How we recovered a stolen laptop with help from GFI Remote Monitoring, Prey Project, a dash of cunning and a little bit of luck!

A customer of ours recently called us up to request a quote for a replacement laptop because the one we had bought them only a few months earlier had been stolen in a burglary and they didn’t expect to ever see it again. The laptop (running Windows 7) was configured with Office 365 and the password was cached, so we reset the password for the account to prevent anyone abusing the account and at that point we thought we couldn’t do anything else to help.

The thought of getting the laptop back was the furthest thing from our minds (and our customers) because there was no software on it that we could use to gather information that could be used to recover it (or so we thought). We therefore started to search for a suitable replacement laptop and passed on the prices to our customer accordingly.

It was only after having a discussion in the office that Mark, my business partner mentioned about PreyProject and what a shame that it wasn’t already installed on the laptop. He did a bit of digging around on their website and found that there was a batch file that could silently install the software if only we could get the software on to the laptop.

We currently use GFI Max RemoteManagement to monitor our customers servers, computers and laptops and we could see that the laptop had been connected to the Internet on a new IP Address, so we started to record the IP Address (screen-shots of the laptop in the GFI Control Panel) and passed the information on to the Police. The Police would then be able to use the IP Address to trace the user at the date/time we recorded it and from that, trace the address and hopefully the laptop. That would all take time though and it was possible that the laptop would be moved to a different location and therefore getting the laptop back would take time and might not happen at all. GFI also records a multitude of information about the hardware including the Serial Number, Make and Model and I also passed this information to the Police to identify the laptop should they eventually get the opportunity to recover it.

Thinking more about GFI and what was available to us, one of the options available is to use a Script Check to perform remote commands. If only we could somehow come up with a script to remotely download and install PreyProject then we might be able to do more than just trace the IP Address, we could possibly get some web-cam pictures of the person using the laptop, some screen-shots of what they were doing and local Wi-Fi networks that were in the vicinity of the laptop. If only……..

So I set about writing a script that could download the .exe file and the batch installation file using FTP from my Draytek router (with memory stick plugged into it) and tested this locally, which worked very well. Testing the same script at a different location unfortunately didn’t work and so I gave up on the FTP route and searched for an alternative. The alternative that I came up with was to use BITSADMIN (Background Intelligent Transfer Service), which is used by Windows to download files for things like Windows Update and was of course installed on the laptop by default. After uploading the PreyProject .exe file and their installation batch file to our website, I wrote a script to download the files to the laptop and then run the installation. I then tested the script out on my laptop and it worked successfully.

My script which I eventually used looked like this:
@echo off
md c:\temp
bitsadmin /transfer myDownloadJob /download /priority high http://www.mywebsite.com/preyinstall.bat c:\temp\preyinstall.bat
bitsadmin /transfer myDownloadJob /download /priority high http://www.mywebsite.com/prey-0.5.3-win.exe c:\temp\prey-0.5.3-win.exe
c:
cd c:\temp
preyinstall MY_Prey_API_Key

(any script writers out there please forgive the very basic nature of the script – I am no batch-script writer – but it works!)

Having uploaded the script to GFI, I then assigned the script check to the stolen laptop and waited.

After a short while, the script came back with a Timeout Error. At that point I was disappointed because I had scheduled the script with the maximum timeout value of 150 seconds and it must have taken longer to run that the 150 seconds. I then set about checking the script to make sure all was well and couldn’t see a problem. I even started timing the downloads and for me it all worked well within the 150 seconds. So presumably the current laptop user was using a slower connection.

I decided to login to the Prey Project Control Panel to make sure there was space for the stolen laptop to be installed (on a free account you get 3 free spaces to monitor devices and I knew that I had one space left). I was very surprised at that point to see the stolen laptop appear in the list of Devices I could monitor and so I reported it as stolen, configured the settings to geo-location information, grab web-cam shots, screen-shots, Wi-Fi networks and anything else it could to help me locate the laptop. There are additional options available to lock the device, have the device make a noise, display a warning message on the screen and to hide emails, delete browser cookies and stored passwords, but I decided to leave those alone for now as I didn’t want to scare off the laptop user, I wanted to get the laptop back.

