Physical Search

Preparation

Searching

Checklist



Telephone Search

Residential Telephone Systems

Commercial Telephone Systems

Outside Plant Searches



Specific Device Searches

Devices



Physical Search



Physical search is by far the most effective method of locating surveillance devices if properly executed. To find surveillance devices you'll need to be careful and methodical, and you'll need a workable plan of attack. Begin by finding a place to prepare yourself outside the area you're going to inspect.



Preparation


Get a roll of kraft paper, some masking tape and a fistful of Sharpie markers in different colors. Tack a good-sized piece of kraft paper up on a wall and sketch a separate floor plan for every room you plan to search, noting large pieces of furniture, electrical outlets, stereo equipment, intercoms, and telephone and data jacks. Label electrical stuff in red, phone lines and jacks in orange, HVAC in blue, etc. Make a note of what kind of floor covering is in each room (carpet, tile, etc.) and what the ceiling material is (plaster, tile, panelling, etc.).


Get your equipment together and lay it out neatly. Make sure the disposable batteries are fresh out of the pack and the rechargeables fresh off the charger. Check that everything turns on, tunes in and does not drop out. Once you're sure all tools are ready, and you have a chart of what's where and what could be hidden where, the actual search begins.

 


Begin by taking a flashlight and shining it at an angle across the walls. Any small holes will be immediately noticeable. If you see any small holes in the wall, jam a darning needle into them. HARD. Look for odd discolorations (caused by poorly matched paint covering fine wires or metallic paint) or bumps (from devices covered by well matched paint, or under wallpaper) too. At this point a professional team would likely use a thermography scan or X-ray to determine what is inside or behind the walls.


Once you're satisfied that there are no tiny holes in the wall that could be housing a microphone or small camera and that there is nothing lurking under the wall coverings, get on your hands and knees and direct your light at the junction between the walls and the floor looking for fine wires. Rake at the carpet edges with a dental pick.


At this point, you'll want to start looking for both wires and batteries, the other tell-tale sign of a surveillance device. Get an inspection mirror and start looking under any semi-permanent fixtures in the room. Any light fixtures in the area will need to be checked for light modulators and carrier current devices. Take them apart and look for circuit boards (lights don't need any). Face plates should come off all light switches and power outlets. The covers should be taken off all phone and data jacks. Anything that doesn't look like it belongs probably doesn't.


Have you looked everywhere? You're sure? Have you lifted the ceiling tiles and made sure there was nothing lurking on the other side? Taken the cover off the smoke detector and compared it to a detector of the same make and model that you just bought? Did you check the upholstery for signs of tampering, including underneath? Did you stand on a chair and check the top of every air core door looking for holes? You remembered to look at the bottom of the door with an inspection mirror, didn't you? Hot air registers were removed and the ducts inspected? The list could go on for pages (and does in A Beginning Sweepers Handbook); but the point is that you'll need to exercise both your paranoia and your imagination in order to root out surveillance devices.


 

Physical Search Checklist


Hardwire

[ ] Floorboards examined with pick and high-intensity light

[ ] Walls examined for fine wires

[ ] Hollow doors examined top, bottom and under hinges

Carrier Current

[ ] Covers removed from electrical outlets

[ ] Covers removed from light switches

Contact

[ ] Walls examined for small holes

[ ] Ceiling tiles lifted

Phones

[ ] Jacks disassembled

[ ] Raceways examined

[ ] Wires traced back visually

Cameras

[ ] Walls examined for small holes

Light

[ ] All lights examined for signs of tampering

RF



Searching residential lines:
 
By far the most productive portion of any phone sweep is the physical search. Get a mag-lite, spudger (or dental pick) and a dentist's mirror. Start at your phone and trace the wire back as far as you can. Take the cover off every phone jack and tug at the wire regularly (look for fine wires connected to the line). If you see a 66 block, look behind it with the mirror. There should be no wiring or paint on the back.

If you can trace your wiring back to the demark point, open the thing up and have a look around. You should see no splices attached to your pair. If the line terminates in an NID, open the side labeled "Telco Access Only" (you'll need a 3/8th nut driver). Probe around looking for splits, things that don't appear to belong, etc. The majority of a demark's parts are modular, so remove them and look inside and behind them.


 
 

Searching commercial lines:

Searching in an office environment presents a whole new universe of problems (not the least of which being "What are you doing here?"). Commercial buildings have complex phone systems and cabling, making the physical search several magnitudes more difficult, but not impossible. Trace the line back from your phone to its jack, looking for fine wires or other things that look out of place. If your phone uses a 25 pair cable, like the ones below, look for bits of glue or tape that might be covering up slits in the sheath or other signs of tampering. If the wiring ends in a jack, take the cover off and have a look around. Talk to a networking guy before removing the jack so you don't break it, or find out too late that fiber and telephone cabling were sharing a raceway. Next stop on the debugging will be the wiring cabinet.

Wiring cabinets are part of what makes office networks unique. Wiring cabinets are the walk-in closets found on every floor of a building housing that particular floor's phone and LAN equipment. Each cabinet should be locked up tight. If it isn't, complain loudly to the networking staff. Unlocked wiring closets make transmitter placement WAY too easy. Unlock the cabinet and have a look around; there should be no signs of recent spray painting (could be used to cover fine wire leads or metallic paint leads), no wires on the back of the wiring blocks, and everything with a tag labeled "Do Not Remove" with a telco logo on it should be checked. Check again for cables with tape or paint on them that could be covering tamper marks. Pull apart Amphenol connectors and single line taps to confirm that there is nothing hidden inside. Don't get overwhelmed if there are LOTS of cables; the hellish tangle of wires in the cabinet can be sorted through by color code. Because you're looking for devices connected to phone lines, pay particular attention to blue (horizontal voice), orange (telco trunks) and red (key system cabling) cross connect cables.

