Police found & returned my stolen laptop reformatted by thief. Can installation logs help locate the thief?

Three weeks ago my laptop was stolen from campus. I immediately reported it to police and on manufacturer's website. A couple of days ago a man called the manufacturer and said he bought a second-hand laptop on the web and wanted to check the warranty through the serial number. The manufacturer saw it was stolen, and the police contacted the poor buyer and took the laptop from him and returned it to me.

The police told me they would try and locate the thief from the buyer's description; however, they just returned the laptop to me without even looking it over!

I turned it on to see the thief reinstalled Windows (Windows 7 Professional) before selling it.
I'm positive there must be clues in the system as to who reinstalled, like perhaps an IP address where the installation took place etc', or perhaps licenses of reinstalled software that could give me clues as to the thief's identity.

Questions:

Where in the logs can I find details as to where the computer first connected to the web after installation?
Where do I find information as to the product keys\licenses of the installed windows and office?
Any other ideas as to how I could trace the SOB (who also probably stole another computer a week before)?

Eli

Posted 2012-01-12T15:15:40.010

Reputation: 81

5I'm no lawyer, but since the laptop is now in your possession, the chain of custody for the evidence has been broken. Anything you do find likely isn't admissible as evidence. However, it would still be interesting to see how much you can find out. – daxlerod – 2012-01-12T17:51:58.910

1@daxlerod Thanks for commenting. I'm not residing in the US, and don't know if the law regarding evidence is the same in my country. In any case, I was hoping to give the police a lead, not evidence. I could tell that they were happy enough to return the laptop and were not to keen on pursuing the matter. Perhaps if I give them a good lead, they will get back on this. – Eli – 2012-01-12T18:21:43.180

Answers

When Windows receives an IP via DHCP, as far as I know, it is not recorded anywhere. It has a somewhat low chance of helping you as most residental connections are behind NAT, in such case all you would find is a private IP address.

If the thief joined a wireless network, perhaps it is still in the Network and Sharing center.

The Windows installation process does not go online except when applying Windows updates. The "Network Location Awareness" feature of Windows causes the system to make a DNS query and HTTP connection to msftncsi.com each time the adapter is brought up or down, but the results of this aren't recorded.

If the laptop has all Windows updates, or was ever connected to the Internet, then Microsoft likely has the IP address logged somewhere, but they are unlikely to just hand the information over to you without being compelled by a law enforcement authority.

You may look in the system's Event viewer just in case, but I don't think you will find anything

LawrenceC

Posted 2012-01-12T15:15:40.010

Reputation: 63 487

Sorry to hear that your laptop got stolen

I'm not sure if that log exist
Download License Crawler to find out the Windows license key (which is probably a counterfeit one) http://www.klinzmann.name/files/licensecrawler.zip
The chance of getting that SOB is if you have IP address in question 1, or finger print on your laptop (hopefully he/she didn't wear a glove)

chmod

Posted 2012-01-12T15:15:40.010

Reputation: 2 082

Thanks for your answer. Correct me if I'm wrong, but the software you pointed out collects license keys from the web, but doesn't help me to find the key that is used on my computer. – Eli – 2012-01-12T18:24:38.293

Nop, it search your PC for all license key, including all other software that are installed. – chmod – 2012-01-12T18:49:54.313

You could look for clues as to how the computer was used that might tip you off to who used it. But if all they did was reinstall/reformat, there likely will be few clues to go off of. Clues would include Internet history, any names entered into software packages upon installation (such as the name and initials needed when running Microsoft Office products for the first time).

Dan

Posted 2012-01-12T15:15:40.010

Reputation: 803