

Help me track down stolen laptop please!
August 24, 2009 6:09 PM

Quick! I right at this fleeting moment have remote access to a stolen laptop of mine that had logmein installed. What files can I copy over from it that might hold any type of identifying information? I can see that the thief uses Firefox, so are there Firefox logfiles that would track what websites he's visited, even his online email account or something along those lines? Any other useful files anyone can think of that can help me track this guy down?

By the way, Logmein provides me with the IP address so I have that. I might also try to install computrace, though it would be tricky installing a program without him seeing -- I'd have to make sure the computer has been inactive for a while, and hope he's not looking at the screen either.

Thanks for any help!
posted by grammalvsu to Computers & Internet (22 answers total) 29 users marked this as a favorite
 
This page has some FF password info that's dated but probably still helpful.
posted by sageleaf at 6:20 PM on August 24, 2009


C:\Users\(yourname)\Appdata\Roaming\Mozilla\Firefox\Profiles (Vista)

C:\Documents and Settings\(yourname)\Application Data\Mozilla\Firefox\Profiles (XP)

Also just take a look at your desktop and my documents folders, and maybe even my pictures, in case the guy is a giant idiot.
posted by Inspector.Gadget at 6:21 PM on August 24, 2009


That IP is a non-public IP. Windows? OSX? If Windows, from a command prompt, type:

tracert google.com

Copy all of the text and paste somewhere. Depending on the layout, the 1st, 2nd or 3rd will be the person's real IP (at the very least, you can determine their ISP).

From OSX or Linux:
traceroute google.com

(google.com is completely arbitrary)
posted by Cat Pie Hurts at 6:22 PM on August 24, 2009
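
The check described in the answer above (reading down the tracert hops until one falls outside private address space), as an added example that is not part of the original thread. The sample output is constructed using documentation addresses, and the function names are illustrative.

```python
import ipaddress
import re

# Ranges not routable on the public Internet: RFC 1918 private space,
# RFC 6598 carrier-grade NAT, link-local and loopback.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",
)]
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")   # hop lines start with the hop number
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of Windows tracert output (documentation addresses).
SAMPLE_TRACERT = """\
Tracing route to google.com [192.0.2.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     8 ms     7 ms     9 ms  10.20.0.1
  3    12 ms    11 ms    10 ms  host-203-0-113-1.example.net [203.0.113.1]
  4     *        *        *     Request timed out.
  5    20 ms    19 ms    21 ms  198.51.100.7

Trace complete.
"""

def parse_hops(text):
    """Return [(hop_number, address_or_None)] for every hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header, blank line or "Trace complete."
        found = IPV4.findall(m.group(2))
        try:
            addr = ipaddress.ip_address(found[-1]) if found else None
        except ValueError:
            addr = None  # dotted text that is not a valid IPv4 address
        hops.append((int(m.group(1)), addr))
    return hops

def first_public_hop(text):
    """Return (hop_number, address) of the first hop outside NON_PUBLIC, or None."""
    for number, addr in parse_hops(text):
        if addr is not None and not any(addr in net for net in NON_PUBLIC):
            return number, str(addr)
    return None

if __name__ == "__main__":
    print(first_public_hop(SAMPLE_TRACERT))
```

The hop this returns is the first router in publicly routable space, which is the address a WHOIS lookup can tie to an ISP.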


Can you possibly remotely install Undercover? That would be a huge help.
posted by autojack at 6:23 PM on August 24, 2009


To clarify: the LogMeIn IP address is only routable on the LogMeIn VPN (established by the LMI clients), not in public IP space.
posted by Cat Pie Hurts at 6:23 PM on August 24, 2009


Oh sorry, I just assumed this was a Mac...
posted by autojack at 6:24 PM on August 24, 2009


It's a PC; sorry I didn't include that info originally.

sageleaf & Inspector.Gadget
I'm copying over the C:\Users\(yourname)\Appdata\Roaming\Mozilla\Firefox\Profiles right now. I'll try the signons3 and key3 thing.

cat pie hurts
So the IP I'm getting from logmein couldn't be used to track him down eh? Shoot. OK, I'll try tracert, though I'd need to "remote control" to do it, so I'll have to wait until he leaves the computer hopefully. We'll see..
posted by grammalvsu at 6:35 PM on August 24, 2009


Can you take screenshots of his desktop? You might get lucky.
posted by bonobothegreat at 6:43 PM on August 24, 2009


This is great! I hope the thief gets caught!
posted by patnok at 7:44 PM on August 24, 2009


If you can get a browser up, go to:

http://www.ip-adress.com/

This will tell you the IP address he's connected to the Internet with, his rough location, and his ISP. (Try it on your own PC first, of course...)
posted by GJSchaller at 7:52 PM on August 24, 2009


If you can, get a keylogger on there. The only free one I know of is the Simply Python Keylogger, but if you are willing to pay there are many good ones out there such as Ghost or Perfect Keylogger. You can set these up to email you the results automatically. The next time they type their name into a field, or their telephone number, or whatever, you've got them.
posted by sophist at 12:19 AM on August 25, 2009 [1 favorite]


Thanks for your help everyone.

I copied over the Profiles directory, but unfortunately wasn't able to recover any PW info from it -- it looks like he had the option to store passwords unchecked.

As for the other solutions -- involving the command line, installing programs, loading websites -- I'll try them if I get a chance. But it might be difficult -- I'll need to "Remote Control" his computer in order to do any of these things; but if he's at the computer at the time he'd notice me doing this; so I'll need to wait until he's not actively using the computer, and hope he's also not looking at the screen. It's risky.

I'd prefer if there was a solution that merely involved modifying or copying over files to the computer -- I can use Logmein's file manager and manipulate files without the thief being notified (unlike with "Remote Control").

Is there a startup file (like boot.ini) that I can insert code into, so the next time he starts up his computer, it'll run and email me back his IP? Or better yet, start a keylogger running or something else that would help me identify him?
posted by grammalvsu at 12:58 AM on August 25, 2009 [1 favorite]


If you manage to find a keylogger that 'just runs' and doesn't need installation, you could create a shortcut to wherever you place it on your laptop and put it in the Startup folder of the Windows menu e.g. C:\Documents and Settings\*your username*\Start Menu\Programs\Startup
posted by jzed at 1:43 AM on August 25, 2009 [1 favorite]


Add a bookmark on the desktop to some free offer; free widescreen teevee, free tickets to a sports or music event, etc. Build a web page just for that offer and post it. Nice form with space for name, address, email and phone. Provide info to police.
posted by theora55 at 6:34 AM on August 25, 2009 [6 favorites]


Does the laptop have a camera? You can set logmein to blank the screen and lock the local keyboard/mouse inputs when you remote control, if you're fast you can maybe snap a photo of him wondering why his new stolen laptop just went black.
posted by T.D. Strange at 9:03 AM on August 25, 2009


Look quickly for any pictures!!!
posted by xammerboy at 10:02 AM on August 25, 2009


If possible, capture a WiFi scan. Knowing the names of visible access points could give you a geographic location. The ideal option would be to take pictures of the thief via the webcam, assuming you have one built in.
posted by chairface at 11:01 AM on August 25, 2009


Wait, oh shoot I'm an idiot. It looks like I can use the command prompt and edit the registry directly through Logmein without it notifying the thief.

With this I'll run:
tracert google.com

and also

ipconfig

What else can I do with this capability?

Thanks! (though not sure if anyone is reading this anymore...)
posted by grammalvsu at 6:37 AM on August 26, 2009 [2 favorites]


[Yes we're still reading, and we're waiting for updates, because this could happen to anyone...]
posted by Namlit at 8:07 AM on August 26, 2009


[and waiting...]
posted by rokusan at 12:23 AM on September 14, 2009 [1 favorite]


I apologize for leaving everyone waiting for so long. Here are some of the things I did in trying to recover the laptop:

-I copied over all the Firefox profile files, and then used NirSoft's MozillaHistoryView, MozillaCacheView, MozillaCookiesView, and PasswordFox in an attempt to find any identifying information. No luck though. He only went to some random sites and Ebay (which would be handy later though...), and he didn't store any PWs in Firefox.

-I also downloaded NirSoft's powerful and awesome command-line utility, one of the capabilities of which is to take periodic screenshots. So this was promising, and it felt pretty cool to finally have images of what he was seeing and spy on him in that manner. But it also might've taken a bloody lot of images to eventually get one with the info I needed.

-Fortunately I didn't have to wait on it. After WEEKS of him logging in every day, but *never* being away from the computer -- I would check his Logmein status and always see that "Keyboard and mouse are currently active" -- FINALLY one day they'd been inactive for 7 minutes. So I decided to go for it. I used NirSoft's command-line utility again, this time to shut off his monitor so he couldn't see Logmein's notification from afar, then I portaled in using LMI's remote control mode. I also changed the LMI remote control preferences so the host's mouse/keyboard were locked, and so his monitor *stayed* disabled (NirSoft's monitor disabling only lasts until keyboard/mouse input).

So I was in. And I got lucky as he was currently on Ebay. So I navigated to My Ebay-->Account-->Personal Information and got his address! Then I looked in My Docs for any identifying files (this was locked to me from the command line), but no luck. And at that point I believe he came back because notices would pop up indicating he was cycling through the Function keys in an effort to turn on the monitor again. And then I lost my connection, so I'm guessing he restarted the computer.

But no problem, I had his name and address. I called the police, and the receptionist said he'd pass it on to the detective. So I was thinking, maybe not that day, but maybe the next day they'd bust him and I'd have my laptop back. So I waited.......

And 2 weeks later I continue to wait. I continue to see the computer come online every day. I've called the police several times to check on the status, but am unable to get an update nor get in direct contact with the detective "on the case".

It's very frustrating. I'm considering going around the police and contacting him directly at this point.
posted by grammalvsu at 10:42 PM on September 15, 2009


Awesome! I have to think some local news reporter would love to get his hands on this. I think you've waited plenty long enough for the police to act.
posted by bonobothegreat at 11:04 AM on September 19, 2009


This thread is closed to new comments.