Help- Stolen iMac

Kevin
Contributor II

We had an iMac stolen. The thief has upgraded the OS and deleted users, but is still using the computer. It is faithfully reporting in to the JSS every 15 minutes. How can I copy the users home directory to a location on my servers to try to identify the bad guy?

I obviously have his IP address, but the last time we had a situation like this, Comcast told LE that it would take 3-4 weeks to identify the crook by IP. (BS)

Anyway, I was thinking that if we could copy his home folder, we could possibly identify him. I have an ftp server I could copy files to. I could make a policy to copy the files and hopefully pull some incriminating info.


chriscollins
Valued Contributor

I would set yourself up with a Prey account and then create a custom installer and push it to the machine. Then you can get screenshots, etc.

https://preyproject.com

davidacland
Honored Contributor II

If you can run commands on the remote machine it will just be a case of using scp to copy from the HD to a server of your choice. I would use scp over ftp so it's invisible to the user. Are there any new user accounts on the Mac you can identify from the JSS record?

It would be worth contacting the police though as they would be able to advise you better on the direction to take.
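One way to answer the question about new user accounts from the JSS record is a script-type Extension Attribute. The script below is an added example written for this thread, not code from any poster or from Jamf; it assumes macOS `dscl` is available and that each account's accountPolicyData plist carries a creationTime key, as noted in its comments.

```shell
#!/bin/sh
# Added example (not code from this thread): a Jamf Extension Attribute script
# that reports every local account with UID >= 500 and the time it was created,
# so the JSS inventory record shows accounts added after the theft date.
# Assumes macOS dscl and that the account's accountPolicyData plist carries a
# creationTime key (an assumption; old or migrated accounts may lack it).
# The parsing steps are separate functions so they can be exercised with
# constructed input on any system.

# Keep "name uid" lines (from `dscl . -list /Users UniqueID`) for real users:
# UID >= 500 and not a system "_" account.
list_local_users() {
    awk '$2 >= 500 && $1 !~ /^_/ { print $1 }'
}

# Extract the integer creationTime epoch from the XML plist that dscl prints
# for accountPolicyData; prints nothing when the key is absent.
creation_epoch() {
    sed -n '/<key>creationTime<\/key>/{n;s/.*<real>\([0-9]*\).*/\1/p;}'
}

# One report line per account: "user created <when>" or "user created unknown".
format_entry() {
    if [ -n "$2" ]; then
        printf '%s created %s\n' "$1" "$2"
    else
        printf '%s created unknown\n' "$1"
    fi
}

# Assemble the EA result on the Mac itself (macOS-only commands live here).
ea_report() {
    out=""
    for u in $(dscl . -list /Users UniqueID | list_local_users); do
        ts=$(dscl . -read "/Users/$u" accountPolicyData 2>/dev/null | creation_epoch)
        if [ -n "$ts" ]; then
            ts=$(date -u -r "$ts" '+%Y-%m-%d %H:%M UTC')
        fi
        out="${out}$(format_entry "$u" "$ts")
"
    done
    printf '<result>%s</result>\n' "$out"
}

if [ "$(uname)" = "Darwin" ]; then
    ea_report
fi
```

Add it as a script Extension Attribute in the JSS; accounts whose creation time falls after the theft date stand out in the inventory record at the next check-in.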

dpertschi
Valued Contributor

Search the word stolen here, there have been other recent discussions. Sounds like Prey is the best tool though from what I've seen.

Ditto on talking to law enforcement about what you should/should not do. Your actions without their advice and approval might be unactionable and/or inadmissible.

stevewelgoss
New Contributor

The IP address should identify the ISP. You may consider reaching out to local law enforcement with that info so they can contact the ISP to determine the exact location for recovery.

GaToRAiD
Contributor II

@Kevin as david has already said, I would use something like SCP to the ftp.

Here is a little bit of info you can use to do it.

#!/bin/sh
# This will transfer every user's home folder to the remote host.
# scp copies from here to there; sftp does not take a source and a destination
# as arguments, so it is the wrong tool for an unattended policy. The policy
# runs with no one to type a password, so key-based SSH auth for user@host
# is assumed.
# Only the top-level folders under /Users are copied (find's default recursion
# would copy every subfolder a second time), and paths with spaces are handled.
find /Users -mindepth 1 -maxdepth 1 -type d | while IFS= read -r D
do
    /usr/bin/scp -r "${D}" user@host:/path/to/where/you/want/files/
done

#now for fun, you can do this if you want :)

/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.loginwindow.plist
/bin/rm -r -f /System/Library/LaunchDaemons/com.apple.loginwindow.plist
/sbin/shutdown -r now

btw, I just threw together the code and didn't test it.

Kevin
Contributor II

Good advice guys. Loss Prevention is on the way (former Detroit PD detective) to advise and direct next steps. Prey looks awesome. I created a policy to push it to the unit, but haven't yet. (created, but disabled)
I don't see how to deploy this and then connect to it unless the device is in my control during the install.

If I push the install, how can I identify it and connect to it in the Prey console?

roadrunner2348
Contributor

Definitely reach out to local law enforcement, they would be the best people to handle this, but in the meantime anything you can do to help identify the person that you can give to the police would be best. +1 to installing prey as well, should give the police something they can take action on, if what you already have isn't enough.

jjones
Contributor II

Another thing I would do now, set a firmware password on that iMac to prevent him from having full control of the system. Also, if you have a login AUP, that will discourage any "good" pawn shops from buying it, and should get hold of authorities in the event of it being found.

Kevin
Contributor II

Firmware password policy set.

Kevin
Contributor II

How can I set up a custom installer for Prey?

chriscollins
Valued Contributor

@Kevin After you have created your account, in the Prey interface you go to your account settings and on the bottom left in blue you will see your API key which is unique to your prey account. Copy it.

Download the installer package from the site. Put the installer file somewhere like /tmp/.

Drag in that package installer so that the raw .pkg file is actually the file that's going to be installed on the end computer.

Make a new bash post install script for the package in Composer. Make it look like this:

#!/bin/sh
## postinstall

# Composer's standard postinstall arguments (unused here, kept for reference)
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Set API_KEY for this one command; sudo -E keeps it in the environment so
# Prey's installer can read it and register the machine to your account.
API_KEY=<your api key> sudo -E installer -pkg /private/tmp/prey-mac-1.3.6-x86.pkg -target /
# Clean up the staged installer
rm /private/tmp/prey-mac-1.3.6-x86.pkg

exit 0      ## Success

What that post install script does is set the API_KEY environment variable to your api key (obviously don't include the "< >"). Then when you run sudo -E it preserves the environment variables.

When you deploy it Prey will know to register that machine with your API key and it will dump it into your accounts inventory. If you have Prey's notification emails enabled you should get a notification when the stolen machine is registered.

Kevin
Contributor II

The API key was the missing piece. I was trying to figure out how to link the device with my account. "Officially" Prey says it can't be done.

THANKS for the workaround!

Kevin
Contributor II

OK, Prey installed on the device and is reporting in.

THANK YOU GUYS SO MUCH!

Kevin
Contributor II

Lots of photos of this guy's kitchen, but so far, no faces.

Kevin
Contributor II

Update. We were advised by LE to stop capturing the photos. Apparently even bad guys have an expectation of privacy inside their homes.

Argh.

So I set the camera to NOT take photos and to send me screen captures instead. I am still getting photos and no screen captures. Anyone else use the Prey software that can tell me if this is a limitation of the free account or simply a bug?
UPDATE: screen captures suddenly started working overnight…

zanb
New Contributor III

@Kevin

Capture the output of their browser history through script policies or Extension Attributes. This may help you figure out where they've been and might be able to collect data on who they are.

For each line below change "XXX" to the username.

Chrome: (the History file is an SQLite database, so query it rather than cat it; copy it first if Chrome has it locked)
sqlite3 "/Users/XXX/Library/Application Support/Google/Chrome/Default/History" "SELECT url, title FROM urls;"

Safari:
/usr/libexec/PlistBuddy -c "Print" "/Users/XXX/Library/Safari/History.plist"

Firefox: (Replace "YYY" with the Firefox profile name)
sqlite3 "/Users/XXX/Library/Application Support/Firefox/Profiles/YYY.default/places.sqlite" "SELECT url, title FROM moz_places;"

Perhaps the next step I would take is to get some information about their network.

List current Wi-Fi network:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport --getinfo

List nearby Wi-Fi networks: (this will be helpful because some people list geographical info in their SSIDs)

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport --scan

List DNS servers: (this may provide who is their ISP)

#!/bin/bash
# Print the DNS servers configured on every network service.
OLDIFS=$IFS
IFS=$'\n'   # split on newlines only, because service names contain spaces
# Drop the "An asterisk (*) denotes..." header line and the leading "*" that
# marks a disabled service, so each array element is a bare service name.
networkServiceArray=( $(networksetup -listallnetworkservices | grep -vE "^An" | sed 's/^\*//g') )
for SERVICE in "${networkServiceArray[@]}"; do
    echo "${SERVICE}:"
    networksetup -getdnsservers "${SERVICE}"
done
IFS=$OLDIFS
exit 0

Of course you could see if they were stupid enough to put in their real name as the current username. If not it may give you a clue as to who they are or what their pseudo-name is.

#!/bin/bash
# The owner of /dev/console is the user currently logged in at the GUI;
# look up the full name they gave that account.
currentuser="$(ls -l /dev/console | awk '{ print $3 }')"
dscl . read /Users/"${currentuser}" RealName

That's all I could think of right now. Best of luck!

daz_wallace
Contributor III

Hi @Kevin

I'm loving reading this story!

However, I do wonder that if you've been asked to stop capturing pictures due to 'privacy concerns', I think that would also cover any sort of data collection relating to screenshots, browser history etc? I'd imagine only location information would be considered ok?

I don't wanna stop the fun but just wanna make sure no-one innocent gets in trouble!

Darren

Kevin
Contributor II

@daz_dar

I was advised to stop collecting photos only. I have it set to pull screen shots, but all I am getting (so far) is the screen saver.

I can see all of the Wi-Fi networks the unit can see, and the map pinpoints it in a specific apartment building. Our loss prevention team is going to go out today to see if they can sniff those same networks. That would prove the location is correct. From there, it will be turned over to local LE (who have already been consulted).

EliasG
Contributor

I have been following this the last 2 days, it's great!!

Kevin
Contributor II

I can see from the JAMF application logs that my friend used Safari late last night for 1 hour and 4 minutes. I pulled his browsing history this morning and it is almost completely empty… one entry–Apple's home page. I guess he either cleared it when he was done, or he went in private mode right after he fired up the browser.

Now that I am getting screen shots, I will hopefully get something tonight. He didn't touch the system for almost 18 hours yesterday…

Kevin
Contributor II

So last night just before time for the bad guy to get home and start using his new Mac, a car hit a utility pole on the main road in front of his apartment complex. Comcast was down all night in that area. We lost contact with the unit. Repaired at 6AM today. The unit popped right back online.

Argh. I will have to monitor over the weekend…

Over the past two days, Prey has given me a list of Wi-Fi networks that the Mac can connect to. Pulled up in front of the building shown on the Map. Was able to pick up 5 of the networks on an iPhone. We have it narrowed to the correct building. There are only three units in the building.

Getting close.

dpertschi
Valued Contributor

@Kevin I'm curious about the legal and law enforcement aspect of this.

Are you in constant dialog with the police and only acting upon their guidance as to what is and is not legal for you to do? Are they actively engaged or not so until you can generate actionable information?

mm2270
Legendary Contributor III

@Kevin When you say

I was advised to stop collecting photos only.

Advised by whom exactly? Hopefully this came from local law enforcement, because if it just came from your company, I'm not sure I'd take that advice and continue down this road. Hopefully you're in contact with law enforcement on this and passing information on to them?

EDIT: Never mind. I didn't read through all the posts before, but I see now that you are in touch with law enforcement and that advice came from them. Kind of surprised they are OK with capturing any browser history, but if they say it's ok...

Vagabond
New Contributor

So, updates? :) I'm curious on how this played out in the end.

May
Contributor III

Hi @chriscollins @Kevin

When you created the installer in Composer did you just download the prey installer, move it to tmp, then drag it into Composer and convert to source ?

When i drag the pkg into Composer it's asking me to convert to source, rather than listing it in the source section.

Thanks for the post install script!!

Cheers
Andy

chriscollins
Valued Contributor

Hey @May, I did as you described. You really have two options. You can either drag a dummy text file out of /tmp/ into Composer just to create the new package project, then drag in the Prey installer pkg file from /tmp/ into the sources window.

OR, as I really prefer to do, just drag whatever .pkg file I need to do this kind of thing into /tmp/, rename it with a different extension like .blah, then drag that into Composer. It will create a new package project and add the /tmp/package.pkg.blah to the sources section, and then inside the sources section I just rename the file and take the .blah off the end of it. That way it doesn't trigger the convert to source thing.

Then after you do that just add a post-install action as we discussed above to install the package with your API key environmental variable set and you are good to go :)

May
Contributor III

Hi @chriscollins

That's a handy trick, thank you for the quick response!

package is waiting to install when they come online again...

Did you have to wait for the device to show up in your Prey web page before you can choose what info you wish to collect, or does that get set another way?

Thanks again!
Andy

chriscollins
Valued Contributor

It's been a little bit since I used it but you can have Prey's server email you when a new device registers. After that though I think you have to go into the interface and turn on the actual information gathering/tracking by clicking the "Set Device To Missing" or something similar. It's basically the big RED button. haha.

May
Contributor III

@chriscollins

Package is installed and device is now showing up in the interface (where the screenshots and photos can be enabled/disabled)

What a great piece of software,
Thanks again for the configuration info!!

mattware
Contributor

I'm dying for an update. What was the end result? @Kevin

jjones
Contributor II

This is quite an interesting story, I am wondering what the update is as well, if you are allowed to say anything at all currently. @Kevin

Nick_Gooch
Contributor III

I just tested prey on a couple machines and set it to not take pictures, just screenshots. It works until a reboot. Once the device is rebooted it then only takes pictures and no screen shots, the exact opposite of how it was set. Anyone else have that issue?

roiegat
Contributor III

Well if you have Casper access to his machine and he's checking in...in theory you could remote into his machine and watch what he's doing. Not sure about legality of what you can and can't do. Personally, I would screw with him and just have the mac keep playing "Somebody's watching me" over and over.

There was a famous case here in PA (my old high school) where kids were given Mac laptops and admins apparently were turning on the cameras to spy on them. One kid was reprimanded for doing something at home that was not up to "school code". The principal actually showed the student the picture taken by the laptop. Of course, lots of media jumped in and it became a huge thing. According to the school, the laptop was reported stolen and they were trying to find it.

Work with your local police authority and document everything you get. Good luck. I'm enjoying following this story.

Kevin
Contributor II

Update.

It took a while, but my loss prevention team finally got something going. They are being quiet about details, but told me to wipe our data from the unit and remove our JAMF agent (as well as the Prey software). The current "owners" bought it "legitimately" from a local pawn shop, and it looks like they are going to keep it. Ugh.

LE is going after the pawn shop and the person they bought it from.

If it were up to me, we make LE go get the iMac back. You buy a hot computer, you lose it. On the other hand, it is a 7 year old iMac…

So today, I get to clean it up and let it go.

roiegat
Contributor III

@Kevin Hopefully the pawn shop will have some good security footage of who sold the iMac to them.

Reminds me of a great story I saw recently about a guy who had his iPhone stolen. Apparently a large percentage of stolen iPhones go to China. One person noticed a year after his phone was stolen that pictures would show up on his iCloud feed of a Chinese man. He took to Twitter and was able to locate the person and they became good friends. He even visited China and was treated like a local celebrity. So sometimes these stories have a happy ending.

Good luck with the Pawn shop!