Skip to navigation | Skip to content

Share your knowledge. Make a difference.

Computer Security Jump Bag

1 - I can do better 2 - Jury's out 3 - Pretty darn good 4 - Splendiferous 5 - Awesometastic (by 4 people)   Your rating: 1 - I can do better 2 - Jury's out 3 - Pretty darn good 4 - Splendiferous 5 - Awesometastic

Ranked #504 in Tech & Geek, #13436 overall

Rated G. (Control what you see)

Computer Security Jump Bag

 

A Jump Bag is the term used to describe the bag or container holding all of the tools you need to appropriately respond to a computer security incident.

SANS Incident Handling Course covers the topic of Incident Handling in-depth. It is a great course which I have taken.

Have a Security Policy 

It should contain an Incident Response section.

A security policy will document the assets that are most important to a business and provide a foundation upon which an incident response plan will be based.
SANS Security Policy Project
The ultimate goal of this SANS project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements.
NIST Security Documents
Track down National Institute of Standards and Technology publication 800-61 which is a Computer Security Incident Handling Guide.

Get something to carry all of your tools. 

Look for one with many pockets.

  • A Computer bag at a minimum with lots of pockets.
  • A Backpack is another option but it will depend upon the equipment you need to have.
  • Suitcase. A complete set of response equipment can get heavy, a rolling computer bag or suitcase with wheels is nice.

Tools to Document Your Response 

Document Everything!

Some companies choose to prosecute people who attack, steal or exploit their resources. Detailed documentation can be submitted as evidence. Be aware that some institutions will prosecute their staff if they respond in a way which causes evidence to be lost. It is also useful to always have two people working on the response to validate the work being done and to reduce a defense argument that the evidence was tampered with.
  • Paper Notebooks. Be sure to keep track of time and actions taken.
  • Pens, yes multiple pens and make sure they are not erasable.
  • Audio Recording Device. Tape or Digital but be sure you have enough space to record events. Depending on the purpose of the response, there is not always enough time to write everything down do being able to record audio notes, saves time. Remember to state the time when you make a voice note.
  • Digital Camera. Some models can validate their photos. The Nikon D2X can authenticate photos and know if they have been tampered with.
  • Time Keeping Device. Watch, cell phone etc.

Check Lists and Cheat Sheet Plexo 

Keep checklists in the bag for quick reference

Reference material is very useful

http://www.sans.org/score/checklists/ID_Linux.pdf

SANS Intruder Detection Checklist (PDF file)1 point

http://sans.org/resources/tcpip.pdf

SANS TCP/IP Cheat Sheet (PDF file)1 point

CERT/CC Intruder Detection Checklist

Cert Intruder Detection Checklist0 points

XSS (Cross Site Scripting) Cheat Sheet

XSS (Cross Site Scripting) Cheat Sheet: Esp: for f more...0 points

SQL Injection Cheat Sheet

Ferruh Mavituna Blog, Web Application Security and more...0 points

Have a Laptop 

Be sure you have a system to use to respond with.

Be sure your system has adequate capabilities to respond to an incident.
  • Be sure you have and adequate network card, no less than 100MB. You might prefer a giga-bit card since many networks are adapting this technology. The idea is to be able to monitor the network with your laptop.
  • Have adequate memory for the tools you may be using.
  • Have a CDRW or preferrable a DVD-RW device.
  • Have USB ports to support USB media devices.
  • Have a wireless network card if you support wireless networks.

Backup Media 

Make sure it is new media, not reused (defense tamping argument)

It is possible that you will need to move files or devices in order to investigate an issue.
  • Hard Drive. Minimum 250GB. At least one SCSI, IDE or USB device.
  • Pen Drive. Given the cheap prices, 4GB minimum.
  • CDROM Media
  • DVD Media

Wireless Attack Response 

Wireless networks are everywhere.

Many companies have installed wireless networks to improve network access for their employees and allow them to be mobile. Wireless networks introduce many security issues so be sure to have appropriate hardware.
  • Wireless Network card with external antenna connector.
  • Directional Antenna. These can help you find rouge access points.
  • Wireless Auditing software. BackTrack (etc.)

Communication Resources 

Stay in Touch.

If your computer has been hacked, do not use it or the network to communicate with others about the incident.
  • Your Cell Phone, your charger and a spare battery.
  • Call list. Always have your site's call list in your bag. If this is an external site, get one immediately for the location.
  • GPG or other encryption software to support the transfer of information.
  • If a team is responding, you might want FRS radios to support your communication. If the attack is wireless, you might be managing a deployed response team. A reviewer has added a hint - FRS radios are not allowed in EU - they are ok for US use only. EU can use PMR and LPD radios which are almost the same, except PMR has 8 channels, LPD has 79 channels. For most real-life situations PMR solutions should work.

Network/Technical Tools 

Be able to connect and monitor.

  • A hub, not a switch or even better a network tap. It might be possible to monitor the traffic to the exploited host by using a hub. Many advanced switches can mirror a port for you to tap into and many networks support ingress and egress VLANS. Remember interrupting an active attack may let the attacker know you are responding.
  • Cross-over cable. These are sometimes hard to find.
  • A few ethernet network cables, preferably long (25ft.).
  • An RJ45 cable extender. Sometimes a 25 foot cable is not enough.
  • RJ45-Serial adapter. Cables to communicate with network equipment via serial connections might be necessary.
  • Hardware Drive Write Blocker which will prevent an investigator from altering a drive under investigation
  • Any other cables which are popular, USB, Firewire, serial, IDE, SCSI, SATA/eSAT.

