Track Down Stolen Computer - Using Prey

TroyP
New Contributor II

Hi Guys

I thought I'd share this with you; some of you might find it useful. Let me say I'm no expert and there may be a better way, but this worked for me.

Some time ago we had a 27" iMac stolen which was sporadically checking in with Casper. We kept forwarding the IP address information to the Police, but they were having a hard time tracking it down.

With our Casper setup we don't have a Casper Distribution Point available to us externally, so we were a bit limited in what we could do. So we ran this command to download and install Prey using a free account.

cd "/Library/Application Support/" && sudo curl -O https://preyproject.com/releases/0.6.0/prey-0.6.0-mac-batch.mpkg.zip && sudo unzip -XKo "/Library/Application Support/prey-0.6.0-mac-batch.mpkg.zip" && sudo chmod 777 prey-0.6.0-mac-batch.mpkg && API_KEY="PUT_IN_YOUR_OWN_API_KEY" sudo -E installer -pkg "/Library/Application Support/prey-0.6.0-mac-batch.mpkg" -target /

The machine downloaded and installed prey and we have been able to get more information that will assist us in the recovery of this stolen machine.

I hope this helps anyone else who may be in a similar situation. C&C welcome :).
Links that assisted:
http://support.preyproject.com/kb/installation/how-to-deploy-prey-in-batch-mode-mac-os
https://preyproject.com/releases/

Cheers


hkim
Contributor II

Interesting stuff here. Sounds like an interesting project to piggy back off of for JSS to be able to do some of the reporting for geo location. I see that the client code is all open source, some of the server code is open source, maybe it's possible to build your own prey server and have clients check into that and then have JSS tie in via extension attributes.

HHhmmmmmmmm.......

TroyP
New Contributor II

One thing I would also like to point out:
when taking snaps using the inbuilt webcam, please be aware that the green light activates.

So if you get a pro account and set the report to every 2 minutes it might be a good idea to turn the webcam feature off, after you get a good facial picture.

jacob_salmela
Contributor II

I would be interested in figuring out how to make a Prey server. Has anyone attempted it or wants to join forces to figure it out?

Izquierdo
New Contributor

Hi Jack!
I'm interested in building a Control Panel for Prey.
This is the information I found.

Information to create a Control Panel (Preyproject) in CodeIgniter

Database

----------------------------------------------------------------
Table "devices"
----------------------------------------------------------------
integer "device_id"
integer "account"
string "name"
integer "delay", :default => 20
string "modules", :default => "geo module module"
boolean "missing", :default => false
datetime "created_at", :null => false
datetime "updated_at", :null => false
----------------------------------------------------------------

----------------------------------------------------------------
Table "users"
----------------------------------------------------------------
string "email", :default => "", :null => false
string "encrypted_password", :default => "", :null => false
string "reset_password_token"
datetime "reset_password_sent_at"
datetime "remember_created_at"
integer "sign_in_count", :default => 0
datetime "current_sign_in_at"
datetime "last_sign_in_at"
string "current_sign_in_ip"
string "last_sign_in_ip"
string "auth_key"
datetime "created_at", :null => false
datetime "updated_at", :null => false
----------------------------------------------------------------

index "users", ["email"], :name => "index_users_on_email", :unique => true
index "users", ["reset_password_token"], :name => "index_users_on_reset_password_token", :unique => true

----------------------------------------------------------------

Logic.

Prey queries a server (http://your.server.com) for DEVICE data.
For example, if the ID of your newly created device is 000000123456, the full URL should look like:
http://your.server.com/devices/000000123456

NOTE: I think that it also sends the API KEY in the URL, like this:
http://your.server.com/devices/000000123456/MY_API_KEY
It is a matter of security, so that no user without the api_key can access the data.

I infer this from the following lines:

File C: Prey core functions (1 hit)
Line 401: send_request "$control_panel_url/devices.xml" "--connect-timeout 20 -u $api_key:x -d \"$params\""

File C: Prey core pull (2 hits)
Line 75: send_request "$control_panel_url/devices.xml" "-u $api_key:x"

File C: Prey core push (1 hit)
Line 13: send_request "$check_url/devices/$device_key.xml" "--connect-timeout 10 -X PUT -u $api_key:x -d \"$1\""

XML data

'missing' => 'true',
'delay' => '10',
'network' => 'true',
'wifi_nearby' => 'y',
'active_connections' => 'y',
'traceroute' => 'n',
'session' => 'true',
'screenshot' => 'y',
'running_progs' => 'y',
'modified_files' => 'n',
'modified_files_time' => '10',
'modified_files_path' => '$home_path',
'webcam' => 'true',
'geo' => 'true',
'alarm' => 'false',
'alert' => 'false',
'alert_message' => 'This is a stolen computer.',
'say_message' => 'n',
'lock' => 'false',
'unlock_pass' => 'preyrocks';

Controller

# Login:
Account access

# Devices
Show all the devices I have

# Devices / api_device
Displays the configuration of the specified device

# Devices / api_device / report
Sample reports captured

# Devices / add
Add the device

# Profile
User account information (name, email, password)

# Settings
Configure the following options: "Marked as missing", "Reach new reports", "Detect hardware changes", "PCs not seen for more than X days", "PCs are seen after X time."
NOTE: You have to create a table with this info.

Additional information

https://github.com/houqp/ownPrey
https://github.com/geniass/prey-standalone-python/tree/master/webapp
https://github.com/extrakt/prey-rails-server
https://groups.google.com/forum/#!searchin/prey-security/xml/prey-security/9ircwJ8L4sI/wyut1dWR_KUJ

--

andy
New Contributor

LockItTight is way better with better and refined features, less intrusive, reliable and of course with better support.

fsjjeff
Contributor II

Andy, I'd never heard of LockItTight, so I just checked it out. Looks like LockItTight is Android/Windows only, so not really that useful for a group of people mostly focussed on iOS and Mac.

geekyink
New Contributor II

We rolled our own recovery scripts. We have 2 shell scripts that we can install/enable when a computer is lost/stolen. Once installed, the script will install its own launchd instance so it then runs independently. The first takes a desktop screenshot and will FTP it back to us every 1 minute. The second will do the same thing but from the camera. We typically save the camera script as a last resort because honestly it is not that useful to have a pic of the perp. These scripts could also be installed as part of your base build and just "enabled" when needed, thus not requiring a distro to be open to the outside.

I have recovered over 20 laptops in the last 3 years and almost every time it is because the person using the laptop will eventually login to email/Facebook or fill out an online form and I get their contact information.

We have been advised by multiple authorities to always attempt "scare tactics" first by sending them an email or calling them before involving police. We plainly explain that they are using lost company property, prove to them that we own it and we see them using it, and communicate that we are only interested in recovering our equipment and are not looking to press charges. Only once did someone not cooperate and we sent the police straight to their door.

Scripts if anyone is interested:
https://gist.github.com/geekyink/9621805
https://gist.github.com/geekyink/9621838

musat
Contributor III

Thanks @colleyryan, Those are really helpful. I have modified mine to include some code I had created for renaming the Macs.

serialNumber=$(system_profiler SPHardwareDataType | grep "Serial Number" | awk '{ print $4 }')

Adding this line I was able to include the $serialNumber as part of the file name. Just in case there was more than one Mac I was looking to track.

Tim

jaferguson
New Contributor II

I have been using VUWER which I remotely install when laptops leave our network. After installing, the computer will email me screen shots, ip geo-location with google maps location and nearest street address, and iSight photos on a customizable schedule.

I have recovered several stolen computers as well as documented when computers (although not in fact stolen) are inappropriately removed from the campus to which they are assigned.

The software is available from http://stumpy.vuse.vanderbilt.edu/VUWER.htm and works with OS X through Mavericks.

rcastorani
New Contributor II

Edit: never mind - ignore post.

Rayfield
New Contributor III

Hey @musat ,

serialNumber=$(system_profiler SPHardwareDataType | grep "Serial Number" | awk '{ print $4 }') Adding this line I was able to include the $serialNumber as part of the file name. Just in case there was more than one Mac I was looking to track.

We've tried adding this to our script and it never seemed to work. In testing I was able to get it to display the serial number of the laptop, but not with the date; it only allowed me to do one or the other, seemed like it was being shortened.

We also tried to make it name a folder with the $serialNumber variable and that didn't do anything at all. That would actually be ideal.

Any suggestions?

musat
Contributor III

These are the lines we use in the script. I haven't had a need to use it recently, but it worked the last time I used it about a year ago.

currTime=$(date +%Y%m%d%H%M%S)
serialNumber=$(system_profiler SPHardwareDataType | grep "Serial Number" | awk '{ print $4 }')

screencapture -x /tmp/$serialNumber-$currTime.png

Of course, the '$' is escaped because these lines are in a script in JAMF that echoes these lines out to a text file. The resulting file just has regular '$' characters.

Rayfield
New Contributor III

Thanks @musat

Got it to work, looks like my issue was not putting the '-' between the $serialNumber and $currTime

sean
Valued Contributor

This is assuming the time is correct on the machine and perhaps with something stolen this may not be the case.

You may also find some useful info from:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

roiegat
Contributor III

Is there a way to capture all the screens attached using the screencapture tool? I looked at the help file but wasn't really sure. We have a lot of users that have 3-4 screens connected.

While in regards to stolen equipment, I could see a laptop being connected to a monitor, or even using airplay to display on a tv. Any way to capture that?
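The serial-number naming that @musat and @Rayfield worked through above, and the multi-display question just asked, share one problem: building the capture filenames. The script below is an added example, not code from any post in this thread. It parses the system_profiler text on stdin (so it can be exercised without a Mac), falls back to UNKNOWN when no serial is found, and emits one filename per attached display. The helper names are my own; counting displays by their "Resolution:" lines in the SPDisplaysDataType output is an assumption about that report's layout.

```shell
#!/bin/sh
# Added example (not from any post in this thread): build capture filenames
# from the Mac's serial number and a timestamp, one file per attached display.
# Parsing reads system_profiler text from stdin so it can be tested offline.

# Extract the serial from "system_profiler SPHardwareDataType" output.
# Splits on the colon instead of a fixed awk column, so it works whether
# the label reads "Serial Number:" or "Serial Number (system):".
serial_from_profile() {
  awk -F': *' '/Serial Number/ { gsub(/[^A-Za-z0-9]/, "", $2); print $2; exit }'
}

# Count displays from "system_profiler SPDisplaysDataType" output (stdin).
# Assumption: each attached display contributes one "Resolution:" line.
display_count_from_profile() {
  awk '/Resolution:/ { n++ } END { print n + 0 }'
}

# Print one filename per display: <dir>/<serial>-<stamp>-display<N>.png
# $1 = serial (empty -> UNKNOWN), $2 = timestamp, $3 = directory,
# $4 = display count (defaults to 1)
capture_names() {
  serial="${1:-UNKNOWN}"; stamp="$2"; dir="$3"; count="${4:-1}"
  i=1
  while [ "$i" -le "$count" ]; do
    printf '%s/%s-%s-display%s.png\n' "$dir" "$serial" "$stamp" "$i"
    i=$((i + 1))
  done
}

# On a real Mac (not executed here): screencapture writes one display per
# file when given several filenames, so hand it the whole list in one call.
#   serial=$(system_profiler SPHardwareDataType | serial_from_profile)
#   count=$(system_profiler SPDisplaysDataType | display_count_from_profile)
#   capture_names "$serial" "$(date +%Y%m%d%H%M%S)" /tmp "$count" \
#     | xargs screencapture -x
```

Keep the output directory free of spaces if you pipe the names through xargs as in the comment; the timestamp still comes from the machine's clock, so, as @sean notes above, treat it as a sequence number rather than a trusted time.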

OSX_Admin
New Contributor

Quick MBP Prey success story. Machine was stolen, but was enrolled with jamf via DEP. Thief decided to reinstall the OS and rolled back to 10.13.6, which in turn allows access to the camera. I then ran a policy to download and install Prey. I also ran another policy disabling a potential 10.14 upgrade, assuming it might cause a disruption based on the OS changes, as "This new version of the operating system brings changes to the App Security protocols. Apple now requires third-party applications to request specific access to the device's camera to allow the use of features such as ours." Not wise to tip off the thieves, as they're not going to consent, right? I then began taking and logging desktop screenshots and pictures of the individual via camera. Once I dialed in the user's name (screenshots), I then used FB, Spokeo, Google Earth along with user screenshots, desktop screenshots and coordinates to locate the whereabouts of the device and build a quick case. I created a binder with Police Report, proof of purchase, proof of enrollment (jamf) and supporting screenshots, images, name, details etc. etc. I provided this to local PD and they easily retrieved my machine. I also met with them prior to all of this to clarify my plan, make certain it was legit and have them agree to enforce via their badge (no Jason Statham here man). Patience along with supporting details is totally key in this scenario. What gets me is the alleged thief had to have seen the enrollment screen upon installing the OS, which clearly identifies my ability to take control, add/remove apps etc. I guess they felt it was worth the risk. Maybe 3-4 total hrs invested for a $3,000 machine. Oh, the Prey Business plan is around $1.50 per node a month.