thats pretty much the idea. there are a lot of online services that keep access logs of all your comings and goings well enough to be used as a starting point to tracking the source of the logins. gmail for example keeps ip logs of your logins like this:
Access Type [ ? ]
(Browser, mobile, POP3, etc.) Location (IP address) [ ? ] Date/Time
(Displayed in your time zone)
Browser * United States (MO) (188.8.131.52) 12:32 am (0 minutes ago)
Browser * United States (MO) (184.108.40.206) 8:46 pm (3.5 hours ago)
Browser * United States (MO) (220.127.116.11) 2:32 pm (10 hours ago)
Browser * United States (MO) (18.104.22.168) 12:06 pm (13.5 hours ago)
Ive seen it used twice successfully.
once by getting ID location information from a chat client app that started/minimized to system tray when the system started. it automatically logged into the chat service and the techie contacted the chat provider (who helped him trace back to the isp) and then the isp (who gave up the location of the connection)
for number 2 the owner had a gmail account, was set to stay logged into gmail, homepage was http://www.google.com
, which meant unless the thief data purged, if he connected to the net on that laptop google would update the activity log (which stamps to a file (among other things) the internet ip address of the connection. with all of that info plus the windows username and password for the machine he was able to remote access the computer a couple days later and got the thiefs identity because he had logged into his facebook account so he was able to read all of the guys vital information right off of his profile page.