Jump-bag
The purpose
As mentioned before, it is a good idea to assemble the pieces so that everything you need is in one place. The things in the bag are important components and must stay in the bag in peacetime; otherwise it loses its value exactly when you need it. The bag also gathers all the documentation: contingency plans, contact information for vital partners, and incident handling and management procedures. It is important that this is printed out, in case of crashes, attacks, or anything else that leaves things not working.
Content
The content is first and foremost what you need, and there is no definitive list here. I have written down what I want in my bag.
- Pen and paper - probably the most overlooked and yet the most important: to be able to take notes and write down times and who you talked to. I even use my SIR_checklist to make sure I have it all with me.
- Printed documentation of contingency plans, contact information for vital partners, and incident handling and management procedures.
- Hard drives - preferably in different sizes, with space to spare if you need to secure a copy of data.
- USB - USB keys can be useful if you need to keep copies of data or hand data over. They are a cheap way to share data-bearing media.
- Tool set - a good tool set is indispensable so that equipment can be disassembled when needed. Some sets come with lids that can be used as a screw tray. (Tip: a small magnet can come in handy when dealing with small screws. iFixit sets have a lid that can be used for this purpose.)
- An antistatic wrist strap is also a good detail.
- A multitool can come in handy in many respects.
- Headlamp - good working light is never a bad idea.
- Write protection - a USB stick with CAINE Linux, or hardware or software write protection.
- Computer - preferably one with Linux, so it is easier to handle malware. If necessary, also have a computer with the company image so that you can test the latest virus definitions with the purchased antivirus suite. Remember the power supply!
- Water and something to eat, e.g. a muesli bar or similar. Water and a muesli bar are not a crazy idea if you are going to be at it for several hours (before "who does what" has been established and the logistics for food, shift schedules, calls, etc. are being managed).
- Personal belongings like deodorant and a toothbrush. (It is not my invention; I would have liked to have had them during some of the incidents I have participated in.)
- Cables - network cables, USB cables (USB A to micro-USB, USB C, etc.), USB to SATA, adapters for SSD NVMe / M.2 drives (remember that there are several types).
- Card reader for several formats.
- Possibly a small network router and a switch, so that a small separate network can be set up. (GL.iNet routers are perfect for this purpose, as they have VPN capability as both server and client and can thereby encapsulate the network.)
- Camera is often overlooked. If you need to document something, a picture can be really good to have as documentation. The camera can be a standalone one or the phone's. The latter is probably more valuable, as you more often have control over the battery level of the phone than of a camera lying in a bag 😉
Things that may be worth considering
- Powerbank
- Extra SD cards.
- Headphones to shield you from noise in a large open-plan office.
- USB drive with a write-protection option (such as Kanguru or Netac). Can be used for several tasks.
Write protection
Write protection is the technology that ensures no data is changed while data is being secured from equipment. This is probably the most vital piece of equipment of all, since it must be able to secure data in the right way.
Hardware write protection
This is a device placed between the data-bearing media and your computer. It often requires adapters, and many hardware write blockers cannot be used for USB media, so a software solution is cheaper.
Software write protection
Software write protection works the same way. Here you boot from a USB medium and run a live image, and/or install software on your workstation. Then you can connect the devices you need.
The hardware components are more expensive; they cost from approx. 3,500 DKK and up.
The software costs from approx. 2,000 DKK and up for proprietary solutions. CAINE Linux does not cost anything, is quite good software for the purpose, and gets the job done.
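The point of write protection is that the evidence medium leaves the acquisition in exactly the state it arrived in, and the way to prove that is to hash the source before and after imaging and compare both against the image. The script below is an added example (not from the original post or from the CAINE project) of that routine with the tools found on any Linux live image: `blockdev` to set the kernel's read-only flag on the source device as a software write block, `dd` for the bit-for-bit copy, and `sha256sum` for the verification. The function names, and the use of a regular file as a stand-in for a block device, are this example's own assumptions; on a live system the source would be a device such as /dev/sdX and `blockdev` needs root.

```sh
#!/bin/sh
# Added example: image a source medium under a software write block and
# verify that source and image hash identically before and after the copy.
# Assumes GNU coreutils (dd, sha256sum, cut) and util-linux (blockdev).
set -eu

# Set the kernel read-only flag on a block device before touching it.
# A regular file (used when testing this script) has no such flag and is skipped.
set_readonly() {
    dev="$1"
    if [ -b "$dev" ]; then
        blockdev --setro "$dev"
        [ "$(blockdev --getro "$dev")" = "1" ] || return 1
    fi
}

# SHA-256 digest of whatever is at the given path (file or block device).
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Acquire $1 into the raw image $2. Prints the verified digest on success;
# returns 1 (with a message on stderr) if source or image hashes diverge.
acquire_verified() {
    src="$1"; img="$2"
    set_readonly "$src"
    before=$(hash_of "$src")
    # No conv=sync here: padding partial blocks would change the image hash.
    dd if="$src" of="$img" bs=4M 2>/dev/null
    after=$(hash_of "$src")
    image=$(hash_of "$img")
    if [ "$before" = "$after" ] && [ "$before" = "$image" ]; then
        printf '%s\n' "$before"
        return 0
    fi
    printf 'HASH MISMATCH before=%s after=%s image=%s\n' \
        "$before" "$after" "$image" >&2
    return 1
}
```

Write the printed digest down with pen and paper together with the time and the device serial; that note is what later lets anyone confirm the image is still the one taken on site.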
Computer
Having one or more computers is always a good idea. A computer with the company's image and settings serves as a kind of test machine: if you need to test the defenses on a standard machine, you have one at hand.
TIP:
It might be a good idea to team up with someone from IT support for re-installation of the above PC in case of an accident or error.
Having a computer with Linux, and maybe Kali Linux, is a good idea if you need a relatively secure environment in which to work with malware files. In this context a Linux PC is perhaps a little more "immune" on a Windows network. (Remember that nothing is 100%.)
A lockable room is a must, as it keeps the analyst and the process away from prying eyes. Working in open spaces is also a stress factor. Remember that colleagues or suspects are innocent until proven otherwise.
Service wheel / maintenance
The above is not worth much if it is not updated or reviewed once in a while. It is really important to keep control of the bag and the documents in it. If it is not maintained and updated, it will cost time when you need it, and that is often time you do not have or want to spend.
Make a list of the items you want in your bag so it is easier to work with.
Supporting tools
As part of a contingency plan, it can be smart to have some tools that are deployable in case of an attack, e.g. Velociraptor.
A DFIR server for e.g. Velociraptor from [velocidex](https://github.com/Velocidex/velociraptor). (This is an idea that remains to be tested. It might make sense to have a server from which files could be downloaded or to which they could be uploaded via FTP / SFTP, so that all artifacts are collected in one place and in a closed environment.)