Computer Forensics Toolkit Contents and Equipment
In previous sections of this site we have described how most computer forensic examinations are conducted off-site in a laboratory setting. That is the optimal setting. Sometimes, however, examiners must travel to various locations to respond to incidents or seize evidence, and sometimes some or all of the examination must be performed on-site. These sites are often hostile, such as the home or business of a suspect. What the examiner needs is a computer forensics toolkit, and because the technology keeps changing, the best practices for this type of incident response are constantly under review.
For example, there was a time when examiners would simply pull the plug on most systems so that the evidence was preserved in the state in which it was found. Everything in memory was lost, but the original evidence on the hard drive was preserved, and sacrificing the 128, 256 or even 512 megabytes of volatile data was an acceptable trade. Computers now routinely have one or more gigabytes of memory, which is a tremendous amount of potential evidence: running processes, open network connections, logged-in users and unsaved data that may exist nowhere on disk. Examiners must adapt and find ways to preserve this evidence before the power to the computer is cut.
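The following live-response script is an added example, not code from the original page. It shows the "preserve before you pull the plug" step in practice on a Linux host: volatile state is captured roughly in order of volatility (clock, memory, sessions, processes, network, then slower-changing data) into a directory on the examiner's own media, every command and failure is logged, and the artifacts are hashed so they can be re-verified in the laboratory. The artifact names, the `run_step` helper and the output layout are this example's own conventions; it assumes a POSIX shell with `sha256sum` available, tolerates tools that are missing (each is logged as skipped), and the memory image step assumes the `avml` acquisition tool has been brought along on the response media and is run as root.

```shell
#!/bin/sh
# Live-response collection to run on the suspect machine BEFORE power is cut,
# so that volatile state is preserved. OUTDIR should be on the examiner's own
# external drive, never on the suspect's disk.

# Hypothetical helper (this example's own): run one collection command, record
# what was run in collection.log, and tolerate tools that are not installed.
# Usage: run_step OUTDIR NAME CMD [ARGS...]
run_step() {
    local outdir=$1 name=$2 log
    shift 2
    log="$outdir/collection.log"
    if command -v "$1" >/dev/null 2>&1; then
        printf '%s: %s\n' "$name" "$*" >> "$log"
        # stdout becomes the artifact; stderr and non-zero exits go to the log
        "$@" > "$outdir/$name.txt" 2>> "$log" \
            || printf '%s: exit status %s\n' "$name" "$?" >> "$log"
    else
        printf '%s: SKIPPED, %s not on PATH\n' "$name" "$1" >> "$log"
    fi
}

# Collect volatile data into OUTDIR and write a SHA-256 manifest of every artifact.
collect_volatile() {
    local outdir=$1 log
    mkdir -p "$outdir"
    log="$outdir/collection.log"
    printf 'collection started (UTC): %s by uid %s on host %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -u)" "$(uname -n)" > "$log"

    # Most volatile first. The memory image (avml, assumed to be on the response
    # media; needs root) is the one thing that is gone for good once power is cut.
    run_step "$outdir" system_time  date -u +%Y-%m-%dT%H:%M:%SZ
    run_step "$outdir" memory_image avml "$outdir/memory.lime"
    run_step "$outdir" logged_in    who
    run_step "$outdir" processes    ps -eo pid,ppid,user,etime,args
    run_step "$outdir" sockets      ss -tunap
    run_step "$outdir" sockets_alt  netstat -an
    run_step "$outdir" interfaces   ip addr
    run_step "$outdir" arp_cache    ip neigh
    run_step "$outdir" mounts       mount
    run_step "$outdir" kernel_mods  lsmod
    run_step "$outdir" kernel       uname -a
    run_step "$outdir" uptime       uptime

    printf 'collection finished (UTC): %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"

    # Hash every artifact, the log included, so the set can be verified later.
    (
        cd "$outdir" || exit 1
        for f in *; do
            [ "$f" = manifest.sha256 ] && continue
            if [ -f "$f" ]; then sha256sum "$f"; fi
        done > manifest.sha256
    )
}

# Re-check the artifacts against the manifest; non-zero if anything changed.
verify_manifest() {
    local outdir=$1
    [ -f "$outdir/manifest.sha256" ] || return 1
    (cd "$outdir" && sha256sum -c manifest.sha256 >/dev/null 2>&1)
}

# Stand-alone use: ./live_response.sh /mnt/evidence/CASE-001/host01
if [ $# -gt 0 ]; then
    collect_volatile "$1" && verify_manifest "$1" && echo "collected and verified: $1"
fi
```

Run it from the response media with the output directory on your own drive, then photograph the screen and note the collection time on the evidence form before shutting the system down; the manifest lets the laboratory prove that nothing collected on-site changed in transit.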
To conduct an examination on-site, the examiner needs essentially the same technical capability they would have in the laboratory. Predicting what is behind the suspect's door is often impossible, so many examiners keep response kits. The following is a partial list of what an incident response kit may contain. Oh yeah, don't forget the corporate credit card, because no matter what, you will be missing something!
Incident Response Kit Contents
- Forensic laptops and power supplies
- Tool sets
- Digital camera
- Case folder
- Blank forms
- Evidence collection and packaging supplies
- Air card for Internet access
- Cables for data transfer (network, crossover, USB, etc.)
- Blank hard drives and other media
- Hardware write blockers