Stolen laptop - suggestions.

pbenham
Contributor

Hi,

We recently had a Casper managed laptop stolen from a faculty member. It just checked in with our JSS (after being dormant for a week or so). I have passed on the new IP info, etc., to the authorities but would like to know if there's a straightforward way to use Casper to copy the user's home folder back to one of our servers on campus?
Any suggestions or ideas would be appreciated.

thanks,

Paul



Paul Benham
Desktop Operations Analyst
Bates College
110 Russell Street
Lewiston, ME 04240
PH: 207-786-6382
pbenham at bates.edu

8 REPLIES

tlarkin
Honored Contributor

If you have HTTP downloads and your JSS is reachable from outside, you can set it to a distribution point that it can download from over the interwebs and then push out a LoJack package or some sort of tracking software.

Just a thought

-Tom

Not applicable

Well, first, I would use Apple's ARD (or Casper's equivalent) to try and connect to the laptop. Then, I would take over the laptop on the sly and turn on the camera to see if you can see the user. Try and capture the screen shot. Try and get as much info to pass on to the police. If Casper is connecting, then a) the thief managed to hack the security on the laptop (there was security, right?). You should be able to write a script to use in either ARD or Casper to copy back important data files. I do not think you will be able to get back the entire home, though. Good luck!

Roy

sean
Valued Contributor

Use isightcapture to take a picture of the user. Of course you then need to get the picture back to you. If you can get this installed, though, then you should be able to configure mail and get it mailed back.

Once you have it installed and you have a picture back, I would then suggest configuring a launchd process to get regular pictures. The more the better! Look at StartCalendarInterval:

http://www.devdaily.com/mac-os-x/launchd-plist-examples-startinterval-startcalendarinterval

You could also use a launchd for network state changes (the user is likely to be in front of the machine for these).

Assuming you place the script in /usr/local/bin, then something like:

{
    Label = "edu.bates.takepicture";
    OnDemand = 1;
    ProgramArguments = ( "/usr/local/bin/isightcapture" );
    WatchPaths = ( "/Library/Preferences/SystemConfiguration" );
}

Add the output file location to ProgramArguments as well, as I think it defaults to the user's directory, which you don't want.

Run a whois on the IP of the provider.

isightcapture

http://www.applausible.com/blog/?p=144

I haven't tried it, but you could also try ImageSnap if you have problems with isightcapture.

http://www.iharder.net/current/macosx/imagesnap/

Sean

rockpapergoat
Contributor III

copy the data back to your site? you'd need the machine to be online long enough to do so, and you can't guarantee that.

sign up for prey pro: http://preyproject.com

then scope a policy to it to install the prey deployment pkg, and mark it missing in the web console. you should get details about the machine next time it's online and checks in.

ernstcs
Contributor III

I see you have lots of answers about catching who, but not about how to get the user's data. The best answer would be to have had CrashPlan Pro running. ;) Then again, ask me if we're doing that either…

Wonder if you could trigger a remote SCP command on that computer to a known system on your site to copy? You'd likely need to do it with the -o flag and provide an ssh_config file to pass credentials for you.

You'd want to be very mindful of how that script worked in terms of using a temporary account located on the remote computer on your site you'd copy to.

Let me know if this as a concept makes sense? Not sure I have time to go into more detail today…

sean
Valued Contributor

Services like Dropbox, that synchronise data between machine and websites, may be of use, but can be complicated to configure at this point. The advantage, however, is this should be standard http traffic. These sites normally use some kind of login and a running service, which may show in the menu bar.

https://www.dropbox.com/teams?tk=adwords&ag=branded&ad=standard&kw=dropbox&gclid=CIWMqbTI6KsCFRJc4Qo...

Do you have your own website for your users to push data to already? If you do and you can get a non-authenticated area to push data to, then this may be easier. Check out the man page for 'curl'.

You could try and configure a VPN for the machine to connect to and transfer the data, or maybe use FTP instead, but if the ports required are blocked on the user's router, then none of this will work! I guess you could set up an EA that is a report of a port scan.

I guess the reason you had a bunch of replies about the capture is because this is easier and if you get the machine back, then you get the data back anyway.

Did you run a whois?

Sean

Not applicable

As for data sync, why not use rsync with options to get the most valuable data?

I recently had a laptop stolen. I scoped a policy that downloaded a few scripts (using the "unix command" field in Advanced) that would run things like zipping up the Firefox profile and sending it to an FTP server. It also took a screenshot of the user's desktop, and once I'd gathered enough info, I started taking pictures of the user using the built-in camera. Presenting the user with the evidence convinced them to turn it in to the police.

Although I never thought of it until afterward, you can run the airport AP discovery to see nearby APs and MAC addresses, which might help locate the machine.

For data transfer, FTP worked, but rsync would have been better as it would skip files that were already uploaded. I would have used rsync but had nothing that was on a public IP.
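The scp/rsync idea from ernstcs and the two replies above share one caveat that is worth making concrete: whatever credential the policy leaves on the stolen machine has to be treated as already in the thief's hands, so the account it lands in must be able to do exactly one thing. The script below is an added example, not code from any post in this thread. It assumes a dedicated drop account named recov on the campus server, a drop directory /srv/recovery/laptop01, a client key at /usr/local/bin/administration/recov_key, and rrsync (the restricted-rsync helper shipped with rsync) on the server's PATH; all of those names are assumptions. It shows the resumable client copy, the authorized_keys line that confines the key, and an audit that flags any key on the drop account that is not confined.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: account "recov",
# drop directory /srv/recovery/laptop01, key /usr/local/bin/administration/recov_key.

# Client side (runs from the Casper policy as root). rsync is resumable and
# --ignore-existing skips what already arrived, so a connection that lasts only a
# few minutes still makes progress; caches and trash are not worth the bandwidth.
recover_home() {
    user="$1"; host="$2"
    rsync -a --partial --ignore-existing --timeout=60 \
        --exclude 'Library/Caches' --exclude '.Trash' \
        -e "ssh -i /usr/local/bin/administration/recov_key -o BatchMode=yes -o StrictHostKeyChecking=no" \
        "/Users/$user/" "recov@$host:./"
}

# Server side: the authorized_keys line for the recov account. command= forces
# rrsync, which confines the key to the drop directory; the no-* options remove
# shell, tty, and forwarding so the key is useless for anything but this upload.
# authorized_keys_entry <public key line> <drop directory>
authorized_keys_entry() {
    pubkey="$1"; dir="$2"
    printf 'command="rrsync %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$dir" "$pubkey"
}

# audit_authorized_keys <file>: return 1 (and name the gap on stderr) if any key
# line on the drop account lacks one of the restrictions above, so an unconfined
# key left behind during setup gets noticed before the account is exposed.
audit_authorized_keys() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        for opt in 'command="rrsync ' no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "missing $opt in: $line" >&2; rc=1 ;;
            esac
        done
    done < "$1"
    return $rc
}
```

On the server, append the output of `authorized_keys_entry "$(cat recov_key.pub)" /srv/recovery/laptop01` to the recov account's authorized_keys and run `audit_authorized_keys` on that file before the policy goes out; from the policy, call `recover_home <username> <server>`. Once the machine is back or the data is in, delete the key from the server so the copy on the laptop is dead.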

Not applicable

Here's what I have for a policy. I put this in "Run command" of the advanced section as I don't have HTTP or AFP exposed on the JSS distribution point. It essentially just downloads a script, moves and executes it. That script can be whatever you want it to be, wherever you want. I just put it on a webserver. I was using FTP to upload collected data. If I was more familiar with it, I think I would try rsync instead as I had to start thinking about deleting things that I was collecting etc. rsync would take care of not moving data that existed on the host.

sudo mkdir -p /usr/local/bin/administration; sudo curl -o /usr/local/bin/administration/locate.sh http://example.com/locate.sh; sudo chmod +x /usr/local/bin/administration/locate.sh; sudo /usr/local/bin/administration/locate.sh

Once you can do that, you can do whatever you can script. Some examples.

# variables the snippets below rely on
date=`date +%Y%m%d`
foldername=/tmp/find
currentuser=`stat -f%Su /dev/console`
FILEPATH=/tmp/find/
FILENAME=log.txt
mkdir -p ${foldername}

#takes a screen capture without sound
screencapture -x ${foldername}/capture_${date}.png

#this (with correct username) will grab firefox profile which can provide some good user info (in cookies, saved sites/passwords etc)
echo "Grabbing firefox profile" >> ${FILEPATH}${FILENAME}
ditto -v -c "/Users/${currentuser}/Library/Application Support/Firefox/Profiles" ${foldername}/firefox_${date}.cpio

# Create the compressed file from the /tmp/find folder
ditto -c /tmp/find /tmp/find.cpio
sleep 5

#code below will upload it to a FTP account. Be sure it's a temporary account.
HOST='ftp.host.com'
USER='username'
PASSWD='pAssword'
LOCALPATH=/tmp/find.cpio
DESTINATIONNAME=find_${date}.cpio
ftp -n -v $HOST << EOT
user $USER $PASSWD
prompt
binary
put $LOCALPATH $DESTINATIONNAME
bye
EOT

-------------------------------------

Here's a quick script that I wrote to grab screen caps when the machine was being actively used and ultimately to deliver the message to a user once we had collected enough info. I'm sure it could be much improved. I'm not much of a script wizard. I used it in combination with another policy that would FTP the data up to our webserver.

---------------------------------------

#!/bin/sh

# Check idle station time (seconds since the last keyboard/mouse event)
idletime=`ioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print int($NF/1000000000); exit}'`

# get current user
currentuser=`stat -f%Su /dev/console`

# message we are going to send
messagetitle="Hello Tommy"
message1="Tommy,"
message2="We regret to inform you that the laptop you are using is stolen property. A police report has been filed and we will take action if you do not return it. "
message3=" We are giving you one opportunity to return this computer and we would be willing to pay a reward if you can provide verifiable information as to the person(s) responsible for the theft. "
message4="I hope that you do the right thing and return this machine TODAY. You can drop this computer off at the Police HQ or at the local precinct in _."
message5=""
message6=""

# collection folder everything below writes into
mkdir -p /tmp/find

#get a big file listing
#ls -lR /Users/ > /tmp/find/file_listing.txt

#get current wifi network
echo "Current connection: " > /tmp/find/wifi.txt
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I >> /tmp/find/wifi.txt

#get nearby wifi networks
echo "WIFI SCAN: " >> /tmp/find/wifi.txt
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s -r 3 >> /tmp/find/wifi.txt
echo "*end of scanning*"

#start moving user data
#rsync -av $datarecover $rsynchost

if [ "$currentuser" != 'root' ]; then
    # only snap screenshot if actively using machine
    if [ "$idletime" -lt "50" ]; then
        mkdir -p /usr/local/bin/administration/
        mkdir -p /tmp/find/hellotommy/
        chmod 777 /tmp/find/hellotommy
        screencapture -x /tmp/find/hellotommy/screencap_`date +%Y%m%d`.png

        # fetch imagesnap; the archive unpacks to /usr/local/bin/imagesnap/imagesnap
        curl -o /tmp/imagesnap.cpio http://domain.com/imagesnap.cpio
        ditto -x /tmp/imagesnap.cpio /usr/local/bin/imagesnap
        chmod +x /usr/local/bin/imagesnap/imagesnap
        /usr/local/bin/imagesnap/imagesnap /tmp/find/hellotommy/cap_`date +%H%M%S`.jpg

        #popup message, comment out to not alert user
        #"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType hud -title "$messagetitle" -description "$message1 $message2 $message3 $message4 $message5 $message6" &
        #logger -i "message delivered"

        sleep 15

        #get another pic
        /usr/local/bin/imagesnap/imagesnap /tmp/find/hellotommy/cap_`date +%H%M%S`.jpg

        ditto -c /tmp/find/hellotommy /tmp/hello`date +%H%M%S`.cpio
    else
        logger -i "machine not active. Waiting."
    fi
fi

exit 0
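The policy one-liner at the top of this post pulls locate.sh over plain HTTP and runs it as root on every check-in, which means whoever controls that URL (or the network the laptop is on) controls the machine. A practitioner would pin the script's hash in the policy and refuse to run anything that does not match. The following is an added example, not code from the post above or from Casper: it assumes the SHA-256 of locate.sh was recorded when the policy was written, that curl is on the client, and that either sha256sum or shasum is available (the helper tries both so it runs on macOS and Linux). The URL and destination path are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the policy author recorded the
# SHA-256 of locate.sh up front and passes it in as the expected hash.

# sha256_of <file>: hex digest, using whichever tool the platform provides
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_if_verified <downloaded file> <expected sha256> <destination>
# Installs the file only if its digest matches; otherwise deletes the download
# and returns 1 so the caller never executes an unverified script.
install_if_verified() {
    src="$1"; expected="$2"; dest="$3"
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        logger -i "locate.sh: hash mismatch, refusing to run" 2>/dev/null || true
        rm -f "$src"
        return 1
    fi
    mkdir -p "$(dirname "$dest")"
    cp "$src" "$dest"
    chmod 700 "$dest"    # only root (the policy) needs to run it
    return 0
}

# fetch_and_run <url> <expected sha256> <destination>
# Replacement for the curl; chmod; run one-liner: download to a temp file, verify,
# then execute the installed copy. Any failure leaves nothing executable behind.
fetch_and_run() {
    tmp=$(mktemp /tmp/locate.XXXXXX) || return 1
    if ! curl -fsSL -o "$tmp" "$1"; then
        rm -f "$tmp"
        return 1
    fi
    install_if_verified "$tmp" "$2" "$3" || return 1
    rm -f "$tmp"
    "$3"
}
```

In the policy's Run Command field this becomes `fetch_and_run http://example.com/locate.sh <pinned sha256> /usr/local/bin/administration/locate.sh` (with the functions defined in the same script, or the script itself deployed once through a trusted channel). Serving locate.sh over HTTPS is still worth doing, but the hash check is what stops a modified script from running regardless of how it was delivered.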