I set the PreyProject monitoring interval to the smallest interval available and waited to see what came back into the 10 available reporting slots available on a free account (this can be increased for a paltry $5.00 a month to a 2 minute interval and 100 reporting slots).

What initially came back was a very dark image of the laptop user playing games and their location was reported as being in Central London (it was night-time so the lighting wasn’t brilliant). I flagged my laptop as being stolen and waited for the first report back from that and when it came back, I was reported as being right next to the stolen laptop, which clearly wasn’t the case, so I didn’t pay much heed to the geo-location information and eventually turned it off.

I sat back and waited for more reports to come in and was rewarded the next time with a slightly clearer picture of the laptop user who was busy watching porn!

After a while, it seemed that the laptop user was aware of the webcam being used and the images then came back completely black, so I turned off the web-cam setting and continued to grab screen-shots and wi-fi networks etc.

The next day (during daytime), I turned the web-cam back on and ended up getting a very clear picture of the laptop user which I then passed along to the Police.

I continued to enable / disable the web-cam option and as my available slots for reports were filling up, decided I didn’t want to lose any good images of the laptop user, so upgraded my account and then increased the monitoring interval.

After several not very exciting reports with no new information, I then received the most interesting screen-shot that was to give the laptops location away precisely. They were writing a letter and had put their address and telephone number at the top of the letter and I had a screen-shot of the letter. The location wasn’t too far away from my own location, so I decided to pay the address a visit and took my iPhone with me to verify the Wi-Fi networks that were shown in the report.

Standing outside the address in the letter I turned on my Wi-Fi on my iPhone and took some screen-shots of the available networks and 5 of the networks that were captured using PreyProject matched the networks I could see. The laptop HAD to be close and thus the address on the letter had to be the laptop users address. I excitedly passed this information on to the Police and they then arranged for a Search Warrant from the Courts the next day and then paid the address a visit the following morning.

I then received a phone call from my customer to say that they had been contacted by the Police and that they could collect their laptop from them (with some proof of their identity) the following day, which they did. We are now restoring the laptop back to a pre-stolen date to remove traces of software that was installed during its absence and we heard that the insurance company was not going to pay out for the laptop because it was a work laptop and was not therefore technically covered on the household insurance from the house it was stolen from, so it was just as well we got it back.

So – if you don’t already have PreyProject installed on your iPad, iPhone, Laptop, Computer, Android phone, Apple Mac, Linux PC or anything else that it can be installed from, then what are you waiting for. If it gets stolen without PreyProject installed, you had better be one of our customers with Monitoring software installed or you can kiss it goodbye!

Apple release iOS 6.1.1 to fix one bug but it doesn’t fix the bug with Exchange

After Apple released iOS 6.1 on the 28th January 2013, numerous people have complained of various issues with 3G connectivity, others have complained about battery life being reduced dramatically and more recently, Exchange servers around the world have been slowing down due to what appears to be a problem with the devices looping when Calendar Appointments are accepted on the iPhone / iPad.

Today Apple has released iOS 6.1.1 (only for the iPhone 4S) which seems to address the 3G issues, but it doesn’t fix the Exchange issues and Microsoft / Apple are working together on the problem to see if it is an Exchange issue or an Apple issue.

So whilst some can upgrade, not everyone can and even those that can upgrade, may well have to upgrade yet again when a new update is released that fixes the Exchange issue.

Exchange Admins all over the world are probably restricting access to their Exchange Servers for those who have upgraded to iOS 6.1 until they delete and re-create their Exchange Accounts and promise not to do anything with Exchange Calendar Appointments (in terms of Accepting / Declining etc). Once they have deleted and added their account back, the Admins may allow them back on the server as this is rumoured to ease the performance issues that the Exchange servers are suffering.

The iOS 6.1.1 release is 968Mb in size, so it isn’t a small download. If you are not suffering from battery / 3G issues, you may as well wait to see if there is a newer release and download that instead.

I for one (with my iPhone 4S), have only just upgraded to iOS 6.1 but won’t be updating to iOS 6.1.1 because I can’t face the hassle of Jailbreaking it all over again and re-install/configuring my Jailbroken apps so recently after Jailbreaking iOS 6.1, only having to do it again when 6.1.2 or 6.2 (or whatever comes next) is released to fix the problem, assuming it lies with Apple and not Microsoft.

Watch this space for more news as and when it becomes available.

