Camera Detection · Volume 12
CameraDetection Volume 12 — The sweep workflow and methodology
Seven-stage room-sweep playbook · modality order rationale · Airbnb and hotel field version · instruments point, humans confirm
12.1 About this volume
The volumes before this one established the detection physics (Vols 2–4), the per-emission-class deep dives (Vols 5–6), the DIY device designs (Vols 7–8), the commercial detector survey (Vol 9), the open-source project landscape (Vol 10), and what the gear already on the bench can do today (Vol 11). Every prior volume established what works and why. This volume answers the complementary question: in what order do you run the methods, how do you sequence them, and when do you stop?
The answer is not “run everything at once.” Detection methods differ by cost, by time to execute, by the camera classes they catch, and by the power states they cover. Running them in the wrong order wastes time, misses evidence, and produces the false confidence of a “clean sweep” that has not closed all the gaps. This volume assembles the full procedure: a seven-stage room-sweep playbook (§2), the rationale for the stage order (§3), a ten-minute field version for Airbnb and hotel use (§4), and the professional discipline that ties it all together — instruments point, humans confirm (§5).
[Three honest constraints — load-bearing throughout this volume]
- Non-emitting SD-only and wired cameras defeat every RF stage. No RF sweep, Wi-Fi scan, or network fingerprint finds a camera that transmits nothing. Stages 1 and 2 are completely blind to this class. The sweep must continue through Stages 3–7 to have any meaningful chance of finding a non-emitting camera.
- Wi-Fi detection is fingerprint plus behavior — not magic. OUI matching breaks under MAC randomization and generic chipsets. Traffic-rate / motion-correlation (Vol 3 §5) is the robust tell. A clean Stage 2 means no camera-brand device was visible on the network at scan time — not that no Wi-Fi camera is present.
- Analog and cellular cameras require different radios than the Wi-Fi scanner. An ESP32 Wi-Fi scan is fully blind to FM-video carriers on 1.2 GHz, 2.4 GHz, and 5.8 GHz. A HackRF or RTL-SDR sweep is the required instrument for those bands. The two paths are complementary, not interchangeable.
Posture. Every stage of this sweep is oriented toward defensive counter-surveillance: finding cameras installed in a space you occupy and are authorized to inspect — the hotel room you are sleeping in, the Airbnb bathroom, the changing room at a gym you use. Offensive-adjacent steps (deauth-confirm; analog FM-video demodulation of a found carrier) are gated to consenting-environment use and cross-referenced to ../../_shared/legal_ethics.md.
Provenance. All per-stage time estimates, detection-range claims, and sensitivity figures are spec-sourced from vendor documentation, published research, and prior volumes in this series, pending bench verification against actual camera hardware.
[FIGURE SLOT — Vol 12, § 1] A sweep in progress: a person in a hotel room holding a SpyFinder Pro lens finder at eye level, with a smartphone running Fing on the desk and a PortaPack H2+ spectrum analyzer nearby. Source: Photo Helper search “hotel room hidden camera detector sweep SpyFinder Pro” — or a TSCM vendor product-demo photo. Caption when filled: “Figure 12.1 — A layered room sweep combining a network scan (phone), lens retroreflection finder (SF-103P), and spectrum analysis (PortaPack). No single instrument covers all camera classes; the procedure’s value is in the combination. Photo: [credit]. [License].“
12.2 The room-sweep playbook
The room-sweep playbook sequences every modality established in Vols 2–11 into a single defensible workflow, ordered from broad-and-fast to narrow-and-definitive. Every stage feeds into the “instruments point, humans confirm” discipline in §5: an instrument flags an anomaly, a human physically investigates it, and the result is a confirmed find or a confirmed false positive.
The flowchart below is the load-bearing centerpiece. Read it top-to-bottom as a decision sequence with branching at each hit.
═══════════════════════════════════════════════════════════════════════════════
THE SEVEN-STAGE ROOM-SWEEP FLOWCHART
═══════════════════════════════════════════════════════════════════════════════
╔════════════════════════════════════════╗
║ STAGE 0: ENTRY AND PREPARATION ║ 3–10 min
║ Document baseline — sketch layout; ║
║ photograph smoke detectors, USB ║
║ chargers, picture frames facing bed; ║
║ note any unfamiliar objects. ║
╚═══════════════════╤════════════════════╝
│
▼
╔════════════════════════════════════════╗
║ STAGE 1: BROADBAND RF SWEEP ║ 5–15 min
║ Tool: HackRF + osmocom_fft / ║
║ PortaPack Mayhem; or broadband bug ║
║ detector (K18-class fallback). ║
║ Sweep 1.2 / 2.4 / 5.8 GHz bands ║
║ for persistent narrowband FM carrier. ║
╚═══════════════════╤════════════════════╝
│
┌────────────┴───────────────┐
│ CARRIER FOUND? │
┌────┴─────┐ ┌─────┴────┐
│ YES │ │ NO │
│ WFM demod│ │ Stage 2 │
│ confirm; │ └─────┬────┘
│ RSSI walk│ │
│ to source│ │
│ (legal_ │ │
│ ethics) │ │
└────┬─────┘ │
└────────────────────────────┤
▼
╔════════════════════════════════════════╗
║ STAGE 2: WI-FI NETWORK SCAN ║ 5–15 min
║ Sub-A: Fing on room Wi-Fi — OUI + ║
║ mDNS / ONVIF discovery. ║
║ Sub-B: AWOK Marauder scanap/scansta ║
║ — off-net radio visible. ║
║ Sub-C: PCAP + tshark traffic-rate ║
║ motion-correlation confirm. ║
╚═══════════════════╤════════════════════╝
│
┌────────────┴───────────────┐
│ CAMERA CANDIDATE? │
┌────┴─────┐ ┌─────┴────┐
│ YES │ │ NO │
│ RSSI walk│ │ Stage 3 │
│ + RTSP │ └─────┬────┘
│ probe; │ │
│ physical │ │
│ locate │ │
└────┬─────┘ │
└────────────────────────────┤
▼
╔════════════════════════════════════════╗
║ STAGE 3: OPTICAL LENS RETROREFLECTION ║ 10–20 min
║ Tool: SpyFinder Pro SF-103P ║
║ (ring LED finder, 2–14 m stated); ║
║ or phone flash + front cam at < 2 m. ║
║ Darken room; sweep horizontal strips. ║
║ ★ Works on POWERED-OFF cameras ★ ║
╚═══════════════════╤════════════════════╝
│
┌────────────┴───────────────┐
│ GLINT FOUND? │
┌────┴─────┐ ┌─────┴────┐
│ YES │ │ NO │
│ Mark; │ │ Stage 4 │
│ inspect │ └─────┬────┘
│ every │ │
