Announcement

Collapse
No announcement yet.

Need Help catching Thieves: Two laptops stolen.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Need Help catching Thieves: Two laptops stolen.

    Need help figuring out how to catch the assholes who stole two (2) laptops.

    I have googled, but with my limited server knowledge, I am wasting time and don't want to risk information getting lost on server. I do not have access to server but our IT guy has just received his diploma and may not know of this site nor be willling to ask for help.

    We are running Windows 2000 on server. Within last three to four days, some one broke in and absconded with two laptops. One of the laptops was connected to the network and signed on. (according to the last guy on laptop)

    According to IT guy, the only way to have captured the time the laptop was removed was if there was an audit program running. I know for a fact (was told by IT guy) that the audit program was not logging. I can't believe that there was not some other record or program that may have recorded or logged this termination. Wouldn't the IP have to be recognized and allowed access or the password logged.
    It is crucial to determine at what point the laptop was disconnected from the server.

    Would appreciate any help or guidance. I have tried to google, but knowing the right question to google is the problem. And, time is of the essence.


    )&^)&Asshole thieves.
    Last edited by Transporter; August 10, 2004, 13:05.

  • #2
    Sorry to sound callous, but stolen property really is more of a matter for law enforcment than for hackers. I'd get the fuzz on it. However, working in the IT industry as well, my advice to you is to learn from the experience and move on; you probably arent going to see those laptops again. More than likely they've been sold for drugs several times now. Even if you did find out what time the laptops were stolen, it probably wont help you much. If they were in a 'secure' area, have your facilities manager check the door logs to see who came in and out of that area. Other than that, file a police report, pause and reflect, then get two new laptops.

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me

    Comment


    • #3
      Originally posted by noid
      Sorry to sound callous, but stolen property really is more of a matter for law enforcment than for hackers. I'd get the fuzz on it. However, working in the IT industry as well, my advice to you is to learn from the experience and move on; you probably arent going to see those laptops again. More than likely they've been sold for drugs several times now. Even if you did find out what time the laptops were stolen, it probably wont help you much. If they were in a 'secure' area, have your facilities manager check the door logs to see who came in and out of that area. Other than that, file a police report, pause and reflect, then get two new laptops.

      Agreed, I have no problem with the callousness and it has been reported and is being investigated. The area is not very secure and I have been in the area, therefore I have a vested interest in finding the perpetrators.

      As for hackers, let me try it this way: If you were a suspect and you wanted to make sure that every avenue was being investigated, as a hacker, what would you do? And, if knowing the exact time the laptop in question was removed could help eliminate certain person(s), how would you retrieve that information. Is it available?

      Thanks for responding, maybe I hould have posted in security forum.

      If the laptops could be determined to have been taken during the weekend or any particular time, it could eliminate several suspects as they would have airtight alibi's.

      Going back to google, will check back often.








      The laptops are not really the issue. b

      Comment


      • #4
        Noid addressed the police part so I'll skip that.

        Originally posted by Transporter
        I ... don't want to risk information getting lost on server. I do not have access to server but our IT guy has just received his diploma and may not know of this site nor be willling to ask for help.
        Obviously, if you have not done this yet, remove the stolen laptops from the AD/Domain and change the passwords on the accounts which were "logged in to the server."

        Expire all passwords or require users to change them on next login.

        Check all machines which the thief had physical access for trojans. (Not likely they installed any since theft of hardware suggests less skill to get information without being noticed.)


        According to IT guy, the only way to have captured the time the laptop was removed was if there was an audit program running. I know for a fact (was told by IT guy) that the audit program was not logging.

        It is crucial to determine at what point the laptop was disconnected from the server.
        With Windows NT, things like login are recorded by default in the system logging and should be available with the system logging tool. (Don't recall what it is called in 2000 ATM.) As such, it takes an effort to disable them.

        If you have policies or domain logins set to store user files on the server upon login (such as desktop, etc) then it may be possible to examine the files which are created/modified on the server by the client to find the most recent file updated. That may help to figure when the laptop was disconnected.

        Some filesystems support dates for "access" "modify" and "create" times/dates. See if yours does. If so, one of these may help you to identify a date/time when the laptop was removed.

        Does your networking equipment log port connections/disconnections? Check it. If so, see when a disconnection from the port in use by the laptop took place.

