Help us catch a thief

wanryu
New Contributor

One of our school laptops was stolen at the end of last school year, but the thief was too dumb to erase it. He somehow created a local admin account to use, but didn't touch our admin/root info. We realized the computer is still checking in to JSS, and we can still push policies and software to it.

I have an IP address, and I'm working with the police to get the ISP to divulge the location of that customer, but! This is an exciting opportunity to remotely install software and run commands.

What would you do to a Mac laptop (OS X 10.8.5) to find out where it is and how it's being used? Identifying information would be great. I've been trying to write a program that will zip up web browser history and data stores and email them to me, but I thought that the great Internet Hivemind would have some clever ideas, too.

18 REPLIES 18

mhayden
New Contributor III

Can you push an app to take screenshots?

CasperSally
Valued Contributor II

Call the police and let them do their job.

adamcodega
Valued Contributor

The easiest to push would be Prey Project. Of course, you should lock and wipe if the laptop has important data on it but sounds like that's not the case.

blindauer
New Contributor

+1 to Prey. I've used it in the past to gather screenshots, camera shots, and geolocation info which were handed over to the police. The recovered the machine and the guy in possession narced out our cleaning guy, who was arrested.

brad
Contributor

I know of someone that grabbed their browser caches and saved passwords. Pretty easy to tell who is using it when they save their Facebook password. Luckily it was an existing employee and was able to get it back pretty easily.

yan1212
Contributor

Prey is indeed the best solution to this.

Have a look at the post below. You can install prey on a remote host easily by pushing an easy script that includes your API key.

https://jamfnation.jamfsoftware.com/discussion.html?id=11113

jesseshipley
Contributor

These are two extension attributes I wrote for a similar situation. One reports the SSID of the network the machine was connected to when it checked in and the other reports the SSIDs of all nearby wifi networks. When this happened to us I was able to see a bar's SSID and then get an address to the Police along with the user's public IP and personal SSID.

Last connected network

#!/bin/sh
echo '<result>'$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '{sub(/^[ 	]+/, ""); print}' | awk '/^SSID/ {print $NF}')'</result>'

Nearby networks

echo '<result>'$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s | awk '{print $1}' | sort | uniq | grep -v SSID | tr '
' ' ')'</result>'

davidacland
Honored Contributor II
Honored Contributor II

Thanks for the EAs @jesseshipley . Very cool.

Lots of possibilities spring to mind, zipping up the home folder and using SCP to send it somewhere would be possible.

I'm sure the police would have trouble using any evidence gathered through this method and if thats not a goal, there probably isn't much point.

You could always get the Mac to talk to them:

say -v "Whisper" "We want the computer back"

jesseshipley
Contributor

I'm adjusting my extension attribute scripts now actually. Aren't working for me in Yosemite and are way more cumbersome than they need to be now that I'm looking at them. Already fixed the first one and working on the second now.

davidacland
Honored Contributor II
Honored Contributor II

Oops, wandering off topic here but you could use:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

Its got a bunch of options like --scan that will show you available wireless networks. Would be fairly easy to grep and sed into an EA

jesseshipley
Contributor

@davidacland, that's what my scripts use

davidacland
Honored Contributor II
Honored Contributor II

Good point, ignore me. I should learn to read!

jesseshipley
Contributor

Both are fixed now. Could be cleaner but they give the information as I described.

johnnasset
Contributor

We had this happen years ago in rural Alaska. With the help of JAMF support, we created a script to take a picture with the iSight camera and upload it to an internal file share as the students were coming back to the school at night to sit outside the building and use the wi-fi. It was like Christmas morning to wake up on a Saturday and find 30+ pictures on that file share. Needless to say, we got the computer back.

tlarkin
Honored Contributor

At a previous gig when this happened IT just gathered the information (WAN IP Address, serial number, last check in time, maybe check in history) and then filed a police report with the information about the stolen computer and let them handle it. The police can contact the ISP, get the physical address of where it is phoning home from, and take it from there.

We also had a product called Computrace, which was the enterprise version of Lowjack. They would work with police to track it down and recover it. To protect everyone involved I would definitely suggest you contact the local police department and file a report and let them take it over from there. That way all parties involved are protected and you are letting the police do their job.

I would advise avoiding using the isight camera to take any pictures, that could create more legal issues. This is the method we used and I think we had a recovery rate of over 95% of missing laptops.

JPDyson
Valued Contributor

I'd underscore a point that was just raised by @tlarkin, and @CasperSally earlier: Let the police do their job. Anything else you do can only hurt you. The stories of robbers suing homeowners for injuries sustained during a break-in ought to be coming to mind right about now. This guy is going to turn up with Saul Goodman in civil court and nail you for violating his privacy.

etimothy44
New Contributor

+1 to Prey too. We have used it on 3 stolen laptops at our school. Specifically, we report the IP address to the local police department (I'm at a private school, so we do not have our own police department like the larger school districts). We were able to recover 1 Stolen laptop that was still within our local PD jurisdiction. 1 Laptop was out of the jurisdiction, so the PD would not recover the unit (they contacted the other city's PD...no results). The final laptop was reporting from outside the US....so that one was definitely a loss. Remote wiped the 2 that we could not be recovered.

Rayfield
New Contributor III

We used a free solution recently for this.

There is a script on here that takes screenshots or the desktop and camera then sends it back via FTP. One thing to keep in mind, to obtain the camera pictures you will need to have imagesnap installed. This can be pushed out through Casper as well, but our casper does not push out packages currently, and it wasn't a huge deal for us.

https://jamfnation.jamfsoftware.com/discussion.html?id=7328 - https://gist.github.com/geekyink/9621805 - https://gist.github.com/geekyink/9621838

I'd also suggest editing the name of the files with it send back so it has some type of identifying information in it, or send each stolen computer to its own folder, we had three missing at once, so it would have been a mess. We did it manually, but I'm sure there's a way to make it pull something from the missing computer automatically.

We also used another script that displayed the geolocation of the laptop that was more accurate then the built in geolocation of casper.

https://jamfnation.jamfsoftware.com/discussion.html?id=12300

From there we created a new extension attribute (With a drop down menu) and added our missing laptops to this group. It then will automatically install the scrips on first connection to the server and start sending stuff back to us. It will also report a geo-location on every check in as well.

We actually recently obtained a desktop screenshot of someone filling out a student loan, so it had their full name, address, phone number, email address, and even social security number.

We're still waiting for a resolution, but that information was forwarded over to the police a few weeks back.