Day 4 - Preparation: What Goes Into a Response Kit
Last Updated: 2008-10-14 15:06:41 UTC
by Marcus Sachs (Version: 5)
For the fourth day of Cyber Security Awareness Month we will look at how to build a response kit. When you or your team get notified about an incident, what do you bring with you? In the preparation phase you want to think about putting together a physical and virtual kit that contains the tools you need when investigating an incident.
Jim Murray submitted a GIAC paper last year on incident handling and gave this advice:
Build your response kit - This can be a duffle bag or a small carry-on suitcase. Regardless of what it is, this is what you have with you whenever you work an incident. You want to make sure that you spend enough time putting this together, so that you are ready at a moment's notice. You should never steal from your response kit. Sometimes we are testing something or working on an issue and we need a network cable or installation software and know it is there in our response kit. We tell ourselves that we are just going to borrow it and put it back as soon as we are done. Don't do it because you know it will never make it back there. Here is a list of things that you should consider having in your response kit:
- Network cables—Include various sizes, both crossover and straight-through
- A small hub or tap
- USB jump drive or external hard drive
- Response laptop-This laptop should have everything you need on it, for instance, checklists, forms, response software
- Various peripheral cables—USB, Firewire, parallel, serial, console, and so on
- Clean binaries and diagnostic software
- Call list
- Notebooks, pens, pencils, and small audio recorder
- Plastic/anti-static bags for evidence
- Forensic software and imaging media
- Blank CDs for burning software from the response laptop
If you have built a response kit and have any anecdotes or ideas you can share please send them to us via our contact page. We will update this diary with your comments and thoughts throughout the day, so start sending them in.
Reader Vincent sent us this idea:
A useful ingredient for an incident response kit is a Linux live CD, such as Knoppix or the Knoppix-based distro BackTrack, which comes preloaded with security/forensic software.
Reader Oliver provided this addition to the above list:
- A (cheap) digital camera is a nice thing to have for documenting things or making "Screenshots" (Fresh replacement batteries shouldn't be forgotten. Also, periodically reload the repsonse-notebooks battery, it won't help if it has no power :-)
- A swiss army knife is always handy and doesn't cost much.
- A torch/flashlight. Rogue hardware tends to hide in dark places. (Batteries!)
- Examination gloves, so you don't leave/destroy fingerprints. You never know what your're touching ("dirty rogue hardware"), so protect yourself with these gloves.
Reader Pete said:
I would suggest somewhat less of the ~computing hardware~, and instead, a few other general-purpose 'recovery' tools:
1] A (networkable) Digital Camera or Webcam. Need not be anything complex, but it can be _very_ useful to be able to send near-real-time pictures of any physical damage to your hardware-provider, facilities-management people or 'up the chain' to your senior management. Great for evidence-collection too: digital cameras will in-picture-timestamp the images for you.
2] A company credit-card with a significant credit-limit. You and your team may be on-site for a long time - and you then need to pay for 'survival supplies' in a hurry. Simple things like Food/Hotel accomodation, hire-cars, train/plane tickets, Courier-services.
3] Walkie-talkies. 3 or 4 Motorola hand-held radios can be extremely useful to keep in touch with people if the site's phone system is part of the 'incident'. Remember that VoIP/PABX/POTS does not degrade gracefully if your core network infrastructure is no longer serviceable or there's no power.
Reader Tomasz sent us his thoughts:
Regarding digital camera - yes, if you want to spare your memory cards as an evidence. Let's assume you came across child pornography - if you take a photo of the screen it will become an evidence and you will have to give it away to the authorities. Surely I would discourage video-cameras. I used my digital cam only once, to document for myself what was on the screen when the system went belly-up. Whole screen of kernel messages and a stack dump - good luck taking notes :-)
I would strongly suggest digital voice recorder and spare batteries. I used myself Olympus WS-320M on numerous occasions and it does the job well. Whatever that is you are doing - installing servers, incident response or documenting steps when switching cables in the data center - voice notes are your best friend. Just train a bit before you go for that - I mean train yourself to say what you do, whatever you do and do it all the time!
HINT: Pausing recording to avoid quiet gaps doesn't help, too often you will forget to turn recording back on and loose important information. Use voice activated recording - most of DVRs have that function.
HINT 2: Timestamp messages - that will come with a bit of practice. Very useful with voice activated recording, also good to throw timestamp into voice log from time to time, let's say every 15-20 minutes.
HINT 3: train, train, train - taking voice notes is easy if you really take notes like 'cd /etc/ more passwd cd /var/log...' instead of 'hmmm, that's interesting'.
Using walkie-talkie type radios... be aware that radios available in USA and North America (GMRS/FMRS) are illegal in Europe. Use only legal equipment. For europe it would be PMR or LPD radios only. Also the power limits are significantly smaller for those.
It may look irrelevant, but in EU those frequencies are used in some countries by the police, military (spec ops) and other emergency services. Better not to get in their way :)
Simply make sure that the kit you take is legal where you will be using it.
According to reader Mike, here are some other he found handy for the incident response kit:
Evidence/tamper tape. If you have to lock up equipment in a closet or drawer (maybe it's too large to fit into your safe?) this stuff gives a bit of peace of mind.
NUMBERED notebooks. Usually in the accounting section.
I bought old school disposables for our jump-bag. While you can't easily review the images, it seems to me there could be less accusation of tampering or having to hand over a $300 camera for evidence.
Write blockers have gotten pretty reasonable now. Granted, we all know how to not write a file system in Linux, but it affords extra protection and the authorities seem to dig it.
Reader Carry said:
You should also add forensic software and kit for mobile phones to such kit. You never know when you need it.
Marcus H. Sachs
Director, SANS Internet Storm Center