Alan

Exchange 2003 Activesync HTTP 500 Error

Further to my Exchange 2003 / Activesync Troubleshooting Guide which can be found here, I was working remotely on a Windows 2003 Server with Exchange 2003 SP2 installed over the weekend having been asked to try and make Activesync work as they had read through my guide and not managed to get everything working properly.

Initially the server needed to have it’s DNS configuration fixed so that the server could talk to the Internet and allow me access, so once their IT department had resolved that issue I was given credentials and started to look at the problems on the server.

Checking the settings against my article, everything appeared to be set properly, but the test on the test site was throwing HTTP 500 errors (my least favourite!), so I followed Method 2 of KB883380 (remove and re-create the Exchange IIS Virtual Directories) and once they had been recreated and the IIS settings re-checked, I re-ran the test on the test site and still received the HTTP 500 error.  At that point I was debating a call to Microsoft, but started to check the Event logs on the server and saw various DNS related errors which were of some concern.

Outlook 2007 was also installed on the Exchange 2003 server, so I wasn’t convinced that I had a simple fix on my hands.

I ran the Exchange 2003 Best Practises Analyzer tool and that reported that Exchange could not be contacted, which suggested a DNS issue.  In the DNS logs there was an Event ID 800 error:

‘The zone <zone> is configured to accept updates but the A record for the primary server in the zone’s SOA record is not available on this DNS server. This may indicate a configuration problem. If the address of the primary server for the zone cannot be resolved DNS clients will be unable to locate a server to accept updates for this zone. This will cause DNS clients to be unable to perform DNS updates.‘

The suggested fix for this was to run dcdiag /fix followed by netdiag /fix and then to restart the Netlogon Service.  I did this but nothing changed.

Running the netdiag /fix threw up the following error:

DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE [FATAL] Failed to fix: DC DNS entry xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._msdcs.internaldomainname.local. re-registeration on DNS server ‘Server IP Address’ failed.

I checked the DNS zones and saw that both the _msdcs.internaldomain.local zone and internaldomain.local zones were not showing all that they should have been so I deleted both zones and recreated them manually (referring to another Windows 2003 server for the relevant entries.  Once all that could be manually created was created, I re-ran dcdiag /fix and netdiag /fix and still received the error above.

I then tried searching for a way to fix this problem but drew a blank.  Looking through the other event logs, I came across the following error in the System Log:

Event ID: 5788
Source: Netlogon
Description: Attempt to update Service Principal Name (SPN) of the computer object in Active Directory failed. The following error occurred: The attribute syntax specified to the directory service is invalid.

Searching for this error landed me here and upon checking the Computer Name / Domain Name,  I saw that the computer name was simply computername. not computername.internaldomain.local.  Never seen that one before.

Following the resolution in the MS article, I created a VB Script file and ran it on the server and rebooted.

Following the reboot, I re-ran the dcdiag /fix and netdiag /fix and the errors had gone.  In addition, some of the DNS records that I wasn’t able to create manually were magically back, so that seemed to have resolved the DNS issues – hurrah!

I then decided to re-test Activesync and happily received a complete pass on all tests – so now that Exchange could talk to itself, Activesync could actually work!

Running the Exchange Best Practices Analyzer again I was happy to see that Exchange could now talk to itself and the results showed a much happier server with only a few minor issues.

So – if you are seeing the dreaded HTTP 500 error and have gone through my Guide, followed KB883380 method 2 and still get the same error – it just might be a good idea to run the Exchange BPA and check your DNS settings are 100% happy.

Alan

Apple Releases iOS 4.3 for iPhone and iPad

Today Apple have released their latest Operating System for the iPhone and iPad. As usual, if you want the upgrade, you will need to download the latest version of iTunes to be able to install it.

Benefits of the new OS include:

Airplay Enhancements
Safari Performance
iTunes Home Sharing
iPad Side Switch (you now have a choice of the action it performs)
Personal Hotspot for iPhone 4

The one key benefit (for me) is the ability to control what the Side Switch does on the iPad. In the original iPad OS – the Side Switch locked the screen rotation and stopped the screen from rotating from portrait to landscape and vice-versa if you rotated the iPad. On the next iOS for the iPad, the switch suddenly controlled the volume so that you could quickly mute the sound and the Rotation Lock involved Double-Pressing the home button, sliding to the settings screen and then unlocking or locking the screen – much more cumbersome.

