
We had an iMac stolen. The thief has upgraded the OS and deleted users, but is still using the computer. It is faithfully reporting in to the JSS every 15 minutes. How can I copy the users home directory to a location on my servers to try to identify the bad guy?



I obviously have his IP address, but the last time we had a situation like this, Comcast told LE that it would take 3-4 weeks to identify the crook by IP. (BS)



Anyway, I was thinking that if we could copy his home folder, we could possibly identify him. I have an ftp server I could copy files to. I could make a policy to copy the files and hopefully pull some incriminating info.

I would set yourself up with a Prey account and then create a custom installer and push it to the machine. Then you can get screenshots, etc.



https://preyproject.com


If you can run commands on the remote machine it will just be a case of using scp to copy from HD to a server of your choice. I would use scp over ftp so it's invisible to the user. Are there any new user accounts on the Mac you can identify from the JSS record?



It would be worth contacting the police though as they would be able to advise you better on the direction to take.


Search the word stolen here, there have been other recent discussions. Sounds like Prey is the best tool though from what I've seen.



Ditto on talking to law enforcement about what you should/should not do. Your actions without their advice and approval might be unactionable and/or inadmissible.


The IP address should identify the ISP. You may consider reaching out to local law enforcement with that info so they can contact the ISP to determine the exact location for recovery.


@Kevin as david has already said, I would use something like SCP to the ftp.



Here is a little bit of info you can use to do it.



#!/bin/sh
# this will transfer every user's folder
# (scp -r copies each home directory recursively; sftp does not take a local
# source and a remote destination on its command line the way the first
# version tried to. The policy runs unattended, so user@host must accept
# key-based authentication.)
for D in /Users/*/
do
  /usr/bin/scp -r "${D}" user@host:/path/to/where/you/want/files/
done

# now for fun, you can do this if you want :)
# (unloads and deletes the loginwindow daemon so nobody can log in, then reboots)

/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.loginwindow.plist
/bin/rm -r -f /System/Library/LaunchDaemons/com.apple.loginwindow.plist
/sbin/shutdown -r now


btw, I just threw together the code and didn't test it.


Good advice guys. Loss Prevention is on the way (former Detroit PD detective) to advise and direct next steps. Prey looks awesome. I created a policy to push it to the unit, but haven't yet. (created, but disabled)
I don't see how to deploy this and then connect to it unless the device is in my control during the install.



If I push the install, how can I identify it and connect to it in the Prey console?


Definitely reach out to local law enforcement, they would be the best people to handle this, but in the meantime anything you can do to help identify the person that you can give to the police would be best. +1 to installing prey as well, should give the police something they can take action on, if what you already have isn't enough.


Another thing I would do now, set a firmware password on that iMac to prevent him from having full control of the system. Also, if you have a login AUP, that will discourage any "good" pawn shops from buying it, and should get hold of authorities in the event of it being found.


Firmware password policy set.


How can I set up a custom installer for Prey?


@Kevin After you have created your account, in the Prey interface you go to your account settings and on the bottom left in blue you will see your API key which is unique to your prey account. Copy it.



Download the installer package from the site. Put the installer file somewhere like /tmp/.



Drag in that package installer so that the raw .pkg file is actually the file that's going to be installed on the end computer.



Make a new bash post install script for the package in Composer. Make it look like this:



#!/bin/sh
## postinstall

# arguments Installer passes to every postinstall script
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# API_KEY is read by Prey's installer; sudo -E keeps it in the environment
API_KEY=<your api key> sudo -E installer -pkg /private/tmp/prey-mac-1.3.6-x86.pkg -target /
rm /private/tmp/prey-mac-1.3.6-x86.pkg

exit 0 ## Success


What that post install script does is set the API_KEY environment variable to your api key (obviously don't include the "< >"). Then when you run sudo -E it preserves the environment variables.



When you deploy it Prey will know to register that machine with your API key and it will dump it into your account's inventory. If you have Prey's notification emails enabled you should get a notification when the stolen machine is registered.


The API key was the missing piece. I was trying to figure out how to link the device with my account. "Officially" Prey says it can't be done.



THANKS for the workaround!


OK, Prey installed on the device and is reporting in.



THANK YOU GUYS SO MUCH!


Lots of photos of this guy's kitchen, but so far, no faces.


Update. We were advised by LE to stop capturing the photos. Apparently even bad guys have an expectation of privacy inside their homes.



Argh.



So I set the camera to NOT take photos and to send me screen captures instead. I am still getting photos and no screen captures. Anyone else use the Prey software that can tell me if this is a limitation of the free account or simply a bug?
UPDATE: screen captures suddenly started working overnight…


@Kevin



Capture the output of their browser history through script policies or Extension Attributes. This may help you figure out where they've been and might be able to collect data on who they are.



For each line below change "XXX" to the username.

Chrome:
# History is a SQLite database (binary), so query it instead of cat'ing it
sqlite3 "/Users/XXX/Library/Application Support/Google/Chrome/Default/History" "SELECT url, title FROM urls;"

Safari:
/usr/libexec/PlistBuddy -c "Print" /Users/XXX/Library/Safari/History.plist

Firefox: (Replace "YYY" with the Firefox profile name)
sqlite3 "/Users/XXX/Library/Application Support/Firefox/Profiles/YYY.default/places.sqlite" "SELECT * FROM moz_places;"



Perhaps the next step I would take is to get some information about their network.



List current Wi-Fi network:



/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport --getinfo


List nearby Wi-Fi networks: (this will be helpful because some people list geographical info in their SSIDs)



/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport --scan


List DNS servers: (this may provide who is their ISP)



#!/bin/bash
# split on newlines only, since service names contain spaces
OLDIFS=$IFS
IFS=$'\n'
# drop the "An asterisk (*) denotes..." header line and any leading asterisk
networkServiceArray=( $(networksetup -listallnetworkservices | grep -vE "^An" | sed 's/^\*//') )
for SERVICE in "${networkServiceArray[@]}"; do
  echo "${SERVICE}:"
  networksetup -getdnsservers "${SERVICE}"
done
IFS=$OLDIFS
exit 0


Of course you could see if they were stupid enough to put in their real name as the current username. If not it may give you a clue as to who they are or what their pseudo-name is.



#!/bin/bash
# the owner of /dev/console is the user logged in at the GUI
currentuser="$(ls -l /dev/console | awk '{ print $3 }')"
dscl . read /Users/"${currentuser}" RealName


That's all I could think of right now. Best of luck!
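The Chrome and Firefox history files mentioned above are SQLite databases whose visit times are stored as raw microsecond counters (Chrome counts from 1601, Firefox from 1970), so a dump is hard to read without conversion. This added example (not part of the thread) reads a copy of either file and returns the visits with UTC timestamps; the table, column names and epochs are the browsers' real ones, and the sample database it builds is constructed for the demo.

```python
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores visit times as microseconds since 1601-01-01 UTC (WebKit epoch);
# Firefox stores them as microseconds since 1970-01-01 UTC (Unix epoch).
# Table and column names are the browsers' real ones.
BROWSERS = {
    "chrome": ("urls", "last_visit_time", datetime(1601, 1, 1, tzinfo=timezone.utc)),
    "firefox": ("moz_places", "last_visit_date", datetime(1970, 1, 1, tzinfo=timezone.utc)),
}

def read_history(db_path, browser):
    """Return [(url, title, ISO-8601 UTC time)] from a Chrome 'History' or Firefox
    'places.sqlite' file. The file is copied first because a running browser keeps
    the live database locked; rows with no visit time (bookmarks etc.) are skipped."""
    table, col, epoch = BROWSERS[browser]
    query = f"SELECT url, title, {col} FROM {table} WHERE {col} > 0 ORDER BY {col}"
    with tempfile.TemporaryDirectory() as tmp:
        con = sqlite3.connect(shutil.copy(db_path, tmp))
        try:
            rows = con.execute(query).fetchall()
        finally:
            con.close()
    return [(url, title, (epoch + timedelta(microseconds=t)).isoformat())
            for url, title, t in rows]

def make_sample_db(path, browser):
    """Constructed sample (not real evidence): one visit on 2013-06-01 12:00 UTC
    plus one row with no visit time, using the real table and column names."""
    table, col, epoch = BROWSERS[browser]
    visit = int((datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc) - epoch).total_seconds()) * 1_000_000
    con = sqlite3.connect(path)
    con.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, url TEXT, title TEXT, {col} INTEGER)")
    con.execute(f"INSERT INTO {table} (url, title, {col}) VALUES (?, ?, ?)",
                ("https://www.apple.com/", "Apple", visit))
    con.execute(f"INSERT INTO {table} (url, title, {col}) VALUES (?, ?, NULL)",
                ("https://example.invalid/", "never visited"))
    con.commit()
    con.close()

def demo(browser):
    """Build the sample database in a temporary directory and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "History" if browser == "chrome" else "places.sqlite")
        make_sample_db(path, browser)
        return read_history(path, browser)
```

On a real machine, point read_history at the copied History or places.sqlite file instead of the sample.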


Hi @Kevin



I'm loving reading this story!



However, I do wonder that if you've been asked to stop capturing pictures due to 'privacy concerns', I think that would also cover any sort of data collection relating to screenshots, browser history etc? I'd imagine only location information would be considered OK?



I don't wanna stop the fun but just wanna make sure no-one innocent gets in trouble!



Darren


@daz_dar



I was advised to stop collecting photos only. I have it set to pull screen shots, but all I am getting (so far) is the screen saver.



I can see all of the Wi-Fi networks the unit can see, and the map pinpoints it in a specific apartment building. Our loss prevention team is going to go out today to see if they can sniff those same networks. That would prove the location is correct. From there, it will be turned over to local LE (who have already been consulted).


I have been following this the last 2 days, it's great!!


I can see from the JAMF application logs that my friend used Safari late last night for 1 hour and 4 minutes. I pulled his browsing history this morning and it is almost completely empty… one entry: Apple's home page. I guess he either cleared it when he was done, or he went in private mode right after he fired up the browser.



Now that I am getting screen shots, I will hopefully get something tonight. He didn't touch the system for almost 18 hours yesterday…


So last night just before time for the bad guy to get home and start using his new Mac, a car hit a utility pole on the main road in front of his apartment complex. Comcast was down all night in that area. We lost contact with the unit. Repaired at 6AM today. The unit popped right back online.



Argh. I will have to monitor over the weekend…



Over the past two days, Prey has given me a list of Wi-Fi networks that the Mac can connect to. Pulled up in front of the building shown on the Map. Was able to pick up 5 of the networks on an iPhone. We have it narrowed to the correct building. There are only three units in the building.



Getting close.


@Kevin I'm curious about the legal and law enforcement aspect of this.



Are you in constant dialog with the police and only acting upon their guidance as to what is and is not legal for you to do? Are they actively engaged or not so until you can generate actionable information?


@Kevin When you say



I was advised to stop collecting photos only.


Advised by whom exactly? Hopefully this came from local law enforcement, because if it just came from your company, I'm not sure I'd take that advice and continue down this road. Hopefully you're in contact with law enforcement on this and passing information on to them?



EDIT: Never mind. I didn't read through all the posts before, but I see now that you are in touch with law enforcement and that advice came from them. Kind of surprised they are OK with capturing any browser history, but if they say it's OK...


So, updates? 🙂 I'm curious on how this played out in the end.


Hi @chriscollins @Kevin



When you created the installer in Composer did you just download the Prey installer, move it to tmp, then drag it into Composer and convert to source?



When I drag the pkg into Composer it's asking me to convert to source, rather than listing it in the source section.



Thanks for the post install script!!



Cheers
Andy

