The story behind my stolen items.

On the 28th of Sept 2008, I had a minor car accident & sent my car to AMK Industrial Park 2 area for damage assessment, repair quote & repair claim advise. I shall not disclose the company name at the moment.

Then on 29th Sept 2008 around 10am+ I sent the car down to the workshop. I had parked the car beside the workshop which was corner. Not visible from the front. I informed the mechanic i spoke to a day earlier that my car is parked there.

Then I proceeded to their office to look for chief mechanic & boss which i had not seen yet.
After discussion & confirmation to let them do the job. We proceed down to view my car again. The accident was minor but damaged the rear boot door. I had not open it since for they need to take picture.

At this point, was when my mid sized haversack went missing. Inside contain valuable items & very important accident documents & pictures from my digital cam in the bag. The accident happened in JB the day before. 1 of the most important document was the police report made between me & the other party at JB polis station. Darn .. it'll be so darn troublesome to have to go back & beg for that report again. Also, the pictures taken showed both cars' accident details & brand/model/make & even the driver's face & I/C.

The bag contained :

1) Asus F9SG notebook ( 3mths old )
2) Sony P-100 digital cam ( 5yrs old )
3) Starhub Huawei E270 usb modem
4) MSI mobo + CPU + rams ( belong to a customer )
5) Deuter mid size bag ( brand new !! 3days old )
6) 40gb ext ide drive.
7) Some other paper documents

I know it was my mistake to have placed the bag under the rear set & still quite visible if one were to peek hard into the dark tinted glass windows. However, the car was remotely locked.

To date I still suspect inside job done but i do not have proof. Since then, I changed another workshop for the repair job.

So on 29th night I made a police report. I had also seek Starhub for assistance in any case someone try to use the Huawei E270 modem to go online. Sadly, it had been terminated immediately. But Starhub is still able to trace the IMEI no. of the modem if one try to use a new SIM card.

weeks gone by & I knew there's little chance of recovering this painful lost. Starhub responded to my Investigating Officer with no sign, no trace of usage. Sad ...

THEN,

I realize my MSN had been signed in a couple of times after the lost. Usually after office hour 5.30pm onwards or Sundays morning !! Since then, I record down the timing my MSN messenger account being signed in else where. I've been careful & i know I only save my password & account on my personal computer system. My office & my laptop. I've only 2 personal computers anyway.


So here I'm, I'd like to seek anyone here for advise & help. Rewards will be given when the theif is nabbed irregardless of items recovered.

I've created another MSN messenger account to monitor "myself" signed in. USually it is signed in Offline status. However, the trace is that the laptop seemed to be infected with some spyware/virus that once it is signed in, it'll send out links to users online via MSN messenger. I'm very determined the thief can be nabbed.

I understand that if there's incoming connection, the IP will be logged in our system. I've spoken to my investigation officer who is very willing to help solve the case with me. He just needed the IP & he'll carry out the next half of the job.

A small reward will be given to anyone who is able to provide & help me with this job. Rewards wil be given when the thief is nabbed & i'm very serious with this.


I've also contacted HOTMAIL for assistance. They seem willing to help as well & waiting for their response cos they require me to fax over all the supporting police documents before they take action & I know, time could be running out before the theif decide to sell the laptop, format or clear the MSN messenger log in username/pw. I purposely did not change my msn pw for this reason.

if he is IT savvy enough, he will not sign in with your MSN. so, i guess this thief is some noob in IT..
he is probably using the laptop to surf net ,at most..

yes surf net watch movies maybe. there's folder called movies on the desktop. at least about 100gb of stuffs. cos the laptop has 250gb hd. i feel he's not too tech too. or probably just want to see wat is good to steal in my hotmail's email.

good luck bro, hope u can find ur stuffs back.

So was it in JB or AMK? why so confusing?

i know there is some kind of small software able to track the ip address when online or appear offline. tink i need to search for it as my hdd crash 1 mth ago..

Like installing a backdoor for ur own access?
Can rely on DDNS client if its still there actually.

dont quite understand..

i need a 3rd party software to monitor ? If so, wat is the name.

since u got the time record when the person sign in yr msn, contact the police ask them to optain a IP log from MSN, u can try get it yourself but i dont think they will let u have it..
once the police got the ip log, they will send to see which serivce provider is it from.
jus dont suay suay that person tap into other ppl network la..

and remember everyday call the police to ask what they have done. if not they will take 1 - 6month jus to handle small case like yours. and mainly come out with nothing.