After confirming all wiring closets are clear, check the main closet (usually in the basement). This is where telco trunks appear, and a good amount of heavy-duty networking gear is stored. Check just like you did the wiring cabinet.

* Note: This is likely not a step that should be taken by the average person.

Now the real nightmare begins: checking inter-floor cabling. Ceiling risers, elevator shafts and floor ducts are often used to run network and telephone cable, and because of their inaccessibility, make perfect places to hide wiretaps.

Before you start disassembling your phone, it would be wise to put a frequency counter next to the phone and take it off hook. Call a number that probably won't be answered anytime soon (like your ISP or the phone company). If the counter doesn't pick anything up after a few minutes, there's probably nothing in your phone. It's time to start checking your phone.
 
 
Searching in the outside plant: 

Disclaimer: Messing around in the OSP is illegal, difficult and dangerous, but so are many telephone intercepts. Visually trace your telephone's wiring from the demark to as far back as you can. Remember that wiretappers need access to your line, so look for places where it can be gotten at easily (those cables are insulated with sheets of lead by the way, and any splicer will tell you it isn't easy to cut into them subtly). Is there anyplace where you can reach a boot or splice cabinet? How about if you had a ladder or if you were leaning out a window? If not, keep moving. If you can reach out and touch a splice enclosure or a cabinet, try and open it. Cabinets (like the one at left) are usually held closed with a 3/8th" screw. The cover on a splice enclosure is held on by a series of metal clips attached to the bottom. Look for signs of recent activity... recently stripped screw heads, new looking cable ties, etc. At some point you'll see a cable routed down a pole and into the ground. This cable is on its way to the central office through a maze of pressurized, underground ducts. There's very little need to worry about wires in the Earth.
 

 

I Found a Tap!!

Think you found something? Don't panic yet, as there are plenty of good explanations for what you found. Does it have a row of tiny little switches on it? It's probably an RF filter to prevent noise on the line, not a transmitter. Did you find extra wiring attached to your phone line (especially in an OSP setting)? More than likely it's a bridged tap, extra cable left over from a previous installation or provided for redundant cabling. Is your line split? It could just be a botched installation. If you're absolutely sure you've found an illegal surveillance device, take several pictures of it and arrange a meeting with a competent TSCM firm. Not a private investigator. Not someone connected to a spy shop. A reputable, professional sweep team. If you're in doubt, ask what kind of equipment they use, what sorts of training they've completed, and how many years they've spent in the business. If they try and feed you some line about classified government equipment (Note: many firms use proprietary instrumentation. Just be sure that everything they'll be using on a sweep isn't proprietary) or super secret training, politely tell them to go to hell. Any competent sweep technician will be able to tell you about the majority of the gear they typically use, where they were trained, and how long they've been in business.

Specific Device Searches


Contact/Spike Microphones: Take a flashlight and shine it at an angle across the walls. Any small holes should be immediately noticeable. If you do see any small holes in the wall, jam a darning needle into them. HARD. Look for odd discolorations (caused by poorly matched paint that could be covering fine wires or metallic paint) or bumps (from devices covered by well matched paint or under wallpaper). Lift ceiling tiles and peek into air vents, looking for telltale black boxes, wires, or anything else that seems out of place.

Hardwire Microphones: Get on your hands and knees and direct your light at the junction between the walls and the floor looking for fine wires. Pull up the carpet edges, too. Check all microphones in the area for additional wires. Speakers should be examined for signs of tampering.

Carrier Current Devices: All electrical appliances, light switches and power outlets should be checked for signs of tampering. Most simple appliances (such as lamps) don't need circuit boards. Check devices against schematics if possible.

Light Modulators: Check all lighting for signs of tampering. Circuit boards aren't a normal component of lights. Check against device schematics or a known clean sample. The circuitry needed for a light modulator can be hidden ANYWHERE inside of the power system.

Telephone Transmitters: Take the cover off your phone and compare it to a schematic or known clean sample. Even this isn't foolproof, as PK Electronik makes a transmitter the size and shape of a ceramic capacitor. Start at your phone and trace the wiring back to the phone jack. Remove the cover of the phone jack and have a look around. Continue to follow the wiring back as far as you can. At no point should you see anything but wires. If the line terminates in an NID, open the side labeled "Telco Access Only" (you'll need a 3/8th nut driver). The majority of a demark's parts are modular, so remove them and look inside and behind them. Look for obvious transmitters and coils.

Splits: Go over every inch of wiring looking for overt splices (be especially wary of splices not made with Scotchlock connectors) and fine wires attached to phone wiring (a small hooked dental pick is a godsend for this). Examine 66 blocks in wiring cabinets very closely; it's possible to run fine wires behind the block, or use paint traces.

Hookswitch Compromises: Take the cover off the phone in question and examine the hookswitch. There should be NOTHING connecting the two sides of the hookswitch, or contacts that are connected to them. Check the phone's housing for signs of tampering.

* Signs of tampering include stripped screws, fresh looking paint, recently chipped plastic, chipped paint, scrape marks.
