How we recovered a stolen laptop with help from GFI Remote Monitoring, Prey Project, a dash of cunning and a little bit of luck!

A customer of ours recently called us up to request a quote for a replacement laptop because the one we had bought them only a few months earlier had been stolen in a burglary and they didn’t expect to ever see it again. The laptop (running Windows 7) was configured with Office 365 and the password was cached, so we reset the password for the account to prevent anyone abusing the account and at that point we thought we couldn’t do anything else to help.

The thought of getting the laptop back was the furthest thing from our minds (and our customer’s) because there was no software on it that we could use to gather information that could be used to recover it (or so we thought). We therefore started to search for a suitable replacement laptop and passed on the prices to our customer accordingly.

It was only after having a discussion in the office that Mark, my business partner, mentioned PreyProject and what a shame it was that it wasn’t already installed on the laptop. He did a bit of digging around on their website and found that there was a batch file that could silently install the software if only we could get the software on to the laptop.

We currently use GFI Max RemoteManagement to monitor our customers’ servers, computers and laptops and we could see that the laptop had been connected to the Internet on a new IP Address, so we started to record the IP Address (screen-shots of the laptop in the GFI Control Panel) and passed the information on to the Police. The Police would then be able to use the IP Address to trace the user at the date/time we recorded it and from that, trace the address and hopefully the laptop. That would all take time though and it was possible that the laptop would be moved to a different location and therefore getting the laptop back would take time and might not happen at all. GFI also records a multitude of information about the hardware including the Serial Number, Make and Model and I also passed this information to the Police to identify the laptop should they eventually get the opportunity to recover it.

Thinking more about GFI and what was available to us, one of the options available is to use a Script Check to perform remote commands. If only we could somehow come up with a script to remotely download and install PreyProject then we might be able to do more than just trace the IP Address, we could possibly get some web-cam pictures of the person using the laptop, some screen-shots of what they were doing and local Wi-Fi networks that were in the vicinity of the laptop. If only……..

So I set about writing a script that could download the .exe file and the batch installation file using FTP from my Draytek router (with memory stick plugged into it) and tested this locally, which worked very well. Testing the same script at a different location unfortunately didn’t work and so I gave up on the FTP route and searched for an alternative. The alternative that I came up with was to use BITSADMIN (Background Intelligent Transfer Service), which is used by Windows to download files for things like Windows Update and was of course installed on the laptop by default. After uploading the PreyProject .exe file and their installation batch file to our website, I wrote a script to download the files to the laptop and then run the installation. I then tested the script out on my laptop and it worked successfully.

My script which I eventually used looked like this:
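@echo off
rem Create a working folder for the downloads
md c:\temp
rem Download the Prey installation batch file and the installer using BITS
bitsadmin /transfer myDownloadJob /download /priority high http://www.mywebsite.com/preyinstall.bat c:\temp\preyinstall.bat
bitsadmin /transfer myDownloadJob /download /priority high http://www.mywebsite.com/prey-0.5.3-win.exe c:\temp\prey-0.5.3-win.exe
rem Switch to the working folder and run the silent install with the Prey API key
c:
cd c:\temp
preyinstall MY_Prey_API_Key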

(any script writers out there please forgive the very basic nature of the script – I am no batch-script writer – but it works!)
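
A hardened variant of the download step above, as an added example that is not part of the original post: it fetches the installer over HTTPS and checks its SHA-256 with certutil before anything is run. The HTTPS URL, the job name and the EXPECTED placeholder are assumptions (the real hash would be computed on a trusted machine before upload), and the same check would apply to preyinstall.bat.

```bat
@echo off
setlocal
rem Added example: the URL is assumed to be served over HTTPS and the
rem hash below is a placeholder, not a value from the post.
set "URL=https://www.mywebsite.com/prey-0.5.3-win.exe"
set "DEST=c:\temp\prey-0.5.3-win.exe"
set "EXPECTED=REPLACE_WITH_KNOWN_GOOD_SHA256"

if not exist c:\temp md c:\temp

rem Download with BITS, as in the original script, and stop if it fails.
bitsadmin /transfer preyDownload /download /priority high "%URL%" "%DEST%"
if errorlevel 1 (
    echo Download failed
    exit /b 1
)

rem certutil prints a header line, then the digest, then a status line.
rem Keep only the first line after the header.
set "ACTUAL="
for /f "skip=1 delims=" %%H in ('certutil -hashfile "%DEST%" SHA256') do (
    if not defined ACTUAL set "ACTUAL=%%H"
)
if not defined ACTUAL (
    echo Could not compute the hash
    exit /b 2
)

rem Older certutil builds separate the bytes with spaces, so strip them.
set "ACTUAL=%ACTUAL: =%"

rem Fail closed: delete the file and stop unless the digest matches.
if /i not "%ACTUAL%"=="%EXPECTED%" (
    echo Hash mismatch - refusing to run the installer
    del "%DEST%"
    exit /b 3
)

echo Hash verified
rem The install step from the original script would follow here.
endlocal
```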

Having uploaded the script to GFI, I then assigned the script check to the stolen laptop and waited.

After a short while, the script came back with a Timeout Error. At that point I was disappointed because I had scheduled the script with the maximum timeout value of 150 seconds and it must have taken longer to run than the 150 seconds. I then set about checking the script to make sure all was well and couldn’t see a problem. I even started timing the downloads and for me it all worked well within the 150 seconds. So presumably the current laptop user was using a slower connection.

I decided to log in to the Prey Project Control Panel to make sure there was space for the stolen laptop to be installed (on a free account you get 3 free spaces to monitor devices and I knew that I had one space left). I was very surprised at that point to see the stolen laptop appear in the list of Devices I could monitor and so I reported it as stolen, configured the settings to gather geo-location information, grab web-cam shots, screen-shots, Wi-Fi networks and anything else it could to help me locate the laptop. There are additional options available to lock the device, have the device make a noise, display a warning message on the screen and to hide emails, delete browser cookies and stored passwords, but I decided to leave those alone for now as I didn’t want to scare off the laptop user, I wanted to get the laptop back.

I set the PreyProject monitoring interval to the smallest interval available and waited to see what came back into the 10 available reporting slots available on a free account (this can be increased for a paltry $5.00 a month to a 2 minute interval and 100 reporting slots).

What initially came back was a very dark image of the laptop user playing games and their location was reported as being in Central London (it was night-time so the lighting wasn’t brilliant). I flagged my laptop as being stolen and waited for the first report back from that and when it came back, I was reported as being right next to the stolen laptop, which clearly wasn’t the case, so I didn’t pay much heed to the geo-location information and eventually turned it off.

I sat back and waited for more reports to come in and was rewarded the next time with a slightly clearer picture of the laptop user who was busy watching porn!

After a while, it seemed that the laptop user was aware of the webcam being used and the images then came back completely black, so I turned off the web-cam setting and continued to grab screen-shots and wi-fi networks etc.

The next day (during daytime), I turned the web-cam back on and ended up getting a very clear picture of the laptop user which I then passed along to the Police.

I continued to enable / disable the web-cam option and as my available slots for reports were filling up, decided I didn’t want to lose any good images of the laptop user, so upgraded my account and then increased the monitoring interval.

After several not very exciting reports with no new information, I then received the most interesting screen-shot that was to give the laptop’s location away precisely. They were writing a letter and had put their address and telephone number at the top of the letter and I had a screen-shot of the letter. The location wasn’t too far away from my own location, so I decided to pay the address a visit and took my iPhone with me to verify the Wi-Fi networks that were shown in the report.

Standing outside the address in the letter I turned on my Wi-Fi on my iPhone and took some screen-shots of the available networks and 5 of the networks that were captured using PreyProject matched the networks I could see. The laptop HAD to be close and thus the address on the letter had to be the laptop user’s address. I excitedly passed this information on to the Police and they then arranged for a Search Warrant from the Courts the next day and then paid the address a visit the following morning.

I then received a phone call from my customer to say that they had been contacted by the Police and that they could collect their laptop from them (with some proof of their identity) the following day, which they did. We are now restoring the laptop back to a pre-stolen date to remove traces of software that was installed during its absence and we heard that the insurance company was not going to pay out for the laptop because it was a work laptop and was not therefore technically covered on the household insurance from the house it was stolen from, so it was just as well we got it back.

So – if you don’t already have PreyProject installed on your iPad, iPhone, Laptop, Computer, Android phone, Apple Mac, Linux PC or anything else that it can be installed from, then what are you waiting for? If it gets stolen without PreyProject installed, you had better be one of our customers with Monitoring software installed or you can kiss it goodbye!


Windows 8 – After actually using it for 24 hours

My first impressions of Windows 8 were not very favourable as like most people, I am a creature of habit and change for the sake of change doesn’t sit well with me, so seeing the new Metro UI on Windows 8 for the first time when I installed the Release Candidate onto a PC for testing was a little bit of a shock to the system to say the least.

I had ignored Windows 8 for as long as I possibly could but being in IT Support it wasn’t long before some of our customers had bought a new PC / laptop with Windows 8 on it and ultimately I would end up having to support it, so felt that it was time to take my head out of the sand and swallow the pill, however bitter it was going to taste.

I had also read Mark Minasi’s recent newsletter about Windows 8 and the Surface Tablet (not something that is going to be purchased by me – I love my iPad / iPhone) and decided that perhaps it might not be quite as horrendous as I had first thought it might be.

So I took the already burned DVD with Windows 8 Enterprise on it home and popped it into my laptop and let it install (I decided upon a fresh installation for cleanliness, which is usually a much better way to install Windows).

Once installed, it took a little while to figure out where to find everything but after finding the desktop, customising it to add things like Computer / Control Panel / Networks etc, my favourite background photo of a Tornado GR4 flying past me at Biggin Hill Air Show, I already began to feel at home again and it wasn’t long before I had joined the office domain from home (via my LAN to LAN VPN), had installed Office 365, configured my various email accounts (you can never have too many!) and various other bits of software and was merrily using Windows 8 just as I had done with Windows 7.

Not sure I’ll ever get to like the Tiles on the Metro UI, but then I didn’t ever think I would like Windows 8, so watch this space.

Activating Windows didn’t work initially as it apparently couldn’t find the Internet, despite browsing working happily, so I searched for a solution and ended up using slmgr.vbs to get it activated using an Administrative Command Prompt (slmgr.vbs /ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY followed by slmgr.vbs /ato).

The next problem I had was installing some software which needed to install .NET Framework 3.5.  Now .NET Framework 4.5 comes pre-installed on Windows 8, but to get 3.5 installed seemed a little tricky as yet again, it couldn’t seem to find the internet!  What the heck was going on?  Trying to add it again from Control Panel> Programs and Features> Turn Windows Features on or off failed for the same reason, so I was beginning to get a bit frustrated.

After a bit of searching using a well-known search Engine (that doesn’t rhyme with Ping), I came upon an article that allowed me to manually install it using the command prompt again!  Is there a pattern forming here or am I suffering from a ‘feature’ of the version I happened to download from Technet?

So, with .NET Framework 3.5 installed, I could complete the Office 365 installation / customization and install other software that wouldn’t install without it (Roxio RecordNow Premier).

I am now trying to install Skype, so search for it in Chrome (I stopped using IE a long time ago – despite being forced to use it on a few Microsoft sites otherwise it just doesn’t work) and it suggests I visit the Microsoft Store, which I do, then just type Skype and it finds the App.  I go to install it and it insists that I log in to be able to install it using a Microsoft Account which I find a little annoying.  I just want to install it!  So having signed in using my seldom used hotmail account, I am allowed to install it and off I go.

One feature I have just found is the ability to turn off the Live Tiles – excellent – most are now being turned off 🙂 (Sport / Finance / Travel / People etc) – I don’t like the constant moving tiles as it is annoyingly distracting, especially for things I couldn’t care less about.

Windows 8 Music is now happily playing my iTunes music, so that’s a useful feature and the added information about artists that is available for each artist is quite nice to have.

So – all in all, the rollercoaster ride that I thought I was going to have with Windows 8 hasn’t materialized and despite not being a fan of the Metro UI, I am not rushing to switch back to Windows 7.

If you are debating whether to make the switch to Windows 8 and are used to Windows 7, then there isn’t that much to be upset about as they are virtually one and the same, you just lose the Start Menu Flag and gain lots of pretty colour tiles instead!  Once you have worked out how to switch to the desktop using the Desktop Tile, you are back in home territory and should be feeling warm and cosy again.  My laptop isn’t touch-screen capable, so using a keyboard / mouse is what I am used to and although I now have to press the Windows Key more than I ever have before, I can get used to it.

If you are switching from Windows XP as I am sure one or two are, then it will be quite a radical change and may take some getting used to, but in all fairness, I would take the plunge as you won’t be disappointed (once you are a little bit more familiar with Windows 8).

Alan