Now you can choose between Screen Lock or Volume Mute in the General Settings – mine is back to Screen Lock!!

For more information about the new iOS 4.3- please visit this link:
http://www.apple.com/uk/ios/

iOS 4.3 is compatible with the following Apple Hardware:
iPhone 3GS
iPhone 4
iPod Touch 3rd Generation
iPod Touch 4th Generation
iPad
iPad 2

Forefront Threat Management Gateway and Activesync – Password Prompt Issues on Windows Phones

Since installing Microsoft Forefront Threat Management Gateway in Front of my Exchange 2010 server, my Windows Mobile Phone has been regularly prompting me to enter my password (I have an HTC HD2). If I hit Cancel instead of entering the password, the phone will continue to sync (of course I could have entered my password, but I felt that it wasn’t necessary).

So – presumably there is a problem with a rule somewhere or a rule missing that is causing this problem.

After my business partner (Mark) had done some digging, he discovered a potential fix for this and emailed me a link. On checking the link, I did some research and there appeared to be a setting in my OWA / Activesync Publishing Rule that when de-selected (it is set by default), seems to happily solve the problem. To change the setting, please do the following:

Open up Forefront TMG Management, Click on “Firewall Policy” in the tree in the left-hand pane and then find your OWA / Activesync rule.

Double-click on your OWA / Activesync Publishing Rule, then click on the Listener Tab, then the Properties Button for the Listener, then click on the Forms Tab, then the Advanced button on the Forms Tab and you will see a Check box call “Apply Session Timeout to Non-Browser Clients”.

Untick this check box, click on OK 3 times, Apply the rule changes and then the Password Prompt on your Windows Mobile phone should have stopped and syncing will resume normally.

As Activesync needs to keep a connection open with the Exchange server, with this setting selected, the connection is dropped and thus the phone thinks it needs to re-authenticate with the server. With the setting not selected, then phone is allowed to keep a connection open with the Exchange server and thus the password prompt doesn’t pop up.

HTC HD2 Screen Lock – Prompt For PIN Every Time Phone Turned On Fix

Anyone who has an HTC HD2 mobile phone and syncs it to an Exchange Server that forces a PIN for security reasons has probably been frustrated as much as I have with having to key in the PIN every single time the phone is turned on.

Having used numerous HTC mobile phones over the past 6 or 7 years, and not having had this problem with any of their phones before, even when connected to an Exchange Server, I spoke to HTC about the issue and left the problem with them to hopefully find a fix and allow me to use my phone properly.

Well, that was in early August when I got back from holiday.

It is now September 23rd and having not heard a peep out of HTC, decided to chase them up and see what progress they had made.

After putting the phone down to HTC after one conversation, they suggested that I call my airtime provider (O2) as the software on the phone was an O2 branded version and that they must have changed something to cause the problem. Well, my business partner has an O2 HTC HD2 phone and it came from O2 and does not have the O2 branding all over it and it has the same problem, so a further call to HTC to discount O2 as the root of the problem left them a little bit perplexed, but me even more annoyed because I had to explain myself again to the support person at the other end of the phone.

One support guy escalated the call to a 2nd line person who basically advised me the fix was to Hard Reset the phone (which I had already done, so had my business partner, and it was no better). Well, that was useful advice!

To cut a long story short, after several phone calls to different HTC support staff, each time having to explain the problem to them, which they clearly did not understand and after much persuasion that it was not an Exchange issue, not an issue with the settings on the phone, but that the settings were simply getting ignored, I finally spoke to one person there who basically said that they were not going to do anything about it because it was not a problem, more like a “Security Feature”! Well – it is a Security Feature that I can do without.

After the final phone call, I rang O2 and asked if they could change my handset to one that worked. They advised me that I was not able to upgrade (having just done so), and could not change phones, so I was stuck with the annoying handset until next time renewal was due (10 months away). At that point, I asked to be put back onto an iPhone tariff and will continue to use the iPhone.

Not wanting to let this problem go, I surfed the web and after scouring through some forums, decided that I was not alone in having this problem, music to my ears, but no doubt something that HTC won’t want to hear, or maybe that should be ‘couldn’t care less’?