Do you have the series number for all the things you have lost?

its very hard to install a 3rd party software from your side which u got no idea of the ip that person are connecting. unless u already have a BD on that laptop, job will be much more easy...

No 3rd party software can help you. Only chance is if you have applications running on your PC that auto connect to outside hosts, and request those host admin to provide you the IP. With the IP, then get the ISP to reveal the subscriber.

As for the E270 modem, only the telco can track the IMEI.

and anything got to do with ip address, ISP wont allow outsider to have it one, its a protection for the customer, unless u are legal to, which this kind of job only can be done by police/CID/IO

Even your laptop got GPS system, dont think anyone is willing to stick their neck out to activate GPS satellite to help you track it.

If person taken it is tech savvy enough, system password cannot hold them out for long.

i only know that dell bios startup lock password can lockout everytime...
once lock remove batt every parts oso no use.. need to call dell for unlock code.

Only a total noob and idiot would use a stolen laptop and sign in on MSN with the original account being used. :D

Either that, or the lappy had already been sold to an unsuspecting party which does not know the source..

I have a suggestion but not too sure if it will work, send a message thru msn to yourself using another account. Message content can be something like " hey abcdefg, the $2000 I owe you how? Which account number you want me to transfer to?"

You might be able to get his account number and trace him.

u got ur self taken prawn video like edison in ur laptop or not? :s13::s13::s13::s13::s13::s13::s13::s13:

I have a suggestion but not too sure if it will work, send a message thru msn to yourself using another account. Message content can be something like " hey abcdefg, the $2000 I owe you how? Which account number you want me to transfer to?"

You might be able to get his account number and trace him.
this huan is good idea...

but might also alert him to the fact that the msn is active

Seems nobody really reply on TS yet.

There is a way to find out the IP address of whom you chat to. I don't know if you can do it using manual windows tool, but I'm able to do this by using Kaspersky's Network Monitor (a feature of Kaspersky Internet Security) Try to do this:
1. Open Network Monitor by Right click KIS icon > network monitor
2. Look at MSNMSGR.EXE (the execution file of Windows Live Messenger / MSN Messenger) and print screen all the connection made (make sure no chat engage to your old MSN account)
3. Engage your MSN account NOW by chatting / sending file
4. Look at Network Monitor again and print screen.
5. Compare the images. The one pop-up is the IP of your old msn account.


I have try this with my friend by:
1. Chat with him.
2. Look at my Network Monitor
3. Ask him to check his IP in http://whatismyipaddress.com/
4. Confirm that his IP showed up in my Network Monitor.

Just a note: that IP does not mean absolutely HIS IP. If the thief is behind public router (such as University or Office network), it will be tough to find out. But at least it will help you narrow down the area.

I'm sure there is third-party application that doing the same as Kaspersky Network Monitor, but unfortunately I don't know. If you wish, you can install Kaspersky and use its feature.

didnt wan pour him cold water mah

sending an attachment will alert the person on other side, then again, the laptop may have been sold to somewhere who is novice

I have a suggestion but not too sure if it will work, send a message thru msn to yourself using another account. Message content can be something like " hey abcdefg, the $2000 I owe you how? Which account number you want me to transfer to?"

You might be able to get his account number and trace him.

man, this make sense seriously. :s13:

i'll try that with my other account but that will mean i cannot log on to this one for the time being. :(

btw, thank u all for the suggestion & feedback. the local police i contacted has agreed to re-open the case again & probe further into the matter once the ip is obtained.

man, this make sense seriously. :s13:

i'll try that with my other account but that will mean i cannot log on to this one for the time being. :(

btw, thank u all for the suggestion & feedback. the local police i contacted has agreed to re-open the case again & probe further into the matter once the ip is obtained.
If possible, while you have engaged your old account in chatting, I hope you can do as I suggested, since you'll be able to get his IP as well from it. Doing both at the same time is possible, so no loss in doing so :D

u got ur self taken prawn video like edison in ur laptop or not? :s13::s13::s13::s13::s13::s13::s13::s13:

bo la !!

project logs only a lot. pictures of my work, accounting info, civilzation 5 played half way, nb.


some prons maybe ..

i'll keep u guys posted here on the outcome...

currently i've 4 records of the timing & day when my messenger got logged out.

Seems nobody really reply on TS yet.

