Making a Watcher Force

Advanced, intrusive surveillance techniques are more and more likely to be in the toolbox of John Q Patrolman. Here’s how cops are being trained to hack the airwaves.

Digital forensics and even metadata surveillance are becoming as routine a consideration for every rank-and-file gumshoe as preserving a homicide scene’s biometric evidence (e.g., fingerprints, blood for DNA testing, etc.).

It seems like any police department that rates a radar gun has also purchased a UFED, a Universal Forensic Extraction Device. The devices, introduced by Israeli security firm Cellebrite 10 years ago and sold by dozens of other companies under different branding, give cops a sort of skeleton key: attach a wide array of electronic media — computers, iPhones, tablets, etc. — and extract all potentially usable data wholesale, in a more or less “set-it-and-forget-it” operation.

Cell phone and other wireless communication records, analyzed a la Big Data, are also becoming a part of routine police work.

Extracting criminal intelligence from that data is another proposition altogether.

Expert consultant firms provide training to local departments on continuously updated hardware and software complexities, as well as the nuances of dealing with different service providers when seeking call records. Verizon, Sprint, and AT&T all have different standards for data retention and unique processes for obtaining customer records, and knowing what one can get from whom is critical to conducting an efficient investigation.

PATC Tech Digital Forensics specializes in training law enforcement to use those tools and interpret the data (as well as performing these tasks for agencies as consultants). PATC Tech is, according to the website, a “division of the Public Agency Training Council, the largest provider of public safety training and legal liability management in the United States.” The two principal trainers are former Pennsylvania State Troopers.

Published here are PATC Tech’s PowerPoint presentations on obtaining and using records from each major carrier — AT&T, Verizon, Sprint, and T-Mobile.

In keeping with its mostly post-9/11 record of surveillance infamy, AT&T is the standout when it comes to retaining records of its customers’ communications.

I reported for The Daily Beast last October, in a story about Operation Hemisphere, how “AT&T retains its cell tower data going back to July 2008, longer than other providers. Verizon holds records for a year and Sprint for 18 months.”

The PATC presentation Cellular Records Review and Analysis Part 1: AT&T names a few of the company’s accommodating idiosyncrasies.

AT&T can provide locations for Voice, SMS and Data for a very long time. (Which is not common.)
Tower Dumps also include Voice, SMS and Data. (Which is not common.)

By contrast, “Tower Dumps are Voice only” with Verizon and Sprint — the T-Mobile presentation does not say what data is included in tower dumps, but does say that after recent updates more records are now available from the company.
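To make the “Voice only” caveat concrete, here is an added example in Python; it is not code from PATC, Cellebrite or any carrier. It simulates a tower dump over constructed call-detail records and intersects two dumps to find a phone present at both scenes, the routine way investigators link a number to several locations. The record fields, the carrier-to-record-type table, the tower names and the subscriber numbers are all assumptions; the T-Mobile row is left out because the presentation does not say what its dumps contain.

```python
"""Tower-dump analysis over constructed call-detail records (CDRs).

Added example; it is not code from PATC, Cellebrite or any carrier.  The
Record fields, the CARRIER_DUMP_TYPES table and every record below are
assumptions built to mirror the page's point: a "Voice only" tower dump
cannot show a phone that only texted or used data near the tower.
"""
from dataclasses import dataclass
from datetime import datetime

# Record types a carrier's tower dump includes, as the page summarises the
# PATC slides: AT&T voice, SMS and data; Verizon and Sprint voice only.
# T-Mobile's slide does not say, so it is deliberately left out.
CARRIER_DUMP_TYPES = {
    "ATT": frozenset({"VOICE", "SMS", "DATA"}),
    "VERIZON": frozenset({"VOICE"}),
    "SPRINT": frozenset({"VOICE"}),
}


@dataclass(frozen=True)
class Record:
    carrier: str
    msisdn: str         # subscriber number (constructed, not real)
    start: datetime     # when the call, SMS or data session began
    cell_site: str      # tower identifier (hypothetical naming)
    sector: int         # antenna sector on that tower
    rtype: str          # "VOICE", "SMS" or "DATA"


def tower_dump(records, carrier, cell_site, window_start, window_end, types=None):
    """What a carrier would hand over for one tower and time window: its own
    records only, restricted to the record types it puts in a dump.  `types`
    overrides that restriction so the effect of the restriction can be seen."""
    allowed = CARRIER_DUMP_TYPES[carrier] if types is None else frozenset(types)
    return [
        r for r in records
        if r.carrier == carrier
        and r.cell_site == cell_site
        and r.rtype in allowed
        and window_start <= r.start <= window_end
    ]


def subscribers(dump):
    """Distinct numbers seen in a dump."""
    return {r.msisdn for r in dump}


def common_subscribers(*dumps):
    """Numbers present in every dump: the usual way a phone is tied to
    several scenes.  Absence from a voice-only dump is not absence from
    the tower, so treat a miss here as 'unknown', not 'not there'."""
    sets = [subscribers(d) for d in dumps]
    return set.intersection(*sets) if sets else set()


def sectors_for(dump, msisdn):
    """Sectors a number hit on the dumped tower; with sector data the
    phone's location narrows from 'near the tower' to one wedge of it."""
    return {r.sector for r in dump if r.msisdn == msisdn}


# Constructed records for two scenes: tower SITE-101 on the evening of
# 1 March and tower SITE-202 in the early hours of 2 March.
T = datetime
RECORDS = [
    Record("VERIZON", "5550001", T(2016, 3, 1, 22, 15), "SITE-101", 2, "VOICE"),
    Record("VERIZON", "5550001", T(2016, 3, 2, 1, 20), "SITE-202", 1, "VOICE"),
    Record("VERIZON", "5550002", T(2016, 3, 1, 22, 30), "SITE-101", 3, "SMS"),
    Record("VERIZON", "5550002", T(2016, 3, 2, 1, 30), "SITE-202", 1, "SMS"),
    Record("VERIZON", "5550003", T(2016, 3, 1, 22, 40), "SITE-101", 2, "VOICE"),
    Record("ATT", "5550004", T(2016, 3, 1, 22, 10), "SITE-101", 1, "SMS"),
    Record("ATT", "5550004", T(2016, 3, 2, 1, 10), "SITE-202", 3, "DATA"),
    Record("ATT", "5550005", T(2016, 3, 1, 22, 50), "SITE-101", 1, "VOICE"),
    Record("ATT", "5550005", T(2016, 3, 2, 3, 0), "SITE-202", 2, "VOICE"),  # after window
]
SCENE_1 = ("SITE-101", T(2016, 3, 1, 22, 0), T(2016, 3, 1, 23, 0))
SCENE_2 = ("SITE-202", T(2016, 3, 2, 1, 0), T(2016, 3, 2, 2, 0))


def analyse(records=RECORDS):
    """Run both scenes through each carrier's dump rules and return who
    links the two scenes, with and without the voice-only restriction."""
    out = {}
    for carrier in ("VERIZON", "ATT"):
        d1 = tower_dump(records, carrier, *SCENE_1)
        d2 = tower_dump(records, carrier, *SCENE_2)
        out[carrier] = common_subscribers(d1, d2)
    # Same Verizon records, pretending the dump carried SMS and data too.
    full = CARRIER_DUMP_TYPES["ATT"]
    out["VERIZON_if_all_types"] = common_subscribers(
        tower_dump(records, "VERIZON", *SCENE_1, types=full),
        tower_dump(records, "VERIZON", *SCENE_2, types=full),
    )
    return out


if __name__ == "__main__":
    for name, numbers in analyse().items():
        print(f"{name:22s} {sorted(numbers)}")
```

Run it and the Verizon pass links only the caller, 5550001, to both scenes; the same records under AT&T’s rules would also surface 5550002, who only texted at each tower. The practical point for anyone reading a dump: a number missing from a voice-only dump has not been cleared, and without sector data a hit places a phone somewhere within the whole tower footprint rather than one wedge of it.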

All of the presentations are below.

Sprint does not offer the variety of data that AT&T does, but its retention of subscriber information, according to the PATC presentation, is “Unlimited.”

“T-Mobile has recently changed their records. For a long time they could not supply SMS locations, and in many instances were not able to supply sector information for calls. In the last few months the records have changed drastically.”

Take note that the presentations don’t say “get a subpoena”; rather, trainees are instructed simply to obtain records through “legal process.”

There are many scenarios under which third parties other than law enforcement and your service provider might obtain your call metadata, as highlighted in this detailed presentation on cell phone data analysis by a private insurance investigator.

Image from presentation by Bill McGirk CTF, Cellular Solutions, LLC

For those irksome situations where one must get a warrant or whatever, PATC includes templates with language for serving different carriers.

PATC trains police on DART Pro and Maplink, call-record mapping software that the company’s literature says its own investigators use.

Trainers at PATC also show cops how to extract all of the data from physical devices with tools like Oxygen Forensic Detective.

For those of you thinking “Stingray or GTFO,” we have something for you.

PATC also trains law enforcement on offensive SIGINT/COMINT hacking with equipment manufactured by SRT Wireless.

Most of that presentation outlines the basics of WiFi and the threat landscape.

Six “WiFi Exploit Tools” are mentioned, but only four are featured.

Two are bread-and-butter 802.11 hacking programs, Kismet and Aircrack-ng.

Cardinal / Shadow

Florida’s FDLE, the state law enforcement agency, purchased a Cardinal system in 2015.

The technology is closely guarded — as you can see, the cost is even redacted in the above Homeland Security document.

Sunrise, Florida, on the other hand, did not redact the price from the quote it uploaded to the municipal cloud alongside a Harris Corporation purchase order (see the “Pricing” link). The quote covers the Cardinal-3 vehicle-mounted WiFi tracking system plus the Gatekeeper “Leave Behind” device, a Nokia Sidekick programmed to alert the user when a target is in range.

This is part one of at least three on the subject, and perhaps more on PATC alone, given its ubiquity.

All of the documents linked above, and more, will be compiled in this Google Drive folder.


Making videos from Powerpoints! Arts and crafts!
