Failing to isolate a wireless capable device increases the risk that critical evidence will be lost and introduces the potential for criminals to track the location of law enforcement officers, vehicles and sensitive sites.
The data contained in these seized digital devices is now one of the most important factors in capturing the critical evidence that ultimately secures a conviction.
Evidence handling procedures for seized digital devices advise that securing the device is best carried out by a forensic specialist; however, in most cases investigators and police officers are required to secure phones and computers without this support.
This white paper will show that there is a compelling case for all investigators and police officers to have immediate access to Faraday bags whilst on duty, to ensure the security of digital evidence and prevent transmission of a device's location.
Contents of the White Paper
Any device that is capable of wireless connectivity e.g. Mobile Phones, Tablets, GPS, Computers, Digital Cameras and e-Readers.
Designed for law enforcement applications, an enclosure of conductive material that effectively shields a digital device from the radio frequencies used by Wi-Fi, Bluetooth, GPS, Mobile Phones and active RFID.
This is a reduction in radio signal strength, measured in dB. This is affected by the material it must pass through.
Is computer storage that only maintains its data while a device is powered on e.g. most RAM (Random Access Memory) is volatile.
Is memory or storage that is saved regardless of a device being powered on or off e.g. hard drives, flash memory and read-only memory.
Overt or covert software that transmits the location of a digital device via a wireless network that can be monitored by third parties.
Evidence Handling Procedures
Documents published by Governments and Law Enforcement Organisations (usually in the public domain) which give guidance on the seizure, acquisition, extraction and presentation of digital evidence.
Evidence handling procedures for a seized digital device vary between countries and jurisdictions. This white paper assumes that a Law Enforcement Officer with appropriate authority has decided to seize a digital device as it is likely to hold evidence in relation to an offence that has been committed.
If a seizure is part of a planned operation, a forensic specialist may be on hand to secure the evidence in digital devices (especially computers); however, it is more usual that Law Enforcement Officers are required to undertake the seizure of computers and mobile phones without this forensic support.
Evidence handling procedures will typically advise that the examination of original digital data must be carried out by a person who is competent to do so. Unless a law enforcement officer is trained in handling a multitude of digital devices, the process of accessing a phone, tablet or computer to switch it off, isolate wireless connectivity or extract evidence may be called into question later.
For this reason, some evidence handling procedures advise that a digital device is always best left untouched until appropriate team members, trained in the securing of digital forensic evidence, are available. This delay increases the risk that critical evidence may be remotely modified or wiped.
Physically securing a crime scene will NOT prevent remote access to wireless devices that are still powered up, and applications such as ‘find my phone’ may enable the remote wiping of critical data. Many criminals are aware of this and will have furnished collaborators with account access details and passwords in case of arrest. There is also a risk that data deleted on the web (e.g. incriminating data in emails and other online messaging services) is automatically deleted or overwritten in the seized device before it can be forensically examined.
Even if a device seems to be switched off this is not always the case. Screensavers and apps can give this impression, whereas in reality they are still powered up, connected to wireless networks and transmitting their location.
Some evidence handling procedures will advise officers to switch a device off. This requires them to access the device and will not preserve volatile memory, which may hold useful data that is lost when the device is powered down.
It is generally considered best practice for the first contact with a digital device to be undertaken and documented by a forensic specialist. The forensic process for the examination and acquisition of digital evidence is well documented and regulated, but the handling of these devices prior to this formal forensic examination is often undocumented and inconsistent.
Considering all the variables it is important for law enforcement organisations to have a simple evidence handling procedure for seized digital devices that ensures that no data is lost and ratifies the legitimacy of the evidence this potentially provides.
This procedure needs to be consistent, require the minimum training, have a very high probability of preserving critical evidence and isolate tracking applications.
Wider deployment of Faraday bags is essential to achieving this goal.
*The process of isolating a device may increase the battery discharge rate and reduce standby time. To ensure volatile memory is preserved, the introduction of an additional power supply will mitigate the risk of a device powering down before it can be forensically examined.
There are many ‘off the shelf’ and ad hoc products that offer faraday environment characteristics. These include specialist forensic examination boxes, anti-static bags and consumer products. Ad hoc faraday environment suggestions can range from a microwave oven, biscuit tin or aluminium foil. All these solutions have disadvantages as they are not designed for this specific application and will not be ‘fit for purpose’.
Traditionally, Faraday bags have used a rolled-up top folded over the metalized surfaces to ensure effective shielding; however, this is unsightly and inconvenient. A bag that closes with a single flap design, like an envelope (Fig 1), is certainly more convenient as long as the design meets the shielding requirement.
Faraday bags made with a single layer of faraday fabric are unlikely to shield all wireless signals in all situations (specifically 4G and Wi-Fi). It’s important to achieve a high level of shielding with multiple layers of fabric on each side. Flat bags will typically have four layers in total.
Not only is it important to have dual stitched seams, but the types of materials are also imperative to the effectiveness of any Faraday bag. The best metallised fabric is made of highly conductive metals such as silver and copper (Fig 2).
Some materials use alternative metals such as tin or nickel to reduce cost; however, these are less conductive. Lower conductivity results in less effective signal attenuation (reduced shielding).
It should also be noted that inserts or liners that use anti-static bags (or metal-coated plastic bags) will not offer high shielding and are not robust enough for this application.
Once it has been confirmed that the manufacturing materials will deliver the right levels of attenuation and shielding, designs can then be configured at different sizes to support the most popular wireless products, e.g. phones, tablets and laptops.
These come in a variety of sizes and configurations. Typically, the main shielded enclosure is designed to fit commonly used laptops and includes handles, carry straps and additional pockets for power supplies (Fig 3).
Alternatively, the Faraday Shield can be configured as a sleeve (Fig 4).
Storage sleeves can be designed to protect all phones, tablets and laptops. Additional features such as carry straps, battery packs and webbing attachment points can be added (Fig 5).
What criteria should be used to ensure an effective level of shielding? Assessment by independent authorities has established that attenuation of 50dBm across all wireless frequencies will give the necessary protection with a margin of safety. Anything less may offer some level of protection but does not counter the risk of close proximity to a cell site, or of a modified wireless system with boosted power designed solely to defeat shielding solutions. The power output and receive sensitivity of standard wireless systems are mandated by international regulation; however, developing radios that work outside of these parameters is well within the capability of a hacker with only a limited understanding of RF device design.
The faraday bag must cover all the current generation of wireless frequencies. Testing to confirm the signal attenuation across this range of frequencies and supporting this with an independent design verification is an essential requirement that should be included in any procurement specification.
It is a common misconception that a Faraday cage will block all radio signals however it will, in reality, have a varied attenuation depending on the waveform. It is important to check that the bag will shield a device from all wireless frequencies.
Other manufacturing standards such as ISO 9001 and ISO 17025 should be required of the supplier to ensure consistent quality, and shielding verification should be carried out on every bag prior to delivery. Cheaper products may use random sample testing; this should not be accepted.
If a high quality metalized lining material is used this will ensure reliable long-term resistance to general wear and tear. If the lining material has an obvious rip or tears in the metalized fabric it should be repaired as soon as possible. Using a double layer of metalized material mitigates the risk that the shielding will be less effective if damaged.
It is also recommended that the Faraday shield is periodically checked to confirm shielding performance. Reverifying the performance is a relatively simple procedure. For phones and other 3G or 4G devices, simply connect to a network, place the device in the shield, leave it for 20 to 30 seconds and then try to connect to it (call it). The phone should have no service.
The same procedure can be applied to tablets and computers on Wi-Fi or Bluetooth networks. Connect the device to a trusted network, then place the device in the shield for 30 seconds and then remove. A review of the connectivity logs will confirm the device was isolated when placed in the bag.
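The log review in the Wi-Fi and Bluetooth check above can be made repeatable rather than eyeballed. The following added example (not code from the white paper or from any supplier) parses constructed access-point log lines and confirms, for a given client MAC and the recorded times the device went into and came out of the bag, that it dropped off the network shortly after being sealed in, stayed off for the whole period, and reconnected on removal. The log format, MAC addresses, timestamps and grace period are constructed assumptions; a real controller or access point will need its own line pattern.

```python
"""Confirm from connectivity logs that a device was isolated while in a Faraday bag.

Added example, not code from the white paper. The log format, MAC addresses
and timestamps below are constructed for illustration; real access-point or
controller logs will need their own parsing pattern.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> <client MAC> <CONNECTED|DISCONNECTED>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<event>CONNECTED|DISCONNECTED)$"
)

# Constructed sample: device ...01 was in a working bag, device ...02 in a bag
# that leaked (it never dropped off the network).
SAMPLE_LOG = """\
2024-03-01 10:00:05 aa:bb:cc:dd:ee:01 CONNECTED
2024-03-01 10:00:30 aa:bb:cc:dd:ee:02 CONNECTED
2024-03-01 10:02:10 aa:bb:cc:dd:ee:01 DISCONNECTED
2024-03-01 10:02:55 aa:bb:cc:dd:ee:01 CONNECTED
"""

# Constructed times at which the devices were sealed in and taken out.
BAG_IN = datetime(2024, 3, 1, 10, 2, 5)
BAG_OUT = datetime(2024, 3, 1, 10, 2, 45)


@dataclass(frozen=True)
class Event:
    ts: datetime
    mac: str
    event: str


def parse_log(text: str) -> list[Event]:
    """Parse log lines into Events (time-ordered), skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["mac"].lower(), m["event"]))
    return sorted(events, key=lambda e: e.ts)


def verify_isolation(
    events: list[Event],
    mac: str,
    bag_in: datetime,
    bag_out: datetime,
    grace: timedelta = timedelta(seconds=10),
) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'isolated', 'leak' or 'inconclusive'.

    'isolated' requires: connected before bag_in, a DISCONNECTED within `grace`
    of bag_in, no CONNECTED while inside, and a CONNECTED after bag_out (so the
    drop is attributable to the bag rather than to the device or network).
    """
    dev = [e for e in events if e.mac == mac.lower()]
    if not dev:
        return "inconclusive", "no log entries for device"
    before = [e for e in dev if e.ts < bag_in]
    if not before or before[-1].event != "CONNECTED":
        return "inconclusive", "device was not connected when placed in the bag"
    during = [e for e in dev if bag_in <= e.ts <= bag_out]
    if not during or during[0].event != "DISCONNECTED" or during[0].ts - bag_in > grace:
        return "leak", "no disconnect recorded within the grace period after sealing"
    if any(e.event == "CONNECTED" for e in during):
        return "leak", "device reconnected while inside the bag"
    after = [e for e in dev if e.ts > bag_out]
    if not after or after[0].event != "CONNECTED":
        return "inconclusive", "no reconnect after removal, so the drop may not be due to the bag"
    return "isolated", "disconnected promptly, stayed off the network, reconnected on removal"


def check_sample(mac: str) -> str:
    """Run the check for one device against the constructed sample log and times."""
    return verify_isolation(parse_log(SAMPLE_LOG), mac, BAG_IN, BAG_OUT)[0]


if __name__ == "__main__":
    for mac in ("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"):
        verdict, reason = verify_isolation(parse_log(SAMPLE_LOG), mac, BAG_IN, BAG_OUT)
        print(f"{mac}: {verdict} ({reason})")
```

The reconnect-after-removal requirement is what turns a disconnect into evidence about the bag: without it, a flat battery or an access-point fault would look the same as successful shielding. Timestamps from the test should be recorded as part of the periodic check so the log window can be reviewed later.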
There may be a requirement to add special features and Disklabs will be able to advise on the design feasibility. Customers may also require the organisation name, serial numbers and barcodes to be added to meet their specific requirements.
Faraday bags ensure the security of digital evidence and safeguard officers from having their location tracked by criminals.
For these reasons, there is a compelling argument for law enforcement organisations to make Faraday bags standard equipment for all investigators and officers who may be required to secure digital devices.