There is a way to find out the IP address of whom you chat to. I don't know if you can do it using manual windows tool, but I'm able to do this by using Kaspersky's Network Monitor (a feature of Kaspersky Internet Security) Try to do this:
1. Open Network Monitor by Right click KIS icon > network monitor
2. Look at MSNMSGR.EXE (the execution file of Windows Live Messenger / MSN Messenger) and print screen all the connection made (make sure no chat engage to your old MSN account)
3. Engage your MSN account NOW by chatting / sending file
4. Look at Network Monitor again and print screen.
5. Compare the images. The one pop-up is the IP of your old msn account.


I have try this with my friend by:
1. Chat with him.
2. Look at my Network Monitor
3. Ask him to check his IP in http://whatismyipaddress.com/
4. Confirm that his IP showed up in my Network Monitor.

Just a note: that IP does not mean absolutely HIS IP. If the thief is behind public router (such as University or Office network), it will be tough to find out. But at least it will help you narrow down the area.

I'm sure there is third-party application that doing the same as Kaspersky Network Monitor, but unfortunately I don't know. If you wish, you can install Kaspersky and use its feature.

thank u very much, i'm gonig to buy the software tmr. since can use on 3pcs. :) thanks .. never his kars b4 so never knew the features.

thank u very much. give me a bit of hope. will note u to be the 1st to provide me the info. should it succeed. i'll thank u further

if it is not too late and if TS is interested, I can setup an IP stealer on my server and what you need to do is to send him my domain URL with another sproof MSN account preferably a ladylike nick.


Once clicked, its GG for him as his IP address and ISP hostname will be transmitted to TS's email which will be setup by me.


PM me for a demo if you need to.

thank u very much, i'm gonig to buy the software tmr. since can use on 3pcs. :) thanks .. never his kars b4 so never knew the features.

thank u very much. give me a bit of hope. will note u to be the 1st to provide me the info. should it succeed. i'll thank u further

you dont need to buy. the free trial would be enough.

if it is not too late and if TS is interested, I can setup an IP stealer on my server and what you need to do is to send him my domain URL with another sproof MSN account preferely a ladylike nick.

Once clicked, its GG for him as his IP address and ISP hostname will be transmitted to TS's email which will be setup by me.

PM me if you need to.
Well, if any can make him click on own server's URL, his IP will be log directly for sure. Since Singapore's ISPs use proxy for port 80, make sure the stealer is not set for using port 80.

Also, it needs his interaction. While in msn chat method I mentioned, as long as a message is sent to that account (no need reply), the IP will be got by that time

TS can do a combo on the techniques discuss here, that is to follow raijinshou's method and the message that is to be sent will be my generic domain URL link. If he did not click onto the link, TS will hope that the 1st method can trace him.

If he received the message that is my domain URL and clicked on it, he is very much guarantee on the hook.

a sample of the email recorded look like this:

Moment : 07/12/2008 09:08:15
Ip : 218.186.12.2xx
Host : cm2xx.omega12.maxonline.com.sg

yes, we knew that its a proxy but you gave this info to the ISP including the domain URL the bugger clicked on and visited I am sure he can be traced.


edit: you may need a bit of social engineering skill here that is to use a ladylike MSN nick as not to make it look hostile or go "T-loan" any ladies friend account already in your add list on your stolen lappy.




Well, if any can make him click on own server's URL, his IP will be log directly for sure. Since Singapore's ISPs use proxy for port 80, make sure the stealer is not set for using port 80.

Also, it needs his interaction. While in msn chat method I mentioned, as long as a message is sent to that account (no need reply), the IP will be got by that time

Why take just the proxy IP when u can capture its x-forwarded-for header?

Besides, if the police is bothered, they can just request for the information without TS.
Dun even nid alert the other person

you never read, the stealer records the IP and hostname of the person visited the domain URL and send the info to TS's email so whatever in the x-forwarded-for header will belong to the server not the surfer. There is no email interaction between the TS and the person using the lappy, the "stealer" refers to an IP stealer script which is whipped up within 30 secs for this case.


This is not a high profile case unlike the one which happened in HK, as you already said "if the police is bothered". If TS wants to nab the culprit and get his things back, he will have to be proactive and help himself so things goes faster.



Why take just the proxy IP when u can capture its x-forwarded-for header?

Besides, if the police is bothered, they can just request for the information without TS.
Dun even nid alert the other person

Besides, if the police is bothered, they can just request for the information without TS.
Dun even nid alert the other person

As TS has said:
I've spoken to my investigation officer who is very willing to help solve the case with me. He just needed the IP & he'll carry out the next half of the job.

Ok la. IMHO, my thinking is tis, if they're half hearted from the start, it might mean they dun even wan bother abt it in the first case. It may just be an excuse to make TS gone and hope he does not know his stuff.