Miscellaneous tools, equipment and resources 

  • If it is possible, have a private room set up for coordinating the response team and reviewing collected evidence. The investigation should be kept private and the team protected from unnecessary interruptions.
  • Zip Lock Bags for Evidence.
  • LED Flash Light.
  • Computer Tool Kit. Some agencies require that hardware (drives) impacted by an intrusion be removed, secured and sent to higher level security officials for further analysis or to be placed within better controlled environments.
  • Business Cards (Your Credentials). It is possible for those responding to intrusion to be available as witnesses if a company pursues prosecution of computer crimes. Not all intrusions or compromises are done by external entities.
  • Permanent Markers to mark evidence.
  • A Leatherman multi-tool is very handy.
  • A Power strip, you will have a lot of electronic equipment with you.

The Most Important Thing to Remember When Responding to An Incident

Relax.
Take your time and do not damage or invalidate evidence. What is the reason for your response, to return the system to an operational status or to collect evidence? What actions are you allowed to take? What actions can you take that will not alert the attacker to your response? Do you have proper authorization to proceed, is the authorization in writing and signed?

Protect and Control the Evidence. 

Your procedures and collection processes may be questioned in court.
  • Make sure you keep evidence under lock and key and only access it when two people are present. Be sure to record the date and time of each access to evidence.
  • Police or Flagging Tape. Mark off the area or systems under investigation so no one accidentally tampers with the system under investigation.
  • Post signs to inform users what not to touch and who to contact for further information.
  • Document all access to the safe or cabinet where evidence is kept.
  • Mark all evidence with a date and time. (zip lock bag idea).

Forensic Bootable CDROM Plexo 

Bootable Tools are very useful

Understand how to use forensic tools on a system to understand what has happened, tools that will not modify the system being investigated.

BackTrack - Remote-exploit.org

Wireless Auditing Bootable CDROM1 point

Helix - Incident Response & Computer Forensics Live CD by e-fense%u2122, Inc.

e-fense, Inc., the premier e-discovery, computer f more...0 points

Tools for your laptop 

Have the tools you need installed.

OmniPeek.com

A wireshark alternative2 points

Early Computer Security

Computer security is a must have for any body with more...1 point

Wi-Spy | MetaGeek

Wi-Spy Spectrum Analyzer0 points

Jump Bag Rules 

As was re-enforced by the SANS class, do NOT borrow from the bag.

Under no circumstance, borrow from your jump bag.
  1. Never take anything from the jump bag.
  2. Audit the jump bag every quarter to be sure your tools are up to date.
  3. Refresh your jump back after it is used.

Reader Feedback 

Please submit any additional ideas you have.

Reader feedback is a good way to share your experience.

VerticalJumpProject

Learn something new everyday! 5* ...From the vertical jump project top secret fat loss

Posted September 10, 2008

privateInvestigation

wow!
This is wonderful lens about computer security methods. I really appreciate with your lens, I think this lens is more useful to the people.
I have created one more important lens that focuses on private investigator directory,
thanks for giving such a great information.

Posted June 16, 2008

My Other Security Lenses 

Incident Response Books 

Incident Response: A Strategic Guide to Handling System and Network Security Breaches (Landmark)

Amazon Price: $32.57 (as of 10/13/2008)

Incident Response: Computer Forensics Toolkit

Amazon Price: $29.70 (as of 10/13/2008)

Incident Response

Amazon Price: (as of 10/13/2008)

Amazon Audio Devices 

Olympus VN-4100PC Digital Voice Recorder

Amazon Price: $46.38 (as of 10/13/2008)

Olympus WS-311M Digital Voice Recorder and WMA Music Player

Amazon Price: $63.69 (as of 10/13/2008)

Olympus VN4100 Digital Voice Recorder

Amazon Price: Too low to display (as of 10/13/2008)

Amazon War Driving Kits 

Portable Hard Drives 

Lacie has released new drives with multiple connections types on each.

Digital Cameras on Amazon 

Some cameras can authenticate their photos which is a critical feature for digital evidence. Check the specs on the model you choose.

Nikon D700 12.1MP Digital SLR Camera (Body Only)

Amazon Price: $2,759.93 (as of 10/13/2008)

Find an Appropriate Bag 

Save your back and get one with wheels.

Lots of pockets are also useful.

Targus TXL617 17 XL Notebook Backpack

Amazon Price: $51.25 (as of 10/13/2008)

SwissGear Computer Backpack (Black)

Amazon Price: $34.19 (as of 10/13/2008)

Crime Scene Tape 

Protect the system or area under investigation by marking it off limits.

Barrier Tape, Police Line Yellow

Amazon Price: $9.00 (as of 10/13/2008)

Conclusions 

This lens is another in my list of lenses covering computer security. Stop by my Computer Security and War Driving lenses if you get a chance.

Publish your knowledge of computer security by building a lens. It's easy!

Visit my Lensography for a look at other lenses I have contributed to the Squidoo community.
X
Edmands

About Edmands

Todd is a Systems Engineer with a Masters Degree in Systems Engineering/Information Assurance and an undergraduate degree in Geography. When time permits, he builds quality Squidoo lenses or practices his hobbies (Lego Robotics, rocketry, kites and studying creativity). His lenses support National Public Radio (NPR).

Edmands's Pages

See all of Edmands's pages