Buried within one forum was a Registry Tweak that could be made which looked like it might solve the problem and one user reported that it had worked for them (hurrah!).

So, I downloaded CERegEditor and installed it, then hooked up my HD2 via the USB cable and opened up the registry.

The suggested key to change / add was:

HKCU\ControlPanel\Keybd REG_DWORD DeviceLockWhenSuspend – Value = 0

After adding that key, because it was not already present, soft resetting my phone and testing the phone lock timeout, the phone did not ask me for the PIN every time I turned the phone on. Eureka!

So – tomorrow I may call HTC and advise them of the ‘fix’ to the problem they don’t seem to care about and hopefully they will add this to future ROM versions so that others may stop being as annoyed as I was about this little issue that seems to be frustrating the life out of every HTC HD2 owner.

One drawback of this registry “tweak” is that the phone will start working in your pocket as there now i sno lock facility. This was a minor setback and can be fixed by installing the following free App:

Slide To Unlock 2

Now I don’t get annoyed by having to enter the PIN EVERY time I try to use my phone and I can lock the screen when it is is my pocket.

If you have read this far – please take the poll below so that I can see if I am alone in being annoyed with HTC or not.

Thanks

Alan

Windows Phone 7 Series – Released To Manufacturing

Microsoft has announced today that their next Mobile Phone Operating System (Windows Phone 7 Series), has been released to manufacturing.

As with most Mobile Phone Operating Systems, if you have a phone that has been tied to a particular carrier, it will be a few weeks before you can download and upgrade your Windows Mobile 6.5 phone.

For more information, please visit the following link:
http://windowsteamblog.com/windows_phone/b/windowsphone/archive/2010/09/01/windows-phone-7-released-to-manufacturing.aspx

Windows Phone 7 Series has been a complete re-write for Microsoft and it promises to be very different to the past versions.

Personally, I hope they bring out a Windows Phone 7 Series Home User version and a Windows Phone 7 Series Professional version, so that people have a choice and can use their phones for business (as I do), or use it for social networking, which I don’t.

The new version is all geared around people and what they are doing / up to, not something I will be rushing to update my phone to (he says), but then I said I wasn’t going to get an iPhone and then did (although I don’t use it any more).

Apple iOS4 Issues with iPhone 4 / 3Gs / 3G and Exchange

If you have a new iPhone 4 or have upgraded our old 3Gs / 3G iPhone to the latest OS (iOS4) and you use Exchange to push mail to your device, please visit the following page from your iPhone (using Safari) and click on the link to download and install a patch for your phone that should help ease the burden on the Exchange server you are connecting to:

Unlimited Mobile Data Plans – A Thing Of The Past

According to O2 today, from June 2010, a new Mobile Data Tariff will come into effect limiting users to a fixed amount of data for a set price and that the current ‘unlimited’ data plan is history.

The idea behind this change is that 97% of it’s users use less than 500mb of data per month and that heavy users of data will have to pay to consume more than 500mb per month. This is driven by the demand for data doubling every 4 months predominantly caused by the increase in the number of Smartphones that are being used.

If you want to read more, please visit the O2 blog entry:
http://blog.o2.co.uk/home/2010/06/offering-fair-and-transparent-access-to-mobile-data.html

Google Nexus One Mobile Phone and Exchange Mail (Activesync)

Having been asked to setup a new Mobile Phone for a customer, the 3rd such phone for the same user in as many weeks, I was duly handed a Google Nexus One phone (http://www.google.com/phone) and asked to “get it working” – which translates to “Can you please configure my phone to work with my email account on our server”.

The server in question was a Small Business Server 2003 box and I had already configured Activesync on the server having followed my own article (https://alanhardisty.wordpress.com/2010/02/28/exchange-2003-and-activesync-configuration-and-troubleshooting/), so I knew that this part was not going to present me with any problems!

Well, after figuring out where to start configuring the mail on the device, I simply chose to add an email account, chose the Exchange server option, entered all the relevant details in to the phone, clicked next and accepted the SSL certificate prompt and the mail / contacts / calendar started to download as expected.

So – if anyone wants to buy one / upgrade to one the next time their contract is due for an upgrade, I can happily confirm that the phones work happily with an Exchange server (I was vaguely expecting it not to), provided that your server is configured properly of course.