Build Your Own Forensics Go-Bag9 min read

Everyone has their own take on the components which make up a basic DFIR go-bag for when that inevitable call from a client comes. I always have with me a small collection of devices and boot USBs which I think are useful in most cases, mostly because I’ve found myself in situations where any of these things would have been really helpful to have at hand. For larger incidents, I’d recommend having a larger case with a few more critical pieces of hardware, but we’ll get to that below.

The Bag

The go-bag itself is important because an analyst ultimately needs to be able to fit their kit in it. Ever since I had an Alienware 17R3, I’ve been partial to the Alienware Vindicator series. It’s super comfortable to wear, has plenty of space for the vast majority of laptops (I’ve since switched to a 15″ MacBook Pro to skill up in OS X, among other reasons, and I can easily fit two in this bag if desired), and it’s fairly well laid out inside. It does lack some of the more modern touches like built in power, etc, but does open completely flat for easier packing/unpacking.

If this isn’t your style, I’ve heard good things about the GoRuck series of backpacks, which would be my second choice, and a change I’ve been considering making for a while. Alternatively, one might consider a photography backpack, with reconfigurable internal space(s).

Storage

Arguably the first thing to go in any forensicator’s bag (technically I suppose a powerful forensic laptop is first because no other items are much use without one, but we’ll consider this to be a given) should be some fast portable storage. I use an encrypted Samsung T3 (500GB) which, at least until now, has been more than enough. More storage would be nice, but for the price point of this external SSD, it’s pretty difficult to pass up.

Contained within this drive are:

  1. Soft-copy documents: it’s always worth having a copy of the various documents required during an engagement – chain of custody, device examination forms, a field kit checklist (more details on this later), cheat sheets (SANS have a lot of posters and cheat sheets which are super handy to have available), and so on
  2. Various forensic tools: portable executables are invaluable a lot of times, such as FTK Imager Lite, NirSoft tools such as BrowsingHistoryView, USB tools such as USBDeviceForensics/USBDeview, the Sysinternals or TZWorks suites of tools, or X-Ways (my personal favourite for analysis) to name a few
  3. ISOs: while analysts probably want to have some pre-made bootable USBs with them, it’s always a good idea to have the various base ISOs available in case a USB doesn’t work on a particular device, becomes corrupt, or any other scenario which comes up every now and then. Recommend are Deft, Kali, Paladin/Paladin Edge, and Helix to start
  4. Virtual Machines: In case it’s required to perform some testing or analysis in an OS not your own, it pays to have some VMs ready to go. Always make sure to have a snapshot to revert to before beginning working in your VM and you’ll go far. I’d recommend having at least a Linux VM, SIFT workstation, and maybe Windows 7/8/10 as well

Ideally, a forensic analyst will have in their bag some storage for images which may be taken whilst on site. Typically, 2x 2TB external hard drives is a good start, and should allow two copies of evidence images to be kept. One consideration which should be made is whether or not to encrypt these drives, and this decision will depend on a lot of factors, such as company policy, data sensitivity/criticality, and performance concerns.

Bootable USBs

Anything which allows an analyst to conduct an incident response investigation in a forensically sound manner (i.e. without disturbing the original evidence) is a tool worth having. While tools such as FTK Imager Lite and others allow for ‘live’ forensic images of devices to be taken (which is valuable in cases where volatile data such as memory or network connections will help the investigation), this is sometimes less desirable because of the risk of altering evidence on disk.

Forensic Linux distributions such as Paladin allow the user to boot a device into a safe environment where no changes to the internal disk are made, unless the forensicator specifically mounts a disk as read/write. This is by far one of the safest methods of creating a forensic image of a device. As mentioned previously, Deft, Paladin/Paladin Edge and Helix are recommended for this purpose.

Hardware

Various other pieces of hardware are nice to have in case you find yourself in a situation where these might be necessary:

