Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Stolen Macbook Pro Located w/ iCloud (Pictures!)
- Thread starter Luke 007
- Start date
- Sort by reaction score
Sniffing traffic from the computer that the op legally owns, while not connecting to anyones elses access point, is violating many laws? Which laws in particular?
Pretty sure I'm allowed to sniff traffic from any machines that I own.. But if you can show me the laws that such activity would violate I'd be happy to admit my fault.
Didn't you know? Everyone here has a degree in law... it's a requirement when you register to the forum... That and you have to be the smartest person on the Earth.
Its not the computer that is the issue. Its the fact that is it someone else's wireless network.
You messed up. The laptop has gotten a private address from the router. Those numbers are reused by countless private networks. The public address probably only resides on the router, which you may recall might not be his, but if you narrowed the laptop and router to the same house, the you're set (I don't think you can skip this step. Get that street address.)
OK, if you join that same network and type "traceroute google.com" then you would be able to see the first non-private ip address as you route to the internet. (It will start at 10.0.1.x or 192.168.1.x or similar and the first number outside that range should belong to a company you can buy internet access from). Some people have a problem with joining open networks. It's up to you. You may be able to passively collect unencypted traffic to or from the laptop and discover the gateway address that way, but it's harder, and it's just as invasive, in my non-legal opinion.
Anyway, once you get the public ip address, you'll be able to contact the ISP and find out who it was assigned to during the time you were observing. The private address is truly useless. It has nothing to do with the IANA.
Use this site with the public ip address: http://whois.arin.net
I guess the evidence in the end will be:
1) The wireless signal indicates my stolen laptop is in house X.
2) The internet address that my laptop is connected to confirms that the house address is X.
The specific laws please?
As mentioned, you don't need to connect (aka associate your machine to an AP) to another person's network in order to sniff the traffic from a given MAC address. And frankly running a pcap would be no more invasive (to the theif!) than the OP has already been with kismet, or iCloud for that matter...
Fyi packet captures can easily be implemented on a wired Ethernet network as well as wireless. Wireshark is widely used for troubleshooting in the network industry and I honestly can't see this being an issue considering the machine in question is the OPs property which was stolen from him.
Please show me the specific laws this would violate if anyone actually knows, or maybe OP could run it over with the gumshoe and let us know what he says.
Umm If my ISP gave my info to some bloke off the street who had my ip address that would be a serious violation of my privacy on the ISP's behalf. Police need warrants to get that information from ISPs in Canada (maybe the patriot act negates the need for a warrant in the states, but the average joe off the street still can't get it from the ISP).
However if OP provides the IP to the detective, he (the detective) can choose to pursue legal avenues to obtain the information from the ISP.
I wouldn't join the network if you can avoid it.. Its unencrypted so you can passively collect all the info you need without joining . And what good is a trace route to google showing the ISPs default gateway? That's not going to show the public address of the machine... If anything I'd suggest whatismyip.com - that will yield the IP (and thus the ISP) of the machine to give the detective.
As others have said. You need the public ip address. If its 192.xxx.x.x or 10.xx.x.x it likely isn't what you need. I'm sure there is an easy way to get it. Hell, you could probably just log on the network, and use one of those "what is my ip" websites to find out.
Thank you for that distinction. Now that I look at it the I.P. address associated with my stolen MBP that Kismac recovered is definitely a private I.P. address, so that must be why my Detective is having a hard time with it. How do I get the public I.P. address? (I answer my own question below, thanks!)
----------
I have been researching how to do a packet capture of my computer for clues to the identity of the user. How exactly do you recommend I do this? And how can I do a packet sniff with just my MAC address? That would be awesome if I could just do it from home!
----------
Thanks for making this clear, I am driving back over there right now to get the public I.P. address so we can start working with the real thing. BTW in my Kismac data the signal strength of my computer is very high, in the 70s right with all the other devices connected to the network. Does that signal strength represent the signal between the router and the device? Or between my computer running Kismac and the device? (That seems unlikely to me). In the case that the Kismac signal strength represents the devices signal strength relative to the router that means the person using my computer could very well be in the residence with the open network and may not be piggybacking.
----------
I am ready to do this, how do I start? Is there a tutorial out there on how to get capture files? Thanks in advance!
