Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Stolen Laptop Recovery via OSX Trap Partition

My Macbook Air has 2 partitions, one that is my normal everyday partition that is encrypted with FileVault2, and a 2nd partition that has Prey http://preyproject.com/ installed and ready to set my Mac as stolen as soon as it is connected to the Internet. It also has the Administrator account hidden and limits what the Standard account can do. If Safari is launched, it will also connect to Facebook, gMail, Yahoo, and Twitter to entice the user to log into these services. I have it setup like this so that I have a better chance of recovering it from theft. This post is going to walk you though setting up your own Mac laptop similar to mine.

This will work on all Intel Macs but works best with the newer models that don't allow you to reset the Open Firmware password by changing the amount of ram in the system or with a bootup disk, without knowing the original firmware. Any Mac that is a MacBook Air (Late 2010), MacBook Pro (Early 2011), and iMac (Mid 2011) and up will be work. Really any MacBook made during 2011 should also be this way but I can't find a source. Be sure to remember whatever password you set, as the only way to remove or change it on newer systems is by taking it to an Apple store.

You want to first start by dividing your disk into 2 partitions. You can use this with the "Disk Utility" program in OSX. Just click the hard drive listed in the left side panel, and then select partition. From there you can resize the current partition. Make sure to make the new one around 16GBs for now. We will resize it later to around 5gb.

Next, you'll need to create a Lion USB recovery stick. Download the Lion Recovery Disk Assistant over at http://support.apple.com/kb/DL1433. Once that is installed it will require a 4GB USB stick to turn into a bootable install stick. Once it is completed, shutdown the Mac, hold down the Option key and turn the system back on. Select the Lion USB stick and start the installation on the newly created partition.

Also be sure to set your Open Firmware password when you are at the Lion installation screen. At the Welcome screen choose "Firmware Password Utility" from the "Utilities" menu and proceed as directed. After that continue the installation as described.

After you have installed the trap OS, boot into that partition and login as the user that you created when you installed Lion. You should now create a new user named "Apple" or whatever you want to be a Standard user, this will be the account that the computer will automatically log into. The next account you want to create is your hidden Administrator. You will need to open up the Terminal application for this and then run the following commands.

sudo dscl . create /Groups/YOUR_NEW_USER_NAME
sudo dscl . create /Groups/YOUR_NEW_USER_NAME PrimaryGroupID 400
sudo dscl . create /Users/YOUR_NEW_USER_NAME PrimaryGroupID 400
sudo dscl . create /Users/YOUR_NEW_USER_NAME UniqueID 400
sudo dscl . create /Users/YOUR_NEW_USER_NAME UserShell /bin/bash
sudo dscl . append /Groups/YOUR_NEW_USER_NAME GroupMembership 400
sudo dscl . append /Groups/admin GroupMembership YOUR_NEW_USER_NAME
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array YOUR_NEW_USER_NAME sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE

Be sure to change YOUR_NEW_USER_NAME and YOUR_USER_PASSWORD with the username and password you want to use. The above commands are doing exactly what the Users & Groups preference in the System Preferences is doing, except we are not creating a Home Directory, and we are manually setting the Group and User ID to 400. Then we enable a setting in OS X that hides users that have an ID lower than 500. This will prevent the user from being listed in most GUI locations and will make it harder for your account username to be located.

Now with that account created you want to go into the Users & Group panel, and click Login Options. Turn on automatic login and select it to log into your trap user account,"Apple" in my example. Logout and login as your fake user. Go back to the Login Options and click the lock if it is in the lock position and then use your hidden account username and password to remove your original Administrator account. After that is completed, click the lock again to make sure it's in the locked position.

With the users taken care of you want to now go into the Startup Disk in System Preferences, make sure the trap partition is selected and that the lock is again in the locked position. This will prevent the machine from booting into your real partition on startup.

At this point it is time to install Prey. Go ahead and download it while running under your trap account, when it asks for permission to install it, put in your hidden Admin username and password and everything should install.

Now with Prey installed if your laptop does get stolen you'll still need to mark it as such. We are going to setup a LaunchDaemon and create a script so that it does this for us automatically.

Before getting the script ready, we want to get a few things from your OpenPrey account. Your API key found at http://panel.preyproject.com/profile and your DeviceID found after you click your device the URL should be something like "http://panel.preyproject.com/devices/SIBDSD", so in this case your DeviceID would be SIBDSD.

Open Terminal once again, and type "su YOUR_ADMIN_NAME". Once you're logged into your admin user, run "sudo su", this will now have you running as root. Now to create the script, open up your favorite text editor and create a file called "prey.sh" at "/usr/bin/".

Be sure to change the API and DEVICE ID with yours.

<--Copy after this for /usr/bin/prey.sh contents-->

API_KEY="DF2323"; //replace this with yours
DEVICE_ID="SIBDSD"; //replace this with yours
curl --user $API_KEY:x "http://control.preyproject.com/devices/$DEVICE_ID.xml" -X PUT -d "device[missing]=1";

<--Copy before this for /usr/bin/prey.sh contents-->

Make sure to make the script executable. Now the last thing to do is to create the LaunchDaemon and have that run automatically on startup.

Creating the LaunchDaemon, I named mine "com.jaku.prey.plist" but you could have "jaku" replaced with pretty much anything. So let's open up your text editor one more time and create the file "com.jaku.prey.plist" at "/Library/LaunchDaemons/" or whatever you called it, just be sure to replace jaku in the text below as well.

<--Copy after this for /Library/LaunchDaemons/com.jaku.prey.plist contents-->

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

<--Copy before this for /Library/LaunchDaemons/com.jaku.prey.plist contents-->

Once you are all done with that you'll need to register the LaunchDaemon with this command "launchctl load /Library/LaunchDaemons/com.jaku.prey". From now on, when the system starts up the script will run every 5 minutes and try to make the laptop as stolen on OpenPrey. You could change the "StartInterval" amount in the LaunchDaemon to a higher or lower value if you want.

After this run the following command a few times, "history -c && exit" basically run it until you are logged out of your terminal. This will wipe all the commands from history that you just ran so that no one can figure out what you just did.

You are almost done now! Just a few last things and you're all set.

Now let's log into your original partition, you will need to hold down the "Option" key on startup to choose your original partition, and it will ask for the Open Firmware password you set earlier. Once you are in your original partition, go into System Preferences and click "Startup Disk", like before you may have to unlock it but make sure that the disk selected is the trap partition. After that we can now go back into the "Disk Utility" program and resize the trap partition to a smaller partition. Once it is resized you can now (re)enable FileVault2 on your original partition.

The only thing left to do after this is to test the machine, make sure that when it first boots up it always logs into the trap partition and that for you to get into the real one you need to hold down the Option key and type in your firmware password followed by your FileVault password.

That is about it for now. If you have any comments or questions be sure to let me know by commenting below. Thanks!