
Pwned by the Owner 3: VNC, Browser Cookies and Keylogger to the Rescue

Zoz Brooks elaborates on the methods he used for figuring out accurate personal details of the burglar who ventured to steal his beloved computer.

Retrieving the Burglar’s Personal Details

But childish fun aside, I wanted that machine back, so let’s start taking a look to see what we can find out about the guy that has it. He hasn’t changed the names of my hard disks; there are some PDFs on the desktop – they look like forms for unemployment benefits in Nevada. It turns out they are unemployment forms in Nevada, but they’re not filled in electronically; they’ve just been downloaded and probably printed out, so that’s a dead end.

Burglar’s photo 1

Burglar’s photo 2

Burglar’s photo 3

But we have some stuff that is .JPGs. Hmm, maybe they’re interesting pictures, let’s take a look (see photos above). So now, either whoever has this computer is really into saving photos from DiamondEarringWearingDouchebags.com or these are pretty hilarious self-portraits.

Browser cookie file

So, let’s find out a little bit more about what this guy’s into. Let’s take a look at his browser cookie file (see image). Here’s an excerpt, here are some sites: we have Blackphatbooty.com, Bigbuttbrazilianmoms.com, Freebigassporn.org, Elephantasses.com, alright.

What are some searches? Alright, we got: ‘sexy beautiful fat ass’, got several searches for free porn, not something I thought was that difficult to find. But we’re getting a psychological profile. I know some of you right there are thinking this is my machine and these are my cookies. Now, I swear to you that they’re not; you’re just gonna have to take my word for that.

We got some location information in these cookies – nothing we didn’t know, it’s all Las Vegas. But a little bit deeper here we find a Gmail address. Thank you Google for keeping that stuff very easy to find!
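The cookie triage above is done by eye in the talk. As an added example (not code from the talk or its author), here is the same triage automated over a Netscape-format cookies.txt file, the tab-separated text format the Mozilla-based browsers of that era wrote: list the domains, pull out anything that looks like an e-mail address, and flag location-looking values. The cookie lines are constructed for this example; the domains and the address in them are placeholders, not data from the talk.

```python
"""Parse a Netscape-format cookies.txt and extract domains, e-mail addresses
and location hints. Sample data is constructed; the domains and address are
placeholders, not the cookies from the talk."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample. Fields: domain, include-subdomains, path, secure, expiry, name, value.
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File
.example-adult-site.com\tTRUE\t/\tFALSE\t1893456000\tvisitor_id\tabc123
.example-adult-site.com\tTRUE\t/\tFALSE\t1893456000\tlast_search\tfree%20porn
.example-ads.net\tTRUE\t/\tFALSE\t1893456000\tgeo\tUS%7CNV%7CLas%20Vegas
.google.com\tTRUE\t/mail\tTRUE\t1893456000\tprefs\tuser%3Dsomeone%40gmail.com%3Blang%3Den
.example-shop.com\tFALSE\t/\tFALSE\t0\tsession\tdeadbeef
this line is malformed and gets skipped
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_cookies_txt(text):
    """Return one dict per cookie row; comments, blank lines and malformed rows are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # real files occasionally contain junk rows; do not crash on them
        domain, _subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain.lstrip("."),
            "path": path,
            "secure": secure == "TRUE",
            "expires": int(expires),
            "name": name,
            "value": unquote(value),  # values are usually percent-encoded
        })
    return cookies


def domains(cookies):
    """How many cookies each site set; a rough 'what is he into' histogram."""
    return Counter(c["domain"] for c in cookies)


def find_emails(cookies):
    """(domain, cookie name, address) for every e-mail address found in a decoded value."""
    found = []
    for c in cookies:
        for addr in EMAIL_RE.findall(c["value"]):
            found.append((c["domain"], c["name"], addr))
    return found


def find_location_hints(cookies, keywords=("geo", "loc", "city", "region")):
    """Cookies whose name suggests a stored location (ad networks love these)."""
    return [(c["domain"], c["name"], c["value"])
            for c in cookies
            if any(k in c["name"].lower() for k in keywords)]


if __name__ == "__main__":
    jar = parse_cookies_txt(SAMPLE_COOKIES_TXT)
    for domain, n in domains(jar).most_common():
        print(f"{n:3d}  {domain}")
    print("e-mail addresses:", find_emails(jar))
    print("location hints:  ", find_location_hints(jar))
```

Run it against a real jar by reading the file into `parse_cookies_txt`; Gecko-era profiles kept it at `cookies.txt` inside the profile directory, while later Mozilla builds moved to an SQLite `cookies.sqlite` that needs a different reader.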

Retrieved profile of the thief

So, what have we got? We got location in Las Vegas, we got a name, we got a face, we got a Gmail account, and we got a keylogger installed.

At this point I got sweaty pants, I’m like: “Oh, can’t wait for this machine to come back online”, because it goes offline typically 8 or 10 hours after it goes online – so I was waiting to get that first key log back.

Captured key strokes

Here’s some of the initial key log stuff (see image to the left). So, right away we have a street name, but not a street number; could be his, might not be. We got one login and password, but we don’t really have a lot here. There are a lot of weird key presses, and I know that he’s using the Web a lot, because I’m also watching over VNC some of the time, when I happen to be there while it’s happening.

Pwned!

But how is he logging into things without typing many passwords? Well, the browser he’s using is Camino, which is the browser I had installed, because he can’t install new software since he doesn’t have the admin password. And Camino is the Macintosh build of Mozilla. It’s integrated well with the Mac OS Keychain for storing passwords. Now, the Keychain is encrypted. But he’s storing his passwords in my Keychain and it’s encrypted with my password! So, I download the Keychain file and open it in Keychain manager – and he’s pwned.

Birthday greeting from Army.com

At this point I just need to find out a little bit more; I need a full street address, I need to find out maybe some more info about this guy. So, what about his birthday? Well, Army.com is nice enough to send him a birthday greeting that tells us the day and the month (see image), but what about the year? It’s not in there. Well, maybe his logins and passwords can shed some light on the subject: Gmail: mrguzmanmel@gmail.com / guzman85; Facebook: timrican@yahoo.com / guzman85; Yahoo: timrican / guzman85; BlackPlanet.com: fricanpapi85 / guzman85; Mocospace.com: 1flyricanpapi / guzman85; eBay: mguzman1985. You think maybe he was born in 1985? Well, eBay tells us that he was.

Getting a lot closer to the point, but street number missing

But, you know, this guy is not using the same password for everything; like, I don’t want to completely denounce his password behavior. He does mix it up a bit: we’ve got some twiddling on the numeric keypad going on for some of these.
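The inferences in the two passages above (one password shared across accounts, a birth year leaking as an "85"/"1985" suffix, and "variants" that only shuffle digits around the numeric keypad) are exactly what a credential-dump analyst automates. As an added example, not code from the talk, here is that analysis over a constructed credential set that mimics the pattern; the handles and passwords are placeholders, not the thief's, and the keypad adjacency table assumes the standard 7-8-9 / 4-5-6 / 1-2-3 / 0 layout.

```python
"""Password-habit analysis: reuse across services, birth-year suffixes and
numeric-keypad 'twiddle' variants. The credential set is constructed for this
example and is not the data from the talk."""
import re
from collections import Counter, defaultdict
from itertools import combinations

SAMPLE_CREDENTIALS = [
    # (service, username, password) -- constructed placeholders
    ("gmail",    "jdoe.mail@example.com", "doe85"),
    ("facebook", "jdoe85@example.com",    "doe85"),
    ("yahoo",    "jdoe85",                "doe85"),
    ("forum-a",  "flyjdoe85",             "doe85"),
    ("forum-b",  "1flyjdoe",              "doe85"),
    ("ebay",     "jdoe1985",              "doe52"),
]

# Two- or four-digit runs not glued to other digits: "85" in "jdoe85", "1985" in "jdoe1985".
YEAR_RE = re.compile(r"(?<!\d)(19\d\d|20\d\d|\d\d)(?!\d)")

# Neighbouring keys on a numeric keypad (assumed layout: 7 8 9 / 4 5 6 / 1 2 3 / 0).
KEYPAD_ADJ = {
    "7": "845",   "8": "79456",    "9": "865",
    "4": "78512", "5": "78946123", "6": "98523",
    "1": "4520",  "2": "134560",   "3": "2560",
    "0": "123",
}


def reuse_report(creds):
    """Map each password to the services it unlocks; any list longer than one is reuse."""
    by_password = defaultdict(list)
    for service, _user, password in creds:
        by_password[password].append(service)
    return dict(by_password)


def year_candidates(token, two_digit_cutoff=30):
    """Years a username or password suggests; 'nn' reads as 19nn at/above the cutoff, else 20nn."""
    years = []
    for digits in YEAR_RE.findall(token):
        n = int(digits)
        if len(digits) == 4:
            years.append(n)
        else:
            years.append(1900 + n if n >= two_digit_cutoff else 2000 + n)
    return years


def infer_birth_year(creds):
    """The year voted for most often across every username and password, with its vote count."""
    votes = Counter()
    for _service, user, password in creds:
        for token in (user, password):
            votes.update(year_candidates(token))
    if not votes:
        return None
    year, count = votes.most_common(1)[0]
    return year, count


def is_keypad_variant(a, b):
    """True if a and b differ only in digits and every changed digit moved to a neighbouring key."""
    if len(a) != len(b) or a == b:
        return False
    for x, y in zip(a, b):
        if x == y:
            continue
        if not (x.isdigit() and y.isdigit() and y in KEYPAD_ADJ.get(x, "")):
            return False
    return True


def keypad_variants(creds):
    """Pairs of distinct passwords in the set that are keypad twiddles of each other."""
    passwords = sorted({p for _s, _u, p in creds})
    return [(a, b) for a, b in combinations(passwords, 2) if is_keypad_variant(a, b)]


if __name__ == "__main__":
    for password, services in reuse_report(SAMPLE_CREDENTIALS).items():
        print(f"{password!r} unlocks {len(services)} service(s): {', '.join(services)}")
    print("likely birth year:", infer_birth_year(SAMPLE_CREDENTIALS))
    print("keypad variants:  ", keypad_variants(SAMPLE_CREDENTIALS))
```

The year vote deliberately counts every occurrence rather than distinct values: a suffix repeated across five accounts is far stronger evidence than one stray number, which is the same reasoning the talk applies to the eBay handle.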

So, what we have at this point is the name, and an address, and a birthday, but still not the street number. I kind of need that to send the cops around. Oh wait, some recent PayPal receipts (see left-hand image below).

PayPal receipt says a lot

Credit card account login page

Credit card client info

And, you know, I don’t want to send the police on a wild goose chase, I need some confirmation here. So I happen to be watching him logging in to his credit card account, over VNC one day. And isn’t it a good thing that his bank’s security is strong and he’s got this image identifier that’s protecting him from phishing attacks? (See middle image above) Doesn’t it make us all feel warm and fuzzy?

But there we are, logged in, there’s the address (right-hand image above). That goes off to the police. But while the police are doing their work, let’s take a closer look at this guy, let’s get to know him a bit. You know, he’s using my computer… Who is Melvin Guzman?

 
Read previous: Pwned by the Owner 2: Tracking Down the Thief’s Whereabouts
Read next: Pwned by the Owner 4: Lessons Learned