  1. Write blocker(s): a hardware write blocker is an alternative to a boot USB, in that it allows the analyst to safely create an image of a device in a forensically sound manner. The drawback of this type of imaging is that the internal hard drive of a device will need to be removed in most cases and physically connected to the write blocker. My favourite write blocker is a Wiebetech Ultradock because it has a digital read-out to quickly and easily collect disk information, such as number of boot cycles completed, serial numbers, etc. Alternatively, a Tableau write blocker is also a good choice
  2. Adapters: USB to USB-C, USB-C to Ethernet, and maybe one or two others as necessary
  3. Power board(s): quite often a forensicator will need to connect more devices to power than there are power outlets available. A power board/strip (or two) can help mitigate this issue
  4. Screw drivers: regularly necessary when removing internal components to plug into write blockers
  5. Scissors: known to be useful for opening boxes and other similar containers. Also good for freeing cables from cable ties and other such tasks
  6. Blank USBs: don’t be caught without blank USBs which can be used for all sorts of tasks, primarily for creating new boot USBs when the ones you’ve pre-made don’t work on a particular device (for no reason whatsoever…)
  7. Label maker/sticky labels/post-its: particularly important for labelling evidence devices or target drives containing evidence images or data. I wouldn’t recommend post-it notes simply because they have a tendency to come unstuck and fall off, sticky labels or (even better) label maker labels are much more robust and reliable
  8. Card reader: in my experience this has been less and less of a necessity, but if the device from which evidence needs to be captured happens to be a digital camera, a card reader would be very useful to have
  9. Camera: this one is actually fairly important, and helps a forensicator to more accurately document the site, the evidence, and the state in which both were found upon arrival. Digital still cameras and photographs are recommended over video; video cameras are notorious for capturing additional information that can later be damaging to a case
  10. Dongles: if an analyst has with them forensic software to assist with an investigation, it’s useful to have the relevant dongles for that software (X-Ways, Encase, and FTK all require dongles and are useless without them)
  11. Faraday bags: if an investigation requires mobile device acquisition, faraday bags are a necessity because they keep the device disconnected from mobile and wifi networks, reducing the chance they will be remotely wiped, destroying any evidence contained within

Miscellany

To round out a forensic kit, there are a few other items which may or may not be needed depending on the nature of the case, but should be considered in any event:

  1. Hard copy documents: while soft copy documents are mentioned above, it’s a good idea to have a few hard copies already printed and ready to go. I’ve found ±10 copies of each (chain of custody and device examination forms) to be a reasonable number
  2. Evidence tags: some organisations require these more often than others, but if an investigation is likely to end up in court it’s worth having evidence tags to more easily identify evidence
  3. Evidence seals: as above, these may or may not be necessary based on the type of investigation, but why not have some, just in case. Also worth noting that anything going into a sealed evidence container is worth hashing before sealing
  4. Portable CD drive: less and less frequently CDs are required to either collect evidence or to be used to boot devices into a forensic environment. In most cases, USBs will do the trick
  5. Blank writable CDs: to go with the portable CD drive, in case evidence or Linux distributions need to be written to CD
  6. Hub: every so often it’s necessary to connect a forensic laptop to a network, or to a few other devices. A hub is useful in these scenarios
  7. Ethernet cables: to go with the hub above, or to connect to network devices such as routers in order to administer them and gather information about a network
  8. USB accessories: sometimes the drivers for touchpads or built-in keyboards just aren’t available in your forensic environment of choice, so it’s best to keep a separate USB keyboard and/or mouse with you in case this happens. Don’t forget to include a powered USB hub as well, which is particularly useful when imaging mobile devices with only a single USB port (I’m looking at you, Microsoft Surface…)
  9. Other: Pens, notepads, clips, clipboard (for holding documents); just things which might come in handy

The items listed above are in no particular order, except that those at the top of the page I typically have in my bag because they’re small and easy to transport. As we move down the page the amount of hardware necessitates an upgrade from an everyday backpack to something more substantial.

In most incident response or digital forensics cases I’ve worked, the go-bag of choice has been a Pelican 1610 Protector Case with foam dividers and lid organiser. All of this equipment (including forensic laptop) will fit quite nicely into said case, if the foam dividers are organised into sections correctly. The lid organiser is a nice-to-have feature which allows neat storage of things like dongles and other small bits and pieces (pens, notepads, etc). One thing not mentioned above is a solution for imaging mobile devices, but if a Cellebrite kit is added that would round it out nicely and occupy any remaining available space.

The adage “two is one and one is none” is worth keeping in mind, meaning that if you have one of any item and it breaks, then you have none of that item, so it’s always best to have a backup. I expect to add more to this as time goes on, but for now this is a reasonably comprehensive list of the gear I have in my go-bag. Let me know if you think I’ve missed anything critical, or even something that is just nice to have when responding to an incident.

2 thoughts on “Build Your Own Forensics Go-Bag9 min read

Leave a Reply

Your e-mail address will not be published. Required fields are marked *