The client in question is one of my Support Bank for Business customers and, as such, has my monitoring software installed on all of their laptops. This software, provided by GFI Max RemoteManagement, is designed to monitor the health of the computer it's installed on (disk space, antivirus protection, software updates, etc.) but it also provides two levels of remote access: remote screen sharing and remote background management via the command line. The screen sharing aspect, known as Take Control, is perfect for remote controlling a customer's machine and fixing problems that are more easily resolved using the Windows desktop, often in concert with the customer themselves as they can see exactly what you are doing on the screen (which makes it very useful for training as well). Remote Background Management, however, is hugely powerful if you know your way around the command line, and enables you to do all sorts of background maintenance without interrupting the customer. All you need is for that machine to be on the Internet...
The first thing I did was to make sure that a script I had written and deployed to the laptop via the dashboard, which removed all of my customer's data, had run successfully. Fortunately, for the most part, it had (certainly the Documents, Pictures, Desktop and Music folders were all empty). However there were still traces in other folders that hadn't been dealt with by the script, so I manually removed those folders, dredging up my very rusty knowledge of command line commands from the depths of my brain (and with assistance from /?). I also managed to retrieve a list of Wi-Fi connections that the laptop could see and the external IP address it was currently using, in an attempt to try and determine a physical location. It was at that point that the connection dropped, so my covert activities were curtailed. However, I had collected useful information that could be passed to the police, and I was also happy that the laptop no longer contained any of my customer's information.
I wasn't satisfied though. I was convinced there must be more that could be done to try and locate the laptop, and I was convinced that, if the laptop had been connected to the Internet once then it would be again. It was at that point that I remembered an application called Prey. I had first looked at the Prey Project about 18 months ago, when I stumbled across it during a Google odyssey (it was a quiet day at the ranch - we all have them!). Prey is a software agent (similar in concept to the monitoring agent I use) that is installed on to a laptop or smart phone and connects to an online service for reporting and control purposes. For most of the time it sits there doing very little. However, when you mark one of the covered devices as "missing", Prey springs into action. Depending on the configurable actions you have set on the Prey dashboard, it can determine the laptop's location by utilising the location information from surrounding Wi-Fi networks, take screenshots and even take photos using the inbuilt webcam, if available. You can also instruct the device to display a message on the screen ("Stop! Thief!"?), sound an alarm, lock itself (using a password you define) or even perform a remote wipe. All very clever, and precisely what I was looking for. What's more, the "Personal" plan is free (although restricted to 3 devices and only 10 reports). However, the standard way of installing Prey is to download the software from the website and then install it. Clearly I didn't want to remote control the desktop to do this, as not only would the current user be alerted to my ability to gain remote access but would also be able to interfere with the installation. I needed to be more cunning.
Whilst the laptop was offline I used the time to do some more Googling. Eventually I came across this blog post by Alan Hardisty from February 2013. It would appear that the Prey site had a Windows batch file that could install the software from the command line and associate it with your own dashboard. What's more, the blog post contained a very cunning way of downloading the software using the BITSAdmin tool that Windows uses to download Windows Updates. I read it with increasing excitement and then set about trying it out on one of my test machines in my office. However, try as I might, I couldn't get it to work. The laptop was remaining stubbornly offline and I was beginning to think that was the end of the line. That night I started thinking about what I might have done wrong when testing out the method and what else I could try (I know, I need to get out more).
The following morning when I checked the dashboard I noticed that the laptop was online. No time to test things - it was time to get to work! I brought up the Remote Background Management tool and connected to the laptop. I knew the script I had been using to deploy Prey remotely, which I had copied from the blog post, hadn't worked but I determined that the main reason it hadn't worked was that the BITSAdmin tool couldn't download the necessary installation files, presumably because the website I had used to host the files wasn't configured to allow BITS to download them. I reasoned that both the batch file and the installation file must be hosted on servers that BITS could connect to, so I set about looking for the appropriate URLs. I found them and then manually downloaded each file individually, using the following commands:
bitsadmin /transfer myDownloadJob /download /priority high http://preyproject.com/releases/prey-win-batch-install.bat c:\temp\preyinstall.bat
bitsadmin /transfer myDownloadJob /download /priority high http://preyproject.com/releases/0.6.2/prey-0.6.2-win.exe c:\temp\prey-0.6.2-win.exe
rem Replace [API Key] with your API key, available from your Prey dashboard
preyinstall.bat [API Key]
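Both downloads above use plain http, and the files are then run from a background shell with nothing checking that they are the files Prey published. The batch file below is an added example, not part of the original post or of Prey: it repeats the same BITSAdmin downloads but only runs the installer if each file's SHA-256 matches a pinned value. The two hash values are placeholders (the post gives none), and running from c:\temp is an assumption based on where the files were saved.

```batch
@echo off
rem Added example (not from the original post): fetch both Prey files with BITS
rem and run the installer only if each file's SHA-256 matches a pinned value.
rem Usage: verified-prey-install.bat [API Key]
setlocal
set "BASE=http://preyproject.com/releases"
rem PLACEHOLDERS: the post gives no hashes. Record them from copies you have
rem downloaded and checked on a trusted machine.
set "BAT_SHA256=REPLACE_WITH_SHA256_OF_TRUSTED_BATCH_FILE"
set "EXE_SHA256=REPLACE_WITH_SHA256_OF_TRUSTED_INSTALLER"

call :fetch "%BASE%/prey-win-batch-install.bat" "c:\temp\preyinstall.bat" %BAT_SHA256% || exit /b 1
call :fetch "%BASE%/0.6.2/prey-0.6.2-win.exe" "c:\temp\prey-0.6.2-win.exe" %EXE_SHA256% || exit /b 1

rem Both files verified. Assumption: the installer batch file is run from
rem c:\temp, the folder both files were saved to.
cd /d c:\temp
call preyinstall.bat %1
exit /b %errorlevel%

:fetch
rem %1 = URL, %2 = destination path, %3 = expected SHA-256 (hex)
bitsadmin /transfer myDownloadJob /download /priority high %1 %2 >nul
if errorlevel 1 (echo Download failed: %~1 & exit /b 1)
set "ACTUAL="
rem certutil prints a header line, then the hash, then a status line.
for /f "skip=1 delims=" %%H in ('certutil -hashfile %2 SHA256') do (
    if not defined ACTUAL set "ACTUAL=%%H"
)
if not defined ACTUAL (echo Could not hash %~2 & exit /b 1)
rem Older certutil versions print the hash with spaces between the bytes.
set "ACTUAL=%ACTUAL: =%"
if /i not "%ACTUAL%"=="%3" (
    echo SHA-256 mismatch for %~2, deleting it.
    del %2
    exit /b 1
)
exit /b 0
```

A mismatch deletes the downloaded file and stops before anything is executed, so a tampered or truncated download never runs on the remote machine.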
To my amazement, and ludicrous excitement, it worked. Within a couple of minutes, the laptop appeared on my Prey dashboard and I was able to mark it as Missing, thus activating all the tools. I sat there, intensely watching the screen, waiting for a report. I called my wife in to the office to tell her, and we both watched it. And watched it. Nothing happened. I then discovered that it can take up to an hour before the first report gets logged. After 50 minutes, still nothing had happened. And then the laptop went offline.
The following day I was out at another client site when I got an email message. A report had been posted on the Prey dashboard from the laptop. The game was afoot! I logged on to the dashboard and found a fantastically clear photo of the current user, as well as a Google map of the approximate location of the laptop and all sorts of other useful information. I created a PDF of the online report and immediately sent it to my customer, who passed it on to the police. Incredibly, the Google map indicated that the laptop was about 500 yards from my customer's office in the West End of London, so they went for a walk and, using the detail from the photo, managed to locate the shop where the photo was taken. Unfortunately the police didn't manage to get there in time and the gentleman in the photo was nowhere to be found. However, the system had worked! I knew that the free version of Prey only allowed 10 reports before the oldest report was overwritten, so I quickly upgraded my account to the paid-for Personal plan. This is only $5 a month and allows for up to 100 reports to be logged, which I considered to be well worth it.
The following day, the laptop came back online and another report was logged. It appeared that the laptop had moved, but not too far. The photo still showed the same gentleman using the laptop but the background was less distinct. However, using the Wi-Fi networks list from the report and a trawl through Google Street View I identified a shop which had potential to be the location. Again I passed this information to the police, via my customer. All the time Prey was continuing to log reports, with new screenshots and photos but thankfully the same location. This time the laptop user was staying put. The final report I received from Prey included a photo which showed another gentleman as well as the previously identified user. Little did I realise at the time that the laptop had captured the very moment that the user was apprehended and the laptop recovered - the second gentleman turned out to be a Detective Constable! Needless to say, my customer was delighted with this result and I may have had a glass or two that night to celebrate!
The laptop is now back in the hands of my customer and we are currently discussing deploying Prey (proactively this time!) across their entire laptop estate. I will also be recommending it to other customers as a useful insurance policy, particularly for expensive laptops and smart phones. Prey is a fantastic service and, coupled with the power of the monitoring software, makes a very compelling and inexpensive tool to add to your armoury.
If you are interested in finding out more, or would like to sign up for a Support Bank contract, please get in touch and I'd be happy to discuss things further.