Retrieving a Stolen Laptop By IP Address Alone? 765
CorporalKlinger writes "My vehicle was recently burglarized while parked in a university parking lot in a midwestern state. My new Dell laptop was stolen from the car, along with several other items. I have no idea who might have done this, and the police say that without any idea of a suspect, the best they can do is enter the serial number from my laptop in a national stolen goods database in case it is ever pawned or recovered in another investigation. I had Thunderbird set up on the laptop, configured to check my Gmail through IMAP. Luckily, Gmail logs and displays the last 6 or 7 IP addresses that have logged into your account. I immediately stopped using that email account, cleared it out, and left the password unchanged — creating my own honeypot in case the criminal loaded Thunderbird on my laptop. Sure enough, last week Gmail reported 4 accesses via IMAP from the same IP address in a state just to the east of mine. I know that this must be the criminal who took my property, since I've disabled IMAP access to the account on all of my own computers. The municipal police say they can't intervene in the case since university police have jurisdiction over crimes that take place on their land. The university police department — about 10 officers and 2 detectives — don't even know what an IP address is. I even contacted the local FBI office and they said they're 'not interested' in the case despite it now crossing state lines. Am I chasing my own tail here? How can I get someone to pay attention to the fact that all the police need to do is file some RIAA-style paperwork to find the name associated with this IP address and knock on the right door to nab a criminal and recover my property? How can I get my laptop back — and more importantly — stop this criminal in his tracks?"
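The tripwire the submitter set up by hand (leave the account live, watch its recent-access list, and treat any IMAP login that cannot be his own as the thief) can be written down as a check. The following is an added example, not code from the submission: it runs over constructed access records in the shape of a recent-activity listing, treats any IMAP access from outside an owner-defined set of networks as foreign, and reports each foreign address with first seen, last seen and a count, which is the address-plus-timestamp pair an ISP or a police report needs. OWN_NETWORKS, SAMPLE_ACTIVITY and the record layout are assumptions made for the example.

```python
import ipaddress
from datetime import datetime

# Networks the owner actually connects from. Assumption: constructed for this
# example (documentation ranges), not the submitter's real networks.
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed access records in the shape of a "recent account activity" listing:
# (access type, source IP, UTC timestamp). Sample values, not real logins.
SAMPLE_ACTIVITY = [
    ("Browser", "203.0.113.45", "2009-03-01 08:12:00"),
    ("IMAP", "203.0.113.45", "2009-03-01 08:13:00"),   # owner's own client, before IMAP was disabled
    ("Browser", "198.51.100.7", "2009-03-02 09:40:00"),
    ("IMAP", "192.0.2.137", "2009-03-03 22:05:00"),
    ("IMAP", "192.0.2.137", "2009-03-04 07:31:00"),
    ("IMAP", "192.0.2.137", "2009-03-04 07:46:00"),
]


def is_own_address(ip):
    """True if the address falls inside one of the owner's known networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_NETWORKS)


def tripwire(activity, watched=("IMAP",)):
    """Summarise accesses of a watched type from addresses that are not the owner's.

    Returns a sorted list of (ip, first_seen, last_seen, count). Once the owner has
    disabled IMAP on every machine they control, any entry here is a foreign client.
    """
    seen = {}
    for kind, ip, ts in activity:
        if kind not in watched or is_own_address(ip):
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        first, last, count = seen.get(ip, (when, when, 0))
        seen[ip] = (min(first, when), max(last, when), count + 1)
    return [
        (ip, first.isoformat(sep=" "), last.isoformat(sep=" "), count)
        for ip, (first, last, count) in sorted(seen.items())
    ]


if __name__ == "__main__":
    for ip, first, last, count in tripwire(SAMPLE_ACTIVITY):
        print(f"foreign IMAP client {ip}: {count} accesses between {first} and {last} UTC")
```

The watched-type filter is what makes this a tripwire rather than a guess: the submitter disabled IMAP on every machine he still controls, so IMAP alone is the signal, and browser logins from his own networks pass through untouched. Keep the timestamps in UTC; an ISP matches a dynamically assigned address to a subscriber by address and time together, and an address alone, hours or days later, may belong to someone else.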
IP not precise enough (Score:5, Informative)
That IP could be behind a router at a School or Library with thousands of computers behind it.
There is no way to determine who is leasing that IP without forcing the IP block owner to cough up records. That will probably take a court order, and they won't tell you, (fearing you will show up gun in hand).
If you get a court order they will tell the local authorities in the jurisdiction where the IP resides. That could be any one of 20 different police departments if it is in an urban area.
But if you can track it to a specific area, (traceroute is your friend), you might get a cop from a small not too busy department to go out and check the address.
I say MIGHT.
Busy departments will laugh you off and tell you to file an insurance claim.
Replevin (Score:5, Informative)
See if you can file a civil replevin action against John Doe to recover the laptop. That will give you the ability to issue subpoenas to trace the IP address. Once you have the identity of the thief, report the information to both the campus police (for the theft) and to the local police (for possession of stolen property). Good luck!
If you do most of the work... (Score:3, Informative)
the school cops may be more willing to help
This site claims to get it down to the ISP or provider:
http://www.ip-adress.com/ip_tracer/ [ip-adress.com]
So, then you would have to look up your local laws and what is needed to identify the person or block that the IP is assigned to. Next, you have to start "kicking down doors" (it might take a few) and recover your property in a stunning raid.
Probably not. Get an encrypted hard drive on your next laptop so that it just becomes a brick for anybody that takes it.
Report it to Dell (Score:5, Informative)
I have cases like this a lot (Score:5, Informative)
I'm a cybercrimes detective and computer forensics examiner in a Sheriff's Department and do this all the time. It simply requires a subpoena to the ISP that the IP address returns to. If the campus police and city police won't do it, try your county or state police agencies (both of which also have jurisdiction). In my state, all police officers have power anywhere in the state and I could "technically" investigate and/or charge anyone with a crime anywhere in the state. We just don't typically do this because it's stepping on each other's toes. As a county officer though, I frequently investigate crimes involving cases inside city or town limits if that agency doesn't have the capability. If the IP address ends up being from another state, we just contact the local police there to ask for their assistance.
Keep asking and ask to talk to a supervisor if they are not helping as much as you would like. While there is no obligation from a police agency to necessarily do everything they can on a property crime, most department heads will do what they can to keep the public happy.
Like others have said though, you may simply get a return to a campus, business, or open wireless network.
Good luck.
Re:I have cases like this a lot (Score:3, Informative)
You don't need jurisdiction to investigate it. You send out the subpoena, the ISP responds, and you then contact the local police there to investigate further. Most states also allow prosecution of Internet crimes in either the place of the victim OR suspect. Not to mention, the original theft occurred where the victim is at...
Re:Post the IP address (Score:5, Informative)
Here's the IP: 208.102 (DOT) 223.137
I split it up so auto-filters and bots wouldn't find it.
Thank you everyone and anyone who may be on the inside of 'Ma Bell' who can help me track this thief down. I apologize if this is a TOS violation for Slashdot, but I am really at wit's end and have PROOF that this is the IP that's violating my account. I need your help.
Re:Post the IP address (Score:3, Informative)
208.102.223.137 resolves to
"MW-ESR1-208-102-223-137.fuse.net"
Administrative Contact, Technical Contact:
Hostmaster, Fuse hostmaster@fuse.net
Fuse Internet Access
Cincinnati Bell Telephone
209 W. Seventh St., 121-550
Cincinnati, OH 45202
US
800-387-3638 fax: 999 999 9999
Contact them.
Re:Post the IP address (Score:1, Informative)
PP already knew it's "Cincinnati Bell's Fuse Network (a home internet service)" and had called their customer service. Unless he hadn't called their Admin Contact, that is.
and plan better for the next time. (Score:5, Informative)
Maybe I'm paranoid. Or maybe I just really want to rain hell down on whoever steals my laptop.
First, most thieves are dumb; they're not going to wipe it. They're going to sell it as fast as possible to get cash.
All of this is free and open source and should work on Mac and Linux, not sure how to create services in Windows.
1) Prey Project [preyproject.com]. An OSS theft recovery tool. Uses google geo location, web camera if it comes installed.
2) AutoSSH [wikipedia.org]. I have an autossh run as a service that creates a link between my home router and my laptop. ssh -R 2222:127.0.0.1:22 home.example.com. So no matter where I leave my laptop, if it can get out to the internet, I can ssh into it from my home router.
3) OpenVPN [openvpn.net]. AutoSSH * 10. No matter where my laptop is, it IS on my home network. Leave it at a friend's house.
4) Keylogger. [google.com]. I have a launchd (cron) set up to sftp me the log every day and then restart the log.
So now I know: 1) Where my laptop is and possibly have a photo of who is using it. 2 & 3) Can access my laptop and play fun tricks [macosxhints.com] 4) Know exactly what said person is up to and when they login to gmail, facebook, etc. I have their passwords.
Sadly my laptop hasn't been stolen yet.
Re:Post the IP address (Score:4, Informative)
Re:Report it to the University's judicial board... (Score:5, Informative)
Icebike gives the answer that matters. You send a copy of the original police report to the police WHERE THE IP IS LOCATED, and ask them to pick up your computer. The cops in your state cannot do anything, but the cops in the state where the computer is located certainly can. IF they are tech savvy enough to understand your evidence, and to subpoena the ISP for the address.
Re:Report it to the University's judicial board... (Score:5, Informative)
There are multiple jurisdictions involved, any of which could choose to pursue the case if they wanted to. They include:
The best revenge is that which you can obtain for yourself. Find out what ISP has the IP address. Contact the local police where that ISP is and ask that they contact the ISP to get the subscriber data for that IP. If that doesn't work, you can sue John Doe from your own jurisdiction and force the ISP to provide the information you seek. The police may be more willing to take up the case if you do the legwork.
Another option too is to contact the prosecuting attorney who handles the university polices cases. They might be able to pressure the police to take action, considering the ease with which the criminal can be identified.
Lastly, but certainly not leastly, post the IP address to 4chan. They have more than enough unscrupulous individuals that could find the person for you. If nothing else, they will at least DDOS the IP for you.
Re:Let us take care of it (Score:2, Informative)
OP: Sorry about the loss, but it's one of life's little lessons and you won't do it again. The $1000 laptop doesn't mean shit to cops, feds, or anyone else, particularly considering the amount of coordination and paperwork involved - you are literally asking for expenditures of many thousands of $$ and a lot of man hours just to recover a machine that isn't worth what you paid for it anyway, and truthfully *they do not care*. The ISP *does not care* and will not give you customer information anyway. If you can plug that IP into an accurate geolocation service you might be able to go issue a beatdown yourself, but really I think that's unlikely to happen.
Re:Report it to the University's judicial board... (Score:4, Informative)
The purchase of stolen merchandise is being an accessory to the crime itself, unless you can provably argue that there was no criminal intent in the purchase of that item. That would still require you to get a paper trail (as the owner of a 2nd hand computer that is stolen property) to document just who you got that computer from and to demonstrate in a provable fashion that you had no idea that the merchandise was stolen.
Buying from a pawn shop is such a proof, but then again the pawn brokers routinely register the serial numbers of everything they buy and require photo identification associated with that purchase. Those pawn brokers who don't can and often do end up in jail.
If you are buying something from another person, you had better trust their reputation enough to know if you are purchasing something stolen or not. If you have knowledge of a past criminal history with a friend, buy something from them that you aren't sure they got legally, you would simply be screwed if you just happen to be in possession of that stolen property.
Regardless, even if you can prove that you were acting on good faith to buy the stolen merchandise, it can still be confiscated from you and your only recourse to get your money back (if you paid money for it) is to sue the person who sold it to you as a breach of contract. Presuming that you have ratted them out, a friend sitting in jail is not likely to have much money to give to you in that situation either.
Re:Post the IP address (Score:1, Informative)
Good try, but it's wrong. That's an edge router, probably something like this [cisco.com]
MW-ESR1-208-102-223-137.fuse.net
While hostnames are frequently cryptic, sometimes, they hold valuable information.
Re:Post the IP address (Score:1, Informative)
Uh oh?
Re:Post the IP address (Score:2, Informative)
Re:Post the IP address (Score:5, Informative)
OK, That IP address resolves to New Richmond outside Cincinnati. http://geotool.flagfox.net/ [flagfox.net]
Call the New Richmond Police: 102 Willow Street New Richmond, OH 45157-1354 (513) 553-2001
You're welcome
ping! it's online. (Score:3, Informative)
ping 208.102.223.137
PING 208.102.223.137 (208.102.223.137): 56 data bytes
64 bytes from 208.102.223.137: icmp_seq=0 ttl=49 time=91.270 ms
64 bytes from 208.102.223.137: icmp_seq=1 ttl=49 time=102.547 ms
64 bytes from 208.102.223.137: icmp_seq=2 ttl=49 time=85.332 ms
64 bytes from 208.102.223.137: icmp_seq=3 ttl=49 time=91.327 ms
traceroute to 208.102.223.137 (208.102.223.137), 64 hops max, 52 byte packets
7 pos-0-10-0-0-cr01.denver.co.ibone.comcast.net (68.86.86.22) 44.308 ms 36.699 ms 26.050 ms
8 pos-0-7-0-0-cr01.dallas.tx.ibone.comcast.net (68.86.86.210) 72.804 ms 70.635 ms 86.250 ms
9 pos-0-1-0-0-pe01.1950stemmons.tx.ibone.comcast.net (68.86.86.94) 85.642 ms 80.102 ms 83.993 ms
10 sl-st31-dal-0-5-2-0.sprintlink.net (144.232.25.33) 75.552 ms 85.975 ms 69.215 ms
11 sl-crs2-fw-0-6-3-0.sprintlink.net (144.232.19.179) 91.875 ms
sl-crs1-fw-0-6-5-0.sprintlink.net (144.232.19.59) 74.784 ms
sl-crs3-fw-0-0-2-0.sprintlink.net (144.232.18.73) 96.481 ms
12 sl-crs2-atl-0-8-0-0.sprintlink.net (144.232.18.148) 166.932 ms
sl-crs1-atl-0-8-0-0.sprintlink.net (144.232.18.146) 143.757 ms
sl-crs2-fw-0-7-0-0.sprintlink.net (144.232.1.46) 72.344 ms
13 sl-crs1-atl-0-6-0-0.sprintlink.net (144.232.8.20) 167.941 ms 109.164 ms
sl-crs2-atl-0-8-0-0.sprintlink.net (144.232.18.148) 116.084 ms
14 sl-crs1-dc-0-4-0-1.sprintlink.net (144.232.8.147) 110.353 ms
sl-st31-ash-0-2-0-0.sprintlink.net (144.232.25.15) 111.318 ms
sl-crs2-dc-0-4-0-1.sprintlink.net (144.232.8.161) 151.998 ms
15 sl-cinci3-362168-0.sprintlink.net (144.228.205.54) 110.992 ms 104.999 ms 111.631 ms
16 10ge0-2-0-0.core2.core.fuse.net (216.68.7.199) 133.034 ms
sl-cinci3-362168-0.sprintlink.net (144.228.205.54) 122.794 ms
10ge0-2-0-0.core2.core.fuse.net (216.68.7.199) 136.687 ms
17 10ge1-2.sw2.core.fuse.net (216.68.7.198) 80.569 ms
10ge0-2-0-0.core2.core.fuse.net (216.68.7.199) 136.431 ms 164.560 ms
18 10ge1-2.sw2.core.fuse.net (216.68.7.198) 76.720 ms
10ge2-2.ws-osr2.zoomtown.com (216.68.7.205) 101.821 ms
10ge1-2.sw2.core.fuse.net (216.68.7.198) 78.362 ms
19 mw-esr1-72-49-32-1.fuse.net (72.49.32.1) 77.202 ms 95.935 ms 87.240 ms
20 * mw-esr1-72-49-32-1.fuse.net (72.49.32.1) 82.678 ms 80.115 ms
21 * * *
22 * * *
23 * * *
24 * * *
208.102.223.137 isn't responding on port 21 (ftp).
208.102.223.137 isn't responding on port 23 (telnet).
208.102.223.137 isn't responding on port 25 (smtp).
208.102.223.137 isn't responding on port 80 (http).
208.102.223.137 isn't responding on port 110 (pop3).
208.102.223.137 isn't responding on port 139 (netbios-ssn).
208.102.223.137 isn't responding on port 445 (microsoft-ds).
208.102.223.137 isn't responding on port 1433 (ms-sql-s).
208.102.223.137 isn't responding on port 1521 (ncube-lm).
208.102.223.137 isn't responding on port 1723 (pptp).
208.102.223.137 isn't responding on port 3306 (mysql).
208.102.223.137 isn't responding on port 3389 (ms-wbt-server).
208.102.223.137 isn't responding on port 5900 ().
208.102.223.137 isn't responding on port 8080 (webcache).
It's in Batavia OH, Lat 39.0972 -84.1225 (Score:3, Informative)
http://www.infosniper.net/index.php?ip_address=208.102.223.137 [infosniper.net]
hostname: mw-esr1-208-102-223-137.fuse.net
google maps for: Lat 39.0972 -84.1225 (Score:4, Informative)
http://www.gorissen.info/Pierre/maps/googleMapLocation.php?lat=39.0972&lon=-84.1225&setLatLon=Set [gorissen.info]
there you go, it's on Bauer rd near the intersection with 276 in Batavia Ohio. Assuming the infosniper geolocator is working.
Re:If you do most of the work... (Score:2, Informative)
I have a method that is pretty foolproof to get his actual ip (I used to work with perverted-justice.com a bit). Please send me an e-mail and I'll run it down for you. compserv gee-mail
Re:Report it to the University's judicial board... (Score:5, Informative)
Have you tried calling your insurance company and telling this to them?
First, file a claim. You have renter's insurance, right?
Assuming you haven't...
Do an nslookup on the IP address to find out what you can glean about which ISP/node the user is at. You might be able to do some sort of geographical IP lookup, I know mine narrows it down to about three houses.
Call the local police in -that- area and tell them that you've identified your stolen property, conference a police detective in with the ISP and see if the ISP folks fold and give an address/account that's actionable. There's still no warrant, so the officer will likely stop by and 'ask politely' (especially if you offer to ride-along). Failing that (meaning that the thief knows their rights), you'll have to ask the officer to get a warrant, which he will bitch and moan about, and it likely won't happen.
By this time, that insurance deductible is looking mighty reasonable, and you should get a policy.
If you're dead-serious about justice and you know the address/account... Take the person to small claims. You won't need a lawyer if you have everything written down and articulated, and have friendly municipal workers in your area. I'm not entirely sure, but I think that those judges have an easier path (a fellow judges' number) to get a warrant issued, and then you're back to the cops.
Now... In the future... Keep a better eye on your stuff, get an insurance policy, and -always- stash enough money to pay the deductible somewhere where you won't spend it. I guarantee the $12/month and $250 in your 'unlinked' savings account would be more than worth this kind of effort. Plus, acting like a fat-cat and having a new laptop paid for is much more rewarding than rarely-served justice.
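The "edge router" comment earlier in the thread ("while hostnames are frequently cryptic, sometimes they hold valuable information") and the nslookup step in this post both come down to reading the reverse-DNS name. The following is an added example, not either poster's code: given a PTR name and the address it was looked up for, it checks whether the name simply spells out the address's own octets (the usual pattern for pooled customer addresses, where the name is generated from the address and tells you the ISP and the aggregation device, not the subscriber) and splits out the ISP domain and the device tag. The sample names inside the block are the two quoted in this thread; the parsing rules are assumptions about common ISP naming conventions.

```python
import re

# Hostnames quoted in the thread, paired with the addresses they were looked up for.
# The second pair is a transit router from the traceroute, included for contrast.
THREAD_SAMPLES = [
    ("MW-ESR1-208-102-223-137.fuse.net", "208.102.223.137"),
    ("sl-crs2-atl-0-8-0-0.sprintlink.net", "144.232.18.148"),
]


def ptr_embeds_address(hostname, ip):
    """True if the PTR name spells out the address's four octets, in order, as
    consecutive labels (e.g. host-1-2-3-4.isp.example). Assumption: this is the
    usual pattern for pooled customer addresses, where the name is generated
    from the address rather than chosen for the host."""
    octets = ip.split(".")
    labels = re.split(r"[.\-]", hostname.lower().rstrip("."))
    return any(labels[i:i + 4] == octets for i in range(len(labels) - 3))


def describe_ptr(hostname, ip):
    """Split a PTR name into the ISP domain, the device/site tag, and a flag
    saying whether the name is a generic (address-derived) customer name."""
    host = hostname.lower().rstrip(".")
    parts = host.split(".")
    # Naive registrable domain: the last two labels. Good enough for isp.net style
    # names; a public-suffix list would be needed for co.uk style domains.
    domain = ".".join(parts[-2:]) if len(parts) >= 2 else host
    tag = parts[0]
    generic = ptr_embeds_address(host, ip)
    if generic:
        # Strip the embedded octets so "mw-esr1-208-102-223-137" becomes "mw-esr1".
        tag = re.sub(r"-?" + re.escape("-".join(ip.split("."))) + r"$", "", tag)
    return {"domain": domain, "tag": tag, "generic_customer_name": generic}


if __name__ == "__main__":
    for name, ip in THREAD_SAMPLES:
        print(ip, describe_ptr(name, ip))
```

A generic name is still informative: the same "mw-esr1" tag appears on the customer PTR and on the last responding hop of the traceroute posted above (mw-esr1-72-49-32-1.fuse.net), which places the address behind one named Fuse edge device. That is as far as DNS alone goes; the subscriber behind that device only comes from the ISP's own records, and, as a later poster notes, geolocation databases can put a home address a couple of states away.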
LoJack for laptops (Score:2, Informative)
Good advice (Score:4, Informative)
Except for the 4chan part. The IP they DDoS might not be assigned to the thief when they get it. (also illegal blah blah)
To add to the IP address part:
When you find the ISP, call them. Wait on the phone, get transferred to people. Always be nice and polite and say stuff like "I understand you are really busy.." and "I know this is an unusual request but..." and patiently wait, acknowledging their apologies and asking advice like "what can you do for me?" and "is there anyone else I can talk to?"
Doing this will get you far.
Now, tell the person who you finally get on the phone with the IP address and the TIME it was accessed. If the IPs were of the same ISP then ask if each one used the same MAC address at the time it was accessed. Then ask "Can you give me the information on that account or do I have to do something else?" You might get someone who does, you might get transferred to someone who can give it to you or you might be told that it might have to be done with more formal measures.
Then get the address of where the company receives subpoenas, get the person's name who you talked to. Ask them who to ask for next time if you have any more questions. Thank them for their time and their help and then call the cops with the information you got.
This works. I have done it before (but not with a stolen laptop). Sometimes the information you get is astounding. Sometimes they blow you off (Verizon will do both but they have big call centers so try many times)
Good luck.
Re:Actually, that's NOT what insurance is good for (Score:4, Informative)
I totally agree with you. I had a similar rant typed in about expensive yachts and skyscrapers, but I've posted such here before and it doesn't generally go anywhere productive.
With regards to the third party insurance issue I thank you for correcting me. I was writing on the assumption of an American audience and it's not too surprising I got it wrong.
In my country of residence we can't be sued into bankruptcy, due to a government department that pays for injuries arising from accidents. We are still liable for actual damages, but million dollar lawsuits for pain and suffering don't happen. As a result my yearly premium on a V6 sedan is 127 dollars.
PS - My father is in fact an actuary. Your expected return on most policies is 50 - 70 cents on the dollar.
Re:Report it to the University's judicial board... (Score:3, Informative)
Yeah, you were lucky in that instance; pretty much all internet connections here are behind a NAT firewall.
I know if my laptop is stolen it's game over, so I just make sure it's insured for full value, has a BIOS password and the drive is truecrypted and fully backed up every night. If the thing gets stolen, I get a free upgrade :)
Re:My laptop security (Score:3, Informative)
I have tried a number of utilities. The most effective daemon has been sleepwatcher from http://www.bernhard-baehr.de/ [bernhard-baehr.de]
# Process item looks like this (-d daemonize, -V verbose, -s/-w: scripts run on sleep and on wakeup):
/usr/local/sbin/sleepwatcher -d -V -s /etc/rc.sleep -w /etc/rc.wakeup
Which basically just runs a ~/.wakeup or ~/.sleep if it exists.
That bash script ~/.wakeup is where I do data collection;this is a rough approximation:
#!/bin/bash
# Google iSightCapture: grab a frame from the built-in camera
/sbin/iSightCapture /output/file
# This gets the OS to try all hardline/wifi networks, which it doesn't have after waking,
# as some kind of side-effect of the power-saving feature
ping -c 1 google.com
sleep 20
ping -c 1 google.com
# Then the meaty script
/bin/scriptbin meatyscript
The meaty script does everything else.
#!/bin/bash
# Run ping from myscript and check output
if ! ping -c 1 google.com > /dev/null 2>&1; then
    # cli ping shows no route to host: keep the capture, tagged with a timestamp
    mv /output/file "/output/file.$(date +%Y%m%d-%H%M%S)"
else
    # else: find all files in /output/file.* and mail the 3 most recent images (addresses below are
    # placeholders), with cc to an alt mail address (I don't want to hose my own network or have the mail rejected)
    recent=$(ls -t /output/file.* | head -n 3)
    mutt -s "wakeup report" -c alt@example.com -a $recent -- me@example.com < /dev/null
fi
Re:Good advice (Score:3, Informative)
I used to work at a Verizon call center. I didn't even realize there were other centers that wouldn't blow you off. We weren't able to access that kind of information; if you got me on the line when I worked there with that question, I almost certainly would have ended up bouncing you around.
Believe me, it's not that I'm not sympathetic to the issue, or that I get off on screwing someone, it's that Verizon's call centers (or at least, the one I was at) are so amazingly fucked up that, in that situation, I wouldn't have been able to help you if I tried.
Re:My laptop security (Score:2, Informative)
Re:Post the IP address (Score:1, Informative)
Port 6363 is open. Shows a nice admin/password box over HTTP.
It's most likely a Westell 6100 or 327W.
Re:First, cars do not be burgled, second (Score:2, Informative)
Re:google maps for: Lat 39.0972 -84.1225 (Score:3, Informative)
Don't assume that. I just put in my home IP address and it resolved a couple states away.
!!Ask first, before getting police involved!! (Score:5, Informative)
Their questions: "Are the police involved?" and "Are you a network administrator?"
Since I answered the questions right ("No" and "Yes"), they gave me all the information. Had the police been involved, their instructions were to only provide information with a warrant.
The moral of the story is to ask for the information first, prior to getting the police involved. Mod me up, so the guy sees this critical piece of information!
Re:Actually, that's NOT what insurance is good for (Score:2, Informative)
It pretty much would have gone into the toilet over 2008-2009.
IP address tracked to name,address,phone (Score:5, Informative)
Please contact Rick Wagner by email at wagner@fuse.net or hostmaster@fuse.net , or phone at +1-513-397-6598 or +1-800-387-3638.
I talked to Dick and he said he will be happy to assist you.