Here’s my real-life story of how data retention can save your property and help put a criminal behind bars. I’ll include some tips on how you can protect your home and your possessions via good data practices, like I did. Here’s how the story unfolded.
To provide my large family more living space, I had converted our garage into a TV room. At around 5:15 am Wednesday morning, February 22nd, I awoke to the sound of a light rustling in that room. Oftentimes, my older boys stay up way too late, and I figured it was probably them just putting things away before turning in. However, it seemed to be going on longer than necessary, so I decided to investigate.
As I approached the main garage entrance, I was able to see a figure rapidly disconnecting cables in the area of our TV console. The exterior side door to the garage was wide open, as was the side gate. The intruder did not see me approach as I stealthily came up from behind. At this moment, I knew exactly what was happening. As quickly and as quietly as I could, I went back for my Glock.
Years of outdoor experience have taught me that any beast, wild or domesticated, will fall back into a “fight-or-flight” response when cornered. The home intruder had an open path to escape, so I was betting he’d opt for “flight”, but I wanted to be sure I was prepared for a fight. (After all, that’s my long-cherished Scout Motto: be prepared.)
Upon grabbing my pistol, I crept back into the middle of the hallway near the light switch and verified that no one was in the kitchen. I pulled the slide on my Glock, letting it snap back as loudly as possible, and then hit the light switch while yelling out “OK, YOU BETTER VACATE!”
At this point, I imagine that the burglar probably sh*t himself. Since I was only slightly out of view, he knew the general direction of my voice and had to know it was the opposite side of his obvious exit. Exit he did, with my Xbox in hand, shutting the door behind him.
I proceeded forward, cleared the garage and then cautiously went out the door to clear the backyard. Finally, I cleared the path out to the street. That’s when I suddenly realized that I was standing on the corner of my property wearing only my underwear. I yelled out, “I’m going to find you!”, and proceeded back into the house to throw on some clothes.
By this time, my wife had already called 911, and the police were on their way.
When the officer arrived and proceeded to fill out the report, another unfortunate problem came up: I hadn’t kept the serial number for the Xbox. So, I figured it was gone.
That afternoon, I called Microsoft and they agreed to monitor my son’s Xbox Live account for any activity from an unknown IP address. I have static IPs, so this seemed promising. If the suspect fired it up with the existing hard drive intact, it would log in automatically to the last-used Live account. Microsoft gave me a telephone number to their legal department and a confirmation number, which I subsequently gave to the investigating officer.
Since I was now presuming the Xbox a total loss, I purchased a new one the next day, as I wanted the impact to be minimal on my youngest son. Life moved on, until 12:30 am on Feb 27th, when I received a call from the investigating officer informing me that they had detained a suspect and that there was an Xbox that might be mine. As I stated previously, I didn’t have a serial number. So, it seemed as though there would be no way to prove that the Xbox in question was indeed mine.
This is where years of running my own Linux server paid off. My server runs a DHCP daemon that serves up IP addresses for all the devices in my house. The officer brought the Xbox to my house, where we plugged it into my network and anxiously waited for it to request an IP. In addition to that, my son John checked the controllers to see if one of them would pair automatically; it did.
This was great and we were now waiting to put the last nail in the coffin. Then, we got it…
Feb 21 10:25:39 rosebud dhcpd: DHCPREQUEST for 192.168.1.193 (192.168.1.1) from 00:25:ae:16:56:5c via eth1
Feb 27 00:58:41 rosebud dhcpd: DHCPREQUEST for 192.168.1.193 (192.168.1.1) from 00:25:ae:16:56:5c via eth1
The MAC address (Media Access Control address) that appeared in the new DHCP request was the same as the one in the old log files from my router. I now had proof that this was, indeed, my Xbox!
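As an added example (not code from the original post), here is a small Python script that does by program what the check above did by eye: it parses dhcpd DHCPREQUEST syslog lines, builds a MAC-to-IP history from the retained pre-theft log, and reports whether a newly observed request comes from a MAC already on record. The retained log is constructed from the post’s Feb 21 line plus one unrelated device; the hostname rosebud and interface eth1 are taken from the post.

```python
import re
from collections import defaultdict

# Matches a dhcpd DHCPREQUEST line as written to syslog.
# Groups: syslog timestamp (no year), host, requested IP, server IP, client MAC, interface.
DHCPREQUEST_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dhcpd: "
    r"DHCPREQUEST for (?P<ip>[\d.]+) \((?P<server>[\d.]+)\) "
    r"from (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) via (?P<iface>\S+)$"
)

# Constructed sample of the retained (pre-theft) log: the post's Feb 21 line
# plus one unrelated device so the lookup has something to discriminate.
RETAINED_LOG = """\
Feb 21 10:25:39 rosebud dhcpd: DHCPREQUEST for 192.168.1.193 (192.168.1.1) from 00:25:ae:16:56:5c via eth1
Feb 21 11:02:10 rosebud dhcpd: DHCPREQUEST for 192.168.1.120 (192.168.1.1) from 00:11:22:33:44:55 via eth1
"""

# The request seen when the recovered console was plugged back in (the post's Feb 27 line).
RECOVERED_LINE = "Feb 27 00:58:41 rosebud dhcpd: DHCPREQUEST for 192.168.1.193 (192.168.1.1) from 00:25:ae:16:56:5c via eth1"


def parse_requests(text):
    """Return one dict per DHCPREQUEST line; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DHCPREQUEST_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()  # normalise case so aa:bb == AA:BB
            out.append(rec)
    return out


def mac_history(requests):
    """Map each client MAC to the ordered list of (timestamp, ip) it requested."""
    hist = defaultdict(list)
    for r in requests:
        hist[r["mac"]].append((r["ts"], r["ip"]))
    return dict(hist)


def match_recovered_device(history, new_request_line):
    """Look up a freshly observed DHCPREQUEST in the retained history.
    Returns the prior sightings of that MAC, or an empty list if never seen."""
    parsed = parse_requests(new_request_line)
    if not parsed:
        raise ValueError("not a dhcpd DHCPREQUEST line")
    return history.get(parsed[0]["mac"], [])
```

A non-empty result ties the recovered console to a lease recorded before the theft, which is exactly the evidence the officer needed; an empty result means the MAC was never seen on this network.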
I informed the officer that the MAC address is a globally unique identifier for network interfaces, a portion of which is controlled by the IEEE Registration Authority and assigned to individual organizations, and while it can be spoofed in the Xbox console, this one is flashed directly onto the Ethernet card itself. Additionally, I was more than willing to testify as an expert witness, but any network-savvy individual would know this is the case.
I was very impressed with the SJPD as they kept on top of this case to the end and were very open to any new means of solving the case. I’m not sure how they found this person and what led them to believe the Xbox was mine. When they are done with the investigation I’m sure all the facts will be known. But I am extremely happy with how they proceeded and that they didn’t hesitate to call me even though it was so late.
In the end, there are many morals to this story, chief among them being the importance of data retention. This is a principle I’ve upheld for many years, though I failed miserably when it came to logging my serial numbers. Fortunately, my sense of “best practices” still kicked in on log retention. Over the years, this commitment to data retention has really paid off. I’ve even been called to pull up logs from previous companies in order to defend patented work, years after the work had been completed.
Fortunately, this kind of data retention is not a very costly investment. Even if you don’t have an expensive dedicated router right now, there are low cost routers that you can purchase that support logging to a file or even to a syslog daemon via UDP. So, whether you have a large or small budget, proper logging is within everyone’s reach.
Over the weekend, I installed additional motion sensing lights and, using my BlackBerry, took pictures of all the serial numbers on devices around the house. That is the easiest method to capture them for tracking. Grab them with your camera phone and email them to yourself.
Finally, I reminded my family to be sure to lock the door after letting the dog out.
Chalk one up for the good guys!
As a method for identifying networked devices at home, it might be useful to go one step further and push logs to the cloud in case someone steals your router and server. I’ll have to look into that.
I wonder if Microsoft or the police used IP Geolocation to find the criminal. The criminal would have to have logged in to the account, and Microsoft would have had to track it by MAC address or another identifier.
Previously I worked for Quova (now Neustar) who routinely provided such data to authorities in the US and UK, for example, http://www.quova.com/downloads/cs-d-and-c-1109.pdf
Off-site data retention is always a good idea, as well as pictures or video of all expensive equipment and serial no.’s that can be given to police and/or insurance companies. There is, however, a bigger lesson here... Training. If you are not prepared to deal with a home invasion robbery should it get ugly, then all you can do is call the police and pray that the illegal incursion does not go deeper into the house before the authorities arrive. Being trained to handle the situation himself is what sets this writer apart from many, many others in our society. Be prepared. A good lesson.
Thankfully, this event was captured by a passer-by and we have photographic evidence: http://i.imgur.com/3AGKv.jpg
Sometimes street view can be a real PITA :\
Especially for the guys driving the street view van.
Ha ha ha ha ha ha ha!!!