
Importance of Preparedness

This is my first non-technical blog post, but it is arguably on a topic of similar importance to technical ability, namely the importance of being prepared in advance of a forensics engagement. Rather than write an essay, I’m going to put this down in ten bullet points.

1. Firstly, prepare a forensics jump bag. There are plenty of web sites that list the basics of a jump bag, and in time you’ll customize your own. Don’t pilfer from the bag when it’s not in use. Keep it beside you at all times so you can pick it up and go at a moment’s notice. Include the following items at a minimum:

– Pens
– Paper
– Notepads from which you can’t easily remove pages (no ring pads)
– Name cards
– LAN/cross cables (clearly marked as such)
– Forensics CDs (Helix, BackTrack, LinEn)
– Thumb drives
– Screwdriver set
– IDE/SATA cables
– Evidence labels
– Cheap digital camera

2. Have a forensics laptop separate from your production laptop. Install EnCase, FTK, The Sleuth Kit, Tableau software and any other forensics tools you need. Avoid using it as your production laptop, i.e. no email, Microsoft Office or web browsing.

3. Bring documented procedures to double-check your approach against. Also bring soft and hard copies of Chain of Custody and Acquisition/Seizure Log documents. Have everything written down, even for the simplest tasks. You’d be amazed at how much and how quickly you forget things, even from a recent engagement.

4. Test-carry your forensics field kit through airport customs in advance of any engagement to ensure you have anticipated questions or security/customs issues. The last thing you want is to arrive on site without your Tableau or WiebeTech hardware write blockers. If you work in a geographically dispersed region (as I do in Asia), it pays to understand how customs practices differ between countries. You may be good to go in one country but hopelessly stymied in another. It’s not practical to test every location, so some background research may be the only other option.

5. When imaging, take two sets of images and send one set back via company internal mail or courier. Password-protect the other set and hand-carry it back with you to the office. This means that if customs take possession of your hand-carried set, at least the couriered set should make it to the office within a couple of days. Also make allowances for the additional time needed to take two sets instead of one.

6. Make sure you have IT support available at the other end, especially if it’s over a weekend and you need access to machine rooms, other secure areas, or information about other peculiarities of the IT setup at your destination.

7. Make sure there isn’t a building power-down on the weekend of your engagement (yes, this happened to me once). If there is, ensure you arrange for a UPS-protected area to do your work in.

8. There will be cases when you go on-site and are faced with a completely new set of circumstances. Nevertheless, test as many different scenarios in the lab as you can. It’s impossible to pre-empt every situation, but have the basic stuff tested and documented and be comfortable with it.

9. Know your tools. Know their strengths and, just as important, know their weaknesses. Stick with what you know works. A customer engagement isn’t the best time for experimenting.

10. Have an agreed means of contacting your other team members should the need arise. You can’t know everything about every scenario, and some situations require group-think to resolve.

Note: Make sure you know where to buy snacks and drinks. If you need to work into the night, get the phone number of a food delivery service from the local staff, or stock up on sandwiches and chocolate before all the stores close for the day.
