
An advanced script/web solution to track stolen Macs UNIX
I worked in a school district for a few years where we had two break-ins that included thefts of Mac laptops. So I decided to create something that would help track laptops in the event they were stolen. This is of course free, which is one of its major advantages. You also host it yourself, so it is easy to control. This has run on about 1,500 computers without causing any type of overload on machines or the network, and it does exactly what it is supposed to do. I now use it on all home and family computers because I trust it so well. I have used it for about half a year and it works on Tiger and Leopard.

Note that this is software, so if the thief erases the hard drive on the computer, this will remove the phoning home capabilities. This does take some tinkering around, so it's fairly advanced. But the end result is very rewarding. This hint is broken up into the following sections -- be sure not to skip anything:
  • What this essentially will do
  • Little bits of info about the script
  • What this assumes
  • Four files you need
  • Creating /etc/.cuploader
  • Creating phone.sh
  • Creating com.engelby.phone.plist
  • Installing extra files
  • Server setup
  • What to do when stolen or you want to test
  • How to know the script is running
  • Other ideas
  • Conclusion
Read on for the details on each section...

What this essentially will do:
  • The Mac will report in to a server (to see if it is stolen) every six minutes.
  • It will run in the background without the user ever knowing. It is a LaunchDaemon -- which means it will work even if no user is logged into the computer (ie it's stuck at the login window).
  • If it is stolen, it will send information from the machine back to you through FTP (phase 1).
  • If wanted, it will take a picture using the built-in iSight camera (phase 2).
  • If wanted, it will move the Finder.app and Dock.app to a different location, which is easy to put back into place, and then change the background picture to an error message saying the Finder is corrupt and to return the computer to an Apple store for a free fix (phase 3).
Little bits of info about the script:

This script is called by a launch daemon every six minutes. If the Mac is on the Internet, it will attempt to contact your web server. If your server is up, it will look for a web page named after your computer's MAC address (MACADDRESS.html). If this page exists, and has a secret word as the text on the page, it will start performing some actions. If the page does not exist, you will still be able to see on the web server that every six minutes, a computer with a certain MAC address tried to make contact.

Because we hope computers are not stolen, and because this is made to work with one or thousands of computers, the error page has been completely cleared and is instead just the text "404." That's three bytes of information every time a computer connects and is not stolen. This is what makes it so scalable, even if you are talking about a huge environment. By looking in your /Library/Logs folder, you will be able to see a file that tells you if the computer reported itself as stolen or not. By looking at the date modified of that file, you can see the last time it ran.

What this assumes:
  • You have a server that can host Web and FTP.
  • You have downloaded and installed iSightCapture for phase 2.
  • You have downloaded this phase 3 picture.
Four files you need:
  • phone.sh -- installed in /etc/.cuploader (see next section on making .cuploader folder).
  • com.engelby.phone.plist -- installed in /Library/LaunchDaemons.
  • iSightCapture -- installed in /usr/bin/
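  • AuroraFinderCoppurt_1.jpg -- installed in /etc/.cuploader/ (phone.sh moves it into place under the name AuroraFinderCorrupt.jpg, so save or rename it accordingly)

Creating /etc/.cuploader: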

Open Terminal, and type in sudo mkdir /etc/.cuploader/ and authenticate as root when asked for your password. This will create an invisible folder. To get to the folder to install files, while in the Finder, press Shift-Command-G, and type in /etc/.cuploader/ and press Return.

Creating phone.sh:

Use TextWrangler (or your other favorite text editor) and save the file as /etc/.cuploader/phone.sh. Do not change any part of the script except the line below "#Set this setting!", where you'll change 255.255.255.255 to the IP address of your server.
#!/bin/sh
# Created by James Engelby
# If you like what you get out of this...
# Consider a Donation to James Engelby!
# Visit www.jamesengelby.com
# If you use this code, leave these comments in the script!

#Set this setting!
serveripaddress="255.255.255.255"

#No need to do anything else here
# MAC address of the built-in Ethernet port (en0) with the colons removed
macaddress=$(/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }')
webaddress="http://$serveripaddress/$macaddress.html"
site=$(curl -s "$webaddress")

if [ "$site" = "true" ]; then
    # Phase 1: collect machine details and a screenshot, upload both by FTP
    touch /Library/Logs/YES
    externalip=$(curl -s http://checkip.dyndns.org | awk '{print $6}' | awk ' BEGIN { FS = "<" } { print $1 } ')
    computername=$(/usr/sbin/system_profiler -detailLevel -3 | grep "Computer Name" | awk '{gsub ("      Computer Name: ", ""); print}')
    serialnumber=$(/usr/sbin/system_profiler -detailLevel -3 | grep "Serial Number" | awk '{print $3}')
    thedate=$(date)
    # Date with colons and spaces removed, safe to use in a file name
    safedate=$(date | awk ' { gsub(":", ""); gsub(" ", ""); print }')
    lastusers=$(last | tail -n 15)
    whoisit=$(whoami)
    echo "IP: $externalip Date: $thedate  ComputerName: $computername Serial: $serialnumber BuiltInEthernet: $macaddress WhoIsLoggedIn: $whoisit Users: $lastusers" >> "/Library/$externalip$safedate.txt"
    curl -s -T "/Library/$externalip$safedate.txt" -u steal:this --url "ftp://$serveripaddress/"
    /usr/sbin/screencapture -x -m "/Library/Preferences/screengrab$safedate.png"
    curl -s -T "/Library/Preferences/screengrab$safedate.png" -u steal:this --url "ftp://$serveripaddress/"
    rm "/Library/Preferences/screengrab$safedate.png"
    rm "/Library/$externalip$safedate.txt"

    # Starting Nested IF for Phase 2
    webaddress2="http://$serveripaddress/${macaddress}2.html"
    site2=$(curl -s "$webaddress2")
    if [ "$site2" = "true" ]; then
        sudo /usr/bin/isightcapture "/Library/ColorSync/picture$safedate.png"
        touch /Library/Logs/YES2
        curl -s -T "/Library/ColorSync/picture$safedate.png" -u steal:this --url "ftp://$serveripaddress/"
    else
        touch /Library/Logs/No2
    fi

    # Starting Nested IF for Phase 3
    webaddress3="http://$serveripaddress/${macaddress}3.html"
    site3=$(curl -s "$webaddress3")
    if [ "$site3" = "thisoneisdanger" ]; then
        # Phase 3 runs only once: the marker file is written before the reboot
        haveirebooted=$(cat /Library/Logs/rebootphone3 2>/dev/null)
        if [ "$haveirebooted" = "YESIHAVE" ]; then
            exit 0
        else
            touch /\ \ \ \ This\ Computer\ Has\ Been\ Stolen
            touch /\ \ \ Please\ Contact\ Police
            touch /\ This\ Computer\ Has\ Been\ Stolen
            sudo mv /System/Library/CoreServices/Finder.app /System/Library/
            sudo mv /System/Library/CoreServices/Dock.app /System/Library/
            touch /Library/Logs/rebootphone3; echo YESIHAVE >> /Library/Logs/rebootphone3
            # The phase 3 picture must be stored under exactly this file name
            sudo mv /etc/.cuploader/AuroraFinderCorrupt.jpg /Library/Desktop\ Pictures/Nature/Aurora.jpg
            sudo reboot
        fi
    else
        touch /Library/Logs/No3
    fi
    exit 0
else
    touch /Library/Logs/NO
    exit 0
fi
exit 0

Creating com.engelby.phone.plist:

Use TextWrangler (or your favorite text editor) and save the file into /Library/LaunchDaemons. Do not change any part of the script.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.engelby.phone</string>
<key>OnDemand</key>
<true/>
<key>StartInterval</key>
<integer>360</integer>
<key>ProgramArguments</key>
<array>
<string>/private/etc/.cuploader/phone.sh</string>
</array>
</dict>
</plist>
Installing extra files:

Download iSightCapture and install it. Make sure it's installed in /usr/bin/isightcapture. Download the phase 3 background picture and save it to /etc/.cuploader.

Server setup:

Set up web sharing and FTP access on your server -- it is ok if you have a main website hosted alongside this script. Find your error web page (the setting for where it is located is in Server Admin) and edit it: open the page in TextWrangler, delete all of its contents, type 404, and save the page. Set up a local account on the server with the username steal and the password this -- this is used for FTP access.

Congratulations, you're done with the setup!

What to do when stolen or you want to test:

For Phase 1, which is to upload a text file containing the MAC address, serial number, who is logged into the computer, who has logged into the computer, IP address and more:
  1. Open the root of your webserver (On your server, it is most likely /Library/WebServer/Documents).
  2. Create a new text document in TextWrangler with only the text true, and then save it as the MAC address of your computer with the file extension of .html. Example: aabbccddeeff.html
  3. Save the document in the root of your webserver.

For Phase 2, which includes all of phase 1 but also takes a picture through the built-in iSight camera:
  1. Complete the steps for Phase 1.
  2. Duplicate the MACADDRESS.html file created from phase 1.
  3. Rename the file to include the number 2 at the end of the MAC address. So an example is aabbccddeeff2.html
For Phase 3, which moves the Finder.app and the Dock.app and replaces the background picture:
  1. Complete steps from phase 1.
  2. Complete steps from phase 2 if you want a picture to be uploaded -- this isn't required!
  3. Duplicate the file from phase 1.
  4. Rename the file to be the MAC address with a 3 at the end of the name, so an example is aabbccddeeff3.html
  5. Open the document in TextWrangler.
  6. Erase the text in the document and type in thisoneisdanger and save the file.
How to know the script is running:

Open the folder /Library/Logs/. Check for a file that is named either YES or NO (YES being that a machine is stolen, and NO saying that a machine is not stolen).

Other things that may need to be done before this works:
  1. Open terminal and enter command su root and type in the root password.
  2. In terminal, type chmod 755 /etc/.cuploader/phone.sh.
  3. In Terminal, type chmod +x /etc/.cuploader/phone.sh.
  4. Restart your computer, or in Terminal, type launchctl load /Library/LaunchDaemons/com.engelby.phone.plist
Other ideas:

I created a package to contain the four files. I would suggest creating a package of the files once you have it running, and if you want, have it run a post-install script with this command: launchctl load /Library/LaunchDaemons/com.engelby.phone.plist so they don't even need to reboot before it starts working. You can then give the package out to your family so you can track their Macs if they ever need it. Another thought is to have the MACADDRESS.html files already created on your web server (with the text of true and thisoneisdanger) but without the proper file naming scheme. Have the file be named mac.html and then rename it to the computer's MAC address once it is stolen.

Conclusion:

Let me know if you have problems or questions. It took a while to make this, but I am proud of it and it works great. Even if you don't mark things as stolen right away, your webserver will always get the page hit from the external IP of whoever did steal it and will have it in the webserver log file. It's another way for you to see that it is working on a computer because you will see a bunch of errors from computers looking for their MAC address.html pages.

[robg adds: I haven't tested this one...]
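
The Conclusion's point that every check-in lands in the web server log can be turned into a per-machine report. This is an added example, not part of the original hint: it assumes an access log in Apache Common/Combined Log Format, and the function names, sample log lines and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise phone.sh check-ins from a web server access log.
# Assumes Common/Combined Log Format; all names and sample data are constructed.

# checkin_summary HOME_IP < access_log
# Prints one line per MAC address, in order of first appearance:
#   mac  hits  last-source-ip  last-timestamp  onsite|OFFSITE  flagged|not-flagged
# OFFSITE     = the most recent check-in did not come from HOME_IP
# flagged     = the server answered 200, so the MACADDRESS.html page exists
checkin_summary() {
    awk -v home="$1" '
    {
        # $1 = client IP, $4 = "[dd/Mon/yyyy:hh:mm:ss", $7 = path, $9 = status
        path = $7
        # Keep only requests for /<hex digits>.html
        if (path !~ /^\/[0-9a-f]+\.html$/) next
        mac = substr(path, 2, length(path) - 6)   # drop "/" and ".html"
        # 12 hex digits is the phase 1 page; 13 would be a phase 2 or 3 page
        if (length(mac) != 12) next
        if (!(mac in hits)) order[++n] = mac
        hits[mac]++
        lastip[mac] = $1
        lastts[mac] = substr($4, 2)               # drop the leading "["
        laststatus[mac] = $9
    }
    END {
        for (i = 1; i <= n; i++) {
            m = order[i]
            where = (lastip[m] == home) ? "onsite" : "OFFSITE"
            state = (laststatus[m] == "200") ? "flagged" : "not-flagged"
            print m, hits[m], lastip[m], lastts[m], where, state
        }
    }'
}

# Constructed sample log: two Macs checking in from the home network, then one
# of them checking in from elsewhere after its page was created on the server.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [28/Aug/2008:08:00:02 -0700] "GET /001b63aabbcc.html HTTP/1.1" 404 3
192.0.2.10 - - [28/Aug/2008:08:00:05 -0700] "GET /0017f2ddeeff.html HTTP/1.1" 404 3
192.0.2.10 - - [28/Aug/2008:08:01:10 -0700] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [28/Aug/2008:08:06:02 -0700] "GET /001b63aabbcc.html HTTP/1.1" 404 3
203.0.113.77 - - [28/Aug/2008:19:42:31 -0700] "GET /0017f2ddeeff.html HTTP/1.1" 200 5
203.0.113.77 - - [28/Aug/2008:19:42:32 -0700] "GET /0017f2ddeeff2.html HTTP/1.1" 404 3
EOF
}

# Demo on the constructed data; on a real server, feed it the access log instead.
sample_log | checkin_summary 192.0.2.10
```

A machine that shows OFFSITE while still not-flagged is one that has left the building before anyone created its page.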
An advanced script/web solution to track stolen Macs
Authored by: bloodycelt on Aug 28, '08 08:23:02AM

So.. what happens if the thief is smart and just nukes whatever is on the computer to factory settings and then sells it?



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: stukdog on Aug 28, '08 08:29:10AM

This is always the first thing said when a post like this is written.

The majority of people don't know how or why to do that. Setting up something like this at least will put the odds in your favor.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: rspress on Aug 28, '08 11:40:53AM

Most thieves are not smart enough to figure out what to do. If they were they would probably not be thieves. If they were smart any thief worth their salt would check out the hard-drive for personal information they could use. The last thing they would think of....even more so if they are windoze users are unix scripts running in the background. Also if they are windows users they should be used to seeing error messages on a computer. Also if they are Windoze users I don't think they would have the system discs to nuke the current OS.

Besides doing nothing pretty much means you are never going to get your computer back.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: tyip on Aug 28, '08 01:21:39PM

You can also use your most colorful permanent markers and draw all over the outside of the laptop. Then anyone who even glances at it knows that that colorful computer belongs to you, and a thief will have a hard time selling a laptop that draws so much attention.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: drudus on Aug 28, '08 03:34:58PM

Great idea, draw on 1500 macs! Why not stick them shut with super glue, then no one would want to steal them right?

The only real way to stop theft is for Apple to build GPS trackers that can't be circumvented, but how will they be powered when the battery is dead?

This is otherwise an interesting solution.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: LostInSpace2011 on Aug 28, '08 08:35:05AM

It's a very nice idea. There are a lot of opportunities to make improvements such as using SSH instead of FTP and maybe a database on the web server to keep track of the clients. A registration, allowing the clients to register themselves, would be a nice idea as well.

There is of course the obvious flaw in that simply re-installing the OS will circumvent this? I wonder what can be done about this. Maybe one could disable (password protect) booting from the DVD / CD / FIREWIRE / USB? Any idea if this can be achieved on Macs?



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: leono on Aug 28, '08 09:15:18AM
Sort of. You can use Apple's Firmware Password Utility, which will prevent booting from anything other than the startup disk, will disable Target Disk Mode, etc.

Unfortunately, it's trivial to disable the firmware password. If you add or remove RAM from the system, the firmware password will become unset. I still use the firmware password, in the hope that it would foil non-Mac-savvy thieves from wiping the hard drive and give my anti-theft solution a chance to kick in.

BTW, I use Orbicule's Undercover to protect my Macs. It's a commercial app, but it's relatively inexpensive and easy to set up.

[ Reply to This | # ]

An advanced script/web solution to track stolen Macs
Authored by: ctierney on Aug 28, '08 11:18:51AM
"There is lot of opportunities to make improvements such as using SSH instead of FTP and maybe a database on the web server to keep track of the clients."
Another idea would be to post data via http using curl.

[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: drmacnut on Aug 28, '08 09:17:26AM

Thanks Mr Engelby for taking the time to share this with all of us. It is very interesting, and quite simple to implement, thus its beauty!

One comment to other commenters about a thief re-installing the OS: I imagine that most thieves will at least try to turn on a computer to "see what's inside" as soon as they can. And since many many people use auto-login for their accounts (much to our chagrin as IT folks, I know), thieves will often have a fun time looking around to see what pictures, movies, and so on a user has. Then, after the fun wears off, they might re-install the OS or whatever. I suspect many of them wouldn't know how to do even that, frankly. They'd have it up for sale after a quick trashing and deleting of user files. I'd be willing to bet that most computer thieves are not terribly Mac-savvy.

Finally, a question for James: Since you say you wrote this after the two school break-ins, has your script been used successfully since with any stolen Macs? Just wondering if you have any good stories.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: patpro on Aug 28, '08 10:27:56AM

In order to maximise the chance of recovery, you'll have to ensure the thief will actually use the Mac.
If you don't use autologin (for obvious security reason), you might want to enable the guest account on Leopard. So that the thief can use the Mac even without autologin.

---
http://www.patpro.net/



[ Reply to This | # ]
Adeona is an open source alternative
Authored by: ars on Aug 28, '08 09:56:31AM
For people who do not have access to a server, but have access to more than one computer, there is
http://adeona.cs.washington.edu/
It is cross platform and on the Mac it is also capable of using Isight.

[ Reply to This | # ]
My review and impressions of Adeona on Mac OS X
Authored by: lteo on Aug 28, '08 04:27:17PM
If anyone's interested, I've written a review of Adeona on the Mac.

[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: delight1 on Aug 28, '08 09:59:39AM

The only real thing that I don't think is good about this, is that it uses the MAC address... that means you need one for ethernet, and one for wifi. And the mac addresses can be spoofed/messed with, if they have enough time, or an external usb wifi card.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: patpro on Aug 28, '08 10:36:15AM

The point in using the MAC address is only to share a string between you (the server) and the Mac.
You know the MAC address of the ethernet card (en0).
The script knows it too.
The script asks for the $macaddress html page on the server.
If the page exists (you put it there), then the Mac is stolen, and the script continues.
Have you read the script?

---
http://www.patpro.net/



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: engelby on Aug 28, '08 03:48:24PM

Thank you pat for clearing that up!

The reason I chose MAC address is because it is unique and it is hardware. And this uses system profiler to pull the MAC address of your built-in Ethernet. So even if the computer is on wireless (which I was assuming for most of the time) it will always check to see if the webpage exists using the built-in MAC address.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: patpro on Aug 28, '08 09:52:21PM

By the way, you could have used the serial number.

---
http://www.patpro.net/



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: bcarter5876 on Aug 29, '08 08:56:51AM

Some service procedures leave the electronically readable serial number blank on some models.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: engelby on Aug 29, '08 04:09:35PM

Which is actually why I didn't do serial. I changed out the logic board on too many iBooks without doing that serial number reset utility. Don't tell Apple....



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: jyu on Aug 28, '08 10:08:40AM

I tried phase1 and 2. It worked except:

1. The FTP root folder needs to allow write privilege for "steal" user account. This is missing in the instruction.
2. The screengrab sent to the server only contains black image.

So, engelby, can you fix your script?



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: patpro on Aug 28, '08 10:25:26AM

jyu: send us your login and password for the FTP account, and we will fix the script.

Otherwise, you can change the script accordingly by yourself :)

---
http://www.patpro.net/



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: cybermill on Aug 29, '08 05:13:55PM

What was the fix for the black screen? Mine is black as well.



[ Reply to This | # ]
su root
Authored by: elliotbay on Aug 28, '08 10:18:42AM

You might note that for those who don't have a root password setup on their machine, sudo works just as well for those root-level commands, or sudo -s if you really feel the need for a root shell.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: ctierney on Aug 28, '08 11:42:01AM
Good hint. I've been thinking about writing up something like this for the company I work for. We're always sending laptops to trade shows for exhibits and training labs.

My thought was to maintain an optional list of trusted gateways and to only "phone home" when on an untrusted network. To get the currently active gateway (which also suggests internet access):
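#!/bin/sh

# Prints the Gateway column of the default gateway's own host route
# (its MAC address on a LAN). Prints nothing when there is no default route.
netstat -nrfinet | \
awk 'BEGIN {
    # Read up to the default route; stop at end of input instead of looping forever.
    while ($1 != "default") if ((getline) <= 0) exit;
    gate_ip = $2;
}
(gate_ip == $1) {
    print $2;
    exit;
}'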


[ Reply to This | # ]
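
One way to act on the trusted-gateway idea in the comment above, as an added example that is not ctierney's code: it reads `netstat -nr -f inet` output on standard input, normalises the gateway's MAC address to the 12-hex-digit form phone.sh uses, and compares it with a list. The function names, the trusted list and the sample routing table are constructed, and the macOS routing-table layout is assumed.

```shell
#!/bin/sh
# Added example: decide whether the current network's gateway is a trusted one.
# All names and sample data are constructed for illustration.

# gateway_mac < netstat_output
# Prints the default gateway's MAC address as 12 lowercase hex digits.
# Exit status 1 when there is no default route or no link-layer entry for it.
gateway_mac() {
    awk '
    # First default route wins when several interfaces are up.
    $1 == "default" && gw == "" { gw = $2 }
    # Host routes whose Gateway column is a link-layer address.
    $2 ~ /^[0-9a-fA-F]+(:[0-9a-fA-F]+)+$/ { mac[$1] = $2 }
    END {
        if (gw == "" || !(gw in mac)) exit 1
        n = split(mac[gw], part, ":")
        if (n != 6) exit 1
        out = ""
        for (i = 1; i <= n; i++) {
            # netstat drops leading zeros ("0:1e:52"), so pad each octet.
            if (length(part[i]) == 1) part[i] = "0" part[i]
            out = out tolower(part[i])
        }
        print out
    }'
}

# network_is_trusted "MAC MAC ..." < netstat_output
# Returns 0 = gateway is on the trusted list, 1 = unknown gateway,
#         2 = no gateway could be determined (offline).
network_is_trusted() {
    current=$(gateway_mac) || return 2
    for known in $1; do
        if [ "$known" = "$current" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample of `netstat -nr -f inet` output on a Mac joined to a LAN.
sample_netstat() {
    cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc       12        0    en1
127                127.0.0.1          UCS         0        0    lo0
127.0.0.1          127.0.0.1          UH          3      512    lo0
192.168.1          link#5             UCS         2        0    en1
192.168.1.1        0:1e:52:aa:bb:cc   UHLW       13       40    en1   1187
192.168.1.40       0:17:f2:1:2:3      UHLW        0        4    en1    903
192.168.1.23       127.0.0.1          UHS         0        0    lo0
EOF
}

# Constructed list of known-good gateways (home, office).
TRUSTED_GATEWAYS="001e52aabbcc 001ff3445566"

# Demo on the sample; on a Mac, pipe in `netstat -nr -f inet` instead.
if sample_netstat | network_is_trusted "$TRUSTED_GATEWAYS"; then
    echo "trusted network, skipping check-in"
else
    echo "untrusted or unknown network, checking in"
fi
```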
phone.sh suggestion
Authored by: ctierney on Aug 28, '08 11:58:52AM
I discovered that system_profiler on 10.3 has no detailLevel -3, but you can specify only the datatypes you're interested in which might also be quicker:
computername=`/usr/sbin/system_profiler SPSoftwareDataType | sed -ne '/Computer/ s/.* //p'`
serialnumber=`/usr/sbin/system_profiler SPHardwareDataType | sed -ne '/Serial/ s/.* //p'`
Panther users could then run this via cron.

[ Reply to This | # ]
phone.sh suggestion
Authored by: lugal on Aug 28, '08 04:18:38PM

We've used a similar sort of home-grown tracker for a few years now. I haven't had the chance yet to compare the author's solution to ours, but I can report that our method for finding the serial number is faster than either the original code, or your improved version:

serialnumber=`ioreg -c "IOPlatformExpertDevice" | awk 'BEGIN{FS="\""}; /IOPlatformSerialNumber/ {print $4}'`



[ Reply to This | # ]
phone.sh suggestion
Authored by: patpro on Aug 28, '08 09:55:37PM

Nice one!

In fact there is so much room for improvement in that script :)


---
http://www.patpro.net/



[ Reply to This | # ]
phone.sh suggestion
Authored by: engelby on Aug 29, '08 06:55:03PM

Indeed there is. This is actually a version 2 of my script. The first was much smaller than this, so this is a huge improvement over it. I know there is a lot more that could be done to it.



[ Reply to This | # ]
phone.sh suggestion
Authored by: ctierney on Aug 29, '08 06:59:46AM
That is a lot quicker! You can make it even faster by quitting awk when you find the serial number. On my mac ioreg -c 'IOPlatformExpertDevice' prints 407 lines of text, and the serial number is at the top in line 11 (profiling with time utility):
time ioreg -c 'IOPlatformExpertDevice' | awk -F\" '/IOPlatformSerialNumber/ {print $4; exit}'


[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: MtnBiker on Aug 28, '08 01:17:30PM

I'm an amateur at this, but it appears to only work on an Apple Server. If this isn't true, then where do I put the file on a hosted server?

Thanks

---
Hermosa Beach, CA USA



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: engelby on Aug 28, '08 03:52:02PM

It can be hosted on any computer actually. The MACADDRESS.html goes in the root of your web directory. I am not sure where it is on your system, but any server OS that can host webpages will be able to hold these files.

Actually, all of this can be done from a Mac OS X client computer too if you want. You would just have to modify parts of the script.



[ Reply to This | # ]
Leave a guest account open
Authored by: ctwise on Aug 29, '08 05:02:34AM
If you implement a solution like this a good approach is to:
  • Set a firmware password. Without breaking open the laptop the thief can't bypass the OS.
  • Set a login password. Don't auto-login.
  • Create a guest account with no password. A way in for use by the thief.
With this in place your data is relatively secure - use FileVault if you want added peace of mind - and the thief will have something to play with while the tracking software snaps photos of him/her and sends back information.

[ Reply to This | # ]
Can I use this with my MobileMe account
Authored by: anika123 on Aug 29, '08 06:25:19AM

Does anyone know if or how I can use MobileMe as the server that the script reports to? I am just one person and have no access to a server. Would I be able to see all the logs? How would the script log in to mobileme?



[ Reply to This | # ]
sending info through port 80, using a domain name, isight flashes?
Authored by: jedmtnman on Aug 29, '08 06:31:26AM

lostInSpace commented on using another protocol. One thing I thought of, is that if the person is using from a port restricted wifi connection (like a lot of coffee shops, airports, etc) it may not work to ssh or ftp the image file or ip address back to the server. I think a thread to lostInSpace's comment noted using curl instead. Either way I think this is a great hint and really an excellent way to monitor this activity. With an obscure name to the daemon, it would nearly be impossible for even a fairly advanced mac user to know what is going on before it's too late. They would have to systematically look in the activity monitor utility and find any daemons non-standard to the os install. I don't know if I could do it.

Also, how robust would this script be for using a url as opposed to an IP address? I would think it wouldn't matter. I have an account at no-ip.com to monitor and switch my dynamic ip at home. Using the domain name would ensure that the ip information always made it back to the log, even if Time Warner decides to reset my non-static IP.

Finally, a comment on the iSight; some iSight cameras, I don't know which ones, have a flash on them (iMacs, perhaps). It would be a good idea to disable the flash or the thief might figure out what is going on, a little faster.



[ Reply to This | # ]
sending info through port 80, using a domain name, isight flashes?
Authored by: engelby on Aug 29, '08 04:05:58PM

This will work with IPs or a DNS name. In my environment and for at home, I use an IP so that's why it's based around that. A normal web address will work fine too though, just make sure it fits in the script.

As far as iSight goes, this does not flash the screen when it takes a picture, however...the green light does flash on for a second. I could never find a way around the green flash. That's why I wouldn't start phase 2 until you need to and only run it until you get the picture you want.



[ Reply to This | # ]
Confusing documentation
Authored by: RobLewis on Aug 29, '08 03:56:50PM

I'm a pretty experienced user and I found this confusing. Nowhere is it stated explicitly that you have to create the tracking files after you notice that the computer has been stolen. Also, we're told to create a "steal" account "on the computer," when "on the server" would have saved me some futzing around. Another commenter noted the permissions issues with ftp uploading. A clear, concise overview of how the whole scheme works would have been greatly appreciated; as it was, I had to painstakingly work my way through the "phone" script to figure out what was happening.
I still haven't actually seen it work, but maybe with the permissions (hopefully) fixed, it will now.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: phoenixdownunder on Aug 30, '08 02:30:55AM

OK, this is good stuff. There are several issues several people have mentioned and I hope to add my 2 cents worth. First of all I had difficulty getting the script started until I noticed that the LaunchDaemon script had /private/etc/.cuploader/... in it. Change this to /etc/.cuploader/...
Now someone else said that the screencapture section gave black screens and indeed this is true. To solve, do the following.
Add in the line just above the macaddress line.

userpid=`(ps ax | grep loginwindow | head -1 | tail -1 | awk '{ print $1 }')`
(Yes I know it has some redundant commands in it...)

Then change the screencapture line to...

sudo launchctl bsexec $userpid /usr/sbin/screencapture -x -m "/Library/ColorSync/s"$safedate".png"

Note that I have shortened the screengrab name to just s because the final dated name that was produced was too long. Likewise change the names below to just s. Similarly I changed the isightcapture picture name to just p for the same reason. Be careful and change ALL references to screengrab and picture.

Finally I personally feel that we don't need the touch commands as they leave a trace that can be seen. Also the screengrabs and picture can be hidden in say /tmp rather than /Library/ColorSync or /Library/Preferences. But the script will have to be rewritten. I will try if version 3 doesn't come out soon!!

Finally, you need a suitable server and not everyone has access to such resources. If there is a demand, I don't mind setting up a server and the necessary MAC address files for interested users to use as long as the process is not abused. The ftp services can also be provided. If anyone has their machine stolen, a quick email can get their MAC.html files changed. Of course you will need your MAC address.

I also changed the echo IP command to
echo "IP: $externalip\nDate: $thedate\nComputerName: $computername\nSerial: $serialnumber\nBuiltInEthernet: $macaddress\nWhoIsLoggedIn: $whoisit\nUsers: $lastusers" >> "/Library/"$externalip
Note the backslash n \n to push everything to newlines... more readable.

All in all this is good stuff and is a very powerful concept.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: asmeurer on Aug 30, '08 11:16:32AM
I like the background picture idea, but the English is a little shaky. I would have it say:

The file system is corrupt.
Please take this computer to the nearest Apple Store to repair this for free.

This seems more like typical dialogs on the Mac (except for the content, of course). Also, I remove the button from the dialog, since it won't pulse anyway and can't be clicked. Maybe it would even be possible to use AppleScript to make it a real, draggable dialog.

If you're really sneaky, you maybe could even type in a phone number for them to call, which would somehow alert the authorities or you.

[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: S on Aug 31, '08 03:31:01AM

I'd like it to simulate a kernel panic. After several reboots the thief will figure that something is seriously wrong with the computer.



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: S on Aug 31, '08 03:35:04AM
display alert "The file system is corrupt." message "Please take this computer to an Apple Authorised Service Provider for a free repair." as warning

[ Reply to This | # ]
New picture
Authored by: hughcanbefound on Oct 03, '08 06:20:15AM
Here is where another, and IMO a better, image for phase 3 is. It uses the real OS X font *and* is in better English. Great tip though. Much appreciated. Enjoy.

[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: engelby on Jun 19, '09 02:26:42PM

I am just throwing this on here since someone took time to find my email address back and let me know that he had success with this.

---------------------------------------------------------------
James,
How have you been, I would like to thank you once again on this
excellent set of scripts. I don't see your website online anymore. I
hope all is well. But I am emailing you because I have a success
story.

I had a laptop iBook G4 on a media cart with a Projector and Califone
speaker. My principal called me over and asked if I had the
laptop.... I told him "NO"... We asked around to make sure a teacher
did not borrow it or something. So once we decided that it is missing
we both got bummed out that someone would do this. I told my
principal that there might be a way to see if it is stolen or not. I
went to the web server and checked the logs and saw a different IP
that was not ours. I told him that I think we might be able to
recover this. So I looked at the logs to see how long its been gone,
and saw that it has been 4 months gone. I told him that the machine
is being used frequently and that I would initiate phase 1 to collect
data. A few days passed and saw the perp online and connected to the
laptop and started my investigation of who had it ( this is after I
contacted our school police and started the process of a police
report) to see if maybe he had documents that would give a name to the
perp while we waited for a subpoena from the ISP. I got lucky and
found some of his homework that he had done on the laptop. So the
next day I talked to detective and said that I have a name and a
possible address because I had several docs with his name. He was
very amazed on being able to do this. So the next business day the
detective moved forward to obtain a search warrant and then went to
the home and found the laptop. So after the laptop was noticed
missing. Recovery took about 4 days!!!

I hope you are doing well. Also I would wonder if there is something
similar for our windows machines. The detective told me that in our
district computers are being stolen almost on a daily basis with low
recovery possibilities and having this really helped the
investigation.

I am also going to add this to get wifi info on the machine and what is around.

/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport --scan

Thanks buddy for this little gem.
-----------------------------------------------



[ Reply to This | # ]
An advanced script/web solution to track stolen Macs
Authored by: drudus on Sep 26, '09 12:17:41PM

This is a neat solution but I have concerns about the use of the ftp user & password in the script. It's possible that the thief could use these to remove uploaded files & data. Depending on your hosting setup they could potentially meddle with your website, or use the access to try other attacks.

I think a simple php script on the server that accepts post data could reduce the risk a little, by at least removing the ability for the thief to gain access to the server if they are smart enough.



[ Reply to This | # ]