One trick I used to use is to watch the traffic from that IP address to see
if the user gives away their identity by logging into a campus system
(email, web filtering, grades, etc). Then you can go directly to the
person using the stolen laptop.
Hope that helps,
Nathan Hay
Network Engineer | NOC
WinWholesale Inc.
From: Alexandra Frincu <alexandra.fri...@unil.ch>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU,
Date: 03/14/2013 08:31 AM
Subject: [WIRELESS-LAN] locating stolen laptop - wireless campus network
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Hello,
In a wireless campus network, it happens that stolen devices reappear.
This subject has been already addressed on Educause in 2008:
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0812&L=WIRELESS-LAN&T=0&F=&S=&P=37407
and in 2010:
http://seclists.org/educause/2010/q3/176
I am wondering if progress was made on this topic in the last years.
In particular, I wonder how to precisely locate a stolen device, after you
get the alert that its MAC address is detected on the network (the laptop
appears associated to a specific AP in a specific building).
How can you pinpoint that device?
One option, is to walk around with a laptop and an AirPcap card, sniffing
the traffic, filtering on that certain MAC address and when the RSSI gets
higher it means you are closer to that stolen laptop.
However, this is not that discreet and there’s always the risk that before
being able to pinpoint the laptop, the fake owner will leave.
Another option is to use tcpdump on a laptop, and filter the raw packets
from that MAC address and constantly monitoring its signal level until the
best value is found. Airodump, which shows the traffic on all channels is
also an alternative.
Is there a complex and more user friendly tool that is being used in your
campus? ideally, a tool simple enough so it could be used by the security
staff (the persons entitled to catch the thief) on a tablet or smartphone?
Any experience/thought/recommendation on this subject would be highly
appreciated.
Best regards,
Alex
********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
*********************************************************************************************
This email message and any attachments is for use only by the named
addressee(s) and may contain confidential, privileged and/or proprietary
information. If you have received this message in error, please immediately
notify the sender and delete and destroy the message and all copies. All
unauthorized direct or indirect use or disclosure of this message is strictly
prohibited. No right to confidentiality or privilege is waived or lost by any
error in transmission.
*********************************************************************************************
