I am looking into the possibility of using a faraday box in which to conduct an examination of a mobile telephone. Does anyone have any experience using these or can point me towards an informative website?
I've had my eye on some of this phone mesh for a while
But I have also heard of train companies coating their train windows in a film to stop people in the silent cabins using their mobile phones. It's quite good by the sounds of it, but only has a small MHz range, so maybe not perfect to cover a custom box.
Hope this helps D
with enough of that material it may be possible to cover an entire lab?
Thanks for your response.
/edit bk forensics email address bounces my email back. "Sorry it didn't work out, twisted."
We bought the Paraben Stronghold Box last year and I have to say that I'm quite disappointed with the product.
First, within a few months of use, the shielded gloves used to manipulate the phone in the box pierced.
Also, the handles to lock the box's door aren't stiff enough and with time, the door has become loose enough to allow some signal to pass.
Finally, the box is not very practical when you need to capture photos or videos of the phone's interface because the window is almost opaque.
We've looked into other possibilities like using a small cell phone jammer inside our lab or using special paint on the wall to block the signal. We finally decided to invest and buy a 12' x 10' "Faraday Lab". If you'd like, I could post the website of the company that manufactures those things.
The thing with these Faraday boxes/bags: what is the facility for data extraction? What provision is made for data-cable connection & download?
For the Paraben box, there is a shielded USB and Serial DB-9 port. So, inside the box, you can plug your cell phone data transfer cable and from the box to your computer, you can use a standard USB or DB-9 cable.
F-c-b-f you know you really do not have to use any radio dampening barriers or clone test SIM cards at all.
There is nothing in UK law that enables a police officer or public authority investigator to stop the delivery of a communication to an intended recipient. Equally, it can be technically impossible for a communication service provider to stop the transmission of a communication or recover messages that are awaiting delivery to a device that has either been disconnected from a network or been switched off by the investigator or examiner.
Does anyone out there have experience with Faraday tents/cages? What's the verdict?
Thanks for your response Trewmte. I am primarily concerned with the overwriting of stored data by incoming transmissions, calls, deleted text messages, etc. Certain tools on the market are now able to recover deleted data in much more detail than previously available; this necessitates the prevention of incoming transmissions, thereby preserving this deleted information. I am aware that as soon as the handset is powered on certain information is updated and therefore changed, but steps have to be taken to ensure that stored data remains unchanged as a result of the examination process.
FCBF OVERWRITING OF STORED DATA? TEXT MESSAGES WILL NOT BE OVERWRITTEN AS THEY DON'T ENTER THE HANDSET AS SUCH; THERE IS A MESSAGE DISPLAYED TO TELL YOU THERE ARE MESSAGES WAITING TO BE READ. INDEED, IF YOUR INBOX WAS FULL YOUR HANDSET WOULD NOT LET YOU READ THE WAITING MESSAGES UNTIL OTHERS ARE DELETED BY YOU. THE ONLY ITEM BOX YOU WILL OVERWRITE IS THE MISSED CALLS DIRECTORY (AS THE HANDSET IS POWERED UP YOU MAY "RECEIVE" A CALL).
When you power on SOME handsets they update, yes... but this is done by the internal clock/calendar setting, so your Faraday cage won't help you anyway as it doesn't need the airwaves to do it.
Lastly, Home Office rules state that post-seizure text messages not only CAN be read, they MUST be read. Now, if you use your Faraday cage to protect yourself from airwaves and, presumably, you would then copy some details of the SIM to access the handset, when do you get YOUR post-seizure messages? FARADAY?... no thanks.
Apologies. Overwriting of deleted messages, primarily on the SIM if the "slots" aren't full, and also on the handset.
F-c-b-f if you read the SIM first before handset you wouldn't lose deleted text messages.
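The "slots" point above is easiest to see on the SIM itself. The following is an added illustration, not code from anyone in this thread: it models the EF_SMS file layout from GSM 11.11 / TS 51.011 (176-byte records, status byte first, TPDU padded with 0xFF), where deleting a message on most handsets only clears the status byte and leaves the message bytes in place until a new message is stored in that slot. The SIM image, the message bytes and the "handset writes into the first free slot" behaviour are all constructed assumptions for the demonstration; the payloads are placeholders, not real SMS-DELIVER encoding.

```python
"""Model of GSM SIM EF_SMS records (GSM 11.11 / TS 51.011 layout).

Each record is 176 bytes: byte 0 is the status byte, the remaining 175
bytes hold the SMS TPDU padded with 0xFF.  Status coding:
  0x00  free slot (bit 1 clear)
  0x01  received, read
  0x03  received, unread
  0x05  originated, sent
  0x07  originated, to be sent
"""
from dataclasses import dataclass
from typing import List

RECORD_LEN = 176
STATUS_NAMES = {0x00: "free", 0x01: "received-read", 0x03: "received-unread",
                0x05: "sent", 0x07: "to-be-sent"}


@dataclass
class SmsSlot:
    index: int      # 1-based record number, as SIM readers report it
    status: str
    residual: bool  # status says "free" but message bytes are still present
    tpdu: bytes


def build_record(status: int, tpdu: bytes) -> bytes:
    """Build one 176-byte EF_SMS record (constructed helper)."""
    if len(tpdu) > RECORD_LEN - 1:
        raise ValueError("TPDU too long for an EF_SMS record")
    return bytes([status]) + tpdu + b"\xff" * (RECORD_LEN - 1 - len(tpdu))


def parse_ef_sms(image: bytes) -> List[SmsSlot]:
    """Split a raw EF_SMS dump into slots and flag recoverable deleted ones."""
    if len(image) % RECORD_LEN:
        raise ValueError("EF_SMS image is not a multiple of 176 bytes")
    slots = []
    for i in range(len(image) // RECORD_LEN):
        rec = image[i * RECORD_LEN:(i + 1) * RECORD_LEN]
        status = rec[0]
        body = rec[1:].rstrip(b"\xff")   # strip padding (a TPDU ending in 0xFF would lose that byte)
        free = (status & 0x01) == 0
        name = STATUS_NAMES.get(status, f"unknown(0x{status:02x})")
        slots.append(SmsSlot(i + 1, name, free and len(body) > 0, body))
    return slots


def deliver_incoming(image: bytes, tpdu: bytes) -> bytes:
    """Assumed handset behaviour: store a newly received SMS in the first
    slot whose status byte says 'free', overwriting the whole record."""
    for i in range(len(image) // RECORD_LEN):
        off = i * RECORD_LEN
        if image[off] & 0x01 == 0:
            return image[:off] + build_record(0x03, tpdu) + image[off + RECORD_LEN:]
    return image  # no free slot: the message stays waiting at the network


def recoverable_deleted(image: bytes) -> List[int]:
    """Record numbers of deleted messages whose bytes are still on the SIM."""
    return [s.index for s in parse_ef_sms(image) if s.residual]


# Constructed three-slot SIM image (placeholder bytes, not real TPDUs).
HDR = b"\x04\x0b\x91\x44"
SAMPLE_SIM = (
    build_record(0x01, HDR + b"hello from alice")         # read message
    + build_record(0x00, HDR + b"meet at 9 - deleted")   # user-deleted: status cleared, bytes intact
    + build_record(0x00, b"")                             # never used
)


def demo():
    """Deleted-message recovery before and after one incoming SMS lands."""
    before = recoverable_deleted(SAMPLE_SIM)
    after = recoverable_deleted(deliver_incoming(SAMPLE_SIM, HDR + b"new incoming text"))
    return before, after


if __name__ == "__main__":
    print("recoverable deleted slots before/after incoming SMS:", demo())
```

Reading the SIM before the handset is powered on with a live network simply means the dump is taken while slot 2 is still in the "before" state; once a waiting message is delivered into that free slot, the deleted text in it is gone.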
I am new to the phone side of forensics, so sorry if this is a stupid question. Completely understand that you would do the SIM card first, but would you not need to check the date and time setting on the phone before removing the card? And this brings us back to the requirement for Faraday protection.
Hi pbeardmore, there is no definite position or mandatory requirement or legal enabler that prescribes that a procedure for radio dampening/barrier measures be used or must be used.
No you wouldn't need to check the handset clock first unless the officer/defence solicitor specifically thought it had a bearing on a case. Unlike computer forensics, mobile phone forensics seeks to establish accuracy on timing matters from the clock details recorded in the mobile network records and not the user defined clocks which are invariably inaccurate. The overriding position is to deal with mobile phones on a case by case basis, using methodology best suited to the make/model under examination.
Use of radio dampening fields/barriers is not about being able to see the date and time stamp on a mobile phone, and you wouldn't use dampening/barriers for that purpose, unless you are thinking about a particular mobile phone that is sync'd to a particular mobile network clock. In which case:
a) as soon as a device is within dampening/barriers causing loss of sync with network what happens to the handset clock?
b) what about business enterprise devices with clocks sync'd to servers, where a break in network connection sync timing could be critical to data being wiped?
c) in the case of mobile phones subscription, how many actually pay for a subscription for their devices to use GSM network clock and in which countries do the operators actually provide the mobile network sync clock service?
None of the above suggests any reason for the promulgated position of a blanket approach of always using Faraday bags/barriers, which is analogous to the notion of suggesting I'll have ketchup with everything.
As usual, very useful advice, thanks, trewmte.
Must buy you a pint if our paths cross.
PS: how are your plans going for running some mobile phone forensic training? I have a grad who would be very interested.