Jump Bags – Incident Handling First Aid Kit

I was writing another post when I kind of went off on a “Jump Bag tangent”. I decided just to make it into its own post.

A Jump Bag is a set of tools set aside for IH incidents (like a Computer Security First Aid Kit). This thing will become your own personalized Batman Utility Belt! I first heard about Jump Bags while listening to a recording of SANS 504, and have always wanted to get my own. Here is the list as presented in “Netcat Is Your Friend”:

· Spare hard drives – useful for performing backups or replacing drives removed from the system as evidence
· MP3 audio recorder – useful for recording information about the incident
· Perforated notebook – used to take notes. Perforation provides solid evidence on whether pages have been removed. To aid in providing submissible evidence, perforated is preferred to spiral bound.
· USB drive – Sometimes it’s useful to store just a small amount of information. USB drives provide a method to mount a clean file system in order to capture data with minimal impact on the existing system. USB drives range in size, but GIAC Enterprises has a 128 MB USB device.
· Pens – as opposed to pencils to write notes with. Once it goes down on paper, it needs to stay there. Again for legal reasons.
· CDs – CDs provide known good tools used in forensic analysis. Knoppix provides a good bootable Linux distribution. The coroner’s toolkit is also a good one to have. Over time, it is expected that tools will be added to the handler’s list of resources. The CDs that contain binaries for the tools should be kept regularly updated. It is always important to have tools that allow for direct file backups, such as dd, system operations analysis, such as lsof for *nix, network connectivity analysis, such as lsof for *nix and tcpview for Windows. Tcpdump/windump are also useful.
· Laptop – Often it’s useful to have an external system loaded with various tools such as netcat, tcpdump/windump, nessus, nmap, etc… to perform analysis. This should be a hardened system.
· Polaroid Camera – In some cases it may be difficult to reliably capture information from a computer electronically. A picture of what is displayed on the monitor could be useful. It is important to avoid using a digital camera as it is easy to modify digital images. A Polaroid can better withstand accusations of tampering with evidence.
· Spare hub – This is a hub as opposed to a switch. This facilitates getting a clear view of a specified portion of the network without having to modify switch configurations to set up a span port. It would be best to get a hub that supports various types of connections. Be sure to have cables to go along with it.
· List of phone numbers – This list should contain all contact information for every member of the incident response team. It should be regularly reviewed and updated.
· Network diagrams and configuration files – Having the last known good configuration and network map diagrams in a hard copy version can be very valuable. This can save an incident handler a lot of time getting a feel for the network and determining where choke-points might be for purposes of containment and what network resource tools are available for utilization.
· Backup tape drive and tapes – This is useful again for making backups. Sometimes a drive may be too big to write to another disk and tapes might be the only way to get a complete backup. Attention should be paid to the type of interface that is available on the drive to ensure compatibility with the systems in the environment. Parallel and SCSI compatible drives are typically all that is required.
· Flashlight – in case of power outage or working in dark places
· Computer tool kit – In case handling the incident involves removing or adding hardware to a system

The list included here is just a good basis. Ed Skoudis also recommends things like non-liquid deodorant and jumpers. This is a definite must for individuals going into IH.

For more information about jump bags you can check out this post at the Internet Storm Center.