----------
Yup on my way to get the public wifi, thanks man!
The FBI and ICE cyber teams would have recognized the IP as a private network and would know how to find the real IP quickly, get a warrant, determine whether this was the thief, and if not, locate the thief accessing the open Wi-Fi.
Your effort should have been directed at calling the FBI, ICE, and the Justice Department in San Diego and getting the local detective to copy those three phone calls.
Your effort should have been directed at calling the FBI, ICE, and the Justice Department in San Diego and getting the local detective to copy those three phone calls.
Thanks for all the great tips, I am sending the names I got from that whitepages link to campus security (where my macbook was stolen) so they can potentially match a current student or employee (a janitor most likely).
----------
Think they are open on Sunday? I am trying to make it as easy as possible for the authorities (getting the public I.P.) once I do make a full scale effort to get them involved. BTW I appreciate your thoughts in this thread, I would have never thought to get those companies involved but it seems like a great route to go if I mean make it work. How would you pitch my situation to get them to help? I don't really care about rejection, and I will keep calling until I get someone that wil work with me, but I want to be strategic, how can I make them want to help me? When I called the FBI the first time the lady I connected to was so rude to me because she saw a personal computer as being completely below her, how do I make them care?
Thanks for the great tips. How do I lookup the gateway address?
----------
How exactly do I log into their router and how would I find the signal strength? Sounds like that could be a good tactic.
I fixed it. I would highly recommend not pursuing with this method. Let the authorities handle it. I'm not sure how committing a felony sounds like a good idea.
Unfortunately, that is typical of those who work for the FBI. Very narcissistic people.
1) - Tomorrow, first call is to the boss of the FBI in San Diego, the Justice Department (USJD) in San Diego. Tell who you speak with at USJD who you are, your laptop was stolen and you went on a popular Apple forum called Macrumors and have been directed how to pinpoint the thief. You believe you have done so and you were also told that the thief is breaking a federal law known as "accessing a protected computer". You've also been told that to further track the thief through the Wi-Fi connection YOU may be breaking a federal law (you would) and you do not want to do so.
You were told to contact the FBI and did so. The response from the FBI was very rude. "Can you help me?"
2) - If the USJD person you speak with is also a narcissistic prick and won't help then call I.C.E. and leaving out the FBI and USJD use the same story above -who you are, stolen laptop, Macrumors, breaking federal laws etc.- and try to get help from I.C.E.
3) - If the I.C.E. agent you speak with turns out to be a narcissistic prick as well go back to your detective and explain that the FBI has already solved exactly this type of crime in Florida and tracked someone accessing the net through an open Wi-Fi router that also had five other people accessing it and arrested the perp who is now in Federal prison. A local cop can succeed in contacting the FEDS where you fail (shouldn't happen, but these are the actual people who carry the guns and use our federal tax dollars, not a pretty sight).
Good luck and maintain your persistence in that direction. Once you and the local detective become physically involved at that location there is an extremely high probability that the thief will be spooked before being caught. The FEDS know how to do the whole thing so that doesn't happen.
Some of us are still waiting for you to provide the laws related to your "this is a felony" statements.
I'd personally take my chances.
Thanks. Unfortunately, when I drove over there I was unable to log onto the open lyncsys network that my stolen computer logs into so I was unable to recover the public I.P. address. What was interesting is that among other things, a message popped up telling me I could not log on because a computer on that network was already using my I.P. Address...? I also got connection timeout errors..etc. I'm guessing their internet was just down at the moment.
Does anyone know how to get the public I.P. address with data from Kismac, such as the router MAC address?
----------
Awesome, thanks for the tips. BTW what case in Florida are you referring to exactly? Can you please post a link?
I would also mention that this is a $2000 laptop not a $200 laptop the value of the item will def make a difference.
The router's MAC address is useless. you really want the router's public IP address. Internally it probably has an IP address of 192.168.1.100 but its' external IP is the one the police need.
If you have a dump of traffic from that network, you might be able to find the public IP from it. In wireshark, you'll be able to see the source and destination of each packet. Hopefully you'll be able to find a converation between a public site and your laptop. If you know the public site's IP, the other IP should be the local network.