│ glint │ │
└────┬─────┘ │
└────────────────────────────┤
▼
╔════════════════════════════════════════╗
║ STAGE 4: IR-EMITTER SPOTTING ║ 3–5 min
║ Tool: Phone front camera ║
║ (verify IR sensitivity first: ║
║ TV remote test; front cam glow = OK). ║
║ Darken room completely; sweep for ║
║ white/purple 850/940 nm LED glow. ║
╚═══════════════════╤════════════════════╝
│
┌────────────┴───────────────┐
│ IR GLOW FOUND? │
┌────┴─────┐ ┌─────┴────┐
│ YES │ │ NO │
│ Physical │ │ Stage 5 │
│ inspect │ └─────┬────┘
│ source │ │
└────┬─────┘ │
└────────────────────────────┤
▼
╔════════════════════════════════════════╗
║ STAGE 5: THERMAL TRIAGE ║ 5–10 min
║ Tool: FLIR ONE Gen 3 (~$199) or Pro ║
║ (~$399). Sweep all room surfaces; ║
║ flag warm anomalies (powered cameras ║
║ run 5–15 °C above ambient, ║
║ spec-sourced). ║
╚═══════════════════╤════════════════════╝
│
┌────────────┴───────────────┐
│ THERMAL ANOMALY? │
┌────┴─────┐ ┌─────┴────┐
│ YES │ │ NO │
│ Cross │ │ Stage 6 │
│ with │ └─────┬────┘
│ Stage 3; │ │
│ inspect │ │
└────┬─────┘ │
└────────────────────────────┤
▼
╔════════════════════════════════════════╗
║ STAGE 6: NLJD (PROFESSIONAL) ║ 15–30 min
║ Tool: REI ORION 2.4 HX + 900 HX ║
║ (~$10k–$15k each, spec-sourced). ║
║ Detect semiconductor junctions. ║
║ ★ Works on POWERED-OFF cameras ★ ║
║ Skilled operator + 2nd/3rd ratio ║
║ check + tap test required. ║
╚═══════════════════╤════════════════════╝
│
┌────────────┴───────────────┐
│ HARMONIC HIT? │
┌────┴─────┐ ┌─────┴────┐
│ YES │ │ NO │
│ Ratio + │ │ Stage 7 │
│ tap test;│ └─────┬────┘
│ inspect │ │
└────┬─────┘ │
└────────────────────────────┤
▼
╔════════════════════════════════════════╗
║ STAGE 7: PHYSICAL SEARCH + BORESCOPE ║ varies
║ Tool: Eyes + flashlight + ║
║ borescope (~$50–$2,000) + ║
║ cable tracer (Triplett Fox & Hound). ║
║ Check ALL flagged locations + ║
║ systematic baseline of high-risk ║
║ objects (smoke dets / USB chargers / ║
║ picture frames / clocks / vents). ║
╚═══════════════════╤════════════════════╝
│
▼
╔════════════════════════════════════════╗
║ SWEEP COMPLETE ║
║ Document all anomaly verdicts. ║
║ "Clean sweep" ≠ "no camera present." ║
║ State which stages were executed and ║
║ which gaps remain (e.g., no NLJD). ║
╚════════════════════════════════════════╝
───────────────────────────────────────────────────────────────────────────────
Coverage summary:
Stage 1: Analog wireless cameras (1.2 / 2.4 / 5.8 GHz FM-video)
Stage 2: Wi-Fi/IP cameras (on-net + off-net radio visible)
Stage 3: ALL camera classes in ALL power states via lens optics
Stage 4: Powered cameras with active night-vision IR LEDs
Stage 5: Powered cameras generating heat
Stage 6: Powered-OFF cameras with semiconductors (professional only)
Stage 7: Everything remaining — definitive catch-all
───────────────────────────────────────────────────────────────────────────────Critical callout — a “clean” RF sweep does NOT mean “no camera is present.” Stages 1 and 2 together cover only RF-emitting cameras that happen to be transmitting during the scan window. An SD-only camera recording to a microSD card is invisible to every RF and network method, regardless of instrument quality or sweep thoroughness. The sweep is complete when Stage 7 is complete — not when Stage 2 is clean.
12.2.1 Stage 0 Entry and preparation
Before any instrument is unpacked, document the room. This baseline lets every anomaly flagged in Stages 1–7 be assessed against the room’s normal state.
Table 1 — 2.1 Stage 0 Entry and preparation
| Task | Purpose |
|---|---|
| Sketch or photograph room layout | Reference for anomaly location logging |
| Photograph all smoke detectors | Any with extra lens holes, extra lenses, or unfamiliar branding are Stage 3/7 priority targets |
| Photograph all USB wall outlets and chargers | Camera-in-USB-charger is a documented real-world placement vector |
| Count and locate picture frames facing sleep / changing areas | High-risk lens concealment locations |
| Note any object that seems new, out of place, or inconsistent with room style | Newly-placed objects rank higher in Stage 7 physical search |
| Check the phone’s Wi-Fi SSID list before joining any network | A camera AP (“IEGEEK_Cam”, “DLink_CAM”, hidden SSID with unusual signal) may be visible without association |
Time (spec-sourced): 3–5 min for a hotel room; 8–12 min for a furnished apartment with multiple rooms.
12.2.2 Stage 1 Broadband RF sweep
What it targets. Analog wireless cameras transmitting FM-video carriers on the 1.2 GHz (1080–1300 MHz), 2.4 GHz (2400–2500 MHz), or 5.8 GHz (5725–5875 MHz) ISM bands. These are always-on transmitters — visible from the moment they power up.
Instrument options:
Table 2 — Instrument options:
| Instrument | Coverage | Signal ID | Demod confirm | Budget |
|---|---|---|---|---|
| K18-class broadband detector | ~1–3 GHz effective | Power only (no frequency ID) | No | $20–60 |
| RTL-SDR v3 (aspirational) | 25 MHz–1.7 GHz standard | Waterfall display | FM audio | ~$30 |
| HackRF One + PortaPack H2+ | 1 MHz–6 GHz | Full waterfall + spectrum | WFM demod — watch the video | ~$500 owned kit |
| REI MESA 2.0 (TSCM professional) | 10 kHz–6 GHz calibrated | SmartBars, signal-type ID | Yes | ~$13k–$16k |
HackRF quick sweep (owned equipment):
# Sweep 2.4 GHz band (dominant analog cam band) — adjust freq/rate for other bands:
# 1.2 GHz: --freq 1200e6 --rate 10e6 --gain 16
# 5.8 GHz: --freq 5800e6 --rate 20e6 --gain 32
osmocom_fft --args "hackrf=0" --freq 2450e6 --rate 20e6 --gain 20 \
--fft-size 4096 --peak-hold
# An analog FM-video carrier appears as a persistent spike of roughly 8–14 MHz RF
# bandwidth (6–8 MHz video baseband, FM-modulated — Carson's rule) —
# NOT the 22 MHz OFDM shape of 802.11 traffic; present continuously, not bursty.
# At 3 m, a 10 mW spy cam produces approx. −75 to −85 dBm at the HackRF antenna.
# Spec-sourced — bench verify against actual analog camera hardware.On a hit. Tune gqrx to the carrier; set WFM demod, 8 MHz bandwidth. A camera produces FM-video baseband (50/60 Hz sync hum audible; composite video display via capture card). A baby monitor produces audio. Demodulation is the confirm step — gated to consenting-environment use per ../../_shared/legal_ethics.md and Vol 6 §2.7.
