Tracking a laptop thief via MAC address (network forensics)

post #1 of 8
Thread Starter 
Let's say for example someone were to steal my laptop and connect it to a wifi hotspot to hack or commit other crimes. Now, my laptop's network card has a MAC address. I have heard that the network card's MAC address is tied to the modem and that's how the ISP verifies you in some cases.

Now I thought that the MAC address is stripped once when it reaches the modem before it leaves for the internet. I have heard conflicting stories.

But back to my hypothetical scenario. Assuming the laptop doesn't have any type of LoJack installed on it, if the thief were to connect to the wifi hotspot, could the ISP find this out by seeing the MAC address of the laptop's network card connected to a different IP?

The router of the wifi hotspot would keep a log of all the MAC addresses that connected to it, right? If the logs of the router were analyzed and the MAC address was revealed, could the police summon all the ISPs to find out what other places that laptop was connected to, in order to track the thief down at their home address?

I have always wondered if this was a way to find out the home address of a laptop thief because theft is such a big problem. Is this how LoJack works?
Edited by aweir - 8/30/11 at 9:24pm
post #2 of 8
Once a packet leaves the broadcast domain, the original MAC is stripped.

You would not be able to tell unless you were on the same network.
post #3 of 8
Thread Starter 
I heard that websites can block you based on your MAC address so that if for example someone was to get banned from OCN and take the laptop to a wifi or someone else's house they would still be banned based on the MAC address of the NIC. But apparently this is misinformation. Not to say you are wrong, but can you explain how a MAC address of a network card can be tied to the modem, so that if someone were to connect a new computer to the modem, the internet connection would be blocked. I am not talking about MAC address filtering at the router, but at the ISP level.

If that wasn't the case, why is there MAC spoofing and MAC cloning? Would the ISP be able to tell what the MAC address of your network card is, remotely, for security reasons?

I found this from a tutorial online:

If the Ethernet card that was used during ISP installation is not available, you may need to register the new Ethernet card's MAC address with your ISP for the following to work.
MAC address stands for Media Access Control address (not "Macintosh computer"!), a unique number built into modems, routers and other network hardware. It ensures that one piece of equipment is not mistaken for another one. Some ISPs validate your connection by checking the MAC address of the Ethernet adapter in computer that was registered during ISP installation. If you add a router or change computer or Ethernet adapter, these ISPs will drop your Internet connection, because they find the MAC address of the newly added router or adapter, instead of the one they expect.
Edited by aweir - 8/30/11 at 8:15pm
post #4 of 8
Quote:
Originally Posted by aweir;14768077 
I heard that websites can block you based on your MAC address so that if for example someone was to get banned from OCN and take the laptop to a wifi or someone else's house they would still be banned based on the MAC address of the NIC.
Misinformation, consider your source.
Quote:
Not to say you are wrong, but can you explain how a MAC address of a network card can be tied to the modem, so that if someone were to connect a new computer to the modem, the internet connection would be blocked. I am not talking about MAC address filtering at the router, but at the ISP level.
It's not, really. Your modem has its own MAC address that becomes explicitly allowed on the ISP end when you are activating your service. You can change the MAC of your external interface on a PC or router directly behind it, and receive a new DHCP address as a result (although you may have to wait for DHCP timeout as they only give you one address at a time).

The majority of forum bans are based on an IP address and/or cookie.
Quote:
If that wasn't the case, why is there MAC spoofing and MAC cloning? Would the ISP be able to tell what the MAC address of your network card is, remotely, for security reasons?
MAC cloning is useful for replacing an existing device which has a DHCP lease to more-quickly-renew your IP association (say if you upgraded your router). MAC spoofing exists to circumvent MAC based access lists (wifi access list, port security, etc).

The ISP would be able to tell your WAN facing device's MAC (or at least the one it presents to your ISP). This would be through the assigned DHCP association when you receive an external IP address. They would not be able to see a MAC address of a specific computer behind your router, though.

If you had to replace your modem itself, you would need to call the ISP to have the MAC address of the device allowed onto the network. This is separate and independent from your router or PC's MAC.
post #5 of 8
Thread Starter 
OK, I think I understand. If someone were to steal a laptop and connect it to their home internet, the ISP would not be able to trace that laptop to a different IP address and find out where they were, unless it connected to a service, like logging into my email (if I had autologin), where the authorities could find out where the thief lives if my email provider was involved (say if the thief used my email to send threatening or hate mail). If he logged into my email, they would have a record of someone logging into 2 different places. But assuming the thief formats the drive and doesn't connect in any way which would be traceable, no one would ever be able to know that the laptop was in use at another location.


Let's turn the tables around. Let's say someone hacks into my router and steals my internet and commits a crime online. The police kick my door in, seize my computer and router, and see that someone connected to it (because a MAC address in the logs doesn't correlate to the NIC MAC of my PC). The police go to the ISPs and say "hand over your logs" showing which IP addresses were assigned to that particular NIC MAC address. The ISP shows them another IP address associated with it, and gives them the names/address of the person of the other IP addresses.

Are you saying this is not possible?
post #6 of 8
The ISP won't have a log of the laptop because your router is doing PAT or Dynamic NAT, whichever one you want to call it. Your ISP will only have logs of your router's MAC address, provided they even keep logs for an extended period of time.

To answer your earlier question: yes, a MAC address of a laptop can be traced back to you from your ISP. It would take more work than they are willing to do, and they would have to catch them online to do it.

I am curious as to why you are asking this? This really borders on a grey area, and these hypothetical situations make me wonder. Most people would explain in the first post why they are asking these types of questions.
post #7 of 8
Unless the ISP can somehow view the MAC address of the onboard NIC in your laptop.
post #8 of 8
Quote:
Originally Posted by aweir;14768750 
OK, I think I understand. If someone were to steal a laptop and connect it to their home internet, the ISP would not be able to trace that laptop to a different IP address and find out where they were, unless it connected to a service, like logging into my email (if I had autologin), where the authorities could find out where the thief lives if my email provider was involved (say if the thief used my email to send threatening or hate mail). If he logged into my email, they would have a record of someone logging into 2 different places. But assuming the thief formats the drive and doesn't connect in any way which would be traceable, no one would ever be able to know that the laptop was in use at another location.
Pretty much.
Quote:
Let's turn the tables around. Let's say someone hacks into my router and steals my internet and commits a crime online. The police kick my door in, seize my computer and router, and see that someone connected to it (because a MAC address in the logs doesn't correlate to the NIC MAC of my PC). The police go to the ISPs and say "hand over your logs" showing which IP addresses were assigned to that particular NIC MAC address. The ISP shows them another IP address associated with it, and gives them the names/address of the person of the other IP addresses.

Are you saying this is not possible?
ISP would be irrelevant, your house would only have a single IP facilitated by your WAN facing device (router and modem MAC). Each LAN client does not get a unique external IP from the ISP.

How exactly do you expect your network to be 'hacked'?

If someone were still actively connected in range of wifi, it would be possible to capture their wireless NIC MAC simply by sniffing wifi traffic. The possibility of this is extremely low, however, as there would be a significant timeframe from theoretical hacker x committing theoretical crime y to theoretical authority z kicking down your door. You would also have to consider the possibility of MAC spoofing. In a heavily saturated wifi area, unless they examine every laptop in the direct area, generally not going to happen unless someone is shortsighted enough to hang out around the outside of your house looking suspicious with a laptop.

If theoretical hack q was done remotely over the internet, you may be able to obtain records of which IP accessed a specific port on your IP at a certain time. This would not include specific PC MAC information unless the computer was directly connected to an ISP (no router).
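
Added example (not written by any poster in this thread): the replies above agree that LAN client MACs exist only in the router's own records, never at the ISP, and that spoofing has to be considered. This Python sketch reads a constructed lease table in dnsmasq's lease-file layout, lists clients missing from a hypothetical inventory of the owner's devices, and flags locally administered addresses; the sample data, `KNOWN_MACS` and the function names are assumptions.

```python
import re

# Constructed sample, dnsmasq lease-file layout:
# <expiry-epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1314766800 00:1b:44:11:3a:b7 192.168.1.10 desktop 01:00:1b:44:11:3a:b7
1314767400 3c:5a:b4:9e:20:01 192.168.1.23 * *
1314768000 02:aa:bb:cc:dd:ee 192.168.1.31 android-7f *
not a lease line
"""

# Hypothetical inventory of the owner's own devices (any case, ':' or '-').
KNOWN_MACS = {"00-1B-44-11-3A-B7"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize(mac):
    """Lower-case, colon-separated form, or None if not a 48-bit MAC."""
    mac = mac.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


def is_locally_administered(mac):
    # Bit 0x02 of the first octet means the address was set in software
    # (randomized or overridden). A clear bit proves nothing: a cloned
    # burned-in address looks identical to the real one.
    return bool(int(mac[:2], 16) & 0x02)


def unknown_clients(lease_text, known):
    """Return lease entries whose MAC is not in the known inventory."""
    known_norm = {normalize(m) for m in known}
    findings = []
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # skip malformed or non-lease lines
        mac = normalize(parts[1])
        if mac is None or mac in known_norm:
            continue
        findings.append({
            "mac": mac, "ip": parts[2], "hostname": parts[3],
            "expiry": int(parts[0]),
            "locally_administered": is_locally_administered(mac),
        })
    return findings


if __name__ == "__main__":
    for f in unknown_clients(SAMPLE_LEASES, KNOWN_MACS):
        print(f)
```
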