Build a live-forensics USB
Many programs are worth having on a USB for live forensics. Test what works for you and your environment first. Note there are fewer tools for *nix systems — the landscape skews Windows — but plenty of Linux/Unix servers still exist, so account for them.
Prepare the USB
Make sure the USB is completely erased and of good quality.
- Buy from a known brand — Verbatim, SanDisk, Kingston. A cheap unknown USB is not good enough.
- Always use a brand-new one straight out of the box.
- Consider keeping a stack of factory-new USBs in the jump-bag, plus one write-block-capable USB (e.g. Netac) for storing your toolset read-only.
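Added example, not part of the original notes: a small Python helper that checks whether a stick (or an image taken from it) is genuinely zero-filled before tools go on it, and that records a SHA-256 manifest of the toolset so the read-only copy can be re-checked for tampering before each use. The file name prep_check.py, the CLI verbs and /dev/sdX are my own placeholders.

```python
import hashlib
import os

CHUNK = 1 << 20  # 1 MiB reads: a multi-GB stick never has to fit in RAM


def chunks_of(path):
    """Yield a file, device image or raw device in CHUNK-sized pieces."""
    with open(path, "rb") as f:
        while piece := f.read(CHUNK):
            yield piece


def first_nonzero_offset(chunks):
    """Offset of the first non-zero byte, or -1 if every byte is zero (a blank stick)."""
    offset = 0
    for piece in chunks:
        if any(piece):  # leftover data from a previous use, a partition table, etc.
            return offset + next(i for i, b in enumerate(piece) if b)
        offset += len(piece)
    return -1


def sha256_of(chunks):
    h = hashlib.sha256()
    for piece in chunks:
        h.update(piece)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under the toolset directory."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(chunks_of(full))
    return manifest


def diff_manifests(recorded, current):
    """Paths changed, removed or added since recording; empty list means intact."""
    return sorted(p for p in set(recorded) | set(current)
                  if recorded.get(p) != current.get(p))


if __name__ == "__main__":
    import json, sys
    cmd, target = sys.argv[1], sys.argv[2]
    if cmd == "wipe":           # prep_check.py wipe /dev/sdX   (needs read access to the device)
        print(first_nonzero_offset(chunks_of(target)))
    elif cmd == "manifest":     # prep_check.py manifest <toolset_dir> > manifest.json
        print(json.dumps(build_manifest(target), indent=1))
    elif cmd == "verify":       # prep_check.py verify <toolset_dir> manifest.json
        with open(sys.argv[3]) as f:
            print(diff_manifests(json.load(f), build_manifest(target)))
```

Keep the manifest somewhere other than the stick itself; a manifest stored beside the tools can be altered along with them.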
Two scenarios
- Lite version — lightweight, for specific purposes; carry tools for both *nix and Windows environments.
- Categories to cover: acquisition programs, memory dump, and a live-boot option.