Chapter 4
Procedures and Actions Following the Discovery of an Actual or Suspected Clandestine Technical Surveillance Device or Penetration.
  1. Discovery by the Customer
    1. Inform the customer he should
      1. Secure the area in which the suspect device is located.
      2. Continue operating in as normal a manner as possible, at the same time discontinue any discussions in which sensitive information takes place. Do this in as non-alerting a manner as possible.
      3. Not attempt to locate and/or remove the device from the area prior to the arrival of the TSCM team.

  2. Discovery by the TSCM team
    1. Inform the customer he should maintain normal operations EXCEPT all information of a sensitive or classified nature should cease.
    2. Work with the customer (security department) to insure that the area is secured and that the device (if located) is not removed or disturbed.
    3. Follow prescribed procedures for recommendations and/or assistance.
    4. Work with the customer to determine their desires. Explain their options.
      1. Locate and remove the device.
      2. Locate the device, but leave it in place and attempt to identify the potential listening posts (LP).
      3. Locate the device and/or feed false and misleading information. (Insure that the customer realizes this is an extremely difficult operation to undertake and should be attempted only by those with the proper knowledge and training.)
      4. Notify the proper authorities. Wiretapping and eavesdropping are illegal and are criminal acts punishable by a fine and/or imprisonment.

  3. Written Log Detailing Activities
    Initiate a written log (may be supplemented, not replaced, by audio recorder) in which all activities are logged. Entries should be in the form of TIME and a single entry for that time period. Subsequent entries should be under a different time entry.
    1. The written log should contain, as a minimum, the following information:
      1. Time of any pertinent activity.
      2. Names of ALL persons briefed on the existence of the device.
      3. Information describing how the device was located or discovered, to include names of persons making the discovery.
      4. Location, room number, building number, floor plan drawing showing location, etc.
      5. Activities taking place when the device was located. Include any recent events taking place in the area.
      6. Information pertaining to the actual device, prior to removal:
        1. Transmitting device
          1. Frequency
          2. Type modulation
          3. Estimated range
          4. Size and location
          5. Pictures
          6. Measure the distance from the device and obtain an RF or S meter reading for future reference. Obtain these readings hourly for the duration of the time the device is left installed.
          7. Obtain audio recordings for later analysis.
            1. Line borne Intelligence
              1. Type line (Number and locations of instruments if found on a telephone line.
              2. Type of modulation
              3. How located
              4. Area of origination
              5. Estimated range
              6. Obtain audio recordings for later analysis.
              7. Trace the line pair back to its origin if possible in an attempt to locate the listening post. If the listening post is located, either photograph or make a sketch of the location of the equipment employed. Include manufacturers, model numbers and serial numbers if possible. Do not disturb the positioning of the equipment if at all possible as the location may be alarmed.

      7. Information pertaining to the device after removal:
        1. Transmitting device
          1. Power requirements
          2. Physical size and description
          3. Whether the device was disguised (Trojan Horse) or merely hidden in an area of convenience.
          4. Voltage of the power source. (If the device was battery operated, what was the voltage of the power source when removed. Describe battery and measure voltage while in operation as well as when disconnected from device.) Do not discard the power source, disconnect it as soon as possible after removal of the device and provide BOTH for analysis and evaluation. (This may be performed by your organization, local police, or a federal agency.)
          1. Line borne device
            1. 1 Determine whether the device operates both on hook and off hook if installed on a telephone or telephone line.
          2. Determine operating voltages.
          3. Physical size
          4. Was the device disguised (Trojan Horse) or hidden in an area of opportunity.
    NOTE: NEVER ATTEMPT TO COMMIT ANYTHING OF ANY IMPORTANCE TO MEMORY. WRITE IT DOWN. PUT IT ON TAPE. NEVER ATTEMPT TO COMMIT IT TO MEMORY. THIS CANNOT BE OVERLY STRESSED.

    DON'T BE AFRAID TO BE REDUNDANT. THERE CAN NEVER BE TOO MUCH INFORMATION. IT IS EASIER TO DELETE INFORMATION THAN TO TRY TO RECALL OR RECONSTRUCT IT.