Tracking and recovering a stolen laptop

Introduction

On December 20th 2009, my house was broken into and I was burgled. One of the items taken was my laptop, which was later recovered by the police after I was able to track it online and discover its whereabouts. This page details how I managed to track it, using the XMarks (formerly FoxMarks) plugin for the Firefox web browser, the Cambridge (UK) Freecycle mailing list, and a little bit of good luck.

XMarks

Between my day job as an embedded software engineer, and my personal life, where I tinker with computers probably more often than is healthy, I can think of five different computers that I use on a regular basis. One of the more frustrating things about using so many different computers is that when you bookmark a page in a web browser on one machine, it's not available on any of the others. I use the Firefox web browser, and, a long time ago, I installed the XMarks plugin to take care of this problem - it automatically keeps all of your bookmarks synchronized across all of your computers. It works by uploading your bookmarks to a central web server whenever you add or delete one, and then regularly checking with the server to see if you've made changes from a different machine, and downloading the new set of bookmarks if you have.

As an added bonus, you also get the choice of uploading your bookmarks either to one of the servers provided by the people who wrote XMarks, or to your own server. I opted to synchronize to my own server, which had the incredibly useful side-effect that I could see the logs showing me exactly when my computers synchronized their bookmarks with each other.

XMarks had worked so well for so long that I'd pretty much forgotten I was using it. It wasn't until a few days after the burglary that I remembered I had it installed, and realised that I might be able to use it to track my laptop. The Windows login on my laptop was not password protected, which meant that there was a strong possibility that whoever had my laptop would just turn it on and open the web browser, which would cause it to synchronize the bookmarks automatically without them even realising it was doing so. I looked through my server's log files, and started trying to figure out which entries corresponded to the various different times that I'd used my computers. Each log entry indicates, amongst other things, the time of the synchronization - and I quickly spotted two entries from just after midnight on December 21st, which was, coincidentally, about the time I was returning home to discover the burglary. I'm absolutely certain I wasn't browsing the web on any of my computers at that particular point in time. The entries in the log file were as follows (with my username replaced with X's):

   81.103.22.71 - - [21/Dec/2009:00:05:06 +0000] "GET /~XXXXXXXX/foxmarks/synced.json HTTP/1.1" 401 484 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729) Xmarks-Fx/3.4.3"
   81.103.22.71 - XXXXXXXX [21/Dec/2009:00:10:12 +0000] "GET /~XXXXXXXX/foxmarks/synced.json HTTP/1.1" 200 161732 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729) Xmarks-Fx/3.4.3"

If you want a full technical explanation of the syntax of these log entries, see here. But, in summary, the two lines show that a computer tried to download the set of bookmarks, but was told it couldn't do so without authenticating first. It then tried again, this time with a username and password, and was successful. One thing I can't explain is why there's a five minute gap between the two stages of this process - they normally happen immediately one after the other.

Further, the log files show that the synchronization occurred from a computer with an IP address of 81.103.22.71. This is not one that any of my computers had ever synchronized their bookmarks from before.

I thought that this was pretty conclusive evidence that the log entries came from my stolen laptop, but I wondered what to do next. Obviously, in theory, I could have passed this information to the police, who could have got in touch with the ISP to reveal which customer had been given that particular IP address at that particular time. However, I had doubts as to whether this course of action would actually be successful for what was probably a pretty insignificant burglary in the grand scheme of things.

Freecycle

I decided to search through my entire system to see if the IP address appeared anywhere else, in case my laptop was talking to my server for some other reason that I hadn't thought of. I wasn't expecting to find anything here, but figured I had nothing to lose. I was therefore incredibly shocked when the search returned three identical lines that looked like they were from e-mail headers, suggesting that I had received three e-mails from the person who now had my laptop. The header line in question was:

   X-Yahoo-Post-IP: 81.103.22.71

Initially, this really confused me. If somebody was e-mailing me, surely that meant that I knew them? And why would someone I know break into my house and burgle me? However, I soon stopped wondering about such things, and went back to actually looking at the rest of the e-mails in question in order to get the answers. It turned out that the e-mails were not sent directly to me, but were in fact posts to the Cambridge Freecycle mailing list, as evidenced by the "To:" lines of the e-mails:

   To: cambridgefreecycle@yahoogroups.com

For those of you who don't know, Freecycle is an attempt to increase recycling by allowing people to advertise possessions they no longer want and would otherwise throw away, in case there is somebody else out there who wants it. Groups are organised on a regional basis, so that people can collect quickly and in person, avoiding the hassle of postage. If you join the Cambridge list, you can see an archive of all postings since 2005 here to get an idea of the kind of items advertised via Freecycle.

Coming back to the story, I managed to get some other information from the e-mail headers, including an e-mail address, and a Yahoo! user-id, which were the same for all three e-mails, and between them gave away the name of the person who had sent the e-mails (which I'm not going to include here). I was also able to get the times that the three e-mails had been sent:

   Date: Sat, 12 Dec 2009 00:38:14 -0000
   Date: Sat, 12 Dec 2009 07:29:39 -0000
   Date: Tue, 15 Dec 2009 05:27:51 -0000

There was a three day gap between the first and last message. This showed that the person who sent these e-mails had a connection to the internet from an ISP that had given them the same IP address over a three day period from December 12th to December 15th. There was therefore a reasonable chance that the XMarks entries in my web server logs (from December 21st) did in fact come from the same person who had sent the e-mails, and that their ISP had not re-allocated the IP address to a different customer.
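
The two checks described above (spotting sync requests from an unfamiliar address in the web server log, then searching stored mail for the same address), as an added Python example that is not part of the original page. The function names, the "known" machine at 192.0.2.10, the unrelated mail from 198.51.100.7 and the message bodies are constructed for illustration; the log and header values for 81.103.22.71 are the ones quoted on this page, with the user agent shortened.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Apache combined format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def unfamiliar_sync_clients(log_lines, known_ips, suffix="/foxmarks/synced.json"):
    """Map each client IP outside known_ips to its sync requests: (time, status, user)."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].endswith(suffix) or m["ip"] in known_ips:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.setdefault(m["ip"], []).append((when, int(m["status"]), m["user"]))
    return hits

def messages_from_ip(raw_messages, ip):
    """Return sorted (sent time, To header) for mails whose X-Yahoo-Post-IP is ip."""
    found = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if (msg.get("X-Yahoo-Post-IP") or "").strip() != ip or not msg["Date"]:
            continue
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        found.append((sent, msg["To"]))
    return sorted(found)

# Constructed sample data: the page's two log lines (user agent shortened) plus
# one line from a made-up known machine, and mail headers built from the page.
KNOWN_IPS = {"192.0.2.10"}
REQ = '"GET /~XXXXXXXX/foxmarks/synced.json HTTP/1.1"'
SAMPLE_LOG = [
    f'192.0.2.10 - XXXXXXXX [19/Dec/2009:18:30:00 +0000] {REQ} 200 161700 "-" "Xmarks-Fx/3.4.3"',
    f'81.103.22.71 - - [21/Dec/2009:00:05:06 +0000] {REQ} 401 484 "-" "Xmarks-Fx/3.4.3"',
    f'81.103.22.71 - XXXXXXXX [21/Dec/2009:00:10:12 +0000] {REQ} 200 161732 "-" "Xmarks-Fx/3.4.3"',
]
MAIL = "X-Yahoo-Post-IP: {}\nTo: {}\nDate: {}\n\n(constructed body)\n"
LIST = "cambridgefreecycle@yahoogroups.com"
SAMPLE_MAIL = [
    MAIL.format("81.103.22.71", LIST, "Tue, 15 Dec 2009 05:27:51 -0000"),
    MAIL.format("198.51.100.7", "someone@example.org", "Mon, 14 Dec 2009 10:00:00 -0000"),
    MAIL.format("81.103.22.71", LIST, "Sat, 12 Dec 2009 00:38:14 -0000"),
]
```

Calling `unfamiliar_sync_clients(SAMPLE_LOG, KNOWN_IPS)` and then `messages_from_ip(SAMPLE_MAIL, "81.103.22.71")` reproduces the two steps on the sample data.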

I thought that I now had some pretty useful information - as well as an IP address, I had a name and e-mail address. I was starting to think that might be enough to let the police track my laptop, but, before getting in touch with them, I decided to look at the actual content of the e-mails that this person had posted. The first two were fairly innocuous messages, but the content of the third message was pretty unbelievable. With certain parts replaced by X's, here it is in full:

   Hello everyone,
   I giving away a pc monitor mod. ViewSonic UltraBrite E92f, 19 inches. Is the
   big old type, not the recent flat kind, but it's working fine.
   Call me on this number 07727 XXXXXX before coming to pick up at XX Birdwood
   Road CB1 XXX, in case I'm out.
   Cheers!

What happened next?

After I'd recovered from the shock of getting this person's full address, I phoned the police, gave them all the information, and the next day they phoned me back to tell me that they'd recovered the laptop and arrested the person who had it. Of course, I hadn't recorded the serial number of the laptop, but I did know its MAC address, which led to an amusing phone conversation as I tried to explain how to run the "ipconfig /all" command in order to verify that it was my laptop :-) (Do you have a record of all the serial numbers of all your expensive gadgets? I'd suggest you go and write them all down somewhere after you've finished reading this story!)

It turned out the person who had my laptop was not the thief, but claimed that they had bought the laptop from someone else. The police decided that there was sufficient data on my laptop to reasonably show that it couldn't have belonged to that someone else, and, as a result, the person who had my laptop was given a caution. After following their story up, the police found some other stolen items of mine, and also further stolen property belonging to other burglary victims. Two more people were arrested and charged with handling stolen goods in relation to this, and they were given a community-based sentence after pleading guilty. The person who actually burgled my house has not been caught, and the majority of the items they took from my house are still missing.

Update (April 2010)

Subsequently, one of the people who pleaded guilty to handling stolen goods was jailed for a string of burglaries, as reported in the local press here. Although the burglaries they admitted to were in the area that I live, and at around the same time that I was burgled, they have not admitted to the burglary at my house.

Thanks

Thanks for reading this far - I hope you enjoyed the story. If you've got any questions about it, e-mail me at abooker@gmx.net, and I'll do my best to answer them. Thanks are also due to the people who wrote Firefox, the people who wrote XMarks, the people who initiated and run Freecycle, and everyone involved in my case at Cambridgeshire Police.

PS: On the minuscule off-chance that somebody reading this story bought a second-hand PlayStation 3 in Cambridge around Christmas 2009/New Year 2010, and it has a MAC address of 00:1F:A7:D8:08:F4 (to find the MAC address, go to Settings, then System Settings, then System Information), please let me know, because it's mine!