        Does your DHCP server still have a lease for the latops in question? When was the last time they asked for a renewal of their IP address? (Search for laptops by MAC Address.)

        Do your servers run web servers? Any of them show connections from the laptop's IP? When was it?

        Got to go to work now.

        [Edit: added content below here]

        Switches often have MAC/Port lookup tables with timers. Most of the time, these timers are set in minutes not days. However, you could check to see what your switch says it has for the MAC/Port in use by the laptop. If you somehow (not likely) have 3 or 4 days for each MAC address/port entry, then you can look to see how much time is left on the timer and perform date math to find when the last ethernet frame was sent through the switch by that laptop.
        Last edited by TheCotMan; August 10, 2004, 14:14.

        Comment


        • #5
          Obviously, if you have not done this yet, remove the stolen laptops from the AD/Domain and change the passwords on the accounts which were "logged in to the server."

          Expire all passwords or require users to change them on next login.
          Passed along and thanks.

          Check all machines which the thief had physical access for trojans. (Not likely they installed any since theft of hardware suggests less skill to get information without being noticed.)
          More than likely a crackhead smash and grab.

          With Windows NT, things like login are recorded by default in the system logging and should be available with the system logging tool. (Don't recall what it is called in 2000 ATM.) As such, it takes an effort to disable them.
          According to lead Detective, the original server guy (who is gone, of course) disabled all admin/audit log filling because it had to be monitored and occasionally purged(?).

          If you have policies or domain logins set to store user files on the server upon login (such as desktop, etc) then it may be possible to examine the files which are created/modified on the server by the client to find the most recent file updated. That may help to figure when the laptop was disconnected.

          Some filesystems support dates for "access" "modify" and "create" times/dates. See if yours does. If so, one of these may help you to identify a date/time when the laptop was removed.
          Will pass along.

          Does your networking equipment log port connections/disconnections? Check it. If so, see when a disconnection from the port in use by the laptop took place.
          YES, Trillion has been contacted and we are waiting on reponse.

          Does your DHCP server still have a lease for the latops in question? When was the last time they asked for a renewal of their IP address? (Search for laptops by MAC Address.)
          Got me on this one, dont have any idea what this is, but I will pass along.

          Do your servers run web servers? Any of them show connections from the laptop's IP? When was it?
          NO


          Thank you for taking your time to respond.

          Some of what you suggested is being looked into, the other suggestions will be passed along.
          Last edited by Transporter; August 10, 2004, 14:37.

          Comment


          • #6
            Would you mind altering your quoting style for posts? The way you quoted the replies makes it look like the person being quoted as forming your replies is me.

            Also, the last line "off to work" can just be removed.

            Originally posted by Transporter
            Originally posted by TheCotMan
            With Windows NT, things like login are recorded by default in the system logging and should be available with the system logging tool. (Don't recall what it is called in 2000 ATM.) As such, it takes an effort to disable them.
            According to lead Detective, the original server guy (who is gone, of course) disabled all admin/audit log filling because it had to be monitered and occasionally purged(?).
            It has been a while, but I seem to recall that MS Windows loging services and application supports log file limits. This means you can tell it that log files should be no bigger tha X MB.

            Originally posted by Transporter
            Thank you for taking your time to respond.

            Some of what you suggested is being looked into, the other suggestions will be passed along.
            You're welcome.

            Comment


            • #7
              Would you mind altering your quoting style for posts? The way you quoted the replies makes it look like the person being quoted as forming your replies is me.

              Also, the last line "off to work" can just be removed.
              Crap, fixed it......sorry.


              It has been a while, but I seem to recall that MS Windows loging services and application supports log file limits. This means you can tell it that log files should be no bigger tha X MB.
              I am sure you are correct, but for some reason it was disabled.

              Comment


              • #8
                Originally posted by Transporter
                Crap, fixed it......sorry.
                Thanks.


                Originally posted by Transporter
                I am sure you are correct, but for some reason it was disabled.
                Incompetence? Audit trails are one of the three most important parts to security and are often overlooked. To go beyond overlooking logging and choose to disable it is SOOOO STUPID! (Quote from UHF -- the movie.)