Esp when we talk about truly asia?

And then theres another problem, how to ensure the IP is really correct from their pov. When I refer to x-forwarded-for. This is the IP field that the proxy gives out on behalf of originating PC request. I assume Hafi's done a good job on catching both fields?

hehe... frankly I am not that programming savvy and the most the IP stealer can track is simply just his IP address (whether it came from a proxy or not) as well as its ISP hostname. It is just a simple few line 30 sec php script so nothing complicated and fanciful. The hostname identified the ISP so TS do not have to waste time contacting all 3 ISPs or find out the IP belongs to which ISP.

if TS got on hand the IP, hostname, together with the timestamp of the activity as well as the URL visited, I am sure the ISP side will have no problem tracing that connection.


edit: the script uses REMOTE_ADDR, I could not get HTTP_X_FORWARDED_FOR to work on Starhub connection.
note: HTTP_X_FORWARDED_FOR is based on a HTTP header sent by the client so it can be faked.



And then theres another problem, how to ensure the IP is really correct from their pov. When I refer to x-forwarded-for. This is the IP field that the proxy gives out on behalf of originating PC request. I assume Hafi's done a good job on catching both fields?

just a suggestion...

lets hope the thief is a MALE :=

get a female (prebably Very pretty), get on MSN and message him and entice him with sex..

you probably got to cook up a nice conversation, like she had a 'nice time' the last round, where he sent another guy down for a quick 'wild one'.

the problem is, where to get a good looking girl to start.. :s13:

wokring on social engineering always remember a person's weakness will always be greed. Do not state a very huge amount where he might be frighten off. Something like I mention $2k not too big but definetly attractive I believe. If you not too gd with social engineering then i suggest u use my method + one of the bro's as in using kaspersky to monitor the IP.

better is if u can use pressure methods like "hey abcdefg, so how I logging off soon le leh wife nagging :D. Or why not I return you the money after I come back from my out station after chinese new year?"

hi all thanks again for all the response. i made a mistake by leaving this message in my hotmail :(

this would probably set the thief cautious... sux.

I'll need the help from the bro on setting a link trap. my other email is

garytan@uvnium.com thanks ..

___________________________________________________________________________________________

Hi Tan,



Thank you for contacting Windows Live Messenger Abuse Support. My name is Fred and I'll be glad to assist you with your concern.



I understand that you want to know how do you attention the fax documents to and if you could send us a copy of the information you have right now. I know this is important to you so I will do my best to help you in this matter.



The legal documents are to be faxed to Microsoft Corporation because our department do not handle this kind of concerns.



Please follow the guides below:



Please address the appropriate legal document to the Microsoft Corporation and include all pertinent information for Microsoft to identify the particular MSN or Windows Live account(s) you seek to locate. The legal document may be faxed to 425-727-3490 for MSN and Windows Live Properties or 650-693-7061 for Hotmail and Passport.



Law Enforcement Officials should refer to the Microsoft Online Services Legal Request Hotline:



In the United States: 425-722-1299

Outside the U.S.: (011) 425-722-1299



I hope your issue will be resolved soon



Should you have any other questions or if you need further assistance regarding this issue, please do not hesitate to contact us again by replying directly to this e-mail.



Thank you for contacting Windows Live Messenger Abuse Support. Have a great day.



Sincerely,



Fred

Windows Live Messenger Abuse Support







--------------------------------------------------------------------------------



--- Original Message ---
From : "Gary Tan"
Sent : Saturday, December 06, 2008 3:35:28 AM UTC
To : "dskcs.mclt.00.00.en.nco.que.au.t01.spt.00.em@css.one.microsoft.com"
Subject : RE: SRX1086824492ID - Windows Live Messenger Abuse:Other

Hi Leah,

Thank you very much for this reply. I see hope in getting the thief !
How do i attention the fax documents to ?

I will contact my Investigation Officer from the local police force for stronger paper backup as well. Meantime, I have my police report & a letter of ongoing investigation from them.

Can I send u a scan copy here via email ?


Gary Tan






--------------------------------------------------------------------------------

From: DSKCS.MCLT.00.00.EN.NCO.QUE.AU.T01.SPT.00.EM@css.one.microsoft.com
To: garytan999@hotmail.com
CC:
Subject: RE: SRX1086824492ID - Windows Live Messenger Abuse:Other
Date: Fri, 5 Dec 2008 13:31:32 -0800



Hi Tan,



Thank you for contacting Windows Live Messenger Abuse Support. This is Leah and I will be helping you out today.



