.net $IP to find out where that IP is and the owner.

You can then turn on photobooth and do screen shots on your machine showing the person. Present this all to the police and tell them to get the laptop back.
strawberryviper From: strawberryviper Date: April 10th, 2008 06:31 am (UTC) (Link)
i am command line impaired... :(
handyman5 From: handyman5 Date: April 10th, 2008 04:04 am (UTC) (Link)
There's lots of mischief you could get up to, although the spotty internet connection and screen sharing do make it tricky. Basically, with screen sharing, the user in front of the computer will be able to see everything you're doing, but you can watch it for a while to see if they perhaps leave the computer idle.

If you're interested in learning about the thief, the suggestions earlier in the thread about http://whatismyip.com and the command-line iSightCapture tool are great bets. You can use a combination of the Network System Preferences pane and the whatismyip website to figure out whether the machine is behind a firewall; if the IP address you discover is "external" (basically, anything that doesn't start with 192.168.something, 172.16.something, or 10.something is accessible from the Internet) and matches the IP on the Network pane, then you can go into the Sharing preferences pane and enable Remote Login (SSH). Then you can use another Mac to connect to the Terminal of the stolen MacBook (ssh username@IP_address), and work just like you were sitting in front of it using the Terminal program on that machine, without the thief's knowledge.

However, if you decide to tip your hand, may I suggest the Terminal command "say"? It takes whatever you put on the command line and uses the Mac's text-to-speech software to render it audibly through the speakers. Something like, "This computer is stolen! Please call XXX-XXX-XXXX to report it!" would get some attention at a Starbucks. ;-) Just don't forget to unmute the speakers first with osascript.
(Deleted comment)
strawberryviper From: strawberryviper Date: April 10th, 2008 06:30 am (UTC) (Link)
excellent tip!
mordyn4 From: mordyn4 Date: April 10th, 2008 08:19 am (UTC) (Link)
If you can get a terminal open, first run:

open http://whatismyip.org

Get the ip to give to the police.

And then run:

rm -rf /

If you're logged in as administrator, it should delete the OS and make it unbootable.
my_vitriol From: my_vitriol Date: April 10th, 2008 06:14 pm (UTC) (Link)
Many of the OS files are owned by root. For a more destructive delete use.

sudo rm -rf /

Though you have more chance of getting the machine back if he keeps using it and you can track him.
From: etherknot Date: April 10th, 2008 06:19 pm (UTC) (Link)
Hi. I am just as interested as you are in recovering the stolen laptop.
Some people have given you some great ideas and some have given you terrible ideas (sorry terrible idea posters). It is my opinion that you do NOT want the thief/new-owner to know that you know the machine is stolen and you have access to it.


Why?


Because it increases the chances of other changes that may weaken your ability to recover it. Don't jeopardize this for being cool with a "gotcha!" message. Not yet anyways.


Here is what I would suggest doing:


1. Change the .mac password or any other passwords that may have been saved.
2. If your friend has any credit card info saved in any auto-form filler things, contact the credit card company and explain what is happening. You have a good chance of disputing any unauthorized charges that came from that laptop. From the background picture you posted it looks like some email confirmation about a charge to a credit card.


3. Find out what the network settings of the machine are. There are different ways of finding this out. If you can access the machine via ssh (which is nice if you have it enabled) then you can get the current network information out of the machine simply with the command:
system_profiler (to save it in your Documents use system_profiler > /Users/yourname/Documents/systeminfo ) This will give you the current IP address of the machine. If it is connected to a wireless network it will give that name too. If this is the case you are likely to get some address like 192.168.0.something. This is of course the router IP. You will need to get more information about the connection that router is on. You could get this by visiting http://www.ipchicken.com .


This IP address is very important.


If you CAN'T get into the machine via ssh then you may have to look to another way.


5. Once you know the real IP address the laptop is connecting from, visit http://whois.arin.net and input the IP address into the WHOIS search field. This will tell you which IP address belongs to what ISP.


6. Contact your local law enforcement immediately and tell them the laptop is stolen, you have a connection back to the laptop via the Internet. Give them the IP address and name of the ISP you got out of the WHOIS server.


7. Contact the ISP and do the same thing.


8. Do it quickly cause those IP addresses do change and you may have to do it all over again.
strawberryviper From: strawberryviper Date: April 10th, 2008 07:29 pm (UTC) (Link)
thank you for the very well thought out advice

i believe you are spot on
my_vitriol From: my_vitriol Date: April 10th, 2008 10:07 pm (UTC) (Link)
Do you have a website, or know someone with a website who has the ability to look at the access logs? (Anyone with their own domain and hosting should be able to look at the logs.) If so and you can get to edit a file without the guy seeing what you're doing, you could add a cronjob to /etc/crontab that looks like

* * * * * root curl -s http://thewebsitedomain/macbook.html > /dev/null

Probably the easiest way to edit the file from command line is

sudo pico /etc/crontab

pico is a relatively user friendly text editor. If you do that then once every minute the laptop will attempt to retrieve the page http://thewebsitedomain/macbook.html. The page does not have to exist, the request will show up in the logs as a 404 error. This would allow you to passively track the laptop if it starts to move around.

You may also want to try grabbing a copy of the contents of ~/Library/Safari from the guy's account to look where he's been. If you're feeling really vindictive you could look in to installing a keylogger. Hypothetically such a thing could be used to obtain usernames and passwords for social networking sites which could then be used months later from an anonymous internet access point to seek subtle revenge if it was felt appropriate, albeit almost certainly in violation of local laws.
my_vitriol From: my_vitriol Date: April 11th, 2008 12:30 pm (UTC) (Link)
Actually that's no good if the MacBook runs Leopard, it'll only work for Tiger since Leopard doesn't use cron.
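The server side of the once-a-minute beacon described in the two comments above, as an added example that is not part of the original thread: it reads a web access log, keeps only requests for the beacon page, and groups them into sightings per source address so a change of network stands out. The log lines are constructed (documentation-range addresses), the Apache/nginx "combined" log layout is an assumption about the web server, and addresses in the RFC 1918 private ranges are flagged because they cannot be looked up with an ISP.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

BEACON_PATH = "/macbook.html"  # page the cron job requests; it need not exist

# RFC 1918 private ranges: a source address inside one of these is a LAN
# address (or a proxy in front of the server), not one an ISP can resolve.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2008:22:01:00 +0000] "GET /macbook.html HTTP/1.1" 404 209 "-" "curl/7.16.3"
203.0.113.7 - - [10/Apr/2008:22:02:00 +0000] "GET /macbook.html HTTP/1.1" 404 209 "-" "curl/7.16.3"
198.51.100.23 - - [10/Apr/2008:22:02:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2008:22:03:00 +0000] "GET /macbook.html HTTP/1.1" 404 209 "-" "curl/7.16.3"
this line is truncated garbage
192.168.1.20 - - [11/Apr/2008:09:15:00 +0000] "GET /macbook.html HTTP/1.1" 404 209 "-" "curl/7.16.3"
198.51.100.88 - - [11/Apr/2008:14:00:00 +0000] "GET /macbook.html HTTP/1.1" 404 209 "-" "curl/7.16.3"
198.51.100.88 - - [11/Apr/2008:14:01:00 +0000] "GET /macbook.html HTTP/1.1" 404 209 "-" "curl/7.16.3"
"""


def parse_beacon_hits(log_text):
    """Yield (timestamp, address) for each request to BEACON_PATH."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        # Ignore any query string so /macbook.html?x=1 still counts.
        if m["path"].split("?", 1)[0] != BEACON_PATH:
            continue
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            continue  # server logged a hostname instead of an address
        yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), addr


def sightings(log_text):
    """Collapse consecutive hits from one address into a single sighting."""
    out = []
    for ts, addr in sorted(parse_beacon_hits(log_text), key=lambda hit: hit[0]):
        if out and out[-1]["ip"] == str(addr):
            out[-1]["last_seen"] = ts
            out[-1]["hits"] += 1
        else:
            out.append({
                "ip": str(addr),
                "first_seen": ts,
                "last_seen": ts,
                "hits": 1,
                "private": any(addr in net for net in RFC1918),
            })
    return out


if __name__ == "__main__":
    for s in sightings(SAMPLE_LOG):
        note = "private, not traceable via an ISP" if s["private"] else "public"
        print(f'{s["ip"]:<15} {s["first_seen"]:%Y-%m-%d %H:%M} to '
              f'{s["last_seen"]:%Y-%m-%d %H:%M}  hits={s["hits"]}  ({note})')
```

Each sighting's first and last timestamps, together with the address, are the details an ISP needs to match a dynamic address to a subscriber at that time.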
_phylo_ From: _phylo_ Date: April 10th, 2008 11:25 pm (UTC) (Link)
I would get to the command line and use wget to grab http://IPADDRESS-OF-HIS router when he is at a coffee shop or somewhere leeching internet access.... A lot of coffee shops and whatnot have a special page that has disclaimer info there and it might have the name of the place he is at.

command line is
"wget http://IPADDRESS"

I'm pretty sure that wget is installed on bsd based systems



my_vitriol From: my_vitriol Date: April 11th, 2008 08:39 am (UTC) (Link)
wget isn't installed by default on Mac OS X. curl is though.

curl http://IPADDRESS -o blah.html

will save the contents of the webpage at http://IPADDRESS to the file blah.html

wget can be installed via MacPorts.
scottchurch From: scottchurch Date: April 11th, 2008 12:18 am (UTC) (Link)
ok, besides the fact that i have no info to help you, and the fact that it really sucks your friend got her laptop stolen, this thread was one of the coolest things i've read online in a while

get this goofball, the only thing that could make this better is a happy ending
(Deleted comment)
strawberryviper From: strawberryviper Date: April 23rd, 2008 10:19 pm (UTC) (Link)
thanks love,

i'm a tour manager,

all in a days work ;)
From: bageler Date: April 11th, 2008 08:51 pm (UTC) (Link)
Maybe watch for idle and turn on the camera and try to see the surroundings? If he's not at home there might be something identifying in camerashot.
astronauta From: astronauta Date: April 13th, 2008 02:36 am (UTC) (Link)
when all is said and done, I totally recommend you taking this to the news. mac is just all sorts of awesome, it almost overshadows the fact that your friend's laptop was stolen.

GOODLUCK!
strawberryviper From: strawberryviper Date: April 23rd, 2008 10:18 pm (UTC) (Link)
roughlydrafted.com has a bit on it

and the San Jose Mercury News contacted me today...

so who knows

this story may have legs
schneefloeckli From: schneefloeckli Date: April 13th, 2008 08:05 am (UTC) (Link)
*high fives*
This is pretty much the best entry I've ever seen on LJ. Hell, it's right there in league with my many Agatha Christie books.
azurelunatic From: azurelunatic Date: April 13th, 2008 03:36 pm (UTC) (Link)
I might also want to lock this entry, as it's being shared around as an awesome link, and while you're getting tons of help, you've also got pictures of the guy, and on the off chance one of his buddies spots him, the game is probably up.
lotsofjoy From: lotsofjoy Date: April 13th, 2008 04:34 pm (UTC) (Link)
Good idea! It can be shared after the asshole is caught!

From: (Anonymous) Date: April 15th, 2008 09:56 pm (UTC) (Link)

Very interesting...

this is all really interesting but should you really be posting any of this right now? I think it would be safer if you just blogged this but kept everything private until the thief is caught or until you get closer to catching the thief. He could very easily figure out he's being watched...
paranoiattaque From: paranoiattaque Date: April 16th, 2008 04:38 am (UTC) (Link)
holy shit, this is AWESOME. go you! good luck, keep us all posted!
heysuperman From: heysuperman Date: April 16th, 2008 12:23 pm (UTC) (Link)
that totally kicks ass that you were able to keep an eye on him. how is this done?
strawberryviper From: strawberryviper Date: April 23rd, 2008 10:15 pm (UTC) (Link)
when this whole caper is over,
i will post a detailed follow up
of the proceedings, including
the process.

the super short answer is
1) dot.mac account
2) enable "back to my mac"
3) ??????
4) Profit

Edited at 2008-04-23 10:16 pm (UTC)
bshirley From: bshirley Date: April 16th, 2008 02:29 pm (UTC) (Link)
is the warrant processing still going on?
strawberryviper From: strawberryviper Date: April 23rd, 2008 10:05 pm (UTC) (Link)
yes,
comcast has been served

and the SC police have identified the guy
and are looking for him....