Monday, February 6, 2012

Retrieving a Stolen iPhone in Under 72 Hours


Within 53 hours I was able to get a stolen iPhone safely into police custody. Here's a rough timeline of the steps I took to get the phone back to the rightful owner:

Saturday, 2/4/2012 @ 8:45 AM -- iPhone was "lost" (i.e., stolen).
  • Called the stolen iPhone and it rang four times before going to voicemail, suggesting that it was powered on and had reception. Used the "Find iPhone" app to locate the phone using the Apple ID credentials of the stolen iPhone, but it was unable to locate the phone.
  • Using the "Find iPhone" app, sent lock code to stolen iPhone to ensure that it was locked and required an unlock code to access the phone.
  • Using the "Find iPhone" app, sent messages with sound to the stolen iPhone stating that the phone was lost and to call ###-###-#### (my Google Voice number). No response.
  • Shortly thereafter the iPhone was powered down by the "someone" who had possession of the phone.
  • I had the owner of the stolen iPhone change passwords to accounts accessed by the iPhone (e.g., Gmail, Dropbox, etc).
  • Set up the email account used as the Apple ID of the stolen iPhone to forward a copy of all mail from "" to an account I set up at Boxcar. The reason for doing this was to have push notifications sent to my phone moments after the stolen iPhone was powered on and received the commands that I had sent from the "Find iPhone" app.
    • There's a Boxcar iOS app that I installed on the device that I was doing the tracking from.
  • Opted not to report the phone as stolen with AT&T yet since I wanted to be able to continue tracking the phone. 
  • Also opted not to remotely wipe the iPhone via the "Find iPhone" app for the same reason.
  • The "Erase all data on iPhone after 10 failed passcode attempts" option was turned off on the iPhone. This was a good thing since it prevented the stolen iPhone from being wiped by 10 failed passcode entries and becoming un-trackable. 

Sunday, 2/5/2012 @ 10:00 AM -- the iPhone was powered on by "someone" and the location of the phone was identified.
  • I received a push notification from Boxcar showing that an email from was received. That meant that the stolen iPhone was powered on and was now locatable.
  • Used both the "Find iPhone" and "Find Friends" iPhone apps by Apple to track the location of the phone.
    • Another option was logging into iCloud with the Apple ID and password associated with the stolen iPhone ... which I did.
  • Location of the phone tracked to a residential address.
  • Used Google maps and street view to look at the house.
  • Identified the owner of the house using PropertyShark.
  • Gathered information about the owner using Intelius.
  • Again, sent messages with sound to the stolen iPhone stating that the phone was lost and to call ###-###-#### (my Google Voice number). No response.
  • The phone was powered down by the "someone" who had possession of the phone roughly five minutes after it was powered on.
  • Checked AT&T for any unauthorized calls. There were no unauthorized calls.
  • A police report was submitted online to the police department where the phone was stolen. 
    • The police department where the phone was currently located (different city than where the phone was stolen) would not accept a report directly since the theft occurred in a different city.

Monday, 2/6/2012 @ 10:46 AM -- the iPhone was powered on and left on.
  • Using both the "Find iPhone" and "Find Friends" apps, the GPS location of the stolen iPhone was the same address as the address that was identified on Sunday.
  • A police report was submitted online to the police department. The location of theft was intentionally left vague, implying that the theft occurred in the city where the phone was currently being tracked to. The police department was willing to accept the incident report.

Monday, 2/6/2012 @ 1:04 PM -- Called the records and dispatch departments of the PD from the city where the stolen iPhone was currently located.
  • Gave the incident report tracking number to dispatch.
  • After a lengthy conversation, dispatch agreed to send an officer to the house and that the officer would call me back if I needed to cause the stolen iPhone to make a sound.

Monday, 2/6/2012 @ 1:36 PM -- Received a call from the responding officer.
  • The police officer stated that he went to the residential address.
  • The officer stated that the owners of the house were at the residence.
  • The police officer gained possession of the phone.
  • The police officer asked me for the unlock code and some contact data that was on the phone to verify ownership.
  • The officer relayed the convoluted story that the individual who had stolen the iPhone told him.
  • We agreed to check the phone into the police department's chain of custody, and the stolen iPhone would be picked up by the rightful owner soon.
  • Called the police department from where the phone was stolen, stated that the iPhone was retrieved by another police department, and the case was closed.
... and that's a happy ending.

Apple has more information about locating a lost or stolen iPhone here.

Tuesday, January 17, 2012

Koobface Analysis

Today Facebook announced that it will share the data it has collected about the group of people behind the Koobface virus. Facebook didn't provide any details about the "Koobface gang". However, in a separate blog post independent researchers Jan Drömer and Dirk Kollberg of SophosLabs did provide details of their analysis. I found the SophosLabs article a very interesting read in that it details the painstakingly slow process investigators must endure to piece security incidents together and that given enough time and resources "cybercrimes" can be solved.

"Up until now, Drömer and Kollberg's research has been a closely-guarded secret, known only to a select few in the computer security community and shared with various law enforcement agencies around the globe" ... "At the police's request we have kept the information confidential, but last week news began to leak onto the internet about Anton 'Krotreal' Korotchenko - meaning the cat was well and truly out of the bag." -- Graham Cluley, Sophos analyst
Link to Analysis: