Tuesday 2 May 2006

The Case of the Stolen Laptop [Beej]

Okay. A week ago at time of writing, my sister's laptop was stolen from her student flat in a leafy road in Leeds. She was really cut up because she'd not made any backups at all (sigh), because she had no house insurance and, of course, because her privacy had been invaded.
Tonight, I noticed my sister log in to Skype. Amber alert, because she's at work in the pub and I didn't expect her to be online. I fire up a DOS prompt to see what TCP/IP connections are open:

C:\>netstat -a -b -v -o

  TCP    ferrari:2475           host86-130-14-225.range86-130.btcentralplus.com:41476  ESTABLISHED     384
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\system32\WS2_32.dll
  C:\Program Files\Skype\Phone\Skype.exe
  -- unknown component(s) --
  [Skype.exe]

With only one person online in my Skype user list (my sister's client), I have presumed that this is the connection to my sister's Skype client.
Things aren't initially that hopeful: it's a BT Broadband IP, it's national with hundreds of thousands of subscribers, and it will be a real mare to get anywhere through BT Abuse. I call them anyway, and during a 20-minute phone call find out the procedure. Then, in between eating a Tikka Masala for dinner, the only Skype connection on my laptop changes to this:

  TCP    ferrari:3037           student-halls-leodis-pc012-213.leeds.ac.uk:35388  ESTABLISHED     384
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\system32\WS2_32.dll
  C:\Program Files\Skype\Phone\Skype.exe
  -- unknown component(s) --
  [Skype.exe]

Now, this seems too much like coincidence. A P2P connection in Skype that also goes to Leeds, where my sister lives? Now for the detective work: it's obviously leeds.ac.uk, and a quick search for "leodis" brings up the Leodis accommodation in Leeds at LS6 2QF.
LS6 2QF fed to Google Earth gives a pretty picture of Leeds which, as the crow flies, is within half a mile of my sister's flat. Whoah.
Now the leeds.ac.uk IP gives more than enough to go on, and tomorrow my sis will be visiting Leeds ISS to talk about the geography of the IP address. Further to that, she's got the phone number for the Police Constable who came to her flat after the robbery a week ago.
But - and here's my but - Skype is a P2P product, and therefore in theory, ports open on my laptop could, as I understand it, be from any other Skype client. Being P2P, I'm just a conduit on the network.
Additionally, what if this student accommodation is wireless? If it is the laptop, it could be within a hundred metres or so, which makes things a little less cut and dried. It might explain the two IP addresses, however? The laptop is bouncing between two access points?
Could it be that the leeds.ac.uk IP is a red herring? Wouldn't you expect a stolen laptop to get wiped anyway? The location seems more than coincidence. I've phoned my sister at work and she loves the idea that it might turn up; tomorrow she's going into the Uni to find out what they say about the IP address.
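As an added example (not part of the original post), a small parser for the Windows XP "netstat -a -b -v -o" layout shown above that attributes each connection to its owning process and lists the distinct remote hosts per process. The sample output is constructed to mirror the two Skype rows in the post; the UDP/mdns.exe row is made up to exercise the state-less case.

```python
import re

# Constructed sample in the layout of Windows XP "netstat -a -b -v -o": a
# connection row, then the module chain, then "[process.exe]". Hostnames and
# the Skype PID are modelled on the post; mdns.exe and its row are made up.
SAMPLE = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    ferrari:2475           host86-130-14-225.range86-130.btcentralplus.com:41476  ESTABLISHED     384
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\system32\WS2_32.dll
  C:\Program Files\Skype\Phone\Skype.exe
  -- unknown component(s) --
  [Skype.exe]
  TCP    ferrari:3037           student-halls-leodis-pc012-213.leeds.ac.uk:35388  ESTABLISHED     384
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\system32\WS2_32.dll
  C:\Program Files\Skype\Phone\Skype.exe
  -- unknown component(s) --
  [Skype.exe]
  UDP    ferrari:5353           *:*                                    1100
  [mdns.exe]
"""

# Connection row: proto, local, foreign, optional state (UDP rows have none), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# The "[process.exe]" line closes a record and names the owning process.
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat_bv(text):
    """Return one dict per connection, tagged with PID and owning process."""
    records, current = [], None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            proto, local, remote, state, pid = row.groups()
            current = {"proto": proto, "local": local, "remote": remote,
                       "state": state, "pid": int(pid), "process": None}
            continue
        proc = PROC_RE.match(line)
        if proc and current is not None:  # module paths in between are skipped
            current["process"] = proc.group(1)
            records.append(current)
            current = None
    return records

def remote_hosts_for(records, process):
    """Distinct remote hostnames (port stripped) for one process, case-insensitive.
    For a P2P client these are peers or relays, not necessarily the contact's PC."""
    return sorted({r["remote"].rsplit(":", 1)[0] for r in records
                   if r["process"].lower() == process.lower()})
```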

6 comments:

  1. Uncle Am says get your sister to ask the local police to accompany her to the accommodation on the basis that she has an extremely good locale for the stolen goods. If she does it on her own she'll stand a dramatically reduced chance of success relative to if she takes the coppers with her.
    My bet is that a student has bought this 'off the back of a lorry' from local pondlife.

  2. Okay, so 20 hrs later, what's the progress?
    Well it's good and it's so-so. First thing this morning, my sister phoned her local Police station, and at first they just took a message and said they wouldn't do anything until Friday, but I encouraged her to try a second time, and I don't know how she sold it but the bottom line was that they sent a Constable over to meet her.
    My sister explained the situation, and armed with the student-halls-leodis-pc012-213.leeds.ac.uk IP, the Constable and my sister both went along to Leeds ISS. Having the Police present dealt with the DPA disclaimers and waivers, and Leeds ISS came up with a room for that IP, and so they head over to the accommodation at LS6 2QF, and with the Uni security gorilla, they enter the room. Inside the room is a laptop.
    At this point, things are very rosy, you think? Now this is where it gets complicated. The laptop is not the stolen laptop. The owner - fresh out of the shower - did use Skype - but the Constable searched the room, and no other laptops found. He also says that he didn't think the guy suspicious, and he answered all questions like a good student. There was also no wireless.
    I spoke to the Constable on the phone just now. He asked me to explain how I came by the IP - and I did, and he was happy. We both agreed that the close proximity, and the way I came to find the address via Skype, seems more than coincidental. He shares the feeling that the laptop is possibly in the building, although the room was not right.
    He noted that Leeds ISS had queried my use of the term "IP address"; they said it was a machine name. Now I would argue, if I must, that it's both. It looks like a machine name (pc012-213) that is also in an outward-facing IP - fair enough? Leeds ISS also asked if I had the MAC address for the NIC in the laptop (obviously - no). The Constable has suggested that he didn't get a clear-cut answer on whether that IP (machine name?) is static to that room only. Now we can't answer that yet - it has been suggested that it depends on how leeds.ac.uk run their network operations.
    At this stage: no dice; but there's a possibility if the Police don't run out of steam that when they talk to leeds.ac.uk tomorrow maybe there's something that could be done.
    I'm concerned about the P2P nature of Skype. Could it just be coincidence that I had a connection from that IP at that time? But my sister was also logged into Skype at that time... surely not coincidence at all.
    If anyone has any advice on perhaps what traffic Leeds ISS could snoop for (?) (I don't see how I can obtain the MAC address of a stolen laptop, quite honestly) then please post.

  3. Long shot, perhaps, but do you have the serial number of the lappie kicking around anywhere? Might try phoning the manufacturer with that and seeing if they have the MAC address of the laptop's NIC on file?

  4. Any routers at home which may still have details of her lappie's MAC address? But I'd expect if you have the s/n of the lappy the manufacturer may have the other details.

  5. (2200hrs) KV and I did some testing. We opened Skype chat windows to each other and looked at netstat at both ends. Neither of us had each other's IP addresses as open connections.
    Therefore, I think the leeds.ac.uk is a red herring - it is only a client on the P2P network, perhaps between myself and the stolen laptop, but is not "the crim".
    I've posted on the Skype forums with this assumption to see if anyone can confirm/deny/make suggestions.
    Gah! One day of Police time wasted by misunderstanding Skype P2P? ;(

  6. Sometimes when cross-examining, it is a question of how you phrase things, particularly putting people on the spot direct. You want to avoid debate and get into yes / no and btw do you realise this is a criminal investigation. So my question would be, given your testing and the astronomically impossible odds of a coincidental physical log only 1/2 a mile from your sister's flat compared to a whole country on Skype;
    "Given the information seen on Beej's computer, can you identify a room and or user in the accommodation - yes or no"
    If they faff the answer, get it back to yes or no. It's amazing what results you can get just by rephrasing the question.
