One facet of incident response that can present a challenge to CSIRT team members is the possibility that they may have to respond to incidents outside their own location. Off-site response is quite common in larger enterprises and is even the norm in CSIRTs that consult for other organizations. As a result, CSIRTs may often have to perform the entire response at another location, without the support of a digital forensics laboratory. With this challenge in mind, CSIRTs should prepare several jump kits. These kits are preconfigured and contain the hardware and software necessary to perform the tasks a CSIRT would be called upon to carry out during an incident. These kits should be able to sustain an incident investigation throughout the process, with the CSIRT identifying secure areas at the incident location in which to store and analyze evidence.
Jump kits should be portable, configured to fit within a secure hard-sided case, and ready to be deployed at any time. CSIRTs should ensure that, after each incident, the jump kit is restocked with any items that were utilized in the last incident, and that hardware and software are properly configured so that, during an incident, analysts can be confident in their availability. An example of a jump kit can be seen in the following photo:
At a minimum, a jump kit should contain the following:
- Forensic laptop: This laptop should contain enough RAM (32 GB) to image a hard drive in a reasonable amount of time. The laptop should also contain a forensic software platform (as previously discussed). If possible, the laptop should also contain at least one Linux forensic OS, such as CAINE or SIFT.
- Networking cables: Having several CAT5 cables of varying lengths is useful in the event that the CSIRT team has to access a network or patch into any network hardware, such as a router or a switch.
- Physical write blocker: Each kit should have a physical write blocker that can be used to image any hard drives that CSIRT personnel may encounter.
- External USB hard drives: The jump kit should contain several 1 TB or 2 TB USB hard drives. These will be used for imaging hard drives on potentially compromised systems.
- External USB devices: It is not forensically sound to store evidence collected from log sources or RAM captures on a potentially compromised system. The jump kit should contain several large-capacity (64 GB) USBs for offloading log files, RAM captures, or other information obtained from command-line outputs.
- Bootable USB or CD/DVD: While not utilized in every case, having several bootable Linux distributions can be useful in the event that the forensic laptop is currently performing another task.
- Evidence bags or boxes: It may become necessary to seize a piece of evidence and transport it off-site while an incident is ongoing. There should be the capability to secure evidence on-site without having to search around for a proper container.
- Anti-static bags: In the event that hard drives are seized as evidence, they should be transported in anti-static bags.
- Chain of custody forms: As was previously discussed, having a chain of custody form for each piece of evidence is critical. Having a dozen blank forms available saves the trouble of trying to find a system and printer to print out new copies.
- Toolkit: A small toolkit that contains screwdrivers, pliers, and a flashlight comes in handy when hard drives have to be removed, connections are cut, or the analyst has to access a dark corner of the data center.
- Notepad and writing instrument: Proper documentation is critical; handwritten notes in pen may seem old-fashioned, but they are the best way to reconstruct events as an incident continues to develop. Having several steno notebooks and pens as part of the kit ensures that CSIRT personnel do not have to hunt down these items while a critical event has just occurred.

Jump kits should be inventoried at least monthly so that they are fully stocked and prepared for deployment. They should also be secured and accessible by CSIRT personnel only. Left in public view, these kits are often raided by other personnel in search of a screwdriver, network cable, or flashlight. For CSIRTs that support geographically dispersed organizations, it may be a good idea to have several of these jump kits pre-staged at key locations, such as major office headquarters, data centers, or other off-site locations. This avoids having to cart the kit through an airport. An example of some items to be stocked in a jump kit can be seen in the following photo:
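Two of the points above, that collected output must not be stored on the potentially compromised system and that every item of evidence needs a chain-of-custody record, can be enforced by a small script run from the forensic laptop. The following is an added example and not code from the book: it copies a collected artifact onto the external evidence drive, verifies the copy by SHA-256, appends a JSON-lines chain-of-custody record beside it, and can later re-hash every logged item to confirm nothing on the drive has changed. The case identifier, analyst name, log lines and directory layout are all constructed for the demonstration, and a temporary directory stands in for the USB evidence volume.

```python
"""Offload a collected artifact to an external evidence volume and keep a
chain-of-custody log next to it. Added example; assumes the evidence drive is
already mounted and its path is passed in as evidence_root."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

COC_LOG = "chain_of_custody.jsonl"  # one JSON record per collected item


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so a multi-gigabyte RAM capture need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def offload_artifact(src_path, evidence_root, case_id, collector, description):
    """Copy one artifact onto the evidence volume, verify the copy against the
    source hash, and append a chain-of-custody record. Returns that record."""
    case_dir = os.path.join(evidence_root, case_id)
    os.makedirs(case_dir, exist_ok=True)
    dest_path = os.path.join(case_dir, os.path.basename(src_path))
    if os.path.exists(dest_path):
        raise FileExistsError(f"refusing to overwrite existing evidence: {dest_path}")
    source_hash = sha256_file(src_path)
    shutil.copy2(src_path, dest_path)  # copy2 also preserves the source timestamps
    copy_hash = sha256_file(dest_path)
    if copy_hash != source_hash:
        os.remove(dest_path)  # a bad copy is not evidence; do not leave it on the drive
        raise IOError("copy did not verify; check the evidence volume")
    record = {
        "case_id": case_id,
        "item": os.path.basename(src_path),
        "description": description,
        "collected_from": src_path,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(dest_path),
        "sha256": copy_hash,
    }
    with open(os.path.join(case_dir, COC_LOG), "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_case(evidence_root, case_id):
    """Re-hash every logged item. Returns {item: True/False}; False means the
    stored copy no longer matches the hash recorded at collection time."""
    case_dir = os.path.join(evidence_root, case_id)
    results = {}
    with open(os.path.join(case_dir, COC_LOG), encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            item_path = os.path.join(case_dir, rec["item"])
            results[rec["item"]] = (
                os.path.exists(item_path) and sha256_file(item_path) == rec["sha256"]
            )
    return results


def demo():
    """Constructed walkthrough: a two-line auth log from a 'compromised host' is
    offloaded to a temp directory standing in for the USB evidence volume, then
    the stored copy is deliberately altered to show verification catching it."""
    workdir = tempfile.mkdtemp(prefix="jumpkit_demo_")
    host_dir = os.path.join(workdir, "compromised_host")
    usb_root = os.path.join(workdir, "usb_evidence")
    os.makedirs(host_dir)
    os.makedirs(usb_root)
    # Constructed sample log lines (203.0.113.0/24 is a documentation range).
    content = (
        b"Jan 10 03:14:07 host sshd[1012]: Failed password for root from 203.0.113.5 port 51234 ssh2\n"
        b"Jan 10 03:14:09 host sshd[1012]: Accepted password for root from 203.0.113.5 port 51234 ssh2\n"
    )
    sample_log = os.path.join(host_dir, "auth.log")
    with open(sample_log, "wb") as fh:
        fh.write(content)
    record = offload_artifact(sample_log, usb_root, "CASE-0001", "analyst-a", "auth log from host")
    verified_before = verify_case(usb_root, "CASE-0001")
    with open(os.path.join(usb_root, "CASE-0001", "auth.log"), "ab") as fh:
        fh.write(b"altered after collection\n")  # simulate a corrupted/tampered copy
    verified_after = verify_case(usb_root, "CASE-0001")
    shutil.rmtree(workdir)
    return {
        "record": record,
        "expected_sha256": hashlib.sha256(content).hexdigest(),
        "expected_size": len(content),
        "verified_before": verified_before,
        "verified_after": verified_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the evidence_root would be the mount point of one of the kit's USB drives, and the JSON-lines log complements rather than replaces the paper chain-of-custody form: the form records handovers, while the hash in the log is what lets a later analyst prove the copy is the one that was collected.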