LAUSD Uses Secret Weapon in Laptop Theft Recovery
- By Dian Schaffhauser
Laptop theft in schools is rampant. The Racine Unified School District in Wisconsin reported dozens of computers stolen from its schools this fall. In Northern California, three custodians were arrested in connection with a series of thefts at the Oakland Unified School District, involving computers and other electronics. A library aide for the Del Olmo Elementary School in Los Angeles was arrested in September for the theft of five computers at her school.
So when staff at a middle school in the Los Angeles Unified School District (LAUSD) discovered the disappearance of 32 notebook computers in early October, it didn't generate much attention. That wasn't because the school doesn't care about the loss. It was simply because the district has an efficient process in place to follow for reporting the missing equipment, including the use of a secret weapon to help in its recovery.
A Secret Weapon in Laptop Recovery
According to Joe Oliver, director of instructional technology for LAUSD, when a computer is stolen in the district, the school files a report with instructional support services, as well as with the district's own police department. That department acts as a liaison with the city police department to file a report; plus, it puts into action its secret weapon: Absolute Software's Computrace.
When a school or district purchases a license for Computrace, it activates a hibernating agent already embedded into the computer's BIOS. According to David Hawks, business development manager for the education industry division of Absolute, about 70 million notebook computers have the agent in the BIOS, including laptops from Dell, HP, Lenovo, Toshiba, and several other manufacturers.
The agent contacts the Absolute data center to say it's activated, and it creates a small application on the machine's hard drive, explained Hawks. From that point forward, every 24.5 hours, the application sends a small update to the data center, to maintain a current profile of hardware, software, and licensing for the computer, including the IP address that's being used to send the update from. When a theft of a particular computer is reported, he said, a flag goes up in the system that the computer has been stolen. The next time contact is made with the data center through the Internet, the computer is told, "instead of every 24.5 hours, we want you to report back every 15 minutes."
The data center uses a set of forensic tools to begin recording historical data, including IP address information and keystroke logging. Unless the user is sophisticated enough to use an IP address anonymizer, that IP address can be used to track the computer to a specific Internet service provider. Absolute's recovery services team, made up of retired and former police officers, works with local law enforcement agents to accumulate the facts necessary to obtain a subpoena. That, in turn, can be used to find out from an ISP what customer is using a particular IP address and where that Internet access is originating from.
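The check-in schedule and IP history described above can be modeled from the data-center side, as in this added example (not Absolute's code and not part of the original article). The class and method names, the one-hour grace period, and the sample serials and addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

NORMAL_INTERVAL = timedelta(hours=24, minutes=30)  # "every 24.5 hours"
STOLEN_INTERVAL = timedelta(minutes=15)            # "report back every 15 minutes"

@dataclass
class Device:
    stolen: bool = False
    interval: timedelta = NORMAL_INTERVAL  # schedule the agent was last given
    last_seen: Optional[datetime] = None
    ip_history: list = field(default_factory=list)  # (time, ip) once flagged

class DataCenter:
    """Hypothetical model of the data-center side of the check-in."""
    def __init__(self):
        self.devices = {}

    def report_stolen(self, serial):
        # Only raises the flag; the agent hears about it at its next contact.
        self.devices[serial].stolen = True

    def check_in(self, serial, ip, when):
        dev = self.devices.setdefault(serial, Device())
        dev.last_seen = when
        if dev.stolen:
            dev.ip_history.append((when, ip))
        dev.interval = STOLEN_INTERVAL if dev.stolen else NORMAL_INTERVAL
        return dev.interval  # sent back to the agent as its new schedule

    def overdue(self, now, grace=timedelta(hours=1)):
        # Devices that missed their expected contact (grace is an assumption).
        return sorted(s for s, d in self.devices.items()
                      if d.last_seen and now - d.last_seen > d.interval + grace)

    def distinct_ips(self, serial):
        # Source addresses in first-seen order, the starting point for an ISP lookup.
        return list(dict.fromkeys(ip for _, ip in self.devices[serial].ip_history))

def run_demo():
    # Constructed sample data: serials are made up, IPs are documentation ranges.
    dc, t0 = DataCenter(), datetime(2024, 1, 1, 8, 0)
    first = dc.check_in("LAP-001", "192.0.2.10", t0)
    dc.check_in("LAP-002", "192.0.2.11", t0)
    dc.report_stolen("LAP-001")
    t1 = t0 + first  # next scheduled contact, 24.5 hours later
    after = dc.check_in("LAP-001", "198.51.100.7", t1)
    dc.check_in("LAP-001", "198.51.100.7", t1 + after)
    dc.check_in("LAP-001", "203.0.113.5", t1 + 2 * after)
    return first, after, dc.distinct_ips("LAP-001"), dc.overdue(t0 + timedelta(hours=26))
```

The model also shows why reporting speed matters: a stolen machine keeps its 24.5-hour schedule until its first contact after the flag is raised, and a machine that stops calling in altogether surfaces only as overdue.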
In the case of the October theft at LAUSD, the investigation led to the residence of a woman who was found in possession of one of the stolen computers. She confessed to police that her boyfriend had given it to her. That resulted in a sting operation, in which the Los Angeles Police Department recovered an additional 12 laptops. Upon making bail, the boyfriend led police to an additional 11 computers, as well as a school projector, microscope, and entomology kit. Three suspects were arrested, and the investigation continues.
When a computer theft is solved, frequently, so are other cases. As Hawks pointed out, "Usually, the bad guy is doing a lot of other crimes besides just stealing a laptop."
By virtue of the technology being embedded in the BIOS of the computer, local persistence remains, explained Hawks. A thief can "reimage the machine; they can rip out the hard drive. But the agent can heal itself on any hard drive that's put in there." If the hard drive from the stolen computer is placed into a different notebook, "then we have two computers calling into the center," he said.
Eventually, Hawks predicted, computers will include some form of GPS technology that will aid in equipment recovery. Absolute's software already encompasses the capability of working with computers that provide GPS capabilities, such as those that include the Qualcomm Gobi chipset. "With these 3G chips being embedded on the motherboard, it allows us to wake up the PC and track that machine using GPS triangulation," he said. But first, he added, "It has to become pervasive, like WiFi is now."
Embedded into the BIOS, Embedded into the Deal
LAUSD has been using Computrace since 2002. Just a year earlier the district had received a sizable federal grant to put laptops into a large number of classrooms. "At that point we were dealing with 88 classrooms, 20 laptops per classroom, about 1,600 to 1,700 laptops," said Oliver. "We knew that laptops were--for better or worse--going to be targeted by a number of people who didn't necessarily have the best of intentions. We also knew there were a few pieces of technology that would help us to track and make better use of our technology dollars in getting some type of asset tracking."
The district wrote the use of tracking technology into the request for proposal that vendors had to include as part of their package to win the bid. The Absolute solution was suggested by the vendors. "There was nothing tricky about deploying [Computrace]," said Oliver. "The laptops arrived with the software embedded."
Now, he said, when a school or other entity purchases a computer, it comes with the software loaded.
The same agent can be used not only for theft recovery, but also for asset tracking and remote deletion. Absolute's Hawks said that some districts have misplaced computers and used the technology to track them down. If a computer can't be recovered quickly, the remote deletion function allows for all selected data on the machine to be deleted the next time contact is made with the data center. IT administrators can access those profiles from a browser to view assets and generate reports.
The Absolute approach isn't failsafe. "In some cases we've been very successful and been able to get all of [the computers]," said LAUSD's Oliver. "In some cases we haven't been able to."
But he has noticed a pattern. "It's kind of like stroke victims. The quicker they get to the hospital, the better the chances of their survival." Thus, he advised, "In terms of being able to recover computers, the shorter the period between the police being able to get the report and the system being activated, the better."