What Stage 1 misses. All non-emitting cameras (SD-only, wired); all Wi-Fi cameras transmitting OFDM (not FM); cellular cameras (licensed bands, low duty cycle, encrypted). A clean Stage 1 rules out actively transmitting analog-band cameras in range at scan time, nothing more.
Cross-references: Vol 2 §4 (RF/spectrum physics, analog-video band plans), Vol 6 §2 (FM-video demodulation procedure), Vol 9 §2–3 (commercial detector tier comparison).
12.2.3 Stage 2 Wi-Fi network scan
What it targets. Wi-Fi/IP cameras on the 2.4 GHz 802.11 band — either on the property network or operating their own AP. The stage runs three complementary sub-tracks.
Sub-track A — on-network scan (Fing, 2 min). Join the room’s Wi-Fi → Fing → Scan Network. Every device gets enumerated by OUI-resolved vendor, mDNS service, and IP. Camera-brand entries (Hikvision, Dahua, Wyze, Reolink, TP-Link Tapo, Amcrest, Eufy) are immediate candidates. Check Services for _rtsp._tcp and _onvif._tcp entries — direct camera indicators independent of OUI.
Sub-track B — off-network radio scan (AWOK Marauder, 5 min). Run scanap and scansta in Marauder to enumerate all APs and clients using the ESP32 in monitor (802.11 packet-capture) mode — including cameras on isolated SSIDs or their own AP. Cross-reference each MAC against camera-vendor OUI prefixes (Vol 5 §3.1; Vol 7 §5 full table). The radio is always visible even when the camera is off the property network.
Sub-track C — traffic-rate confirmation (PCAP, 2 min). The most robust detection tell for a Wi-Fi camera is uplink bitrate spike when motion is induced in its field of view (full treatment in Vol 3 §5):
# After PCAP capture from Marauder SD card (start/stop via startpcap/stoppcap):
# Walk across the camera's suspected field of view for 30 sec during capture.
tshark -r capture.pcap \
-Y "wlan.sa == 2c:aa:8e:f1:23:45" \
-T fields -e frame.time_epoch -e frame.len \
| awk '{s+=$2; if(NR%30==0){print NR/30"s:"s"B"; s=0}}'
# A camera's uplink rises 2–5× during motion and returns to baseline when still.
# This works through WPA2 encryption — ciphertext frame sizes track VBR bitrate.Deauth-force-reconnect (to observe a suspected camera’s reconnect behavior) is an optional escalation — gated to consenting-environment use per ../../_shared/legal_ethics.md.
On a hit. Run setchannel N to lock the Marauder to the camera’s channel; walk toward improving RSSI in 1 m steps, pausing 3–5 seconds to let the scan interval refresh; physically inspect the peak-RSSI area (Vol 5 §5.4 full RSSI-walk procedure). Probe RTSP port 554; ONVIF HTTP (port varies by manufacturer — 80, 8080, or 8899 — see Vol 5 §5 for the full port scan) if on-network access is available.
What Stage 2 misses. SD-only cameras, wired cameras, analog wireless cameras, cellular cameras, and any Wi-Fi camera that is not transmitting at scan time. A perfectly clean Stage 2 rules out actively transmitting 2.4 GHz cameras visible on or near the property network at scan time — not anything beyond that.
Cross-references: Vol 3 (OUI fingerprinting, mDNS/SSDP/ONVIF, traffic-rate), Vol 5 (IP-camera network behavior, RSSI-walk), Vol 11 §3 (Marauder station-scan workflow on owned hardware).
12.2.4 Stage 3 Optical lens retroreflection
What it targets. Every camera with an exposed lens — regardless of emission class, power state, or whether the device has a battery. Stage 3 is the only consumer-accessible method that catches a fully powered-off SD-only camera. The physics (Vol 4 §5): a camera lens retroreflects coaxially-placed illumination toward the observer because the lens elements and CMOS sensor form a cat’s-eye retroreflector.
Primary instrument: SpyFinder Pro SF-103P (~$148, web-verified). Red LED ring surrounding a central viewfinder; operator sweeps while peering through the viewfinder. A camera lens returns a persistent, depth-recessed glint that tracks with illumination angle — unlike specular surface flashes (metal screw, glass bottle, mirror) that appear at only one angle and vanish. Detection range: 0.6–14 m stated; conservatively 2–4 m for pinhole apertures in ambient lighting (spec-sourced, pending bench verification — Vol 9 §5.2).
Fallback. Glint Finder app (Android) activates the rear flash and toggles it while displaying the front camera; works at < 1–2 m for larger lenses. Phone flash + front camera as viewer approximates coaxial geometry at close range (Vol 11 §6.3–6.5).
Sweep procedure:
Table 3 — Sweep procedure:
| Step | Action |
|---|---|
| 1 | Dim room lights — closes curtains, reduces lamp brightness |
| 2 | Start at room entry; sweep in slow horizontal strips, top to bottom |
| 3 | Repeat from a second vantage point — recessed lenses may only reflect at certain angles |
| 4 | Prioritize: smoke detectors, USB chargers, alarm clocks, picture frames, air vents, decorative objects |
| 5 | Mark every glint with a sticky note or phone annotation |
| 6 | Physically inspect every marked location — no exceptions |
False-positive discipline. The false-positive rate in a furnished room is high — eyeglasses, glass bottles, metal screws, picture frame glass, mirrors. Every glint gets physically inspected. Skipping any glint leaves an unsweep gap. Full false-positive profile: Vol 4 §5.5.
Stage 3 is the non-emitting camera’s only consumer-accessible chance. An SD-only camera that is completely powered off can only be found by the optical sweep (Stage 3), NLJD (Stage 6, professional), or physical search (Stage 7). Executing Stage 3 carelessly is the single largest defensible-sweep gap for the non-professional sweeper.
12.2.5 Stage 4 IR-emitter spotting
What it targets. Night-vision cameras with active 850 nm or 940 nm infrared LED arrays. Zero additional hardware required beyond the phone already in the sweeper’s pocket.
Prerequisite: verify phone front camera IR sensitivity. Point a TV remote at the phone’s front camera and press a button. If you see the IR LED as a white/purple flash on screen, the front camera is usable. If not, the front camera has a full IR-cut filter — skip Stage 4 or use a different phone.
