DFIRinProgress Blog

Onsite Madness: A Barebones DFIR Kit


I’ve Been Looking Forward to This

You are likely reading this in a setting similar to the one where I am writing this post: a well-defined workstation with everything you may need within a few metres, including a coffee machine. This was recently flipped for me; I did not even have a chair. I had great hopes for the day ahead, travelling interstate for a team function. I threw three USBs into my bag, more as a good luck charm than anything else, and off I went.

Realistically, with an early morning, a skipped breakfast and a stubborn desire for a good first coffee, I was heading straight for disaster. Within minutes of stepping into the office, a new engagement kicked off… the coffee would have to wait. One hour later, I found myself on the floor of a server room, thankful that I had thrown the three USBs into my bag; they turned out to be lifesavers. This was all part of my first onsite ransomware engagement, a moment I had been looking forward to for some time.

This experience prompted me to rethink my preparedness for future onsite engagements. While I was prepared for what did occur, it raised some potential scenarios for which I was not fully equipped. This led me to put together a kit of sorts to ensure I have the bare essential tools to handle most scenarios without breaking the bank. The ideal solution would be a fully preconfigured digital forensics kit, including a write blocker and so on. For those who do not have an endless budget, however, this may be a good starting point.

What I was After

  • Something cheap enough that it won’t hurt the budget.
  • Portable enough to fit in a backpack.
  • Enough to get out of most situations, although it does not need to be perfect.

The Kit

The kit I’ve ended up putting together is barebones and includes:

  • 4 x USB drives
    • 2 x 32 GB USBs for boot media / tool install scripts
    • 1 x 64 GB USB for DFIR tooling
    • 1 x 128 GB USB for smaller outputs such as KAPE collections
  • 1 x 2 TB SSD drive
  • M.2 to USB-A adapter
  • Cables and adapters
    • SATA to USB
    • USB A to USB C
    • USB C to USB C
    • USB A Male to USB C Female
    • USB A Female to USB C Female
    • Power Adapter to USB A
    • Power Bank
    • USB C Hub
    • Network Cable
  • Notebook
  • Masking tape
  • Pen and Permanent marker
  • Policies and Documents (Printed or Stored on USB Drives):
    • Incident Response Forms such as Chain of Custody
    • Incident Response Playbooks and Plans
    • Key Contact Information
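One thing worth keeping on the tooling USB next to the chain-of-custody form is a small script that hashes whatever lands on the output USB (a KAPE collection, for example) and writes a manifest you can reference from the form, then re-checks the copy once it has been moved to the 2 TB SSD. The following is an added example for this post, not the author's own tooling; the case ID, examiner name and sample files are placeholders, and the sample collection is constructed in a temporary directory rather than read from real evidence.

```python
"""Hash-and-manifest helper for a collection drive (added example, not the
post's own tooling). Walks an output directory such as a KAPE collection,
records SHA-256, size and mtime for every file, and writes a JSON manifest
whose own hash can be written on the chain-of-custody form. The manifest can
later be re-checked against the copy on the SSD to show nothing changed.
Case IDs, examiner names and sample files below are placeholders."""
import hashlib
import json
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so multi-GB images do not load into RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, case_id: str, examiner: str) -> dict:
    """Inventory every regular file under root with hash, size and UTC mtime."""
    root = Path(root)
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # skip links so nothing outside the drive is hashed
        st = p.stat()
        entries.append({
            "path": p.relative_to(root).as_posix(),  # portable across Windows/Linux
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "case_id": case_id,
        "examiner": examiner,
        "collection_host": socket.gethostname(),
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "root": str(root),
        "files": entries,
    }


def write_manifest(manifest: dict, out_path: Path) -> str:
    """Write the manifest as JSON and return its SHA-256 for the CoC form.
    Keep out_path outside the collection root so verification stays clean."""
    body = json.dumps(manifest, indent=2, sort_keys=True)
    Path(out_path).write_text(body)
    return hashlib.sha256(body.encode()).hexdigest()


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return (path, reason) pairs for missing, altered or unexpected files."""
    root = Path(root)
    problems, seen = [], set()
    for entry in manifest["files"]:
        seen.add(entry["path"])
        p = root / entry["path"]
        if not p.is_file():
            problems.append((entry["path"], "missing"))
        elif sha256_file(p) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in seen:
            problems.append((rel, "unexpected file"))
    return problems


def make_sample_collection() -> Path:
    """Constructed throwaway collection tree (sample input, not real evidence)."""
    drive = Path(tempfile.mkdtemp(prefix="dfirkit_"))
    coll = drive / "kape_out"
    (coll / "Registry").mkdir(parents=True)
    (coll / "Registry" / "SYSTEM").write_bytes(b"constructed hive data")
    (coll / "triage.csv").write_text("constructed,triage,row\n")
    return coll


if __name__ == "__main__":
    coll = make_sample_collection()
    m = build_manifest(coll, "CASE-0001", "examiner placeholder")
    print("manifest sha256:", write_manifest(m, coll.parent / "manifest.json"))
    print("problems:", verify_manifest(coll, m))
```

Run it once on the output USB before leaving site and once after copying to the SSD; the manifest hash goes on the paper form, and a non-empty problem list means the copy is not the collection.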

This Is Not Perfect

The kit is far from perfect… there will be times when you run into a problem you haven’t encountered before. That is okay; it is an opportunity to add a new solution to your kit for next time.