An incident is a matter of when, not if, a compromise or violation of an organization’s security will happen. The preparation of the Computer Incident Response Team (CIRT) through planning, communication, and practice of the incident response process will provide the necessary experience needed should an incident occur within your organization. Each phase from preparation to lessons learned is extremely beneficial to follow in sequence, as each one builds upon the other. The following phases will provide a basic foundation to be able to perform incident response and allow one to create their own incident response plan.
In Patrick Kral’s “Incident Handler’s Handbook,” the Jump Bag is emphasized as a critical component for incident responders. This section outlines Kral’s recommendations for assembling a well-equipped Jump Bag, which includes essential tools and equipment needed for on-site incident response and digital forensic investigations.
Patrick Kral’s Jump Bag Recommendations
1. Forensic Hardware
i.Portable Computer:
- Description: A robust laptop or portable workstation.
- Purpose: Used for running forensic software, data acquisition, and preliminary analysis.
- Example: High-performance laptop with sufficient RAM (16GB+), SSD, and multi-core CPU.
ii. External Hard Drives:
- Description: Reliable, high-capacity external drives.
- Purpose: For storing copies of acquired data and forensic images.
- Example: 1TB or larger external SSDs
iii. Write Blockers:
- Description: Devices that prevent data on storage devices from being altered.
- Purpose: To ensure the integrity of the evidence during data acquisition.
- Example: Tableau Forensic Bridge, WiebeTech Forensic DriveDock.
iv. Drive Adapters and Cables:
- Description: Various adapters and cables for connecting storage media.
- Purpose: To connect different types of drives (SATA, IDE, NVMe) and interfaces (USB, FireWire, etc.).
- Example: Universal drive adapters, USB 3.0 to SATA/IDE converters.
v. Portable Storage Devices:
- Description: USB flash drives, SD cards.
- Purpose: For quick data transfers and temporary storage.
- Example: 64GB or larger USB 3.0 flash drives.
vi. SIM Card Readers:
- Description: Devices for reading data from SIM cards.
- Purpose: To extract information from mobile phones.
- Example: SIM card adapters and readers.
2. Forensic Software
i.Forensic Imaging Tools:
- Description: Software for creating forensic images of digital media.
- Purpose: To create bit-by-bit copies of data for analysis.
- Example: FTK Imager, EnCase, dd (Unix tool).
ii. Data Recovery Tools:
- Description: Software for recovering deleted files and analyzing file systems.
- Purpose: To retrieve lost or deleted information.
- Example: R-Studio, Recuva, Autopsy.
iii. Live Response Tools:
- Description: Tools for capturing volatile data and system state information.
- Purpose: To collect data from running systems without altering the system state.
- Example: F-Response, Magnet RAM Capture, Sysinternals Suite.
iv. Password Recovery Tools:
- Description: Tools for recovering passwords and decrypting files.
- Purpose: To gain access to encrypted or password-protected data.
- Example: Passware Kit, ElcomSoft Password Recovery Bundle.
v. Network Analysis Tools:
- Description: Software for capturing and analyzing network traffic.
- Purpose: To investigate network-related incidents.
- Example: Wireshark, tcpdump.
3. Documentation and Legal Supplies
i. Chain of Custody Forms:
- Description: Forms to document the handling of evidence.
- Purpose: To maintain a legal record of who handled the evidence and when.
- Example: Printable chain of custody templates.
ii. Evidence Bags and Labels:
- Description: Bags and labels for securing and identifying evidence.
- Purpose: To protect and label physical evidence for identification and integrity.
- Example: Tamper-evident bags, evidence tags.
iii. Incident Response Checklists:
- Description: Standardized checklists for various incident response procedures.
- Purpose: To ensure consistent and thorough handling of incidents.
- Example: Checklist for initial response, data collection, containment, and documentation.
iv. Legal and Policy Documents:
- Description: Copies of incident response policies, privacy guidelines, and legal references.
- Purpose: To ensure compliance with organizational policies and legal requirements.
- Example: Incident response policy, data privacy policy, legal guidelines.
4. Miscellaneous Supplies
i .Basic Tools:
- Description: Small tools like screwdrivers, pliers.
- Purpose: For physically accessing hardware components.
- Example: Screwdriver kits, precision toolsets.
ii. Lighting:
- Description: Portable light sources.
- Purpose: For working in low-light conditions.
- Example: Flashlights, headlamps.
iii. Safety Equipment:
- Description: Equipment to protect against electrostatic discharge.
- Purpose: To prevent damage to electronic components during handling.
- Example: Anti-static wristbands, mats.
iv. Logbooks:
- Description: Notebooks for recording actions taken during the investigation.
- Purpose: To document processes and observations for later reference.
- Example: Incident response logbooks.
Additional Recommendations from Kral
i. Regular Updates and Maintenance:
- Keep the Jump Bag’s software tools and hardware components up to date.
- Perform periodic checks to ensure all items are functional and available.
ii. Customization:
- Tailor the Jump Bag to fit specific organizational needs and potential scenarios.
- Add or remove items based on the environment and typical incident types.
iii. Training:
- Ensure all incident responders are familiar with the tools and procedures.
- Conduct regular drills and simulations using the Jump Bag.
Practical Use of the Jump Bag
- Immediate Deployment: Quickly respond to incidents with ready-to-use tools.
- Data Acquisition: Use tools to acquire data while preserving evidence integrity.
- On-Site Analysis: Conduct initial analysis to guide further investigation steps.
- Documentation: Record evidence handling and investigative actions thoroughly.
Kral’s Jump Bag recommendations ensure that incident responders are well-prepared for various digital forensic and incident response scenarios, enabling efficient and effective handling of security incidents.
