Computer Security Jump Bag
A Jump Bag is the term used to describe the bag or container holding all of the tools you need to appropriately respond to a computer security incident.
SANS Incident Handling Course covers the topic of Incident Handling in-depth. It is a great course which I have taken.
Have a Security Policy
It should contain an Incident Response section.
- SANS Security Policy Project
- The ultimate goal of this SANS project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements.
- NIST Security Documents
- Track down National Institute of Standards and Technology publication 800-61 which is a Computer Security Incident Handling Guide.
Get something to carry all of your tools.
Look for one with many pockets.
- A Computer bag at a minimum with lots of pockets.
- A Backpack is another option but it will depend upon the equipment you need to have.
- Suitcase. A complete set of response equipment can get heavy, so a rolling computer bag or a suitcase with wheels is nice.
Tools to Document Your Response
Document Everything!
- Paper Notebooks. Be sure to keep track of time and actions taken.
- Pens, yes multiple pens and make sure they are not erasable.
- Audio Recording Device. Tape or digital, but be sure you have enough space to record events. Depending on the purpose of the response, there is not always enough time to write everything down, so being able to record audio notes saves time. Remember to state the time when you make a voice note.
- Digital Camera. Some models can validate their photos. The Nikon D2X can authenticate photos and know if they have been tampered with.
- Time Keeping Device. Watch, cell phone etc.
Checklists and Cheat Sheets
Keep checklists in the bag for quick reference; reference material is very useful.
- SANS Intruder Detection Checklist (PDF): http://www.sans.org/score/checklists/ID_Linux.pdf
- SANS TCP/IP Cheat Sheet (PDF): http://sans.org/resources/tcpip.pdf
- CERT/CC Intruder Detection Checklist
- NMAP/Nessus Cheat Sheet (PDF): http://www.infosecwriters.com/text_resources/pdf/nessusNMAPcheatSheet.pdf
- XSS (Cross Site Scripting) Cheat Sheet
- SQL Injection Cheat Sheet (Ferruh Mavituna's blog, Web Application Security and more)
Have a Laptop
Be sure you have a system to use to respond with.
- Be sure you have an adequate network card, no less than 100MB. You might prefer a gigabit card since many networks are adopting this technology. The idea is to be able to monitor the network with your laptop.
- Have adequate memory for the tools you may be using.
- Have a CDRW or, preferably, a DVD-RW device.
- Have USB ports to support USB media devices.
- Have a wireless network card if you support wireless networks.
Backup Media
Make sure it is new media, not reused (defense tampering argument).
- Hard Drive. Minimum 250GB. At least one SCSI, IDE or USB device.
- Pen Drive. Given the cheap prices, 4GB minimum.
- CDROM Media
- DVD Media
Wireless Attack Response
Wireless networks are everywhere.
- Wireless Network card with external antenna connector.
- Directional Antenna. These can help you find rogue access points.
- Wireless Auditing software. BackTrack (etc.)
Communication Resources
Stay in Touch.
- Your Cell Phone, your charger and a spare battery.
- Call list. Always have your site's call list in your bag. If this is an external site, get one immediately for the location.
- GPG or other encryption software to support the transfer of information.
- If a team is responding, you might want FRS radios to support your communication. If the attack is wireless, you might be managing a deployed response team. A reviewer has added a hint: FRS radios are not allowed in the EU; they are OK for US use only. The EU can use PMR and LPD radios, which are almost the same, except PMR has 8 channels and LPD has 79 channels. For most real-life situations PMR solutions should work.
Network/Technical Tools
Be able to connect and monitor.
- A hub, not a switch, or even better a network tap. It might be possible to monitor the traffic to the exploited host by using a hub. Many advanced switches can mirror a port for you to tap into, and many networks support ingress and egress VLANs. Remember that interrupting an active attack may let the attacker know you are responding.
- Cross-over cable. These are sometimes hard to find.
- A few ethernet network cables, preferably long (25ft.).
- An RJ45 cable extender. Sometimes a 25 foot cable is not enough.
- RJ45-Serial adapter. Cables to communicate with network equipment via serial connections might be necessary.
- Hardware drive write blocker, which will prevent an investigator from altering a drive under investigation.
- Any other cables which are popular: USB, Firewire, serial, IDE, SCSI, SATA/eSATA.
Miscellaneous tools, equipment and resources
- If it is possible, have a private room set up for coordinating the response team and reviewing collected evidence. The investigation should be kept private and the team protected from unnecessary interruptions.
- Zip Lock Bags for Evidence.
- LED Flash Light.
- Computer Tool Kit. Some agencies require that hardware (drives) impacted by an intrusion be removed, secured and sent to higher level security officials for further analysis or to be placed within better controlled environments.
- Business Cards (Your Credentials). It is possible for those responding to intrusion to be available as witnesses if a company pursues prosecution of computer crimes. Not all intrusions or compromises are done by external entities.
- Permanent Markers to mark evidence.
- A Leatherman multi-tool is very handy.
- A Power strip, you will have a lot of electronic equipment with you.
The Most Important Thing to Remember When Responding to An Incident
Relax.
Take your time and do not damage or invalidate evidence. What is the reason for your response: to return the system to an operational status, or to collect evidence? What actions are you allowed to take? What actions can you take that will not alert the attacker to your response? Do you have proper authorization to proceed, and is the authorization in writing and signed?
Protect and Control the Evidence.
- Make sure you keep evidence under lock and key and only access it when two people are present. Be sure to record the date and time of each access to evidence.
- Police or Flagging Tape. Mark off the area or systems under investigation so no one accidentally tampers with the system under investigation.
- Post signs to inform users what not to touch and who to contact for further information.
- Document all access to the safe or cabinet where evidence is kept.
- Mark all evidence with a date and time. (zip lock bag idea).
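The "Document Everything" and "Protect and Control the Evidence" rules above can be enforced in a small custody log. This is an added example, not from the original lens: it assumes a JSON-lines log file and hypothetical handler/witness names, records a UTC timestamp and SHA-256 for every access, refuses single-person access, and detects later tampering by re-hashing the evidence.

```python
"""Two-person chain-of-custody log with SHA-256 verification (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash an evidence file in chunks so large disk images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_access(log_path, evidence_path, handler, witness, action):
    """Append one timestamped custody entry; refuse single-person access."""
    if not handler or not witness or handler == witness:
        raise ValueError("evidence access requires two distinct people")
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "evidence": str(evidence_path), "sha256": sha256_file(evidence_path),
             "handler": handler, "witness": witness, "action": action}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_evidence(log_path, evidence_path):
    """True if the file still hashes to the value recorded at first access."""
    for line in Path(log_path).read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        if entry["evidence"] == str(evidence_path):
            return sha256_file(evidence_path) == entry["sha256"]
    return False  # never logged: no baseline to compare against


def demo():
    """Constructed run in a temp dir: record, verify, tamper, verify again."""
    d = Path(tempfile.mkdtemp())
    ev, log = d / "disk.img", d / "custody.jsonl"
    ev.write_bytes(b"constructed sample evidence image")  # constructed data
    record_access(log, ev, "alice", "bob", "imaged drive")
    before = verify_evidence(log, ev)
    with open(ev, "ab") as f:  # simulate tampering after collection
        f.write(b"x")
    return before, verify_evidence(log, ev)
```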
Forensic Bootable CDROMs
Bootable tools are very useful. Understand how to use forensic tools on a system to understand what has happened, tools that will not modify the system being investigated.
- BackTrack (Remote-exploit.org): wireless auditing bootable CDROM
- Helix: Incident Response & Computer Forensics Live CD by e-fense™, Inc.
- KNOPPIX Linux Live CD
Tools for Your Laptop
Have the tools you need installed.
- OmniPeek (OmniPeek.com): a Wireshark alternative
- Wireshark (formerly Ethereal): The World's Most Popular Network Protocol Analyzer
- Early Computer Security
- TCPDUMP public repository
- WinDump: tcpdump for Windows
- Wi-Spy Spectrum Analyzer (MetaGeek)
Jump Bag Rules
As was reinforced by the SANS class, do NOT borrow from the bag.
- Never take anything from the jump bag.
- Audit the jump bag every quarter to be sure your tools are up to date.
- Refresh your jump bag after it is used.
Reader Feedback
Please submit any additional ideas you have.
Reader feedback is a good way to share your experience.
Incident Response Books
- Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition) (Radia Perlman Series in Computer Networking and Security)
- Incident Response: A Strategic Guide to Handling System and Network Security Breaches (Landmark)
- Incident Response: Computer Forensics Toolkit
- Incident Response
- Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition (Information Security)
Audio Devices
- Olympus VN-4100PC Digital Voice Recorder
- Olympus WS-311M Digital Voice Recorder and WMA Music Player
- Olympus VN4100 Digital Voice Recorder
USB Pen Drives
- Sony 4GB Micro Vault USB Flash Drive Memory Card (Retail)
- TrekStor 21363 8GB USB-Stick Leather Edition Flash Memory
War Driving Kits
- Imperial WiFi Site Survey Kit for Wardriving (802.11b/g) 8471-WD
- 7 dBi Magnetic Mobile 3x WiFi Booster Antenna (for MC and Wardriving)
- Prism 2.5 200 mW Wardriving and Security Auditing Kit
Portable Hard Drives
- LaCie 301825U d2 Quadra 500 GB eSATA/FireWire800/FireWire400/USB 2.0 External Hard Disk
- LaCie 301827U d2 Quadra 1 TB eSATA/FireWire800/FireWire400/USB 2.0 External Hard Disk
- LaCie 301826U d2 Quadra 750 GB eSATA/FireWire800/FireWire400/USB 2.0 External Hard Disk
Digital Cameras
- Nikon D700 12.1MP Digital SLR Camera (Body Only)
- Nikon D60 Digital SLR Camera with 18-55mm AF-S VR Zoom Lens + Nikon 55-200mm AF-S VR Zoom Lens + 8GB SD Card + EN-EL9 Battery + Case + Cameta Bonus Accessory Kit
- Nikon D40 6.1MP Digital SLR Camera + Nikon 18-55mm AF-S Lens + Nikon SLR Gadget Bag + Transcend 2GB 133x SecureDigital Card + USB Card Reader
Find an Appropriate Bag
Save your back and get one with wheels.
- Kensington 62903 Contour Overnight Roller Suitcase and Notebook Carrying Case
- Targus TXL617 17 XL Notebook Backpack
- SwissGear Computer Backpack (Black)
Crime Scene Tape
Protect the system or area under investigation by marking it off limits.
- Barrier Tape, Police Line Yellow
- Empire Level 77-0201 200' Barricade "Caution" Tape Commercial Grade