We have been able to find the general location of wireless devices by using the search features of both our wired and wireless networks. I have also used an Etherscope (fluke) to locate a device. When locating stolen property, we try to use these tools, but what has worked has been the Nathan Hay approach of checking logs. Most of the time when something is stolen it disappears from our network immediately and never returns. We always try the best we can to locate the stolen devices, but we know that the chances are slim of recovering anything.
One time a real genius stole a bunch of property from students, and then contacted one of his victims to see if he could collect a ransom for the files on her laptop. The outcome was Jailarious! He (not a student) was arrested from his house a few blocks from campus. Greg Briggs Network Manager Pacific Lutheran University On Thu, Mar 14, 2013 at 5:22 AM, Alexandra Frincu <[email protected]>wrote: > Hello, **** > > ** ** > > In a wireless campus network, it happens that stolen devices reappear. *** > * > > This subject has been already addressed on Educause in 2008:**** > > ** ** > > > http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0812&L=WIRELESS-LAN&T=0&F=&S=&P=37407 > **** > > ** ** > > and in 2010:**** > > ** ** > > http://seclists.org/educause/2010/q3/176**** > > ** ** > > I am wondering if progress was made on this topic in the last years.**** > > ** ** > > In particular, I wonder how to precisely locate a stolen device, after you > get the alert that its MAC address is detected on the network (the laptop > appears associated to a specific AP in a specific building).**** > > How can you pinpoint that device?**** > > ** ** > > One option, is to walk around with a laptop and an AirPcap card, sniffing > the traffic, filtering on that certain MAC address and when the RSSI gets > higher it means you are closer to that stolen laptop. **** > > However, this is not that discreet and there’s always the risk that > before being able to pinpoint the laptop, the fake owner will leave.**** > > ** ** > > Another option is to use tcpdump on a laptop, and filter the raw packets > from that MAC address and constantly monitoring its signal level until the > best value is found. Airodump, which shows the traffic on all channels is > also an alternative.**** > > ** ** > > Is there a complex and more user friendly tool that is being used in your > campus? ideally, a tool simple enough so it could be used by the security > staff (the persons entitled to catch the thief) on a tablet or smartphone? > **** > > ** ** > > Any experience/thought/recommendation on this subject would be highly > appreciated.**** > > ** ** > > Best regards, **** > > ** ** > > Alex**** > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
