How I Recovered A Stolen Laptop (Story Of An It Guy)

[Dan O.]

The happiest place on earth: How I recovered a stolen laptop

"I work as the IT guy for a nonprofit organization with a number of programs, one of which is a summer camp. For the last few years, the leadership team of the summer camps has had an intensive planning retreat at a major Orlando-area resort facility (wink wink, nudge nudge).

The year was 2008. A new staff member joined us in January, and I set him up with a nice new laptop. May rolled around, and upon returning from the trip to Orlando, he informed me his laptop had been stolen. But not just stolen — stolen from a conference room that had been locked by a staff member of the resort when our group left the room, and was (allegedly) not unlocked again until our group returned. His laptop, along with another person's personal laptop and a couple of iPods were all missing. Understandably, the resort staff was unsympathetic and explained that signed release forms freed them from any liability.

We replaced the staff member's laptop, but he continued to be in contact with the internal investigative agency of the resort, and was consistently frustrated by them. Finally, in mid-June, he found out that he had to file a report with the county police department himself. So, he did, and an investigator was assigned to the case.

I had installed LogMeIn Free edition on the laptop when I set it up for the user back in January so I could support him remotely. The thief had not bothered to change anything about the laptop. Each time he turned the machine on and connected to the Internet, LogMeIn recorded the IP address from which it had been connected. So, I asked the staff member to put the investigator in touch with me. I provided the investigator with the dates and times the computer had been connected to the Internet, from what IP address, and even the Internet service provider, for good measure.

By mid-July, he had obtained a street address for the IP address, which took him to a crowded trailer park with Wi-Fi signals everywhere. Simply put, the laptop could have been anywhere in a surrounding trailer to the one where the IP address had been assigned at the time. He called me to explain the situation and apologize. He said it would be simply too hard to figure out where it was, unless I could tell him the computer was turned on and he could go to the trailer park immediately. He also suggested that if there was any way I could give him more specific information it would be very helpful. I explained that if the computer was turned on I could connect to it and see exactly what was happening on-screen and provide him screenshots. He said this would indeed prove very helpful.

Well, over the next few months, I saw the laptop was occasionally turned on, but never when I logged into LogMeIn. Suddenly, in late September, I started to notice the computer was online a lot more and more often when I actually logged into LogMeIn. I started remote-accessing the computer to watch what was going on. I found a few different things, including his email address. The laptop had a built-in webcam, so I could remote-access the computer, turn on the webcam, and look at what was happening in the room. One day I logged in and saw no one in the room, so I opened up a web browser and began emailing myself data from the machine, including a folder full of photographs of (possibly) the alleged thief. Each time I was able to connect to the machine, I grabbed screenshots. Everything I got I emailed to the investigator, but nothing was definitive enough.

A day in October, I connected to the machine and saw no activity, so I installed a keylogger on the computer. After looking through Internet Explorer logs and cache files, I just didn't find anything useful, so I figured keylogging would allow me to not miss anything.

Several weeks went by and nothing new. I was watching him surf his pr0n websites, check his email, etc., but nothing else. Then, on a Friday in December I logged in and found no activity on the computer. I fired up the webcam, and found the user asleep in front of his keyboard. A group of my coworkers were gathered outside my office debating the color of tile to be installed in the adjacent restrooms, so I called them into my office and showed them what was going on. I quickly emailed myself the data file from the keylogger software and then asked them if they'd like to have a little fun. They agreed, so I fired up Windows Media Player, which revealed an enormous playlist. I selected a great tune, “Disco Inferno.” I muted the speakers, rolled about 1-minute into the song, and then unmuted the speakers at full blast. All the while, we were watching our friend on the webcam. He jumped several inches and then pulled the pillow over his head and reached toward the laptop, trying to figure out how to silence it. I hit the pause button. His eyes dropped closed, and he became still again. So, like any good IT guy, I let loose on him again with more loud music just inches from his ears. This time, he reached over and shut the laptop, which sent the machine into sleep mode and booted me off. It was great fun to bat around the guy who had our laptop. And all the while I was grabbing screenshots to document our sleeping beauty.

Later that evening, as I was telling my wife all about this, I remembered the keylogger data file I had sent to my email during the remote access session. I opened it up, and found where he had typed in his complete name, date of birth, email address, street address, phone number, and social security number. I banged out an email to the investigator with all this information. The investigator didn't see it until Monday afternoon, and he called me to explain he would get on it first thing Tuesday morning.

Tuesday morning, the investigator called me and said that the investigation arm of the resort company confirmed that the name I found matched up to the name of one of their employees, and he was in fact at work on that day in one of the cafés at the resort. The investigator printed out several of the screenshots and went to meet him. He told me he was looking forward to the look on the guy’s face when he presented the photos of him sleeping.

A short while later, they were en route to the trailer park, but when they got there, there was no laptop. The investigator was told that the previous evening, the guy’s girlfriend's brother took it and was on the way to Mexico with it. I spent the next several hours kicking myself for not looking at the keylog earlier.

Late Tuesday afternoon, the investigator called me back to say that somehow the laptop was now back at the trailer of the man he had questioned earlier in the day, and he'd be going to pick it up Wednesday afternoon! Apparently the people involved got scared when they found out the police were involved and wanted to get it out of their hands as quickly as possible. The investigator explained to me that he wouldn’t be filing charges because the guy had been very cooperative and had claimed to have bought it out of the trunk of a person's car in the trailer park — many of the residents of the trailer park were also employees of this large resort.

So after the laptop cleared the evidence room, I was able to get it shipped back to my office. I thoroughly cleaned and reimaged it. Although it’s no longer a primary machine, we still use it for a few things around the office. I don’t think I will ever get rid of this one — it’s too much of a trophy.

What did I learn? First and foremost, this story is a testament to the utility of LogMeIn. I use it routinely to support my users when they’re out of the office. I never thought I would be using it to track down a stolen machine.

Second, it’s one we hear over and over: Have good backups. Because the user was remote, I had asked more than once if he was backing up his data, and he assured me he was. You can probably guess the rest of this one.

Third, inventory-tagging laptops works as a deterrent. I had applied steel serial number tags from STOPTheft.com to three or four laptops in the room (the tags that are near impossible to remove, and if removed they reveal a bright red label that says “stolen property.”) Those laptops weren’t stolen, though they were mildly tampered with. I had a tag for the laptop that was stolen, but I hadn’t yet had a chance to install it.

Finally, be prepared to provide law enforcement with the most detailed information possible because one laptop is a little fish in a big pond. Police have much bigger cases to deal with than a stolen computer. If you can lead them directly to it then you will get somewhere.

Have you ever successfully recovered any lost or stolen equipment? What did you learn from the process, and what do you do now to increase the likelhood of tracking down your company property?"


source: Spiceworks


Funny and interesting story. One reason LogMeIn rules!