Countering tracking applications and securing digital evidence


The seizure of mobile phones and other digital devices by Law Enforcement Organisations is increasing.

Failing to isolate a wireless-capable device increases the risk that critical evidence will be lost and introduces the potential for criminals to track the location of law enforcement officers, vehicles and sensitive sites.

The data contained in these seized digital devices is now one of the most important factors in capturing the critical evidence that ultimately secures a conviction.

Evidence handling procedures for seized digital devices advise that seizure is best carried out by a forensic specialist; however, in most cases investigators and police officers are required to secure phones and computers without this support.

This white paper will show that there is a compelling case for all investigators and police officers to have immediate access to faraday bags whilst on duty, to ensure the security of digital evidence and to prevent a seized device from transmitting its location.

Contents of the White Paper

  • Definitions used in this white paper
  • Potential pitfalls when securing a digital device
  • The benefits of using Faraday bags for digital device seizure
  • Faraday bag design considerations for securing evidence in the field
  • Detailed design characteristics
  • Testing/Certification
  • Special features and branding
  • Conclusion
  • Additional resources

Definitions used in this white paper

Digital device

Any device that is capable of wireless connectivity e.g. Mobile Phones, Tablets, GPS, Computers, Digital Cameras and e-Readers.

Faraday bag

Designed for law enforcement applications, an enclosure of conductive material that effectively shields a digital device from the radio frequencies used by Wi-Fi, Bluetooth, GPS, Mobile Phones and active RFID.

Attenuation

A reduction in radio signal strength, measured in dB. The amount of attenuation depends on the material the signal must pass through.

Volatile Memory

Is computer storage that only maintains its data while a device is powered on e.g. most RAM (Random Access Memory) is volatile.

Nonvolatile Memory

Is memory or storage that is saved regardless of a device being powered on or off e.g. hard drives, flash memory and read-only memory.

Tracking Application

Overt or covert software that transmits the location of a digital device via a wireless network that can be monitored by third parties.

Evidence Handling Procedures

Documents published by Governments and Law Enforcement Organisations (usually in the public domain) which give guidance on the seizure, acquisition, extraction and presentation of digital evidence.

Potential pitfalls when securing digital devices

Evidence handling procedures for a seized digital device vary between countries and jurisdictions. This white paper assumes that a Law Enforcement Officer with appropriate authority has decided to seize a digital device as it is likely to hold evidence in relation to an offence that has been committed.

If a seizure is part of a planned operation, a forensic specialist may be on hand to secure the evidence in digital devices (especially computers) however it is more usual that Law Enforcement Officers are required to undertake the seizure of computers and mobile phones without this forensic support.

Evidence handling procedures will typically advise that the examination of original digital data must be carried out by a person who is competent to do so. Unless a law enforcement officer is trained in handling a multitude of digital devices, the process of accessing a phone, tablet or computer to switch it off, isolate wireless connectivity or extract evidence may be called into question later.

For this reason, some evidence handling procedures advise that a digital device is always best left untouched until appropriate team members, trained in the securing of digital forensic evidence, are available. This delay increases the risk that critical evidence may be remotely modified or wiped.

Physically securing a crime scene will NOT prevent remote access to wireless devices that are still powered up, and applications such as ‘find my phone’ may enable the remote wiping of critical data. Many criminals are aware of this and will have furnished collaborators with account access details and passwords in case of arrest. There is also a risk that data deleted on the web (e.g. incriminating data in emails and other online messaging services) will be synchronised to the seized device, so that the corresponding data on the device is deleted or overwritten before it can be forensically examined.

Even if a device seems to be switched off this is not always the case. Screensavers and apps can give this impression, whereas in reality they are still powered up, connected to wireless networks and transmitting their location.

Some evidence handling procedures will advise officers to switch a device off. This requires them to access the device and will not preserve volatile memory, which may hold useful data that is lost when the device is powered down.

It is generally considered best practice for the first contact with a digital device to be undertaken and documented by a forensic specialist. The forensic process for the examination and acquisition of digital evidence is generally well documented and regulated, but the handling of these devices prior to this formal forensic examination is often undocumented and inconsistent.

The benefits of using a Faraday bag when seizing a digital device

Considering all the variables, it is important for law enforcement organisations to have a simple evidence handling procedure for seized digital devices that ensures that no data is lost and supports the legitimacy of the evidence the device potentially provides.

This procedure needs to be consistent, require the minimum training, have a very high probability of preserving critical evidence and isolate tracking applications.

Wider deployment of Faraday bags is essential to achieving this goal.

    • Placing a device in a faraday bag will isolate wireless connectivity without the requirement to manipulate (use) buttons, touch screens and keyboards.
    • This process also keeps the device in a powered-on state, maintaining volatile memory.*
    • In some seizures, it is acceptable to allow a battery to discharge over time (preserving the non-volatile memory), and the faraday bag will isolate the device from potential wireless connectivity until this is completed.
    • Prevents automatic updates to data subsequently modified on the web. It also prevents the device bringing in new data that may overwrite evidence.
    • Isolates tracking software that could identify a device location during transit and after delivery to a secure storage facility.
    • Ensures that the first physical contact with the device keys and buttons is always undertaken by a digital forensic specialist.
    • Allows the prosecution to show that the evidence produced is no more and no less now than when it was first taken, i.e. the image of the data on the device at the time of seizure is maintained.

*The process of isolating a device may increase the battery discharge rate and reduce standby time. To ensure volatile memory is preserved, providing an additional power supply will mitigate the risk of a device powering down before it can be forensically examined.

Faraday bag design considerations for securing evidence in the field

There are many ‘off the shelf’ and ad hoc products that offer faraday environment characteristics. These include specialist forensic examination boxes, anti-static bags and consumer products. Ad hoc faraday environment suggestions can range from a microwave oven, biscuit tin or aluminium foil. All these solutions have disadvantages as they are not designed for this specific application and will not be ‘fit for purpose’.

Essential requirements

    • The faraday bag must provide RF shielding for all the relevant Wi-Fi, GPS, Bluetooth, Active RFID and Mobile phone frequencies, e.g. 400MHz to 6000MHz with attenuation >50dB across the whole of that range.
    • Be of robust construction, using a woven exterior material to protect the multi-layer internal metallised lining.
    • Be of small form factor when not in use, for easy storage and/or inclusion in the equipment carried on the person or in a vehicle.
    • Be reusable and have a simple, repeatable and reliable sealing method.
    • Be independently tested to confirm the required attenuation standard is met.
    • Have instructions for use printed on the exterior of the bag (non-branded option for covert operations).
    • Be available in a range of sizes to accommodate a wide variety of digital devices.
    • Have training material available in the use of Faraday bags and the handling of seized digital devices.
    • Be cost effective (to ensure maximum deployment of faraday bags in the organisation they need to be affordable).

Detailed design characteristics

Closure Method

Traditionally, faraday bags have used a rolled-up top that folds the metalized surfaces over one another to ensure effective shielding; however, this is unsightly and inconvenient. A bag that closes with a single flap design (Fig 1), like an envelope, is certainly more convenient as long as the design meets the shielding requirement.

Fig 1 Single flap design closure.

Material Layers

Faraday bags made with a single layer of faraday fabric are unlikely to shield all wireless signals in all situations (specifically 4G and Wi-Fi). It’s important to achieve a high level of shielding with multiple layers of fabric on each side. Flat bags will typically have four layers in total.

Faraday Fabric Material

Not only is it important to have dual stitched seams, but the types of materials are also imperative to the effectiveness of any faraday bag. The best metallised fabric is made of highly conductive metals such as silver and copper (Fig 2).

Some materials use alternative metals such as tin or nickel to reduce cost; however, these are less conductive. Lower conductivity results in less effective signal attenuation (reduced shielding).

It should also be noted that inserts or liners that use anti-static bags (or metal-coated plastic bags) will not offer high shielding and are not robust enough for this application.

Fig 2 Metalized fabric enables the manufacture of lightweight faraday shielding.

Typical product configurations

Once it has been confirmed that the manufacturing materials will deliver the right levels of attenuation and shielding, designs can then be configured at different sizes to support the most popular wireless products, e.g. phones, tablets and laptops.

Laptop bag

These come in a variety of sizes and configurations. Typically, the main shielded enclosure is designed to fit commonly used laptops and includes handles, carry straps and additional pockets for power supplies (Fig 3).

Fig 3 Standard design configured for the Dell Latitude 5280 or Microsoft Surface Pro (Version 2, 3 and 4)

Laptop sleeve

Alternatively, the Faraday Shield can be configured as a sleeve (Fig 4).

Fig 4 Storage sleeve designed to accommodate the Microsoft Surface Pro (Version 2, 3 and 4)

Storage sleeves can be designed to protect all phones, tablets and laptops. Additional features such as carry straps, battery packs and webbing attachment points can be added (Fig 5).

Fig 5 Different sized sleeves are available depending on the device being shielded

Testing/Certification

What criteria should be used to ensure an effective level of shielding? Assessment by independent authorities has established that attenuation of 50dB across all wireless frequencies will give the necessary protection with a margin of safety. Anything less may offer some level of protection but does not counter the risk of close proximity to a cell site, or of a modified wireless system with boosted power designed solely to defeat shielding solutions. The power output and receive sensitivity of standard wireless systems are mandated by international regulation; however, developing radios that work outside of these parameters is well within the capability of a hacker with a limited understanding of RF device design.

The faraday bag must cover all the current generation of wireless frequencies. Testing to confirm the signal attenuation across this range of frequencies and supporting this with an independent design verification is an essential requirement that should be included in any procurement specification.

It is a common misconception that a Faraday cage will block all radio signals. In reality its attenuation varies with the frequency of the signal, so it is important to check that the bag will shield a device across all the wireless frequencies in use.
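The procurement check described above, written out as an added example (not code from the white paper or from Disklabs): a sweep of attenuation measurements is tested against the requirement quoted earlier (more than 50 dB from 400 MHz to 6000 MHz), and the check also flags frequency ranges the sweep never sampled, since attenuation varies with frequency and a coarse sweep can hide a weak band. The sweep values are constructed for illustration.

```python
"""Check a Faraday bag attenuation sweep against the requirement quoted in this
white paper: more than 50 dB everywhere from 400 MHz to 6000 MHz. The sweep
below is constructed for illustration, not a real test report."""

# Constructed measurements: (frequency in MHz, attenuation in dB).
SAMPLE_SWEEP = [
    (400, 72.0), (700, 68.5), (900, 66.0), (1575, 63.0),    # mobile bands, GPS L1
    (1800, 61.0), (2100, 59.5), (2450, 57.0),               # 3G/4G, Wi-Fi, Bluetooth
    (3500, 54.0), (4500, 52.0), (5200, 49.0), (5800, 52.5), # 5 GHz Wi-Fi region
    (6000, 51.0),                                           # top of the required range
]

def db_to_power_ratio(db):
    """Attenuation in dB -> fraction of incident power that still gets through."""
    return 10 ** (-db / 10)

def check_shielding(sweep, f_low=400, f_high=6000, min_db=50.0, max_step=1000):
    """Evaluate a sweep against the spec. The bag fails if any point in range
    is at or below min_db, if the sweep does not reach both ends of the range,
    or if two adjacent measurements are more than max_step MHz apart."""
    pts = sorted(p for p in sweep if f_low <= p[0] <= f_high)
    below = [p for p in pts if p[1] <= min_db]
    gaps = []
    if not pts or pts[0][0] > f_low:
        gaps.append((f_low, pts[0][0] if pts else f_high))
    for (f1, _), (f2, _) in zip(pts, pts[1:]):
        if f2 - f1 > max_step:
            gaps.append((f1, f2))
    if pts and pts[-1][0] < f_high:
        gaps.append((pts[-1][0], f_high))
    return {
        "passes": not below and not gaps,
        "worst_point": min(pts, key=lambda p: p[1]) if pts else None,
        "below_threshold": below,
        "coverage_gaps": gaps,
    }

if __name__ == "__main__":
    report = check_shielding(SAMPLE_SWEEP)
    print("PASS" if report["passes"] else "FAIL", report)
    print("50 dB lets through", db_to_power_ratio(50), "of incident power")
```

The constructed sweep fails twice: one 5 GHz point sits at 49 dB, and nothing was measured between 2450 MHz and 3500 MHz.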

Other manufacturing standards such as ISO 9001 and ISO 17025 should be required of the supplier to ensure consistent quality, and shielding verification should be carried out on every bag prior to delivery. Cheaper products may use random sample testing. This should not be accepted.

Maintenance and Support

If a high quality metalized lining material is used, this will ensure reliable long-term resistance to general wear and tear. If the lining has an obvious rip or tear in the metalized fabric it should be repaired as soon as possible. Using a double layer of metalized material mitigates the risk that the shielding will be less effective if damaged.

It is also recommended that the Faraday shield is periodically checked to confirm shielding performance. Reverifying the performance is a relatively simple procedure. For phones and other 3G or 4G devices, simply connect to a network, place the device in the shield, leave it for 20 to 30 seconds and then try to connect to it (call it). The phone should have no service.

The same procedure can be applied to tablets and computers on Wi-Fi or Bluetooth networks. Connect the device to a trusted network, then place the device in the shield for 30 seconds and then remove. A review of the connectivity logs will confirm the device was isolated when placed in the bag.
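The log review step above, as an added example that is not part of the white paper: connect/disconnect events are parsed from connectivity log lines, paired into connected intervals, and compared with the time the device spent in the bag. The log format, interface name and timestamps are constructed for this example; a real system's Wi-Fi or Bluetooth log will need its own line pattern.

```python
"""Review connectivity log lines to confirm a device stayed isolated while bagged.
Log format and lines are constructed for this example; adapt LINE_RE to real logs."""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+: (connected|disconnected)\b")

# Constructed log: device bagged at 10:05:00 and removed at 10:05:30.
SAMPLE_LOG = """\
2024-03-01 10:04:10 wlan0: connected to trusted-lab
2024-03-01 10:05:03 wlan0: disconnected (beacon loss)
2024-03-01 10:05:34 wlan0: connected to trusted-lab
"""

def parse_events(text):
    """Return [(timestamp, 'connected'|'disconnected')] in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2)))
    return sorted(events)

def connected_intervals(events):
    """Pair connect/disconnect events into [start, end) intervals."""
    ivs, start = [], None
    for ts, kind in events:
        if kind == "connected" and start is None:
            start = ts
        elif kind == "disconnected" and start is not None:
            ivs.append((start, ts))
            start = None
    if start is not None:  # still connected when the log ends
        ivs.append((start, datetime.max))
    return ivs

def isolation_check(log_text, bag_in, bag_out, grace_s=5):
    """bag_in/bag_out as 'YYYY-MM-DD HH:MM:SS'. The link may take grace_s seconds
    to drop; any connection overlapping the rest of the window fails the check."""
    t_in, t_out = (datetime.strptime(t, TS_FMT) for t in (bag_in, bag_out))
    window_start = t_in + timedelta(seconds=grace_s)
    events = parse_events(log_text)
    overlaps = [(s, e) for s, e in connected_intervals(events)
                if s < t_out and e > window_start]
    drops = [ts for ts, k in events if k == "disconnected" and ts >= t_in]
    return {"isolated": not overlaps, "overlaps": overlaps,
            "drop_after_s": (drops[0] - t_in).total_seconds() if drops else None}
```

A device that logs a new connection while still inside the bag is reported as not isolated, which is the signal that the bag needs repair or replacement.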

Special features and branding

There may be a requirement to add special features and Disklabs will be able to advise on the design feasibility. Customers may also require the organisation name, serial numbers and barcodes to be added to meet their specific requirements.

Conclusion

Faraday bags ensure the security of digital evidence and safeguard officers from having their location tracked by criminals.

For these reasons, there is a compelling argument for law enforcement organisations to make faraday bags standard equipment for all investigators and officers who may be required to secure digital devices.