Based on the information that you sent, I understand that want to have the IP address of a person who has been accessing your garytan999@hotmail.com in order for you to trace the thief. I also gather that you already reported this issue to local authorities and you have all the necessary police documents. I can see the importance of this issue, so allow me to help you with your concern.



Tan, MSN cannot take action against members in cases of harassment we cannot verify what may have occurred during a Messenger session or determine the appropriate action to take based on a report that is made after the event. However, since you reported it to law enforcement, we can release the information provided that Microsoft receives first a valid subpoena, a court order, or a search warrant from law enforcement personnel or from a civil attorney. Please address the appropriate legal document to Microsoft Corporation and include all pertinent information for Microsoft to identify the particular MSN or Windows Live accounts that you want to locate. The legal document can be faxed to (425) 727-3490 for MSN and Windows Live properties or to (650) 693-7061 for Hotmail and Windows Live ID.



Law enforcement officials can also contact the Microsoft Online Services Legal Request Hotline:

. In the United States: (425) 722-1299

. Outside the United States: +1 (425)722-1299



I hope I was able to help you. If this information does not resolve the issue, please reply to this email and include any additional information so we can help you further.



Thank you again for contacting Windows Live Messenger Abuse Support.



Have a nice day.



Sincerely,



Leah

Windows Live Messenger Abuse Support



With Windows Live Messenger, you can now talk to your Yahoo Messenger friends. To learn more, paste this link in your browse: http://get.live.com/messenger/addyahoo





Find out how easy all-in-one PC care can be with the 90-day free trial of Windows Live One Care. To get started, paste this link in your browser: http://www.windowsonecare.com/purchase/trial.aspx?sc_cid=SPT_msgr



--------------------------------------------------------------------------------



--- Original Message ---
From : garytan999@hotmail.com
Sent : Friday, December 05, 2008 7:54:28 AM UTC
To : MSSGR.WNLV.AS.SG.EN.MSF.SEA.AU.T01.RTG.00.EM
Subject : Windows Live Messenger Abuse:Other

Service :
Windows Live Messenger Abuse

What type of problem do you have?
Other [Other]

Full name:
Tan Hau Hong

The e-mail address for us to send a response:
garytan999@hotmail.com

Primary e-mail address/member ID associated with the account you are inquiring about:
garytan999@hotmail.com

Please enter the Instant Messaging address of the user you are reporting.


Please provide as much detail as possible regarding the abuse or offensive behavior you are reporting to help us investigate the issue quickly
Dear Hotmail Admin,

I'd like to seek your help.
On the 29th of September 2008, my laptop containing some valuable work & personal informatino has been stolen. My car had been broken into & the laptop along with some other items were stolen.

I've already made a police report in my country, Singapore. And the local police had tried to assist in the investigation but to no avail. Therefore, i'm writing to you here to seek for professional help.

My MSN account is usually set to Non-Auto log in. However,there had been a couple of times when my MSN account got logged in from my stolen laptop. The last time it happened was on 4th November 2008, between 5.30pm to 5.45pm ( GMT +8 ).

I hope you are able to help me in any way possible. Like detecting the IP address that log on. The IP address is all we need to trace the thief. I've all the supporting police report document to provide if necessary.

I do not have intention to change the password to my MSN messenger account yet.

Please, i really hope to get the thief.
Thank u very much.

Gary Tan.

elo~ gary tan hau hong :o

everything is setup for and instructions has been emailed to you. You may use it asap or anytime when the culprit log on.




hi all thanks again for all the response. i made a mistake by leaving this message in my hotmail :(

this would probably set the thief cautious... sux.

I'll need the help from the bro on setting a link trap. my other email is

garytan@uvnium.com thanks ..

if he format and dun use the huawei modem.
then hard to trace liao.

i've implemented the trap.

but nothing. dont tell me the thief doesnt know wat is MSN or he knows wat he's doing.

Whenever he logs in I'd quickly log in using another account & send him the link. ANd he's also not clickning on the link provided in the email :( Sad..


Saddest part is our spf guy is taking his time to respond. Infact no response at all. It comes only when i called & leave a message " call me back". lol ..


Come Thursday, i'm going to take this matter to my neighbourhood MP's meet the resident session. I've never gone anything like that, but i just want to see how our leaders work things out especially miser problems like this in their eyes.

sux thumb for now ..

** hope it wont get the I.O into trouble .. lol **