Procedure. Turn off all room lights to complete darkness. Open the front camera in video mode; disable night mode. Sweep slowly across all smoke detectors, USB outlets, picture frames, and decorative objects. An active 850/940 nm LED array appears as a bright white or purple-tinted cluster — unmistakably different from the ambient dark. Mark every glow and physically inspect.
What Stage 4 misses. Any camera without IR LEDs; cameras in standby (IR off); powered-off cameras; phones with full IR-cut front cameras. Stage 4 is a cost-zero supplement to Stage 3, not a substitute. Full treatment: Vol 4 §6.
12.2.6 Stage 5 Thermal triage
What it targets. Powered cameras generating heat — CMOS sensor, voltage regulator, Wi-Fi SoC, flash storage controller running at operating temperature. A powered camera in a typical enclosure runs 5–15 °C above ambient at its surface (spec-sourced from HeatDeCam CCS 2022 experimental conditions; actual delta varies with enclosure material and power consumption).
Instrument. FLIR ONE Gen 3 ($199–249, web-verified) attaches via USB-C; 80×60 px thermal, NETD < 150 mK. FLIR ONE Pro ($399) provides 160×120 px, NETD < 70 mK. At 3 m sweep distance, Gen 3 covers ~3.5 × 3.5 cm per pixel — a 15 mm camera module may span fewer than one pixel (spec-sourced).
Sweep. Hold the FLIR ONE at arm’s length and scan all surfaces at 2–3 m. Flag warm spots inconsistent with the object’s expected state: a smoke detector warmer than its neighbors, a USB charger block with anomalous heat distribution, a closed box that should be unpowered but is warm.
Defeat mechanisms. Thermal is defeated by insulation (camera inside thick ceramic), low-power sensors (< 500 mW → < 3 °C rise, marginal for Gen 3), cameras near other warm electronics, and powered-off cameras (no heat source). Full defeat table: Vol 4 §9.3, Vol 9 §6.2.
Stage 5 is a triage tool. Its role is to flag warm anomalies for physical investigation (Stage 7). It complements Stage 3 by providing evidence that a flagged location is powered and active.
12.2.7 Stage 6 NLJD
What it targets. Semiconductor junctions — regardless of power state. Every camera contains dozens of junctions (CMOS image sensor, voltage regulators, flash ICs, protection diodes). An NLJD transmits at f₀ and receives at 2f₀ and 3f₀ — harmonics only produced by a non-linear junction. The target device does not need to be powered. This is the only active electronic method that works on a completely powered-off camera.
NLJD is the professional’s answer to the power-off defeat. An adversary who powers down cameras before a sweep renders thermal, IR-emitter, EMI side-channel, and RF methods completely blind. NLJD is unaffected — the semiconductor junctions are detectable regardless of whether current is flowing. The optical sweep (Stage 3) and physical search (Stage 7) are the other powered-off-capable methods, but neither penetrates through walls and furniture without line-of-sight.
Instrument. REI ORION 2.4 HX (2.4 GHz excitation → 4.8/7.2 GHz harmonics; better resolution for surface-mount circuitry) and 900 HX (900 MHz → 1.8/2.7 GHz; better wall/furniture penetration). Price: ~$10,000–$15,000 per unit (spec-sourced; quote required from REI). Skilled-operator-dependent: the 2nd/3rd harmonic ratio + tap-test discrimination requires training. Full treatment: Vol 4 §7, Vol 9 §4.1.
Stage 6 placement. Stage 6 is late because it requires specialist equipment and a trained operator. For most traveler sweeps, Stage 6 is unavailable. Note this as an explicit gap in the sweep report — a clean sweep through Stage 5 without Stage 6 has not ruled out a powered-off SD-only camera beyond what the optical sweep (Stage 3) provided.
12.2.8 Stage 7 Physical search and borescope
What it targets. Everything the instruments missed — and every anomaly flagged in Stages 1–6 that requires a human to confirm or clear.
Stage 7 is the conclusion of the sweep. Every anomaly from prior stages gets physically investigated here (or inline at detection time). Additionally, Stage 7 provides a systematic baseline check of all high-risk locations that the instruments did not flag.
High-risk location checklist:
Table 4 — High-risk location checklist:
| Object | What to look for | Tool |
|---|---|---|
| Smoke detectors | Extra lens hole or second lens ring; any unfamiliar branding; PCB visible inside | Unscrew + flashlight |
| USB wall chargers and outlet blocks | Lens on any of the four faces (including cord-entry face) | Flashlight + borescope if enclosed |
| Digital photo frames / picture frames | Additional lens hole on face; extra weight suggesting added electronics | Remove + inspect |
| Alarm clocks and clock radios | Lens on face; heavier than expected (added PCB) | Remove + inspect |
| Air vents and HVAC grilles | Camera module at interior face | Flashlight + borescope |
| Plants and decorative items | Pinhole lens at soil/foliage boundary or in pot wall | Flashlight close-range |
| Wall-mounted TVs | Coaxial cable runs entering wall (wired cam); extra holes behind TV | Move TV; cable trace |
| Closet ceilings and under furniture | New wiring runs; coaxial cable; recently disturbed panels | Flashlight + cable tracer |
Borescope use. A flexible LED borescope (~$50–$200 consumer, ~$2,000 professional) allows inspection inside enclosed objects, wall voids (via existing holes), and appliance cavities without destructive opening. For smoke detector interiors, clock radio interiors, and closet ceiling voids, the borescope reduces false certainty without physical disassembly.
Wired-camera track. Wired cameras are detected by cable-side methods, not RF: a tone generator (Triplett Fox & Hound 3399, ~$95 spec-sourced) traces a coaxial or Cat5 run through walls. TDR locates impedance discontinuities (splices, taps) along a cable run. PoE/LAN scanning on the property network finds powered IP cameras connected by Cat5 (RTSP port 554; ONVIF HTTP port varies by manufacturer — 80, 8080, or 8899 — see Vol 5 §5; PoE wattage class). Full wired track treatment: Vol 4 §4.2, Vol 6 §5.
Cross-references: Vol 4 §11 (borescope and physical search), Vol 6 §5 (wired camera detection track).
12.3 The modality order
12.3.1 The sequencing principle
The seven stages follow one organizing principle: broad and fast first; narrow and slow last; definitive last of all.
Each stage adds coverage over the previous stages at increasing cost in time, money, operator skill, and equipment. The early stages are cheap, fast, and broad — they cover large fractions of the room quickly but are completely blind to non-emitting cameras. The late stages are slow, expensive, and definitive — they close the gaps the early stages leave open.
The sequencing rationale:
-
Capture the easy wins first. An always-on FM-video camera carrier is trivially visible in a 5-minute HackRF sweep. A naively installed Wi-Fi camera on the property network with its OUI in the Fing list takes 2 minutes to find. Skipping these because they feel too simple means spending hours in physical search for something that an SDR or a network scan would have flagged in minutes.
-
Use broadband results to scope the physical search. Anomalies flagged in Stages 1–3 (a carrier from the direction of the closet; an OUI match from an IP in the 192.168.x range; a glint from the smoke detector) narrow Stage 7 target list from “the entire room” to “three specific locations plus the room baseline.” Without Stages 1–3, Stage 7 is a complete blind search.
-
Cover powered-off cameras with the middle stages. Stages 1–2 are entirely blind to a powered-off camera. Stage 3 is the first stage that catches a powered-off camera — any camera with an exposed lens returns a glint regardless of power state. Stage 6 is the first stage that catches a powered-off camera even when the lens is obscured. If an adversary powers down devices before a sweep, the early stages give false confidence; Stages 3 and 6 are where the powered-off camera is caught.
-
Human confirmation is always the last step, per anomaly. For every anomaly flagged by any instrument, physical confirmation is the immediate next step. No stage ends without a verdict for every flag: confirmed find, or confirmed false positive.
12.3.2 Stage-order table
Table 5 — 3.2 Stage-order table
| Stage | Primary instrument | Catches (camera class) | Does NOT catch | Min. budget | Skilled op? | Time (spec-sourced) |
|---|---|---|---|---|---|---|
| 0: Prep | Eyes + phone notes | Establishes baseline; no detection | — | $0 | No | 3–10 min |
| 1: RF sweep | HackRF + osmocom_fft or K18 detector | Analog wireless cams: 1.2/2.4/5.8 GHz FM-video | ALL non-emitting; Wi-Fi (802.11 not FM); cellular | $20 (K18) / $500+ (HackRF) | No (K18); basic HackRF | 5–15 min |
| 2: Network scan | Fing + Marauder / Nyan Box + tshark | Wi-Fi/IP cams (on-net OUI/mDNS + off-net radio + traffic-rate) | ALL non-emitting; analog wireless; cellular; off-net with no visible radio | $0 (Fing) / $180 (Nyan Box) | No | 5–15 min |
| 3: Optical lens | SpyFinder Pro SF-103P or phone flash | ANY camera in ANY power state — powered-OFF lens is detectable | Deeply obscured lenses; lenses not in sweep line-of-sight | $0 (phone) / $148 (SF-103P) | No (discipline required) | 10–20 min |
| 4: IR-emitter | Phone front camera | Powered cameras with active 850/940 nm IR LEDs | No-IR cams; standby (IR off); powered-off; phones with full IR-cut front cam | $0 | No | 3–5 min |
| 5: Thermal | FLIR ONE Gen 3 or Pro | Powered cams generating heat above noise threshold | Powered-OFF cams; well-insulated cams; low-power cams | $199 (Gen 3) | No | 5–10 min |
| 6: NLJD | REI ORION 2.4 HX / 900 HX | Semiconductor junctions in ANY power state — powered-OFF detectable | PIM / rusty-bolt (ratio + tap test required); cams behind thick shielding | ~$15,000+ | Yes — essential | 15–30 min |
| 7: Physical | Eyes + flashlight + borescope + cable tracer | Everything instruments missed; all anomaly confirmations | Only what the operator physically skips | $50 (borescope) | No | Varies |
12.3.3 What each stage rules in and out
Table 6 — 3.3 What each stage rules in and out
| Stages completed | Definitively ruled out (at that location, at scan time) | What remains open |
|---|---|---|
| Stage 1 clean | Actively transmitting analog wireless cams in detection range at scan time | ALL non-emitting; Wi-Fi; cellular; cams not transmitting at scan time |
| Stages 1–2 clean | Above + transmitting Wi-Fi cams on or near the property network | ALL non-emitting; analog (missed by Wi-Fi scan); any cam not transmitting |
| Stages 1–3 clean | Above + cameras with exposed lenses at sweep angles and distances covered | Cams with deeply recessed/obscured lenses; sweep angles missed |
| Stages 1–5 clean | Above + powered cams above thermal detection threshold | Powered-OFF cams; insulated cams; cams below NETD threshold |
| Stages 1–6 clean (NLJD) | Above + cams with semiconductor junctions reachable by the NLJD probe | Cams behind thick shielding; NLJD probe positions not reached |
| Stages 1–7 clean | Maximum defensible claim: no camera found by any method in this sweep | Cams the operator physically missed; limitations noted in sweep report |
The honest ceiling: A clean sweep through all seven stages with proper instruments represents the most defensible counter-surveillance sweep available to a civilian or professional TSCM operator. It is not an absolute guarantee. A professionally installed pinhole camera with a deeply recessed lens, careful thermal insulation, and positioning that prevented NLJD probe access could survive a thorough sweep. State this limitation in every sweep conclusion.
12.3.4 Parallelism and time management
Some stages can run concurrently when equipment or staffing permits:
Table 7 — Some stages can run concurrently when equipment or staffing permits
| Concurrent pair | Method | Benefit |
|---|---|---|
| Stage 1 (HackRF on laptop) + Stage 2 (AWOK Marauder) | Both scan independently and simultaneously | Reduces Stages 1+2 combined time by ~40–50% |
| Stage 2 background (Fing running) + Stage 4 (IR sweep) | Fing runs autonomously while operator walks the IR check | Stage 4 costs 3–5 min; no instrument conflict |
| Stage 3 (SF-103P optical) + Stage 5 (FLIR ONE thermal) | Two-operator sweep of same zone | Cuts total sweep time roughly in half (requires two people) |
| Stage 7 physical + anomaly confirmations from prior stages | Physical inspection incorporates all prior-stage flags inline | Prevents visiting the same location multiple times |
Single-operator time budget for a standard hotel room (spec-sourced):
Table 8 — Single-operator time budget for a standard hotel room (spec-sourced):
| Stages completed | Single operator | Two operators |
|---|---|---|
| Stages 0–2 (network + RF) | 15–25 min | 10–15 min |
| Stages 0–5 (no NLJD) | 35–55 min | 20–35 min |
| Stages 0–7 (no NLJD) | 50–90 min | 30–55 min |
| Stages 0–7 with NLJD | 75–130 min | 45–75 min |
12.4 Airbnb hotel changing room field version
12.4.1 The field sweep philosophy
The full seven-stage playbook is appropriate when equipment is available and time is not severely constrained. In a vacation rental, hotel room, or changing facility, the traveler typically has: one smartphone, possibly one detector, 10–20 minutes, and no forensic accountability for the sweep outcome.
The field version’s goal: in 10 minutes with a phone, identify any naively installed camera — the overwhelming majority of real-world cases are cameras installed by non-expert property owners using off-the-shelf Wi-Fi cameras — and flag any location suspicious enough to warrant physical inspection or escalation. The field version is a triage, not a full defensive sweep.
What the field version realistically covers:
- Wi-Fi cameras on the property network via Fing (OUI + mDNS) ✅
- Camera-like SSIDs visible without joining the network ✅
- Obvious physical placements in known locations ✅
- IR-equipped cameras in darkness via phone front cam ✅
- Camera lenses at close range via phone flash retroreflection ✅ (limited range)
What the field version cannot cover:
- Analog wireless cameras (no spectrum analyzer) ✗
- SD-only cameras at > 1–2 m from sweep path ✗
- Off-network cameras using MAC randomization or generic chipsets ✗
- Cellular cameras ✗
- Wired cameras ✗
- Powered-off cameras at distance ✗
12.4.2 Phone-only sweep procedure
Stage-order note. This card runs the IR sweep (full-playbook Stage 4) at minutes 6–8 before the retroreflection check (Stage 3) at minutes 8–10, inverting the full-playbook order. The reason: the phone’s IR sweep costs zero extra time and no additional hardware, while phone-based retroreflection is range-limited to < 1–2 m and is slower to execute; the SF-103P that earns Stage 3 its earlier slot in the full playbook is not part of the phone-only kit.
Time budget: 10 minutes. Equipment: phone only.
┌──────────────────────────────────────────────────────────────────────────┐
│ PHONE-ONLY 10-MINUTE FIELD SWEEP CARD │
├───────┬──────────────────────────────────────────┬───────────────────────┤
│ Min │ Action │ Tool / App │
├───────┼──────────────────────────────────────────┼───────────────────────┤
│ 0–2 │ Join room Wi-Fi → Fing → Scan Network. │ Fing (free, iOS / │
│ │ Flag camera-brand OUIs. Check Services │ Android; fing.com) │
│ │ for _rtsp._tcp or _onvif._tcp entries. │ │
├───────┼──────────────────────────────────────────┼───────────────────────┤
│ 2–3 │ Phone Wi-Fi settings: view full AP list. │ Phone Settings │
│ │ Flag camera-like SSIDs ("iCamera", │ → Wi-Fi → more nets │
│ │ "DLink_CAM", hidden SSIDs at unusual │ │
│ │ RSSI suggesting a device in the room). │ │
├───────┼──────────────────────────────────────────┼───────────────────────┤
│ 3–6 │ Physical inspection — HIGH-RISK objects: │ Eyes + phone torch │
│ │ • All smoke detectors (extra lens hole?) │ │
│ │ • All USB wall chargers (all four faces) │ │
│ │ • Alarm clock faces │ │
│ │ • Picture frames facing bed or shower │ │
│ │ • Any new or out-of-context object │ │
├───────┼──────────────────────────────────────────┼───────────────────────┤
│ 6–8 │ Turn off all lights → front camera in │ Phone front camera │
│ │ video mode → sweep all high-risk objects │ (no app required) │
│ │ for IR glow (white/purple cluster). │ │
├───────┼──────────────────────────────────────────┼───────────────────────┤
│ 8–10 │ Lights on: phone flash at eye level + │ Glint Finder app │
│ │ front camera as viewer. Walk slowly │ (Android) or phone │
│ │ to within 1 m of each suspect surface. │ flash + front cam │
│ │ Inspect every retroreflective glint. │ │
└───────┴──────────────────────────────────────────┴───────────────────────┘If Fing finds a camera-brand device. Note the IP, vendor, and channel/RSSI. Walk toward stronger signal readings in the Fing device list. Physically inspect the highest-RSSI area.
If the IR check finds a glow. Note the direction and vertical angle. Turn lights on and physically inspect the exact location — the glow position in the phone display corresponds directly to the object’s horizontal and vertical direction from the camera lens.
If the flash retroreflection finds a glint. Physically inspect every glint at < 1 m. Even the phone flash can produce a detectable glint from a small pinhole lens at close range if the geometry is right. Skipping a glint leaves the sweep incomplete.
12.4.3 Phone plus one instrument
Adding a single instrument transforms the phone-only field sweep. Priority order:
Table 9 — Adding a single instrument transforms the phone-only field sweep. Priority order
| Instrument added | What it adds over phone-only | Cost | Strongest coverage expansion |
|---|---|---|---|
| SpyFinder Pro SF-103P | Optical retroreflection at 2–14 m vs. phone’s < 1–2 m; catches powered-OFF cameras at sweep distance | ~$148 | ALL camera classes in ALL power states at room-scale distance |
| FLIR ONE Gen 3 | Thermal triage for powered cameras; fast broad-area scan | ~$199–249 | Powered cameras running warm anywhere in the room |
| Nyan Box (aspirational) | Native Wi-Fi confidence scoring + real-time RSSI walk; no manual OUI lookup | ~$180 | Wi-Fi cameras on/off-network; replaces manual AWOK workflow |
| AWOK Dual Touch V3 (owned) | Marauder station scan + manual RSSI walk; catches off-network cameras | Owned | Wi-Fi cameras visible even without joining the property network |
The SF-103P is the highest-value single-add for the field sweep. The phone-only sweep is most constrained by the lens-retroreflection range gap — the phone flash technique works at < 1–2 m, leaving a 3–5 m gap at typical sweep distances. The SF-103P closes that gap and also finds powered-off SD-only cameras that no RF method can catch. At ~$148, it provides greater coverage breadth than the FLIR ONE and is the single-purchase recommendation for travelers who add only one instrument.
12.4.4 What the field version cannot rule out
What a clean 10-minute phone sweep genuinely rules out: Any naively installed Wi-Fi camera on the property network (Fing OUI + mDNS), any camera with active IR LEDs in a darkened room, and any camera with a lens exposed within 1–2 m of a reachable surface. That covers a substantial fraction of documented real-world covert camera deployments in vacation rentals — but not all.
What a clean 10-minute phone sweep does NOT rule out: Analog wireless cameras (1.2/2.4/5.8 GHz — no spectrum sweep). SD-only cameras at > 1–2 m from the sweep path. Off-network cameras using MAC randomization or generic OUI. Cellular cameras. Wired cameras. Cameras powered off at time of sweep. The field sweep is a triage — not a forensic sweep. State this limitation explicitly if you report the outcome to anyone.
12.5 Instruments point humans confirm
12.5.1 The principle
The principle, stated precisely: An instrument’s job is to produce anomaly flags — locations, frequencies, device entries, temperatures, or harmonic responses that differ from the expected background. The human’s job is to physically investigate every flag and produce a verdict — “confirmed camera” or “confirmed false positive” — before the sweep of that zone is considered complete. A sweep that stops at the instrument result and does not physically investigate every flag has not completed the sweep.
