  inGearX 3.1415 9265
join:2000-06-11 New York clubs:  
2 edits | Help: laptop stolen - how to erase data via a .bat I control
my WinXP laptop got stolen, I have a password on it after screensaver, but it's set to log in automatically at boot time
but at each boot it syncs a folder from my ftp server
this folder has a .bat file
this .bat file is executed automatically periodically
so there is a way to get back to my laptop in a way...
what do you think could be done? at least I would like to lock it down, make my data (firefox passwords...) as inaccessible as possible...
so what code do you think I could put into this .bat file?
thank you...
UPDATE:
ok so far I cooked up:
start batch.bat to lock the PC so they can not see what is going on, changes the password (in case they changed it) echo date, time, ipconfig, tracert to file.txt and it will auto sync
start batch.bat to disable autologin on startup it has
start batch.bat to start LogMeIn.exe
start batch.bat to erase all of Firefox profiles...
start batch.bat to modify MBR with MBRWiz.exe to disable GoBack and OS
start batch.bat to modify MBR with MBR.EXE from TeraByte Unlimited to disable GoBack and OS
start batch.bat to modify MBR with MbrFix.exe to disable GoBack and OS and write a message during boot up to contact me...
what else do you think? |
|
  Kramer Premium,Mod join:2000-08-03 Richmond, VA clubs:
·Verizon FIOS
·GoDaddy Hosting
Host: Microsoft Help Wireless Security
| I feel for you. With the current IP with time and date, you could probably determine who has it and where. I'll leave it to the DOS wizzes to come up with that, but it should be simple. Once you have that information, the hard part begins and maybe this part of the equation would be best for the security forum to handle. You will know the ISP of the user, but to get who that is and where they are, you almost certainly are going to have to involve the police. Comcast (for example) is not going to hand out IP information to anyone that calls them. I wouldn't do anything destructive to the laptop until you explore getting it back.
Should you want to delete a user profile, this tool would probably wipe out your user data. »support.microsoft.com/kb/315411 It sounds as if you can plant anything you want on this machine. Then again this all assumes they don't just reload the computer or notice your batch file running. I doubt the profile deletion utility will delete a currently logged in profile too. |
|
  joako Premium join:2000-09-07 /dev/null
·AT&T U-Verse
| I believe the below will work, but I haven't tested to make sure it does.
del /F /S /Q "c:\users\username\My Documents\*.*"
del /F /S /Q "c:\users\username\application data\mozilla\*.*"
del /F /S /Q c:\windows\*.*
-- PRescott7-2097 |
|
  Kilroy Premium,MVM join:2002-11-21 Ann Arbor, MI | For XP the file path is C:\Documents and Settings\%username%
Where %username% is the logged in user. -- When will the people realize that with DRM they aren't purchasing anything? |
|
  Anonymous_ Anonymous Premium join:2004-06-21 127.0.0.1 clubs: | reply to inGearX if it has a built in webcam you can get a screeny from it  |
|
  sdgthy
@optonline.net
| reply to Kilroy
said by Kilroy: For XP the file path is C:\Documents and Settings\%username% Where %username% is the logged in user.
Only if it's on the C: drive, %userprofile% will point to the proper location. |
|
  tim_k Buttons, Bows, Beamer, Shadow, Kasey Premium join:2002-02-02 Stewartstown, PA | reply to inGearX In the future, you might want to look at this »www.thelaptoplock.com/ |
|
  tr6scott
join:2002-03-23 Oxford, MI
·AT&T Midwest
1 edit | reply to inGearX Taking Kramer's idea, you could use the ipconfig and tracert to log the current ip's and use the command line ftp to send the file to you. Here is the reference on the command line ftp client. »www.nsftools.com/tips/MSFTP.htm
@echo off
REM Record network configuration, route, date and time in one file
ipconfig /all > c:\IPINFO.TXT
tracert 208.67.222.222 >> c:\IPINFO.TXT
date /t >> c:\IPINFO.TXT
time /t >> c:\IPINFO.TXT
REM Insert ftp command here to send C:\IPINFO.TXT to your ftp server
You can change the 208.67.222.222 to any domain name or your server static ip if you have one. This is the main ip for the opendns dns server, which I figure will be reachable, and not using a dns name quickens the response.
You probably want to check the ftp server logs and see if anything has logged on to access the file. If you have other machines that do the same thing, I would update those to use a different file, so you can monitor if that file is ever accessed. If not, someone just probably did the factory restore if the image is on the harddrive and selling.
EDIT: Added the date and time commands. |
|
  inGearX 3.1415 9265
join:2000-06-11 New York clubs:  
| reply to inGearX thank you everyone
one important note - the laptop has GoBack 4 running on it - so any changes I made - could be reverted and likely will as that is pretty much the only option they will have once the PC is locked
as during the boot up GoBack gives an option to go back and the laptop has no CDROM so it is difficult for them to install a new OS...
I am trying to find a way to disable GoBack via command line - but it's difficult - any help? |
|
  LinkTech Former Linksys Tech VIP join:2002-07-02 Mission Viejo, CA | If you have the ability to run batch files, look at something like this.
»preyproject.com/ |
|
  joako Premium join:2000-09-07 /dev/null | reply to inGearX Is there a Windows equivalent of the Linux command cat /dev/zero > /dev/sda (or dd if=/dev/zero of=/dev/sda)
Basically running a quick dBan-like wipe from within itself. -- PRescott7-2097 |
|
  mr_slick
join:2003-05-22 Lynnwood, WA
| reply to inGearX i would guess that unless they know nothing about computers, they have already hacked into your data and/or formatted the thing.
if i was a laptop thief the first thing i would do is slave the hard drive to another machine and hunt for data, once data is either found or not found (or found to be boring) i would wipe the drive, put it back and install a fresh os.
only then would i hook it up to a network.
i second the trying of finding the IP/ISP if (a big IF) it does connect to your ftp and then involve the police. that is really your only chance of getting the hardware back.
as for the data, i would change all passwords for online stuff-- that is about all you can do.
sorry i don't have anything more positive to say  |
|
  inGearX 3.1415 9265
join:2000-06-11 New York clubs:  
| reply to inGearX ok so far I cooked up:
start batch.bat to lock the PC so they can not see what is going on, changes the password (in case they changed it) echo date, time, ipconfig, tracert to file.txt and it will auto sync
start batch.bat to disable autologin on startup it has
start batch.bat to start LogMeIn.exe
start batch.bat to erase all of Firefox profiles...
start batch.bat to modify MBR with MBRWiz.exe to disable GoBack and OS
start batch.bat to modify MBR with MBR.EXE from TeraByte Unlimited to disable GoBack and OS
start batch.bat to modify MBR with MbrFix.exe to disable GoBack and OS and write a message during boot up to contact me...
what else do you think? |
|
 OZO Premium join:2003-01-17
1 edit | I'm sorry, but I have to agree with mr_slick. The best thing you can do is to contact the police and provide them with the whole info collected at the time. It's the best chance (not a big chance though) for you to get it back. As soon as you start doing something noticeable for the thief - you only decrease that chance.
As it already was mentioned, it's easy for a thief to look at your data while your HD is attached as a second drive to a computer. In this case your BAT file could never get any processor time and you will not be able to run or achieve anything...
Again, I'm sorry for your loss.
If you want to run a BAT file intended to wipe your files - keep in mind that some files may be locked (usually by Windows Explorer) while your account is logged on. It's better to run that BAT file when the account is logging off. You may want to look at this registry key to register your BAT file:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0]
"Script"="C:\\AnyPath\\YourBatch.bat"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
But again, if the thief knows a bit about computers - he can easily restore all your deleted files back...
-- Keep it simple, it'll become complex by itself... |
|
  maartena Super Grover Premium join:2002-05-10 Orange, CA
·RoadRunner Cable
| reply to mr_slick
said by mr_slick: as for the data, i would change all passwords for online stuff-- that is about all you can do.
This is probably the most important one. If you used "save password" a lot, they will try to use password-find utilities.
A thief that steals laptops just to get personal data off of them - such as passwords to online banking etc - will not even BOOT the drive, they will simply TAKE IT OUT of the laptop, hook it up to a computer in a USB cradle or as a 2nd drive, and snoop for nice data.
Furthermore, chances are that they aren't connecting the laptop to the internet at all when they boot it up..... so your automatic batchfile would be useless.
What I would do is what slick said: Contact the police, and provide them with logs from your FTP server that uses that specific account that uses the batch file. If you are lucky, the thief uses a home connection with an IP address that can be traced to a subscriber's name. -- "I reject your reality and substitute my own!" |
|
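The FTP-log check suggested by tr6scott and maartena above, as an added example that is not part of any post in the thread: it lists which remote hosts transferred the one file only the stolen laptop syncs, with first and last timestamps to hand to the police. It assumes the server writes the wu-ftpd/ProFTPD "xferlog" format (the thread never names the FTP server); the file name, account name and log lines are constructed.

```python
from datetime import datetime

# Constructed sample in xferlog format (assumed; the thread names no server).
# /sync/laptop.bat and "syncuser" are hypothetical; IPs are documentation ranges.
SAMPLE_XFERLOG = """\
Mon Mar  1 21:04:10 2010 1 198.51.100.20 412 /sync/desktop.bat b _ o r syncuser ftp 0 * c
Tue Mar  2 09:15:42 2010 1 203.0.113.77 388 /sync/laptop.bat b _ o r syncuser ftp 0 * c
Tue Mar  2 09:16:03 2010 2 203.0.113.77 2911 /sync/IPINFO.TXT b _ i r syncuser ftp 0 * c
Wed Mar  3 23:40:18 2010 1 203.0.113.77 388 /sync/laptop.bat b _ o r syncuser ftp 0 * c
Thu Mar  4 02:11:55 2010 1 192.0.2.9 388 /sync/laptop.bat b _ o r syncuser ftp 0 * i
not an xferlog line
"""

def parse_xferlog_line(line):
    """Return a dict for one xferlog record, or None if the line is malformed."""
    f = line.split()  # xferlog replaces spaces in file names with underscores
    if len(f) != 18:  # 5 timestamp tokens + 13 fields
        return None
    try:
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(f[7])
    except ValueError:
        return None
    return {"time": when, "host": f[6], "bytes": size, "file": f[8],
            "direction": f[11], "user": f[13], "complete": f[17] == "c"}

def watched_file_access(log_text, watched_file, account, known_hosts=()):
    """Per-host summary of transfers of watched_file by account, oldest first."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if not rec or rec["file"] != watched_file or rec["user"] != account:
            continue
        if rec["host"] in known_hosts:  # your own machines, if any share the file
            continue
        h = hosts.setdefault(rec["host"], {"host": rec["host"], "first": rec["time"],
                                           "last": rec["time"], "transfers": 0,
                                           "completed": 0})
        h["first"] = min(h["first"], rec["time"])
        h["last"] = max(h["last"], rec["time"])
        h["transfers"] += 1
        h["completed"] += rec["complete"]  # True counts as 1
    return sorted(hosts.values(), key=lambda h: h["first"])

if __name__ == "__main__":
    for h in watched_file_access(SAMPLE_XFERLOG, "/sync/laptop.bat", "syncuser"):
        print(h["host"], h["first"].isoformat(), h["last"].isoformat(),
              f'{h["completed"]}/{h["transfers"]} completed')
```

Timestamps in xferlog are in the server's local time, so note the server's time zone alongside the output when passing it on.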
  angussf Premium join:2002-01-11 Tucson, AZ
| reply to joako Lots of good ideas in this thread.
said by joako: Is there a Windows equivalent of the Linux command cat /dev/zero > /dev/sda (or dd if=/dev/zero of=/dev/sda) Basically running a quick dBan-like wipe from within itself.
Eraser from »eraser.heidi.ie/ is a free GPL Windows file-wiper with command-line capabilities.
WRT the thief being able to "GoBack", it would be useful to figure out where GoBack stores its files and wipe those first, then "eraser" the rest.
If you create a scheduled task using "AT" the laptop user might not notice it, especially if the task starts minimized and late at night. If you set up a batch file with the following command:
C:
CD \
for /d %%a in (*) do rd "%%a" /q/s
it would delete all the non-hidden directories under C:
If instead of "CD \" you used 'CD "\Documents and Settings"' it would just wipe all the user folders. That might stop the batch-file in its tracks, however, as it probably runs from %TEMP%.
Here's an idea: The command NET USER [username] [password] sets the password for user "username" without confirmation required. Might prevent autologin from working. However, all the thief needs to do is mount the HDD in another computer and it will be fully readable unless your files are encrypted. -- Angus S-F GeoApps, Tucson, Arizona, USA »geoapps.com/ »www.linkedin.com/in/angussf |
|
  Anonymous_ Anonymous Premium join:2004-06-21 127.0.0.1 clubs: | reply to inGearX check ebay and craigslist |
|
 TheAnalyzer
join:2006-01-20
| reply to inGearX In any case what I would always do is to change all passwords and login information that was on the laptop ASAP.
That way at least they can not hack your accounts.
I would not rely on a possibility of remotely erasing, or making data inaccessible.
TA  -- quod erat demonstrandum |
|