Computer Theft and Recovery

What is important to you ?

What are you trying to protect or prevent ?

  1. Prevent your device from being stolen.

    Solution: physical security (locks, cables, lock-box, etc).

  2. Prevent your device from being damaged.

    Most likely threats:
    • Device gets dropped.
    • Spill water or soda on device.
    • Spike or surge through power line.
    • Snag a cable plugged into the device and damage connector.
    • Overheating.

  3. Prevent a thief from reading your data: encryption. (protecting "data at rest")

    Data Encryption solutions:

    • Full-disk encryption (FDE). Either via hardware (built into the hard drive) or software (e.g. BitLocker, VeraCrypt).

    • Encrypted partition that gives a filesystem (e.g. BitLocker, VeraCrypt).

    • Encrypted container / virtual disk (e.g. VeraCrypt).

    • Encrypted directory / folder (e.g. fscrypt).

    • Encrypted archive (e.g. ZIP or RAR).

    • Encrypted file of any type (e.g. encrypted with PGP, AxCrypt).

    • Encrypted app-specific file (e.g. NotepadCrypt, password manager database, encrypted PDF, encrypted MS Office document).

    Full-disk encryption (FDE):

    Either via hardware (built into the hard drive) or software, such as:
    zuluCrypt (Linux-only, but handles BitLocker, VeraCrypt, other volume types)

    Wikipedia's "Comparison of disk encryption software"
    Martin Brinkmann's "List of TrueCrypt encryption alternatives"
    Lifehacker's "How to Encrypt and Hide Your Entire Operating System from Prying Eyes"
    Micah Lee's "Encrypting Your Laptop Like You Mean It"
    Chris Hoffman's "Why a Windows Password Doesn't Protect Your Data"

    EFF's "What Should I Know About Encryption?"

    But from /u/jm9fw on reddit:
    Veracrypt: A note for those doing full disk encryption:

    I've said it here before many times but people just don't get it. I read the forums daily and constantly see people who either can't login to their OS anymore or they just lost everything. After seeing this guy yesterday who said his life was on an encrypted disk and now he can't open it, I decided to post again here. DON'T DO DISK ENCRYPTION. USE A CONTAINER. This poor guy explains what happened and it looks like Windows decided to initialize the drive because it had no standard signature. This isn't a Veracrypt issue, it's a Windows issue and Microsoft has been denying it for more than 10 years. It happened to me twice. There is no way to recover this by restoring a header or anything. There are people here who will say "blah blah you don't know what you are talking about, I don't have a problem." Sure, so go ahead and learn the hard way and ignore the pages of similar complaints in the Veracrypt forum. Of course the people who lost everything didn't have a backup either. It's a terrible thing to lose everything you have and I hate having to see it almost daily. Use containers.
    And from /u/CharredOldOakCask on reddit:
    VeraCrypt system encryption is flawed, and simply not user-friendly enough.

    When Windows upgrades, or the computer unexpectedly shuts down (out of power), my [Veracrypt] boot-loader stops working, and I have to use the recovery USB. This is happening a few times a year now, across multiple computers, and every time I have no clue what the correct menu choice I should use when recovering. And the documentation I was asked to save does not reference the same menu choices which are in the recovery USB. They say similar things, but it is ambiguous which to choose. Googling to find clarity doesn't work either because the instructions there are too generic too. More like what you can do, vs how to do it. It doesn't directly reference the recovery USB menu, even when I specify version number. I'm quite tech-literate, data scientist and programmer by profession, but I'm not a security specialist, nor do I know much about how hardware and how a computer really boots. The recovery USB is full of jargon, with very similar menu options, and even how to get it to run is unclear. On top of this, booting after hibernation literally takes 20 minutes.

    This simply isn't user-friendly enough. I'm going to upgrade Windows from Home to Professional and use Bitlocker. Ultimately the threat vector I'm concerned about is losing my laptop, and some crook reading data off it. If some dedicated attacker (like the government or whatever) is after me, I'm screwed regardless. I'm still going to use the file-based VeraCrypt encryption for extra sensitive data, but whole-disk system encryption doesn't work for me.

    Another downside of FDE using VeraCrypt:
    Every time you attach the disk to Windows, File Explorer will say something like "unrecognized, want me to format this for you ?". If you ever say "yes", it's toast. If you use a container, the outside can be exFAT or NTFS, which Windows will recognize, and it never will suggest formatting it.

    The software approach offers several alternatives and gets a bit confusing; hardware encryption may be faster and OS-independent.

    But hardware encryption is not open-source, you can't verify how good/bad it is, and:
    Dan Goodin's "Western Digital self-encrypting hard drives riddled with security flaws"
    Joseph Cox's "Some Popular 'Self Encrypting' Hard Drives Have Really Bad Encryption"
    Bill Buchanan's "Doh! What, My Encrypted Drive Can Be Unlocked By Anyone?"
    Brendan Hesse's "How to Switch to Software Encryption on Your Vulnerable Solid-State Drive"

    Hardware-encrypted flash drives are available, but again you can't verify the encryption, and probably not cheap:
    FabatHome's "The 8 Best Encrypted Drives of 2018"

    Encrypted container / virtual disk:
    Keep your most critical data in an encrypted container / virtual disk (an encrypted file that looks like a disk drive to the OS), perhaps by using VeraCrypt or something similar.

    Some advantages: you can have multiple containers, of varying sizes, of various filesystem types, portable to other OS's or not, with same or different passwords, back them up on different schedules and/or to different places.

    Encrypted file:
    A more limited solution: keep your most critical data in an encrypted text file (perhaps by using NotepadCrypt or something similar). But it doesn't have to be a text file; you could have an Excel file or Word file or database file.

    BitLocker, 7-Zip, AxCrypt can encrypt individual files or sets of files.

    The strategy I use: full-disk encryption (FDE) using the OS's native encryption, plus encrypted containers for specific data. Have each container open (decrypted, mounted) only when you are actually using that data.


    How-To Geek's "How to Encrypt Your Android Phone and Why You Might Want To"
    Eric Ravenscraft's "The Essential Android Security Features You Should Enable Right Now"

    I encrypted my Android 5 phone via Settings->Security, everything works fine, but it made me change from a 4-numeric PIN to a 6-8-alphanumeric passcode.

    On iPhone, just set a passcode and everything gets encrypted automatically ?

    Apparently, some smartphones must be jail-broken if you want to encrypt just specific folders, not encrypt or password-protect the whole phone.

    Password-lock your device, unless you're using a theft-recovery product that prevents this.

    Most of the theft-recovery products listed on this web page give you a "delete" or "shred" capability: when the thief connects to the internet, a command comes from the central site and all data on the hard disk is deleted. This prevents the thief from reading your data. But it works only if the thief connects to internet before trying to read your data, and if they haven't disabled the theft-recovery software somehow.

    Whitson Gordon's "How to Break Into a Windows PC (and Prevent It from Happening to You)"

  4. Avoid losing your data: backups.

    General, minimal principles:

    • Organize your data and give it good names. If important data is scattered all over your disk and thumb drives etc, and every file is named something like "Document 745", and every folder is named something like "New Folder 271", you are lost.

    • Know what data is important to you and where it is (what device, what folder, on paper, etc).

    • Copy to at least two places, at least one of them off-site. Maybe to an external hard disk and to a cloud service. If you have the space, don't overwrite old backups, just add new copies under a directory with a date-stamp in it.

    • Those backups should be encrypted, so someone can't steal/copy all your data. Or at least encrypt your sensitive files.

    • Keep those backup locations offline (not mounted as disks) during normal use of the computer, so malware can't take out your files on main disk and backup locations at the same time.

    • Keep main data and backups in multiple locations, so a single disaster (fire, flood, theft) can't take out your files on main disk and backup locations at the same time.

    • Do the backups at a frequency that makes sense to you. If you rarely change important files on disk, maybe back up once every month or two. If you're making important changes to only a few files, maybe back up those few files every couple of days. If you're working on some enormous project such as writing a thesis or a book, maybe make special daily backups to multiple locations, and keep multiple versions.

    • Test the backups every now and then. Copy all or a sample of the files to a temp directory on your main disk, and try to open a sample of the files, see if they're okay.

    • Cloud backups are fragile in that the service could go out of business, disable your account, silently stop accepting files when you hit a limit or forget to pay, etc.

    • What can fail, and how would you restore from backups ? Consider scenarios: entire system stolen, system hard disk fails, you delete a bunch of OS files and system won't boot any more, you delete a bunch of your important personal files.

      Lesson I learned when my laptop's charger died:

      Backup disks from my Linux system turned out not to be readable on Win10 systems.

      They are external disks formatted as NTFS, then with a VeraCrypt container file with an ext4 filesystem inside. I was able to decrypt the container with VeraCrypt on Win10 to make local disk N: appear. But then neither Linux Reader nor Ext2Fsd nor Ext2explore on Win10 would recognize the decrypted (ext4) volume presented by VeraCrypt. Filed a bug report with Linux Reader, and within two days they had fixed the issue with their application !

      Looks like I should use exFAT inside (and maybe outside too). Linux kernel 5.4 is first version to officially support exFAT, with additional support coming in 5.6 or 5.7. I'm using 5.4. "sudo apt install exfat-fuse exfat-utils"

      [Attempt 1:]

      To change my backup drive to exFAT, I had to attach it to my Linux system, copy the data to elsewhere (took an hour or more), unmount the drive in file-explorer, use GParted to make one big unformatted partition on the drive, then use Ubuntu "Disks" (AKA gnome-disks) to format the partition to exFAT (edit partition type to set to "NTFS/exFAT/HPFS (0x07)" and Format Partition to Type "Other" and then exFAT). That went quickly. As usual the drive shows up as 1 TB raw and 931 GiB usable (which is 976 GB). (article)

      Copied some files (VeraCrypt apps for Win10 and Linux) to the partition. Then I used VeraCrypt to make an encrypted container filling the rest of the partition's space, formatted as exFAT (specified no files bigger than 4 GB, portable to multiple OS's). That took over 12 hours !

      [Attempt 2:]

      Decided I was making things needlessly complex; started over. Used GParted to leave the drive with no partitions at all. Used VeraCrypt to make an encrypted volume (on the drive /dev/sdb, not a partition /dev/sdb1), formatted as exFAT (specified no files bigger than 4 GB, portable to multiple OS's). Able to select "Quick Format", which means it was created in a matter of seconds. Mounted it through VeraCrypt. Copied my backup data onto the drive, finding that some of my node.js development libraries have symlinks in them, had to "skip all" those. Also ext4 allows chars ':"?*' in filenames but exFAT doesn't, had to fix those. (article) And ext4 supports symlinks, exFAT doesn't. Someone says exFAT doesn't support Linux file permissions, but I don't see how that could be.

      ("sudo blkid" is the best way to see what type a filesystem is. In output of blkid, exFAT displays as 'SEC_TYPE="msdos" TYPE="vfat"'; NTFS displays as 'TYPE="ntfs" PTTYPE="dos"'.)
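The symlink and filename problems hit in Attempt 2 can be found before the copy starts. The following is an added example, not part of the original page: a pre-flight scan of an ext4 source tree. Beyond what the page lists, it assumes the remaining exFAT-forbidden characters (< > | \ and control characters) and flags names that differ only by case, since exFAT is case-insensitive; `exfat_preflight` and `safe_name` are names made up for this example.

```python
import os
import tempfile

# The page reports ':"?*' being rejected; the rest of this set (< > | \ and
# control characters 0x00-0x1F) is the remainder of exFAT's forbidden list.
EXFAT_FORBIDDEN = set('"*:<>?\\|') | {chr(c) for c in range(32)}


def safe_name(name):
    """Suggest an exFAT-safe replacement by swapping forbidden chars for '_'."""
    return "".join("_" if c in EXFAT_FORBIDDEN else c for c in name)


def exfat_preflight(root):
    """Return a list of (kind, relative_path) problems for a copy to exFAT.

    kind is one of: "symlink", "forbidden-char", "case-collision".
    """
    problems = []
    # followlinks=False: symlinked directories are listed but not descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        seen_upper = set()
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                # exFAT has no symlinks; the copy tool will skip or fail on these.
                problems.append(("symlink", rel))
            if set(name) & EXFAT_FORBIDDEN:
                problems.append(("forbidden-char", rel))
            # Approximation of exFAT's up-case table: compare upper-cased names.
            key = name.upper()
            if key in seen_upper:
                problems.append(("case-collision", rel))
            seen_upper.add(key)
    return problems


if __name__ == "__main__":
    # Constructed sample tree, built in a temp directory so the demo runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        proj = os.path.join(tmp, "node_project")
        os.makedirs(proj)
        for fname in ("index.js", "log 10:30.txt", "Readme", "README"):
            open(os.path.join(proj, fname), "w").close()
        os.symlink("index.js", os.path.join(proj, "current"))
        for kind, rel in exfat_preflight(tmp):
            print(f"{kind:15} {rel}  ->  {safe_name(os.path.basename(rel))}")
```

Symlinks need a decision rather than a rename: either skip them knowingly, or pack that tree into an archive before copying it to the exFAT volume.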

      Also, in VeraCrypt click the "Volume Tools ..." button and select "Backup Volume Header ..." and save the backup to somewhere else, with a decent name.

      Don't save recovery codes or backup copies of encryption keys only in the cloud account associated with the device (e.g. saving BitLocker key in Microsoft account). If something goes wrong (account disabled, or device damaged), you may get into a situation where you can't recover.
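One way to combine two of the principles above, date-stamped copies that never overwrite an old backup and periodic testing of the backup, as an added example that is not part of the original page. It assumes the destination is a directory inside an already-mounted encrypted volume; the `MANIFEST.sha256` file name, the `data` subdirectory and the function names are choices made for this example. Because the hashes are stored with the backup, the test still works when the original machine is gone.

```python
import hashlib
import os
import random
import shutil

MANIFEST = "MANIFEST.sha256"  # hypothetical name; format matches sha256sum output


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_backup(source, dest_root, stamp):
    """Copy source to dest_root/<stamp>/data and record hashes of the SOURCE files.

    Raises FileExistsError if that date-stamp already exists, so an older
    backup is never overwritten.
    """
    target = os.path.join(dest_root, stamp)
    os.makedirs(target)  # no exist_ok: refuse to reuse a date-stamp
    lines = []
    for dirpath, _dirs, files in os.walk(source):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlinks carry no content of their own to hash
            lines.append(f"{sha256_file(path)}  {os.path.relpath(path, source)}")
    shutil.copytree(source, os.path.join(target, "data"), symlinks=True)
    with open(os.path.join(target, MANIFEST), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return target


def verify_backup(backup_dir, sample=None):
    """Re-hash all files, or a random sample, of a backup against its manifest."""
    with open(os.path.join(backup_dir, MANIFEST), encoding="utf-8") as f:
        entries = [ln.rstrip("\n").split("  ", 1) for ln in f if ln.strip()]
    if sample is not None and sample < len(entries):
        entries = random.sample(entries, sample)
    report = {"checked": len(entries), "missing": [], "corrupt": []}
    for digest, rel in entries:
        path = os.path.join(backup_dir, "data", rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        try:
            ok = sha256_file(path) == digest
        except OSError:
            ok = False  # unreadable sectors count as corruption
        if not ok:
            report["corrupt"].append(rel)
    return report
```

Run `verify_backup` right after `make_backup` to catch a bad copy, then again with a `sample` on a schedule; opening a few of the files by hand, as suggested above, still checks what a hash cannot, namely that the format is one you can read.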

    Data you could back up:

    • Important files you've created on disk.

    • Application internal files on disk (email data file, browser profile, password manager database, etc).

    • Standard installer for your operating system, on a bootable device.

    • Image of entire disk, including operating system and applications.

    • Data on cloud services (in an email service, in Facebook, in WhatsApp, etc).
      Probably the most critical data to backup is your Contacts/Friends list, so you have it in case you have to create a whole new account. To back up your Facebook Friends list, maybe go to your Friends page and then use a browser add-on such as Link Gopher to capture all the links.

    • Non-digital data: paper records, ID cards, passports, access cards, financial cards, memories, procedures only you know. Digitize it.

    Places to back up to:

    • External encrypted hard disk or flash drive attached through USB.

      Some choices:

      • WD Passport with hardware encryption.
      • WD Passport with software encryption (VeraCrypt).

    • Cloud drive (AKA Cloud Storage; really intended for sharing files among devices).

      Some choices:

    • Cloud backup service.

      Some choices:

      • MEGA
        password discussion
        Apparently you get 50 GB free when you create an account, but then it reverts to 15 GB after a month. If you have uploaded more than 15 GB in that first month, you will get warnings/pleas to upgrade, but the files won't be deleted. You won't be able to update/upload any files until you either upgrade or get back under the 15 GB limit.
        Apparently if you don't log in for 3 months, you will get account-deletion warnings in email. So make sure you keep a valid email address on the account.
        MEGAsync client app has an "Export Recovery Key" feature; what you get looks like a password.

      • Sync

    Ways to manage the backup process:

    • Copy files across manually, using Windows Explorer or similar.

    • Use general-purpose backup software.

    • Use backup software specific to a particular cloud backup service.

    Note that a "sync" feature is not a backup. If something is deleted or corrupted on one end of it, that thing will be deleted or corrupted on the other end too. Usually.
    David Murphy's "Why Did iCloud Delete All of My Photos?"

    /r/techsupport's "backuptools wiki"

    Think about how you would restore to a complete new computer if necessary:

    • Will you have all the login information and encryption keys and digital certificates and license keys you'll need ?

    • You might need a special recovery disk to re-install a complete disk image.

    • You might need to re-install any special drivers.

    • Do you have a list of all the applications you'd need to re-install ?

    • Do you have notes about how to do any tricky things, such as tweak network settings or app settings ?

    How-To Geek's "What's the Best Way to Back Up My Computer?"
    Eric Griffith's "The Beginner's Guide to PC Backup"

    Maybe clean out temp files or cache files or crash dumps before doing a backup.
    See "Clean up space on disk" section of my Using Linux page.

  5. Avoid post-theft losses.

    If your device contains account and password info, identity info, info about your family and friends, then after a theft you'd have to take steps to avoid further damage. You'd have to change passwords, put out monitoring or alerts to prevent identity theft, contact other people at risk, etc. What else is on the stolen device ? Apps with registration codes or passwords stored in them, email in-box with account and password data, bookmarks ditto, cookies, any data files you use to record accounts and passwords, any BAT or CMD files with account/password in them.

    Perhaps now, before any theft, you should evaluate your device. Does it contain sensitive data that really doesn't need to be on there ? Or should that data be encrypted ? Does the browser contain cookies that will give instant access to your email and Facebook accounts ?

    [Same with your wallet or purse. Does it contain sensitive data or cards that really don't need to be in there ?]

    After a phone or smart-phone is stolen, if you don't want to try theft-recovery, immediately report the theft to your carrier, to avoid huge call charges. Do it immediately; you are liable for calls made until the time you report the theft, and some gangs will make thousands of dollars of calls as quickly as they can after stealing the phone. Double-check with your carrier to make sure they received and recorded the report of the theft; probably a good idea to call them again and confirm it (article). Maybe report it online, and then call to confirm ? Ask them to send an email confirmation to you. A handset PIN doesn't protect you if the thief moves the SIM to another device.

  6. Get your device back.

    Solutions: etch your contact info onto the case of the device, inside and outside. Use the theft-recovery software listed on this web page. Keep a record of make, model, color, and serial numbers. Probably a good idea to have digital pictures of the device, front and back, to give to police.

    Display your contact info on the lock screen or login screen or physical label, so if a Good Samaritan finds your device, they can return it to you.

    After a theft, report the theft to police, and report the theft to the manufacturer or carrier (they'll probably require a copy of the police report). Maybe report it to online databases, such as Put up fliers in the area where it was stolen, offering a reward for return ? Look for it on Craigslist or EBay, maybe in the section for your local area.

Also: the "devices" you need to protect include your computers, tablets, phones and any backup media (external disks, tapes, flash drives, hard copies).

Mobile phone security

[Do I have this right ?]

Three things to protect: your data, your device, and access to the service (ability of thief to make calls and run up bills on your account).
  1. Data:

  2. Device:

    Having a passcode/PIN set prevents thief from using your phone, even with another SIM inserted.

    [But is there a hardware reset that wipes everything and sets back to defaults ?]

    Reporting your phone as stolen can prevent a thief or purchaser from ever enabling service on that phone again; the service provider may look up the IMEI to see if the phone is listed as stolen.

  3. Service:

Adopt some practices from the business world


Products to track and maybe disable a stolen device.

All of these products work by your computer sending "here I am" messages over the internet to a central site. But if the thief breaks up your computer to sell for parts, or uses it but never connects to the internet, the product won't work.

One note: if someone (a hacker or ex-spouse) finds out your theft-recovery password, they might be able to tell the software to delete all of your data, even though your device hasn't been stolen !

Password / login issues

All of these theft-recovery products work by your computer sending "here I am" messages over the internet to a central site. But a computer running Windows 7 Home can't access the internet until the user has logged in to Windows. So the thief has to be able to get past the BIOS/firmware password prompt and the Windows password prompt.

There are three ways this could happen:
1- you always use your laptop with no passwords set, or
2- you have passwords set, but the thief resets the BIOS password and OS password (it can be done), and then logs in, or
3- you have passwords set, but the thief resets the BIOS password (it can be done), reformats the hard disk, installs a new OS, and then logs in.

In case (1) or (2), obviously a thief or casual snoop can log in right away, and read all of your files. Unacceptable.

Under Windows 7 Home Premium, there is no way to have a Guest account that can log in but then be unable to read files.

In case (3), a few of these theft-recovery products can survive the reformat/re-install and be capable of reporting their location when the thief eventually logs in and connects to the internet.

Case (2) or (3) represents a sophisticated thief; they could just pull out the hard disk and attach it to another PC, so they could read your files that way. Unless you're using some special full-disk-encryption product.

And case (2) or (3), the sophisticated thief, probably would be aware of the existence of theft-recovery products.

So it seems to me that this is a Catch-22 situation: these theft-recovery products work best in case (1), but that's the case where you've left your data most vulnerable to a naive thief or casual snoop. And in case (2) or (3), nothing protects you very much from a sophisticated thief.

I believe Linux and Mac systems are slightly better than Windows in that: once the OS password prompt is displayed, the machine can connect to the internet, even though the thief hasn't logged in to the OS. The thief would still have to get past the BIOS password to get to this point. So for Linux and Mac, if you set no BIOS password but do have an OS password, the laptop might report its location while the thief is sitting there trying to guess your OS password.

Recovery issues

What "location" information do you get once the thief has logged in and connected to the internet ?

You'd get the IP address. Maybe also the Wi-Fi or Ethernet network name ? If your stolen device had a GPS in it, you could get latitude/longitude. If your stolen device connects via cellular data-modem, you could get approximate latitude/longitude. Software could use the list of visible Wi-Fi networks to calculate approximate latitude/longitude.

From the IP address, you could find the ISP's info, and contact them.

If the IP address is specific to a person or house, the identity of the thief is fairly clear.

But if the IP address maps to a public Wi-Fi spot (such as provided by a school or library or McDonald's or Starbucks), or a private house that's running an open Wi-Fi signal, the identity of the thief is unclear.

Most products can use the laptop's webcam to take a picture of the thief, which helps.

The companies selling the commercial theft-recovery products may assist in the tracking and recovery process, helping you follow the IP address, contact law-enforcement, etc.

Some users who had devices stolen report great cooperation from law-enforcement in recovering their property; others report that police were uninterested in helping them. Probably varies from town to town and country to country, and also depends on how much info you can give to the police.

Whitson Gordon's "Can I Track My Laptop or Smartphone After It's Been Stolen?"
Lincoln Spector's "Protect your Android phone from loss or theft"


Fabian Nunez's "How to avoid buying a stolen laptop"
Stolen Phone Checker
Max Eddy's "What To Do When Your iPhone is Stolen"

Neil J. Rubenking's "What to Do When You've Been Hacked"
Lincoln Spector's "You've fallen for a scam! Now what?"
Patrick Allan's "What to Do When Someone Gets Unauthorized Access to Your Computer"
NCCIC's "So You Think You've Been Compromised ..." (PDF)

Nicholas Tufnell's "Naked selfies extracted from 'factory reset' phones"

Melanie Pinola's "What Should I Do If My Credit Card Gets Hacked?"
Alan Henry's "What To Do If Your Social Security Number Has Been Stolen in a Hack"
FTC's "" (what to do in case of identity theft)

My "Computer Security and Privacy" page