                Now, like noid said:
                Originally posted by noid
                working in the IT industry as well, my advice to you is to learn from the experience and move on.
                Now is the time to review policy, and set new procedures or requirements for servers and logging. Perhaps review physical access, and password management. Maybe you can go out and hire a local security person to perform an audit of your site. Maybe you should consider replacing the present Admin.

                Comment


                • #9
                  Incompetence? Audit trails are one of the three most important parts to security and are often overlooked. To go beyond overlooking logging and choose to disable it is SOOOO STUPID! (Quote from UHF -- the movie.)

                  Now, like noid said:

                  Now is the time to review policy, and set new procedures or requirements for servers and logging. Perhaps review physical access, and password management. Maybe you can go out and hire a local security person to perform an audit of your site. Maybe you should consider replacing the present Admin.
                  True, in defense of the new guy, he is in the process of physically moving the servers in order to get control and on a limited budget.

                  Very good idea on site audit.

                  I understand the ramifications of having the servers set up the way they were, but that was out of my control.

                  My primary concern for now is: With audit/admin logging disabled, is there a way to determine exactly what time the "connected" laptop was disconnected from the net.

                  Thanks again.

                  Comment


                  • #10
                    Originally posted by Transporter
                    True, in defense of the new guy, he is in the process of physically moving the servers in order to get control and on a limited budget.
                    This is not a valid excuse. Logs can be auto-rotated out, or setup to purge by date or setup to have a limit in size where older logs fall into the bit bucket.

                    Originally posted by Transporter
                    Originally posted by TheCotMan
                    Does your DHCP server still have a lease for the latops in question? When was the last time they asked for a renewal of their IP address? (Search for laptops by MAC Address.)
                    Got me on this one, dont have any idea what this is, but I will pass along.
                    DHCP is a method by which larger organizations and some residences use to hand out IP Addresses, gateway (router IP), DNS and other network information to clients as they boot and desire network access. DHCP Servers hand out leases based on MAC Address reported by clients (hosts on your network) and these leases are time sensitive. The DHCP Server should have lease information to show the last time the client renewed its lease (date/time.) If you associate the MAC of the laptops(s) to the leases they used, you can see the last time they asked for a lease renewal or new lease.

                    If logging was disabled on the DHCP Server as well, then you probably do not have much time left to check the leases before the leases for these laptops EXPIRE and then new leases are handed out to a new machine. (Of course, YMMV on leases and their duration and how DHCP was being used on your site, assuming it was used at all.)

                    My primary concern for now is: With audit/admin logging disabled, is there a way to determine exactly what time the "connected" laptop was disconnected from the net.
                    Other ideas:
                    (I included this in my earlier post as an edit, so you may have overlooked it)

                    Originally posted by TheCotMan
                    Switches often have MAC/Port lookup tables with timers. Most of the time, these timers are set in minutes not days. However, you could check to see what your switch says it has for the MAC/Port in use by the laptop. If you somehow (not likely) have 3 or 4 days for each MAC address/port entry, then you can look to see how much time is left on the timer and perform date math to find when the last ethernet frame was sent through the switch by that laptop.
                    Another idea:
                    Do you have a caching proxy like squid? A SOCKS 4/5 proxy? Are clients configured to use it? Can you see if the caching web proxy in use has tracking to show what clients were visiting what URL when. Find the IP address of the latop and see if it is in the logs as well as date/time.

                    [Edit: added content]
                    If they are part of a domain, log into the PDC and/or BDC and before you remove them from the AD/Domain see if there is information about the greyed out machine. Maybe it will include a date/time when the machine last logged into the network.
                    Last edited by TheCotMan; August 10, 2004, 16:32.

                    Comment


                    • #11
                      Windows does keep a large number of logs of various things. If you really need those computers, then you should probably make an image (copy) of the server, so that Windows does not erase the logs during its natural function. If law enforcement really wanted to, I'm sure they could find traces. However, using the MACs is probably the best way.

                      I'm not sure if Windows server keeps network logs in the event viewer, but you could check.

                      And there is a chance that the theif will try to use the laptops to hack your network. Therefore, you may want to consider previous suggestions, and create a honeypot as well.

                      What you need is better securty guards. If some crackhead can simply enter and take the computers, you will have a big problem maintaining network security.
                      " Life is like a sewer... what you get out of it depends on what you put into it."
                      -Tom Lehrer

                      Comment

                      Working...
                      X