Tread carefully though: This might be considered criminal (especially if the network is password-protected) and even if you're vindicated in court you'll have spent buckets of money on defense if the police bring charges against you. If you get the IP address, is there any way you can tell the police without telling them how you got it?
You might be better off getting the police to call apple or even subpoena them for the IP address. They have it. They just don't want to go through the hassle of getting it for you. They can blow you off but they must reply to a subpoena. Or, try a different strategy with them. Call them and treat it like an iCloud problem. Tell them it's not working and you can't see your machine's location and slip in something like "well, if you see it, what's the IP address?". You may need to get to level 2 support or so. keep trying.
Here's a quick wireshark introduction, you would have to be in the vicinity of the laptop and start a capture filtering for traffic coming from or going to your stolen laptops MAC address. With enough captured traffic you'll surely find something with the public ip or maybe some personal info / usernames or passwords of the theif.
http://www.youtube.com/watch?v=tvtH1OfgChU&feature=youtube_gdata_player
http://www.youtube.com/watch?v=tvtH1OfgChU&feature=youtube_gdata_player
First things first, I emphasize you again to go thru this a police or federal officer first to prevent legal complications you may have later. You will definitely get your MBP back with their help and with what information you have. They have tools, resources, and authorization to do it, you don't.
I agree with another post that ICE is likely to be more active than FBI, especially in SD area, so if FBI won't help you, don't give up and try ICE next.
Next, to answer your question:
There are many tools that let you find out the 'public' ip address as well as its details (ISP, geolocation, tentative type of connection). One way is, when you are connected to that router, go to a web site: http://www.systemdetails.com/connection.php. The result might not be 100%, because some ISP enforce a proxy on its subscribers or sub-ISP may use larger ISP network. Anyhow, I don't think that is the case for ISPs in SD residential area.
You will also need to record the exact date and time you get that public IP address, so it can be crossed check with the ISP database.
Next, even without access to router admin page, various wifi probing software, like Kismet, usually provide some info on SNR, RSSI, ul/dl speed of the devices near your area. RSSI may be shown in relative value (0-100), or dB/dBm or mW (milliwatt).
We can safely assume that the stronger the SNR ratio, or higher RSSI, the closer of that device, especially if that connection is a demanding one, particularly 5GHz Wireless-N, or even 2.4GHz Wireless-N. For example, strong RSSI signal in an indoor environment, like -40dB to -70dB means he is very near, like 10-40ft from the device, -70dB to -80dB means he is closed by, like 40-90ft, -80dB or less means he is likely farther, like next door or next few doors. If possible, check out the ul/dl speed of your stolen MBP to router too.
What's that area like? Apartment complexes or annex buildings or single houses?
Good luck and be careful.
I agree with another post that ICE is likely to be more active than FBI, especially in SD area, so if FBI won't help you, don't give up and try ICE next.
Next, to answer your question:
There are many tools that let you find out the 'public' ip address as well as its details (ISP, geolocation, tentative type of connection). One way is, when you are connected to that router, go to a web site: http://www.systemdetails.com/connection.php. The result might not be 100%, because some ISP enforce a proxy on its subscribers or sub-ISP may use larger ISP network. Anyhow, I don't think that is the case for ISPs in SD residential area.
You will also need to record the exact date and time you get that public IP address, so it can be crossed check with the ISP database.
Next, even without access to router admin page, various wifi probing software, like Kismet, usually provide some info on SNR, RSSI, ul/dl speed of the devices near your area. RSSI may be shown in relative value (0-100), or dB/dBm or mW (milliwatt).
We can safely assume that the stronger the SNR ratio, or higher RSSI, the closer of that device, especially if that connection is a demanding one, particularly 5GHz Wireless-N, or even 2.4GHz Wireless-N. For example, strong RSSI signal in an indoor environment, like -40dB to -70dB means he is very near, like 10-40ft from the device, -70dB to -80dB means he is closed by, like 40-90ft, -80dB or less means he is likely farther, like next door or next few doors. If possible, check out the ul/dl speed of your stolen MBP to router too.
What's that area like? Apartment complexes or annex buildings or single houses?
Good luck and be careful.
Probably good news, if he made contact with the feds they would immediately tell him to stop posting on this forum.