This principle was introduced in Vol 4 §2.2 in the context of non-emitting cameras and is restated here as the organizing spine of the entire playbook. It has one load-bearing corollary: the absence of instrument flags is not confirmation of absence. Each stage has blind spots; the honest sweep report acknowledges each one explicitly.
The principle governs every stage, every budget level, and every instrument class. A $20 K18 broadband detector flags “elevated RF power here” and a human must investigate the physical source. A $15,000 REI ORION NLJD flags a harmonic response and a human must physically inspect the site. In both cases the instrument narrows the search space; the human closes it.
12.5.2 Per-stage anomaly-to-confirm map
Table 10 — 5.2 Per-stage anomaly-to-confirm map
| Stage | What the instrument flags | Human confirm step | Confirm verdicts |
|---|---|---|---|
| 1: RF sweep | Persistent narrowband carrier in 1.2/2.4/5.8 GHz band | WFM demodulate to confirm FM video vs. baby monitor/AV sender; RSSI-walk toward carrier source; physical inspect | Confirmed: video demodulates; camera housing with lens at source. FP: baby monitor, AV extender, FPV receiver |
| 2: Network scan | Camera-brand OUI, mDNS/ONVIF service, or traffic-rate spike on motion | RSSI-walk with Marauder (setchannel N; walk; re-read RSSI); probe RTSP port 554; physical inspect peak-RSSI location | Confirmed: camera housing with lens at peak-RSSI location. FP: misidentified router or phone |
| 3: Optical | Retroreflective glint returning persistently from a spot | Walk to glint source; illuminate with flashlight; inspect for lens aperture or pinhole behind translucent cover | Confirmed: camera lens aperture visible. FP: eyeglass lens, screw, bottle, mirror — no camera-scale lens aperture |
| 4: IR-emitter | Bright white/purple glow on front-camera display in darkness | Turn on lights; physically inspect glow source for IR LED cluster and camera module | Confirmed: IR LED array + camera module present. FP: TV remote, infrared proximity sensor, IR motion detector |
| 5: Thermal | Warm anomaly inconsistent with object’s expected thermal state | Cross-reference with Stage 3 (optical sweep same area); physically inspect the warm object for lens, wiring, or added electronics | Confirmed: warm object contains camera hardware. FP: phone charger, power strip, lamp transformer |
| 6: NLJD | Harmonic energy at 2f₀ or 3f₀ from a location | (1) 2nd/3rd harmonic ratio check; (2) tap test — semiconductor is stable, PIM source modulates on tap; (3) optical + physical inspect | Confirmed: ORION ratio + tap test consistent; physical inspection reveals camera or electronic device. FP: oxidized metal contact (PIM) — modulates on tap |
| 7: Physical | Visual anomaly: extra hole, new screw, unusual weight, unfamiliar fixture | Open or inspect the object; do not disturb a found camera — photograph in situ first | Confirmed: camera module, lens, circuit board, or recording media found. FP: legitimate fixture, pre-existing hole with no camera |
12.5.3 The suspected-class decision tree
When an anomaly is flagged, the decision “which confirmation method next?” depends on the suspected camera class and its likely power state. Consult the power-state capability matrix in Vol 4 §4 for the full lookup: that matrix maps every detection method against the three power states (powered + capturing / powered standby / fully off) and provides honest reliability ratings for each cell. The decision tree below applies its logic operationally.
┌─────────────────────────────────────────────────────────────────────────┐
│ SUSPECTED-CLASS DECISION TREE — Anomaly → Best confirm method(s) │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ ANOMALY FOUND — what does the stage suggest? │
│ │ │
│ ├── RF carrier (Stage 1) │
│ │ Class: ANALOG WIRELESS camera │
│ │ State: ACTIVE (carrier present only when transmitting) │
│ │ Confirm: WFM demod → FM video confirm → RSSI walk → locate │
│ │ Vol 4 §4: powered+capturing → Stage 1 ✅ │
│ │ │
│ ├── Camera-brand OUI / mDNS / RTSP (Stage 2) │
│ │ Class: WI-FI / IP camera │
│ │ State: ACTIVE (transmitting to network) │
│ │ Confirm: traffic-rate motion test (Vol 3 §5) → RSSI walk │
│ │ → physical locate; RTSP probe port 554 │
│ │ Vol 4 §4: powered+capturing → Wi-Fi ✅ │
│ │ │
│ ├── Optical glint (Stage 3) │
│ │ Class: ANY camera (lens is a passive optical element) │
│ │ State: ANY — including FULLY OFF │
│ │ Confirm: physical inspect glint source; borescope if enclosed │
│ │ Cross with Stage 5 (is it warm → powered?) │
│ │ Cross with Stage 6 NLJD (if off and professional budget) │
│ │ Vol 4 §4: reader's map §3 — optics covers all three states ✅ │
│ │ │
│ ├── IR glow (Stage 4) │
│ │ Class: Night-vision camera with active IR LEDs │
│ │ State: POWERED + ACTIVE IR │
│ │ Confirm: physical inspect; cross with Stage 5 (thermal confirm) │
│ │ Vol 4 §4: powered+capturing (IR LEDs active) ✅ │
│ │ │
│ ├── Thermal anomaly (Stage 5) │
│ │ Class: POWERED camera (any RF class) │
│ │ State: POWERED (thermal requires heat) │
│ │ Confirm: optical sweep of warm area (Stage 3 at that spot); │
│ │ physical inspect warm object │
│ │ Vol 4 §4: powered+capturing ✅; powered/standby marginal; │
│ │ fully off ❌ (no heat source to detect) │
│ │ │
│ ├── NLJD harmonic hit (Stage 6) │
│ │ Class: ANY electronic device including camera │
│ │ State: ANY — including FULLY OFF │
│ │ Confirm: 2nd/3rd ratio check + tap test → optical sweep of area │
│ │ → physical inspect or borescope │
│ │ Vol 4 §4: all three power states → NLJD ✅ │
│ │ │
│ └── No instrument flag — location suspicious by context │
│ Class: UNKNOWN (possibly SD-only or wired, possibly off) │
│ State: UNKNOWN │
│ Confirm: optical sweep (Stage 3) at that specific location; │
│ physical inspect; borescope if enclosed │
│ Vol 4 §4: reader's map §3 — for unknown state, start with │
│ optical retroreflection (covers all states) │
│ then NLJD if available │
└─────────────────────────────────────────────────────────────────────────┘Using the Vol 4 power-state matrix operationally. The matrix in Vol 4 §4 is the lookup table for every node in this decision tree. When choosing between competing confirm methods, the matrix tells you which one covers the suspected power state. Key implications:
- Camera might be powered off (adversarial scenario, or device found cold): NLJD (Stage 6) is the only active electronic method. Optical (Stage 3) and physical search (Stage 7) are the other powered-off-capable methods.
- Camera is probably active (carrier found, OUI on network, IR glow observed): any “powered + capturing” method works. Start with the fastest available confirm.
