Faraday and Mobile Forensics Today and Beyond
What is Faraday? Simply put, it is a technology invented by Michael Faraday in 1831 through his work with electromagnetism, in which he developed the first Faraday cage. This is the principle behind what we now use in mobile forensics. It prevents (refracts) radio signals from reaching a mobile phone and prevents the loss or change of data on a seized device. Most of us are familiar with Faraday bags, but there are also meshes, boxes and even rooms designed to keep evidence safe from change or deletion.
Cell phones operate on a wide range of radio frequencies; however, most modern phones are LTE (Long Term Evolution), which evolved from its predecessors GSM/EDGE and UMTS/HSPA. LTE was developed for higher-speed communication. It covers many bands, which vary by part of the world, so phone manufacturers produce phones with multi-band-capable radios. In the United States the range goes from 700 MHz to 2600 MHz.
The Faraday material that you use should be able to cover those radio frequency bands. Checking with the manufacturer is a good idea before using it, and testing and validating it prior to use is a good procedure to follow.
Many may ask: with every carrier now using SIM cards and all phones having airplane mode, all I have to do is remove the SIM card and turn on airplane mode, so why bother with a Faraday bag anymore? There have been multiple publications and papers written on the use of Faraday. It was even mentioned in the Supreme Court ruling in Riley v. California. Some of the more notable institutional publications are Guidelines on Cell Phone Forensics, NIST (2008); Guidelines on Mobile Forensics, NIST (2014); and Best Practices for Mobile Phone Examinations, SWGDE (2009). There are multiple books available on mobile forensics, and all at some point mention the use of Faraday. True, there are now more circumstances that don’t call for a Faraday container, with all carriers on LTE and airplane mode available. The operating systems and security of today's phones pretty much mandate not turning the phones off. There is a limited need for a Faraday device. This was true until recently, but things are changing in the mobile world. Later in this article we will see the future of mobile and how it relates to Faraday.
With modern Android and iOS devices, it is not only the cellular network that is dangerous; it is Wi-Fi that is the silent killer. The problem is that with “Google Find My Device” and “Apple iCloud Find My iPhone”, mobile devices can be remotely wiped even when disconnected from a cellular network. As seen below, both devices are not connected to cellular and have their SIM cards removed, yet both can be sent signals to destroy data.
The problem with modern cell phones is that one must be careful in handling them and make sure that both cellular and Wi-Fi connections are secure. Yes, removing the SIM card will remove the device from the cell networks, but it can still be located via an internet connection. Let's explore each ecosystem, specifically how to access airplane mode and turn off Wi-Fi.
Normally you would swipe down from the top and access airplane mode. But in the Android world not all is equal. Here are three examples of modern phones that have the same version of Android on them and behave differently. All three devices have a fingerprint sensor in use.
Samsung Note 8 (Android 7)
With a reboot or power loss, one can put the phone into airplane mode. Here, removing the SIM card and placing the phone into airplane mode would be sufficient. When this phone has lost power or rebooted, this negates the fingerprint sensor. However, if the phone is locked and hasn’t lost power or rebooted, keeping power to the device is essential due to the fingerprint biometric sensor. There is an optional retinal scan as well. (24-hour inactivity time bomb)
LG V20 (Android 7)
On reboot or power loss, airplane mode can’t be turned on. When this phone has lost power or rebooted, this negates the fingerprint sensor. If technology exists to bypass the passcode, there are two options: one, turn off the device (a reboot will keep the phone in the same state and off the network); two, keep the phone on, supply additional power and place it into a Faraday container. With a device that is locked but has not been powered off or rebooted, airplane mode can be initiated and the SIM card removed. Keeping power is essential; there is a 24-hour inactivity time bomb.
Andy Rubin’s Essential (Android 7)
On reboot or power loss, Airplane Mode can be turned off. This wouldn’t require a Faraday container. When this phone has lost power or rebooted, this negates the fingerprint sensor. As with the Samsung and LG, keeping power to the device is essential due to the fingerprint biometric. (24-hour inactivity time bomb)
When the phone reboots or loses power and is in a locked state, airplane mode can’t be turned on. When this phone has lost power or rebooted, this negates Touch ID and Face ID. As with Android, you have two options, depending on whether technology exists to bypass the passcode: one, turn off the device (a reboot will keep the phone in the same state and off the network); two, keep the phone on, supply additional power and place it into a Faraday container. With an iDevice that is locked but has not been powered off or rebooted, airplane mode can be initiated and the SIM card removed. Keeping power is essential if Touch ID or Face ID has been utilized. There is a 48-hour inactivity time bomb on iOS.
iDevice with iOS 11
iOS 11 threw things for a loop when it was recognized that placing a device in airplane mode would not shut down both Wi-Fi and Bluetooth. Most thought this was a programming glitch, but it was by design. When you initiate airplane mode, make sure you visually confirm that Wi-Fi has been cut off as well. If needed, manually turn it off.
Apple Watch Series 3 (GPS+Cellular), watchOS 4
Here Apple has released a watch that can run independently of the iPhone. It can make phone calls and send text messages. One big problem: there isn’t a removable SIM card in this device. Apple has introduced the embedded SIM. A passcode can also be placed on this device. A Faraday container will be necessary. The watch can even be wiped from Find My iPhone.
Samsung Gear 3 (Tizen 2.3.2)
Samsung did the same thing with the Gear 3. It can also run independently of the phone, and Samsung has also placed an embedded SIM in the watch. The Gear 3 can be secured as well: it can be locked with a PIN code. The Gear 3 can’t be erased from “Google Find my Phone”; however, from Find My Gear on the phone, one can locate and erase it. Another reason to place it into a Faraday bag.
The Future is Now!
While there is now a limited need for Faraday with modern cell phones, there is and will be a resurgence in that need. The Apple Watch and others are a glimpse into that future. That future is a world of embedded SIMs. The Apples, Samsungs and Googles of the world will manufacture cell phones without removable SIM cards. If airplane mode can’t be accessed, then a Faraday device will have to be utilized.
That world is here now, starting with Google and the Pixel 2. Google has developed and is utilizing Project Fi. This is the first of its kind for LTE. The Google Pixel 2 can be activated without a SIM card. See below.
I didn’t believe it myself until I activated and subscribed to Project. Then I removed the SIM tray and, behold, there wasn’t one: no SIM card. The future is here and soon Apple will follow suit. The new world will be SIM-less. There will be more situations in the future that call for more use of Faraday than we see today. The Pixel 2 (Android 8) is a perfect example of this. Upon reboot, if any security is placed on the phone, for example a PIN code, you can’t swipe down and enable airplane mode. Therefore you will have to have some kind of Faraday device every time this phone gets powered on. The question in that situation will be: if technology doesn’t allow for the bypass of the PIN or swipe codes, do you just shut the phone down?
Small List of useful Faraday Devices/Material
- Faraday Bags
- Faraday Boxes
- Arson Cans
- Aluminum Foil
Whatever material you use, it is important to test it for reliability, both before use and while in use. You don’t want to be caught with a faulty container. Also contact the manufacturer for specifications and to confirm that it will block signals from past and present phones.
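One way to check a manufacturer's specification sheet against the radios discussed in this article, as an added example that is not part of the original article: it looks for frequency ranges where the rated attenuation falls short, covering both the US LTE range quoted above and Wi-Fi. The spec sheet values and the 60 dB acceptance threshold are constructed assumptions for illustration, not figures from any vendor or standard.

```python
# Radios to isolate, in MHz. The LTE range is the US range quoted in the
# article; the Wi-Fi/Bluetooth band edges are approximate allocations.
REQUIRED_BANDS = {
    "LTE (US)": (700, 2600),
    "2.4 GHz Wi-Fi / Bluetooth": (2400, 2483.5),
    "5 GHz Wi-Fi": (5150, 5850),
}

# Constructed spec sheet: (start MHz, end MHz, rated attenuation in dB).
SAMPLE_SPEC = [
    (600, 1000, 85),
    (1000, 2000, 80),
    (2000, 3000, 70),
    (3000, 6000, 45),
]

MIN_DB = 60  # assumed acceptance threshold for this example, not a standard


def uncovered(spec, band, min_db=MIN_DB):
    """Return the sub-ranges of `band` where the spec does not reach min_db."""
    lo, hi = band
    # Keep only adequately rated ranges that overlap the band, in order.
    good = sorted((s, e) for s, e, db in spec
                  if db >= min_db and e > lo and s < hi)
    gaps, cursor = [], lo
    for s, e in good:
        if s > cursor:              # hole between rated ranges
            gaps.append((cursor, s))
        cursor = max(cursor, e)
        if cursor >= hi:
            break
    if cursor < hi:                 # rated ranges stop short of the band edge
        gaps.append((cursor, hi))
    return gaps


def validate(spec, bands=REQUIRED_BANDS, min_db=MIN_DB):
    """Map each radio to its uncovered ranges; an empty list means covered."""
    return {name: uncovered(spec, rng, min_db) for name, rng in bands.items()}


if __name__ == "__main__":
    for name, gaps in validate(SAMPLE_SPEC).items():
        print(f"{name}: {'OK' if not gaps else 'NOT COVERED ' + str(gaps)}")
```

With the constructed sheet, the container passes for the 700 MHz to 2600 MHz range but fails for 5 GHz Wi-Fi, which lies outside that range and has to be checked separately.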
Note: we need to keep these devices on, and you may need to use a Faraday device. Inside one, these devices want to “phone home”, which drastically reduces the life of the battery. Attaching an external power source to the phone while it is in a Faraday device will help extend the battery life. Get where you need to go fast so you can secure the phone.