I’ve Been Looking Forward to This
You are likely reading this in a setting similar to the one where I am writing this post: a well-defined workstation with everything you may need within a few meters, including a coffee machine. This was recently flipped for me; I did not even have a chair. I had great hopes for the day ahead, travelling interstate for a team function. I threw three USBs into my bag, more as a good luck charm than anything else, and off I went.
Realistically, with an early morning, skipped breakfast and a stubborn desire for a good first coffee, I was heading straight for disaster. Within minutes of stepping into the office, a new engagement kicked off… the coffee would have to wait. One hour later, I found myself on the floor of a server room, thankful that I had thrown the three USBs into my bag; they turned out to be lifesavers. This was all part of my first onsite ransomware engagement, a moment I had been looking forward to for some time.
This experience prompted me to rethink my preparedness for future onsite engagements. While I was prepared for what did occur, it did raise some potential scenarios that could arise for which I was not fully equipped. This led me to create a kit of sorts that will ensure I have the bare essential tools to handle most scenarios without breaking the bank. The ideal solution would entail a fully preconfigured digital forensics kit, including a write blocker, etc. However, for those who do not have an endless budget, this may be a good starting point.
What I was After
- Something cheap that won’t hurt the budget.
- Portable enough to be placed in a backpack.
- Enough to get out of most situations, although it does not need to be perfect.
The Kit
The kit I’ve ended up putting together is barebones and includes:
- 4 x USBs
  - 2 x 32 GB USBs for booting / tool install scripts
  - 1 x 64 GB USB for DFIR tooling
  - 1 x 128 GB USB for smaller outputs such as KAPE
- 1 x 2 TB SSD Drive
- M.2 to USB A
- Cables and adapters
  - SATA to USB
  - USB A to USB C
  - USB C to USB C
  - USB A Male to USB C Female
  - USB A Female to USB C Female
  - Power Adapter to USB A
- Power Bank
- USB C Hub
- Network Cable
- Notebook
- Masking tape
- Pen and Permanent marker
- Policies and Documents (Printed or Stored on USB Drives):
  - Incident Response Forms such as Chain of Custody
  - Incident Response Playbooks and Plans
  - Key Contact Information
This Is Not Perfect
The kit is far from perfect… there are going to be times when you haven’t encountered a particular problem before. That is okay; it is an opportunity to add a new solution to your kit for next time.