- Power state unknown: start with optical retroreflection (works in all three states per Vol 4 §4, the “most universal” rating). Then NLJD if in budget. Then physical search.
- Suspected wired camera: the Vol 4 §4 wired-camera addendum (§4.2) identifies the correct sub-track: PoE/LAN scan, cable tracing, TDR, find-the-recorder. No RF method applies.
12.5.4 The honest ceiling
The sweep’s honest ceiling: The complete seven-stage playbook, correctly executed with all instruments including a professional NLJD, is the most defensible counter-surveillance sweep currently available to a civilian or TSCM professional. It is not an absolute guarantee. Residual gaps remain:
1. Operator coverage gap. Stages 3 and 7 depend on the operator sweeping every surface at the right angle and distance. A deeply recessed lens behind a 1 mm drilled hole that was not in the SF-103P’s sweep arc may not produce a visible glint.
2. NLJD budget gap. Stage 6 requires ~$15,000 in instruments and a trained operator. Without it, a powered-off camera at a location not exposed to the optical sweep and not flagged by physical inspection remains undetected. No consumer-priced technique closes this gap.
3. Timing gap. A camera powered off during the sweep and powered back on after exit is undetected by every method except Stage 3 (optical) and Stage 7 (physical). Repeat sweeps at unexpected times reduce but do not eliminate this risk.
4. Cellular camera gap. A camera with an LTE SIM card, bursting on licensed bands at low duty cycle, is practically undetectable without IMSI-catcher class instrumentation. No stage in this playbook reliably catches a well-configured cellular camera. Note as an unresolved gap in every sweep report.
State these limitations explicitly in any sweep conclusion. “The sweep found no evidence of a hidden camera” means no anomaly was confirmed by the methods applied. It does not mean “no hidden camera is present.” The professional standard requires this distinction.
12.6 Resources
12.6.1 Within this series
Table 11 — Within this series
| Volume and section | Relevance to Vol 12 |
|---|---|
| Vol 2 §4 — RF/spectrum, analog-video band plans | Stage 1 physics: what an FM carrier looks like on a waterfall; RBW and sweep parameters |
| Vol 3 §5 — Traffic-rate / motion-correlation | Stage 2 confirm: VBR encoder as passive sensor; full PCAP analysis procedure |
| Vol 4 §3 — Reader’s map (suspected state → method) | Input to §5.3 decision tree — the power-state-grouped method selection table |
| Vol 4 §4 — Power-state capability matrix | The master lookup table for §5 — which method for which camera class in which power state |
| Vol 4 §5 — Optical lens retroreflection | Stage 3 physics: retroreflection, LAPD ToF/ML, SpyFinder Pro, false-positive profile |
| Vol 4 §6 — IR-emitter spotting | Stage 4 physics: 850/940 nm IR LED detection; phone front-camera IR sensitivity |
| Vol 4 §7 — NLJD | Stage 6 physics: harmonic ratio, tap test, rusty-bolt false positives, REI ORION |
| Vol 4 §9 — Thermal | Stage 5 physics: HeatDeCam, FLIR ONE triage, defeat mechanisms |
| Vol 5 §5 — RSSI-walk localization | Stage 2 confirm: warmer-colder walk procedure, EMA filter, directional antenna option |
| Vol 6 §2 — Analog wireless demod | Stage 1 confirm: FM-video demod signal chain, gqrx steps, composite video display |
| Vol 6 §5 — Wired-specific track | Stage 7 wired camera sub-track: cable tracer, TDR, PoE/LAN, PLC conductor |
| Vol 9 §5 — Lens finders | Stage 3 instrument: SpyFinder Pro SF-103P product review, pricing, discipline |
| Vol 9 §6 — Thermal gear | Stage 5 instrument: FLIR ONE Gen 3 / Pro specs, triage role, defeat mechanisms |
| Vol 11 §7.2 — Gear × emission-class matrix | Owned-gear coverage matrix; informs Stage 1/2 instrument selection |
| Vol 11 §7.3 — Decision flowchart (which gear first) | Owned-gear sequencing basis for §2 and §4 |
| Vol 15 — Field cards | The laminate-ready field cards in Vol 15 will condense the §4 sweep procedure into a pocket reference |
12.6.2 Legal and ethics references
../../_shared/legal_ethics.md— The legal envelope for all sweep activities, including the consenting-environment gates for deauth-confirm (Stage 2 Sub-track C) and analog FM-video demodulation (Stage 1 confirm). Read before any sweep that involves decoding a found signal or inducing a camera’s reconnect behavior.- Jurisdiction note. Sweeping your own space — a hotel room, rented Airbnb apartment, or changing room you occupy — is generally legal without special authorization in most jurisdictions. Sweeping someone else’s space, decoding intercepted signals, or removing a found device may require legal review. When in doubt: document in place, do not touch, and consult appropriate authority.
12.6.3 External instruments and key products
Table 12 — External instruments and key products
| Instrument | Source | Stage | Price (spec-sourced unless noted) |
|---|---|---|---|
| SpyFinder Pro SF-103P | kjbsecurity.com; bhphotovideo.com | Stage 3 — primary optical instrument | ~$148 web-verified |
| FLIR ONE Gen 3 | flir.com; Walmart; Amazon | Stage 5 — thermal triage | ~$199–249 web-verified |
| FLIR ONE Pro | flir.com | Stage 5 — higher-sensitivity thermal | ~$399 web-verified |
| REI ORION 2.4 HX | reiusa.net (quote required) | Stage 6 — NLJD professional | ~$10k–$15k spec-sourced |
| REI ORION 900 HX | reiusa.net (quote required) | Stage 6 — NLJD wall penetration | ~$10k–$15k spec-sourced |
| Triplett Fox & Hound 3399 | triplett.com | Stage 7 wired track — cable tracer | ~$95 spec-sourced |
| Fing | fing.com/app (iOS + Android; free) | Stage 2 Sub-track A | Free |
| Glint Finder | Aptoide / APK (Android; free) | Stage 3 phone fallback | Free |
| gqrx | gqrx.dk (macOS / Linux; free) | Stage 1 FM-video demod confirm | Free |
| osmocom_fft (gr-osmosdr) | github.com/osmocom/gr-osmosdr | Stage 1 HackRF spectrum display | Free |
| ESP32 Marauder | github.com/justcallmekoko/ESP32Marauder (MIT) | Stage 2 Sub-tracks B+C | Free firmware |
This is Volume 12 of a fifteen-volume series. The room-sweep playbook in this volume is the operational synthesis of every detection method established in Vols 2–11. Volume 13 covers operational posture, legal and ethical boundaries in depth, and the professional sweep report format. The field cards in Vol 15 will condense the §4 sweep procedure from this volume into a laminate-ready pocket reference.