Stolen laptop

ekre8tive

Distinguished
Mar 9, 2009
2
0
18,510
Hi, I had a MacBook Pro laptop stolen last year. I now have a Dell desktop PC w/ Vista Home Premium. I have since moved from the address where the laptop was stolen. I did not connect wirelessly to the internet - only a wired DSL/broadband connection. My problem is...on my new computer Kaspersky 2007 started scanning my PC. It was taking hours, so I looked at what it was scanning, and I was shocked to see the items being scanned were from my stolen laptop - software I had previously installed and purchased for my MacBook. I then noticed a roaming profile with the name I used to set up my MacBook. And another time my computer said that there were two computers with the same IP on my network...and would not let me connect? Is this person, whoever stole my MacBook, connecting remotely thru my desktop to the internet? Please help....I'm so frustrated.
 

JustAGuy51

Distinguished
Oct 1, 2008
180
0
18,690
It is quite possible that the thief is tracking you even though you moved to a new address. This is possible, for example, if your old Mac contains personal IDs like an SSN or any ID that will link to a web site with your mailing address. When you change address, your new address is reflected on that site and he can track it since he has access to it. That is why it is never a good idea to choose "Remember me on this computer" login options for any given site.

Now there is also a good side to this. If I am the thief, I will hide my real IP in your situation. Look at the IP address he is using to connect to your desktop. IP addresses are allocated to ISPs, meaning you can tell his ISP by knowing his IP. Google "geolocation IP" to learn more. Then contact that ISP to see if they can provide you with his real identity; you may have to get legal authorities involved to get around privacy issues. Then you can go grab him with theft. Note that IP geolocation is changing all the time.

If his IP address changes during a single session, for example, his initial IP is x, 15 minutes later it changes to y, but during these 15 min. he never disconnects, he is using a proxy. So don't fix your assumption on the IP address.

Another way you can (possibly) catch him is to drop a trojan in your old Mac that will notify you back of his actual location, etc. You'll have to do a lot of digging for this option to work.

Consult knowledgeable friends in both cases.
 

JustAGuy51

Distinguished
Oct 1, 2008
180
0
18,690
Another thought:

You won't have to go too far to catch him. He is around your old city or new city physically.

Some tools *for your desktop*:
Check out sysinternals at: http://technet.microsoft.com/en-us/sysinternals/default.aspx
Programs with possible usefulness: TCPView, RootkitRevealer (if he drops rootkits, you can track him by tracking where that rootkit stuff is sending/responding back to; this will be his real IP location), LogonSessions

More tools at: http://sectools.org/
 

ekre8tive

Distinguished
Mar 9, 2009
2
0
18,510


Thank you sooo much for this information...I'll have to read over it again and try to figure everything out. He did put a rootkit on my new computer - Micro Center found it. Can I just hire you to get him?
 

JustAGuy51

Distinguished
Oct 1, 2008
180
0
18,690
Before you spend time chasing the wrong lead: I made some assumptions in my first post and may have given you "too much" encouragement. I'd like to correct myself a bit here.

Q1) Did you buy the desktop after your laptop was stolen?
If yes, it is unlikely (unless you're significant) he is coming back to you.

Q2) Are you somebody of significant status in terms of power? wealth? Don't post your answer, rhetorical Q.

Q3) Is your desktop directly connected to the Internet or through a SOHO router?
If directly connected, it is easier to come in from the Internet. If through a SOHO router, it is possible, but the NAT issue has to be resolved to access your desktop.

Q4) What exactly do you mean by roaming profile? Some sort of remote access software profile? Remote access hosted service profile? Wireless profile?

I am the thief and here is what I'll think and do to get back to you.
--- Start Scenario ---
1. (bought-desktop-after-laptop case) I need to find his new IP address on the Internet since he moved and is with a new ISP. Why bother unless he is somebody significant. He is significant! In this case, how can I find his new mailing address? Oops, he just updated his address in one of his sites and I have access to that web account.

2. Now I know his new living address. I still need to find out his new IP address. I'll drive to his place to see if he has a wireless network. He has a wireless network with WEP. I'll crack it and access it. Now I am in. I visit www.whatismyip.com to find out his new IP address. Let me look around to see if he has any new computer. He has. Sweet! I'll drop in some trojan/rootkit so that whenever his IP changes, it will notify me.

3. I drove back home. Now let me see if I can access his new desktop through the Internet. I tried the IP I just found. I might have to get around NAT implemented in SOHO routers. Good, I did it. Wait, let me secure myself a bit by connecting to a proxy (or another IP I've stolen from different people) before connecting to him.

4. At this point, I can access his desktop whenever I want to.
--- End Scenario ---


I am you and here is how I'll think and what I'll do to catch the thief.
--- Start Scenario ---
1. I suspect my desktop is having unauthorized access. I'll do the following steps *during* the time he is connected to me.
2. Let's see what my network connections are. Run TCPView. Let's look at any connection with remote IP addresses (not 192.168.x.x). For remote names instead of IPs, I can do 'nslookup remote_name' to translate to an IP address.
3. Let me weed out legitimate remote connections (for example, my Yahoo account opened with a browser at that time). Now I am left with suspicious remote IPs.
4. For every suspicious remote IP,
4.1 do a reverse name lookup, 'nslookup x.x.x.x', and write down the name. Note that this could also be a proxy name (mentioned in my 1st post about changing IP addresses). An example is a Tor proxy.
4.2 if no name comes up for the reverse name lookup, the IP can belong to
- a legitimate web site you are connected to (but purposely no name associated with it)
- a proxy address
5. For all the suspicious names I wrote down, if it looks something like a dynamic IP address, i.e. dslxxxx.west.qwest.com, I'll be more suspicious and follow this lead further. Remember my point about physical location in my 1st post.
6. If the name doesn't make sense, for example from a different country or a far away region of the same country, it can be anything, including a proxy name and including a totally unrelated/new attacker.
7. Now, I tried the IP route and it led me nowhere. I am chasing a ghost.
8. Let me try the trojan route.
9. What was my Mac version and what kind of programs are running after reboot? Btw, Mac may be hard since its roots are in BSD kernels.
10. Let me dig up any vulnerabilities for any of those auto-started services and for my Mac version, if any.
11. Now I have to use this (found) vulnerability to gain access to my Mac so that I can drop in a trojan.
12. Let me also find any trojan that can notify me about the host machine's current IP once it is dropped in. My IP is static? I can just tell it to notify me back at this static IP. My IP is dynamic? I need to obtain a fixed DNS name (dyndns.com) and specify it.
13. Unlike the IP route, the IP address the trojan notifies me back from is most likely the attacker's genuine IP address.

14. Once I find it and am confident, then I will see which ISP that IP belongs to.
15. Contact that ISP with legal authorities and find out what his real identity is.
16. Go and grab him.
17. The "Geolocation IP" I mentioned in my 1st post is useful as an aid for finding out what his location might be in case that info is not known.
--- End Scenario ---

Finally, it is a long road and your chances of success are low and uncertain, esp. if he is a smart guy. These are basic courses; there will be variations.
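Steps 2 through 6 of the "I am you" scenario (list the connections, discard the local ones, reverse-resolve the rest, weed out known sites, and flag names that look like a residential dynamic pool) as an added, runnable example; this is not code from the poster. It assumes `netstat -ano` output as the connection list (TCPView shows the same data), a caller-supplied reverse-DNS function so it runs offline against a constructed table, and a heuristic list of hostname fragments (dsl, dyn, dhcp, pool, cable, ppp) that is my own assumption about what a dynamic-pool name looks like.

```python
"""Triage of established TCP connections: which remote peers are worth a closer look?

Mirrors the post's manual procedure: TCPView/netstat -> drop private and loopback
peers -> reverse lookup -> allowlist known sites -> flag dynamic-pool-looking names
or nameless peers.  Added example, not the poster's code.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Sequence

# Hostname fragments typical of consumer dynamic-IP pools (heuristic, my assumption;
# the post's own example is dslxxxx.west.qwest.com).
DYNAMIC_HINTS = re.compile(r"(dsl|dyn|dhcp|pool|cable|ppp)", re.IGNORECASE)

# Address ranges that are never a peer "on the Internet": RFC 1918, loopback,
# link-local, unspecified, and their IPv6 equivalents.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7", "::/128",
)]

# Constructed sample in the column layout of `netstat -ano` on Windows.
# Remote IPs come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49153      192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.5:49201      127.0.0.1:8080         ESTABLISHED     1234
  TCP    192.168.1.5:49310      192.0.2.10:80          ESTABLISHED     2020
  TCP    192.168.1.5:49333      203.0.113.77:3389      ESTABLISHED     5555
  TCP    192.168.1.5:49340      198.51.100.9:6667      ESTABLISHED     5555
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
"""

# Constructed reverse-DNS answers so the example runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "www.example.com",                 # stands in for a site the user had open
    "203.0.113.77": "dsl-77-113.west.example.net",   # a dynamic-pool-looking name
    # 198.51.100.9 deliberately has no PTR record (step 4.2)
}


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn `netstat -ano` lines into records; header and UDP lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, foreign, state, pid = parts
        rip, _, rport = foreign.rpartition(":")
        records.append({"proto": proto, "local": local, "remote_ip": rip.strip("[]"),
                        "remote_port": rport, "state": state, "pid": pid})
    return records


def is_external(ip: str) -> bool:
    """True for an address that can only be reached across the Internet (step 2)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def reverse_dns_live(ip: str) -> Optional[str]:
    """Real PTR lookup for use outside this example; None when no name exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def classify(name: Optional[str], allowlist: Sequence[str]) -> str:
    """Apply steps 3 to 6 of the post to one resolved name."""
    if name is None:
        return "no-ptr"                 # nameless site or proxy (step 4.2)
    if any(name == a or name.endswith("." + a) for a in allowlist):
        return "known-site"             # a connection you can explain (step 3)
    if DYNAMIC_HINTS.search(name):
        return "dynamic-pool-like"      # residential dynamic address, follow up (step 5)
    return "unclassified"               # could be anything, proxy included (step 6)


def triage(netstat_text: str, ptr_lookup: Callable[[str], Optional[str]],
           allowlist: Sequence[str] = ()) -> List[Dict[str, Optional[str]]]:
    """One finding per established connection to an external peer."""
    findings = []
    for rec in parse_netstat(netstat_text):
        ip = rec["remote_ip"]
        if rec["state"] != "ESTABLISHED" or not is_external(ip):
            continue
        name = ptr_lookup(ip)
        findings.append({"remote_ip": ip, "port": rec["remote_port"], "pid": rec["pid"],
                         "ptr": name, "verdict": classify(name, allowlist)})
    return findings


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in reverse_dns_live for real data.
    for f in triage(SAMPLE_NETSTAT, SAMPLE_PTR.get, allowlist=("example.com",)):
        print(f"{f['remote_ip']:>15}:{f['port']:<5} pid={f['pid']:<5} "
              f"{str(f['ptr']):<32} {f['verdict']}")
```

The PID column is what ties a suspicious peer back to a process (TCPView shows the same mapping), which is the next thing to check once a connection is flagged; the allowlist should hold only domains you can account for at the moment of the capture, since the post's step 3 is about connections you opened yourself.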