Computer Security Jump Bag

Get something to carry all of your tools.

Look for one with many pockets.

• A Computer bag at a minimum with lots of pockets.
• A Backpack is another option but it will depend upon the equipment you need to have.
• Suitcase. A complete set of response equipment can get heavy, a rolling computer bag or suitcase with wheels is nice.

Tools to Document Your Response

Document Everything!

• Paper Notebooks. Be sure to keep track of time and actions taken. If this is a forensic investigation a special binding might be required for the notebook so the evidence is not questioned.
• Pens, yes multiple pens and make sure they are not erasable.
• Audio Recording Device. Tape or Digital but be sure you have enough space to record events. Depending on the purpose of the response, there is not always enough time to write everything down do being able to record audio notes, saves time. Remember to state the time when you make a voice note.
• Digital Camera. Some models can validate their photos. The Nikon D2X can authenticate photos and know if they have been tampered with.
• Time Keeping Device. Watch, cell phone etc.

Have a Laptop

Be sure you have a system to use to respond with.

• Be sure you have and adequate network card, no less than 100MB. You might prefer a giga-bit card since many networks are adapting this technology. The idea is to be able to monitor the network with your laptop.
• Have adequate memory for the tools you may be using.
• Have a CDRW or preferrable a DVD-RW device.
• Have USB ports to support USB media devices.
• Have a wireless network card if you support wireless networks.

Backup Media

Make sure it is new media, not reused (defense tampering argument)

• Hard Drive. Minimum 250GB. At least one SCSI, IDE or USB device.
• Pen Drive. Given the cheap prices, 4GB minimum.
• CDROM Media
• DVD Media

Wireless Attack Response

Wireless networks are everywhere.

• Wireless Network card with external antenna connector.
• Directional Antenna. These can help you find rouge access points.
• Wireless Auditing software. BackTrack (etc.)

Communication Resources

Stay in Touch.

• Your Cell Phone, your charger and a spare battery.
• Call list. Always have your site's call list in your bag. If this is an external site, get one immediately for the location.
• GPG or other encryption software to support the transfer of information.
• If a team is responding, you might want FRS radios to support your communication. If the attack is wireless, you might be managing a deployed response team. A reviewer has added a hint - FRS radios are not allowed in EU - they are ok for US use only. EU can use PMR and LPD radios which are almost the same, except PMR has 8 channels, LPD has 79 channels. For most real-life situations PMR solutions should work.

Network/Technical Tools

Be able to connect and monitor.

• A hub, not a switch or even better a network tap. It might be possible to monitor the traffic to the exploited host by using a hub. Many advanced switches can mirror a port for you to tap into and many networks support ingress and egress VLANS. Remember interrupting an active attack may let the attacker know you are responding.
• Cross-over cable. These are sometimes hard to find.
• A few ethernet network cables, preferably long (25ft.).
• An RJ45 cable extender. Sometimes a 25 foot cable is not enough.
• RJ45-Serial adapter. Cables to communicate with network equipment via serial connections might be necessary.
• Hardware Drive Write Blocker which will prevent an investigator from altering a drive under investigation
• Any other cables which are popular, USB, Firewire, serial, IDE, SCSI, SATA/eSAT.
• A 9 pin to rj45 serial adapter in case you need to connect via a terminal application. It is also useful to have 9 pin gender changers.

Miscellaneous tools, equipment and resources

• If it is possible, have a private room set up for coordinating the response team and reviewing collected evidence. The investigation should be kept private and the team protected from unnecessary interruptions. The private room is especially necessary if you are responding to an internal incident which might lead to the forensic investigation of an employee's system.
• Zip Lock Bags for Evidence.
• LED Flash Light.
• Computer Tool Kit. Some agencies require that hardware (drives) impacted by an intrusion be removed, secured and sent to higher level security officials for further analysis or to be placed within better controlled environments.
• Business Cards (Your Credentials). It is possible for those responding to intrusion to be available as witnesses if a company pursues prosecution of computer crimes. Not all intrusions or compromises are done by external entities.
• Permanent Markers to mark evidence.
• A Leatherman multi-tool is very handy.
• A Power strip, you will have a lot of electronic equipment with you.
• Cable ties to organize cables in case you had to remove some.
• Anti-Static Bags for storage of electronic devices or drives.

Protect and Control the Evidence.

• Make sure you keep evidence under lock and key and only access it when two people are present. Be sure to record the date and time of each access to evidence.
• Police or Flagging Tape. Mark off the area or systems under investigation so no one accidentally tampers with the system under investigation.
• Post signs to inform users what not to touch and who to contact for further information.
• Document all access to the safe or cabinet where evidence is kept.
• Mark all evidence with a date and time. (zip lock bag idea).

Jump Bag Rules

As was re-enforced by the SANS class, do NOT borrow from the bag.

1. Never take anything from the jump bag.
2. Audit the jump bag every quarter to be sure your tools are up to date.
3. Refresh your jump back after it is used.