Before you spend time chasing the wrong lead: I made some assumptions in my first post and may have given you "too much" encouragement. I'd like to correct myself a bit here.
Q1) Did you buy the desktop after your laptop was stolen?
If yes, it is unlikely (unless you're significant) that he is coming back to you.
Q2) Are you somebody of significant status in terms of power? Wealth? Don't post your answer; it's a rhetorical question.
Q3) Is your desktop directly connected to the Internet or through a SOHO router?
If directly connected, it is easier to come in from the Internet. If through a SOHO router, it is possible, but the NAT issue has to be resolved to access your desktop.
Q4) What exactly do you mean by roaming profile? Some sort of remote access software profile? Remote access hosted service profile? Wireless profile?
I am the thief and here is what I'll think and do to get back to you.
--- Start Scenario ---
1. (bought-desktop-after-laptop case) I need to find his new IP address on the Internet since he moved and has a new ISP. Why bother unless he is somebody significant? He is significant! In this case, how can I find his new mailing address? Oops, he just updated his address on one of his sites and I have access to that web account.
2. Now I know his new living address. I still need to find out his new IP address. I'll drive to his place to see if he has a wireless network. He has a wireless network with WEP. I'll crack it and access it. Now I am in. I visit www.whatismyip.com to find out his new IP address. Let me look around to see if he has any new computers. He has. Sweet! I'll drop in some trojan/rootkit so that whenever his IP changes, it will notify me.
3. I drove back home. Now let me see if I can access his new desktop through the Internet. I tried the IP I just found. I might have to get around the NAT implemented in SOHO routers. Good, I did it. Wait, let me secure myself a bit by connecting to the proxy (or other IPs I've stolen from different people) before connecting to him.
4. At this point, I can access his desktop whenever I want to.
--- End Scenario ---
I am you and here is how I'll think and do to catch the thief.
--- Start Scenario ---
1. I suspect my desktop is having unauthorized access. I'll do the following steps *during* the time he is connected to me.
2. Let's see what my network connections are. Run TCPView. Let's look at any connection with remote IP addresses (not 192.168.x.x). For remote names instead of IPs, I can do 'nslookup remote_name' to translate to an IP address.
3. Let me weed out legitimate remote connections (e.g. my Yahoo account opened with a browser at that time). Now I am left with suspicious remote IPs.
4. For every suspicious remote IP,
4.1 do a reverse name lookup, 'nslookup x.x.x.x', and write down the name. Note that this could also be a proxy name (mentioned in my 1st post about changing IP address). An example is a Tor proxy.
4.2 if no name comes up for reverse name lookup, the IP can belong to
- legitimate web site you are connected to (but purposely no name associated with it)
- proxy address
5. For all the suspicious names I wrote down, if one looks something like a dynamic IP address, e.g. dslxxxx.west.qwest.com, I'll be more suspicious and follow this lead further. Remember my point about physical location in my 1st post.
6. If the name doesn't make sense, for example from a different country or a far away region of the same country, it can be anything, including a proxy name and including a totally unrelated/new attacker.
7. Now, I tried the IP route and it led me nowhere. I am chasing a ghost.
8. Let me try trojan route
9. What was my Mac version and what kinds of programs are running after reboot? Btw, Mac may be hard since its roots are in BSD kernels.
10. Let me dig up any vulnerabilities for any of those auto-started services and for my Mac version, if any.
11. Now I have to use this (found) vulnerability to gain access to my Mac so that I can drop in a trojan.
12. Let me also find any trojan that can notify me about the host machine's current IP once it is dropped in. My IP is static; I can just tell it to notify me back to this static IP. My IP is dynamic? I need to obtain a fixed DNS name (dyndns.com) and specify it.
13. Unlike the IP route, the IP address the trojan notifies me back with is most likely the attacker's genuine IP address.
14. Once I find it and am confident, then I will see what ISP that IP belongs to.
15. Contact that ISP with legal authorities and find out what his real identity is
16. Go and grab him
17. "Geolocation IP" I mentioned in my 1st post is useful as an aid for finding out what his location might be in case that info is not known.
--- End Scenario ---
Finally, it is a long road and your chances of success are low and uncertain, especially if he is a smart guy. Now these are basic courses; there will be variations.
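
The connection triage from steps 2 to 6 of the second scenario, as an added example that is not part of the original post. The function names, verdict labels and the "dynamic-looking" name heuristic are assumptions; the connection lines, addresses (documentation ranges) and PTR names are constructed, and the reverse-lookup results are passed in rather than resolved so the script runs offline.

```python
import ipaddress
import re

# Ranges that never cross the router (step 2 skips 192.168.x.x and the like).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed heuristic for step 5 ("looks like a dynamic IP address"): an
# access-technology label, or most of the address's octets inside the name.
DYNAMIC_HINT = re.compile(r"(^|[.-])(a?dsl|cable|dyn|dhcp|pool|ppp|dialup)[\d.-]", re.I)

def looks_dynamic(name, ip):
    hits = sum(bool(re.search(rf"(?<!\d){o}(?!\d)", name)) for o in ip.split("."))
    return bool(DYNAMIC_HINT.search(name)) or hits >= 3

def triage(netstat_lines, ptr_names, known_good):
    """Map each ESTABLISHED remote IPv4 address to a verdict from steps 2-6."""
    verdicts = {}
    for line in netstat_lines:
        fields = line.split()
        if len(fields) != 4 or fields[3] != "ESTABLISHED":
            continue
        ip = fields[2].rsplit(":", 1)[0]
        name = ptr_names.get(ip, "")
        if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
            verdicts[ip] = "local"            # step 2: not a remote address
        elif ip in known_good:
            verdicts[ip] = "known"            # step 3: connection I opened myself
        elif not name:
            verdicts[ip] = "no-name"          # step 4.2: unnamed site or proxy
        elif looks_dynamic(name, ip):
            verdicts[ip] = "dynamic-looking"  # step 5: follow this lead first
        else:
            verdicts[ip] = "named"            # step 6: judge by name and region
    return verdicts

# Constructed sample: netstat -n style lines, documentation-range addresses,
# made-up PTR names standing in for what 'nslookup x.x.x.x' returned.
SAMPLE_NETSTAT = """\
TCP  192.168.1.10:49701  192.168.1.1:80      ESTABLISHED
TCP  192.168.1.10:49712  198.51.100.20:443   ESTABLISHED
TCP  192.168.1.10:49720  203.0.113.45:51515  ESTABLISHED
TCP  192.168.1.10:49733  203.0.113.77:22     ESTABLISHED
TCP  192.168.1.10:49740  192.0.2.9:443       ESTABLISHED
TCP  0.0.0.0:445         0.0.0.0:0           LISTENING
""".splitlines()
SAMPLE_PTR = {"198.51.100.20": "mail.example.com",
              "203.0.113.45": "dsl-203-0-113-45.west.example.net",
              "192.0.2.9": "host9.example.org"}
KNOWN_GOOD = {"198.51.100.20"}

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_NETSTAT, SAMPLE_PTR, KNOWN_GOOD).items():
        print(f"{ip:16} {verdict:16} {SAMPLE_PTR.get(ip, '-')}")
```

A "dynamic-looking" verdict only ranks which address to look at first; as steps 4.1 and 6 note, any of these names can still be a proxy.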