
Computer Security Jump Bag

Updated on November 21, 2015

Managing a Computer Security Jump Bag

A jump bag is the bag or container holding all of the tools you need to respond properly to a computer security incident. The hard part is keeping it ready to deploy at a moment's notice, with every necessary tool and accessory present, charged and working.

The SANS Incident Handling course covers the topic of incident handling in depth. It is a great course, which I have taken.

Have a Security Policy - It should contain an Incident Response section.

A security policy documents the assets that matter most to the business and provides the foundation on which the incident response plan is built. The other important thing the policy must do is define the expected behaviours and rules the response team must follow: who can authorize a response, and which actions (disconnecting a host, imaging a drive, monitoring traffic) the team is permitted to take.

Get something to carry all of your tools. - Look for one with many pockets.

  • A computer bag, at a minimum, with lots of pockets.
  • A backpack is another option, depending on the equipment you need to carry.
  • A suitcase. A complete set of response equipment gets heavy; a rolling computer bag or a suitcase with wheels is nice.

Tools to Document Your Response - Document Everything!

Some companies choose to prosecute people who attack, steal from or exploit their resources, and detailed documentation can be submitted as evidence. Be aware that some institutions will also hold their own staff accountable if they respond in a way that causes evidence to be lost. Always have two people working on the response, to validate the work being done and to blunt a defense argument that the evidence was tampered with.

  • Paper notebooks. Keep track of the time and of every action taken. If this is a forensic investigation, a bound notebook (not loose-leaf) may be required so that the record cannot be questioned.
  • Pens. Yes, multiple pens, and make sure they are not erasable.
  • Audio recording device. Tape or digital, but be sure you have enough space to record events. Depending on the purpose of the response there is not always time to write everything down, so being able to record audio notes saves time. Remember to state the time when you make a voice note.
  • Digital camera. Some models can validate their photos; the Nikon D2X, for example, can sign photos so that tampering is detectable. Do not rely on that alone: camera signing schemes have been defeated in the past, so hash the image files when you collect them and record the hashes in your notes.
  • Time keeping device. Watch, cell phone, etc. Note its offset from a reference clock so that your notes can be correlated with system and network log timestamps.

Have a Laptop - Be sure you have a system to use to respond with.

Be sure your system has adequate capabilities (memory, CPU, etc.) to respond to an incident.

  • Power cord
  • Be sure you have an adequate network card, no less than 100 Mbit/s. You will probably want a gigabit card, since most networks run at that speed and a slower card will drop packets when you monitor a busy segment. The idea is to be able to monitor the network with your laptop.
  • Have adequate memory for the tools you may be using.
  • Have a CD-RW or, preferably, a DVD-RW drive.
  • Have USB ports to support USB media devices.
  • Have a wireless network card if you support wireless networks.

Backup Media - Make sure it is new media, not reused (to head off a defense argument of tampering)

You may need to copy files or image whole devices in order to investigate an issue.

  • Hard drive. Minimum 250GB, and larger than any drive you expect to image. At least one SCSI, IDE or USB device.
  • Pen Drive. Given the cheap prices, 4GB minimum.
  • CDROM Media
  • DVD Media

Wireless Attack Response - Wireless networks are everywhere.

Many companies have installed wireless networks to improve network access for their employees and allow them to be mobile. Wireless networks introduce many security issues so be sure to have appropriate hardware.

  • Wireless network card with an external antenna connector.
  • Directional antenna. These help you locate rogue access points.
  • Wireless auditing software. Kali Linux, etc.

Communication Resources - Stay in Touch.

If your computer has been hacked, do not use it or the network it sits on to communicate with others about the incident; assume the attacker can read anything sent across it.

  • Your cell phone, your charger and a spare battery.
  • Call list. Always have your site's call list in your bag. If this is an external site, get one immediately for the location.
  • GPG or other encryption software to protect the transfer of information about the incident.
  • If a team is responding, you might want FRS radios to support your communication. If the attack is wireless, you might be managing a deployed response team. A reviewer has added a hint: FRS radios are not allowed in the EU; they are OK for US use only. The EU can use PMR and LPD radios, which are almost the same, except PMR has 8 channels and LPD has 79 channels. For most real-life situations PMR solutions should work.

Network/Technical Tools - Be able to connect and monitor.

  • A hub, not a switch, or, even better, a network tap. With a hub you can see the traffic to and from the exploited host; a tap does the same passively and without the hub's half-duplex, 100 Mbit/s limits. Many managed switches can mirror a port (SPAN) or a whole VLAN to the port your laptop is plugged into. Remember that plugging in a hub drops the link briefly, and interrupting an active attack may let the attacker know you are responding.
  • Crossover cable. These are sometimes hard to find. Most modern NICs auto-negotiate the crossover (auto MDI-X), but do not count on it for old switches or embedded devices.
  • A few Ethernet network cables, preferably long (25 ft.).
  • An RJ45 cable extender. Sometimes a 25 foot cable is not enough.
  • RJ45-to-DB9 serial adapter and console cables, so you can talk to network equipment over its serial console from a terminal application. DB9 gender changers and a USB-to-serial adapter are useful too, since few laptops still have a serial port.
  • Hardware drive write blocker, which prevents the investigator (or the operating system) from altering a drive under investigation. Verify it actually blocks writes before you rely on it.
  • Any other cables which are popular: USB, FireWire, serial, IDE, SCSI, SATA/eSATA.

Miscellaneous tools, equipment and resources

  • If it is possible, have a private room set up for coordinating the response team and reviewing collected evidence. The investigation should be kept private and the team protected from unnecessary interruptions. The private room is especially necessary if you are responding to an internal incident which might lead to the forensic investigation of an employee's system.
  • Zip Lock Bags for Evidence.
  • LED Flash Light.
  • Computer Tool Kit. Some agencies require that hardware (drives) impacted by an intrusion be removed, secured and sent to higher level security officials for further analysis or to be placed within better controlled environments.
  • Business cards (your credentials). Those responding to an intrusion may be called as witnesses if a company pursues prosecution of computer crimes. Not all intrusions or compromises are done by external entities.
  • Permanent Markers to mark evidence.
  • A Leatherman multi-tool is very handy.
  • A Power strip, you will have a lot of electronic equipment with you.
  • Cable ties to organize cables in case you had to remove some.
  • Anti-Static Bags for storage of electronic devices or drives.

The Most Important Thing to Remember When Responding to An Incident

Relax.

Take your time and do not damage or invalidate evidence. What is the reason for your response, to return the system to an operational status or to collect evidence? What actions are you allowed to take? What actions can you take that will not alert the attacker to your response? Do you have proper authorization to proceed, is the authorization in writing and signed?

Protect and Control the Evidence.

Your procedures and collection processes may be questioned in court. If evidence is encountered you should have two people with the evidence at all times to avoid defense arguments of the possibility evidence was tampered with.

  • Make sure you keep evidence under lock and key and only access it when two people are present. Be sure to record the date and time of each access to evidence.
  • Police or Flagging Tape. Mark off the area or systems under investigation so no one accidentally tampers with the system under investigation.
  • Post signs to inform users what not to touch and who to contact for further information.
  • Document all access to the safe or cabinet where evidence is kept.
  • Mark all evidence with a date and time (on the zip lock bag).
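The two-person rule and the access log described above are easy to state and easy to get wrong in a hurry, so here is an added example (not from the original page) of what the record should capture: a small evidence register that hashes each item when it is sealed, refuses to log an access unless two handlers are named, and re-hashes the item on every access so that any change, however it happened, shows up in the log. The item names, handler names and the tiny "disk image" are constructed for the demo.

```python
"""Evidence register with hashing and a two-person access log.

Added example for this article; it is not a tool the article describes.
Item identifiers, handler names and the sample image are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a (possibly very large) file without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _now():
    # UTC, so entries from different responders' clocks line up.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class EvidenceRegister:
    """Append-only JSON-lines log: one line per seal or access event."""

    def __init__(self, log_path):
        self.log_path = log_path

    def _append(self, record):
        with open(self.log_path, "a") as f:
            f.write(json.dumps(record) + "\n")

    def entries(self):
        if not os.path.exists(self.log_path):
            return []
        with open(self.log_path) as f:
            return [json.loads(line) for line in f if line.strip()]

    def register(self, item_id, path, description, handlers, location):
        """Seal an item: record its hash once, with two handlers present."""
        if len(set(handlers)) < 2:
            raise ValueError("two handlers must be present to seal evidence")
        record = {
            "event": "register", "item": item_id, "time": _now(),
            "description": description, "sha256": sha256_file(path),
            "size": os.path.getsize(path), "handlers": sorted(handlers),
            "location": location,
        }
        self._append(record)
        return record["sha256"]

    def access(self, item_id, path, handlers, purpose):
        """Log an access and re-hash the item; returns True if unchanged."""
        if len(set(handlers)) < 2:
            raise ValueError("two handlers must be present to access evidence")
        sealed = [e for e in self.entries()
                  if e["event"] == "register" and e["item"] == item_id]
        if not sealed:
            raise KeyError(f"{item_id} was never registered")
        current = sha256_file(path)
        intact = current == sealed[0]["sha256"]
        self._append({
            "event": "access", "item": item_id, "time": _now(),
            "handlers": sorted(handlers), "purpose": purpose,
            "sha256": current, "intact": intact,
        })
        return intact


def demo(workdir=None):
    """Constructed scenario: seal an image, access it, then detect a change."""
    workdir = workdir or tempfile.mkdtemp(prefix="custody-")
    image = os.path.join(workdir, "ws12-sda.dd")   # constructed stand-in for a disk image
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096)
    reg = EvidenceRegister(os.path.join(workdir, "custody.jsonl"))
    reg.register("E-001", image, "disk image of workstation WS12",
                 ["a.smith", "b.jones"], "evidence cabinet, shelf 2")
    first = reg.access("E-001", image, ["a.smith", "c.lee"], "keyword search")
    # Someone alters the image outside the process (e.g. mounted it read-write).
    with open(image, "r+b") as f:
        f.write(b"\xff")
    second = reg.access("E-001", image, ["a.smith", "c.lee"], "timeline build")
    return first, second, reg.entries()


if __name__ == "__main__":
    for entry in demo()[2]:
        print(json.dumps(entry))
```

The log is deliberately append-only and hashes on every access, not just at sealing: the question a defense lawyer asks is not "was it hashed?" but "when did it last match?", and this answers it per access. Keep the log itself outside the evidence item and copy it into your paper notebook with the time of each entry.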

Jump Bag Rules - As was reinforced by the SANS class, do NOT borrow from the bag.

Under no circumstances borrow from your jump bag.

  1. Never take anything from the jump bag.
  2. Audit the jump bag every quarter to be sure your tools are up to date.
  3. Refresh your jump bag after it is used.
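Rules 2 and 3 only work if you know what "full" looks like, so here is an added example (not from the original page) of a manifest-driven audit: a list of what the bag should hold, with minimum quantities and shelf-life dates for consumables, and a function that reports what to restock, what to replace before the next quarterly audit, and whether the audit itself is overdue. The manifest contents and dates are constructed.

```python
"""Jump-bag manifest audit.

Added example for this article, not from the page. Items, quantities and
dates below are a constructed manifest; the quarterly cadence follows
rule 2 above.
"""
from datetime import date, timedelta

AUDIT_INTERVAL = timedelta(days=91)   # "every quarter"

# Constructed manifest: what should be in the bag (min) and what is there (qty).
# "expires" marks consumables with a shelf life (batteries, blank media batches).
MANIFEST = [
    {"item": "notebook, bound",    "min": 2, "qty": 2},
    {"item": "pens, non-erasable", "min": 4, "qty": 1},
    {"item": "new 250GB drive",    "min": 1, "qty": 0},   # used on the last call-out
    {"item": "4GB pen drive",      "min": 2, "qty": 2},
    {"item": "AA batteries",       "min": 8, "qty": 8, "expires": "2016-01-01"},
    {"item": "crossover cable",    "min": 1, "qty": 1},
    {"item": "write blocker",      "min": 1, "qty": 1},
]


def audit(manifest, last_audit, today, horizon_days=90):
    """Return what must be done before the bag counts as ready.

    restock: items below their minimum (borrowed, used, or missing)
    replace: consumables that expire before the next scheduled audit
    overdue: True if the quarterly audit itself is late
    """
    restock = [m["item"] for m in manifest if m["qty"] < m["min"]]
    next_audit = today + timedelta(days=horizon_days)
    replace = [m["item"] for m in manifest
               if "expires" in m and date.fromisoformat(m["expires"]) <= next_audit]
    overdue = today - last_audit > AUDIT_INTERVAL
    return {"restock": restock, "replace": replace, "overdue": overdue,
            "ready": not (restock or replace)}


def refresh(manifest, used):
    """After a response, subtract what was consumed (rule 3) so the next
    audit shows it. `used` maps item name to quantity taken. Returns a new
    manifest; the original is left untouched."""
    out = []
    for m in manifest:
        m = dict(m)
        m["qty"] = max(0, m["qty"] - used.get(m["item"], 0))
        out.append(m)
    return out


if __name__ == "__main__":
    report = audit(MANIFEST, last_audit=date(2015, 6, 1), today=date(2015, 11, 21))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the audit with the constructed manifest flags the pens and the drive for restocking, the batteries for replacement (they expire before the next quarter's audit), and the audit as overdue. Keep the manifest with the bag, and run the refresh step from your notebook entries, not from memory.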

USB Pen Drives

Be able to move data around if possible, and be sure to encrypt your data. Sometimes forensic auditors want all of their tools on a USB device so they never have to rely on tools or applications installed on a compromised system, which may have been replaced or trojaned. Use statically linked binaries, record their hashes before deployment, and mount the drive read-only; even then, a compromised kernel can lie to any tool you run on that system, so treat live-response output as a lead, not proof.

Portable Hard Drives

LaCie has released drives with multiple connection types on each, which saves carrying an adapter for every host you might meet.

Digital Cameras on Amazon

Some cameras can authenticate their photos which is a critical feature for digital evidence. Check the specs on the model you choose.

Find an Appropriate Bag - Save your back and get one with wheels.

Lots of pockets are also useful.

Conclusions

This lens is another in my list of lenses covering computer security. Stop by my Computer Security and War Driving lenses if you get a chance

Reader feedback is a good way to share your experience.

Reader Feedback Please - Please submit any additional ideas you have.


    • profile image

      webguru_india 5 years ago

      It's a great lens. Keep sharing such nice information with us. Also don't forget to check my blog here at http://www.squidoo.com/lensmasters/webguru_india

    • profile image

      anonymous 5 years ago

      Interesting post! I didn't realize that there was really something like this out there. I am assuming that computer security companies in Toronto would have one of these.

    • profile image

      PhyllisCOliver 6 years ago

      This is very good and reliable information; I wouldn't know this if it weren't for you.

      online computer support

    • profile image

      roberts580 7 years ago

      Interesting lens. Even if we use different computer security policies to handle incident management, there are possible attacks through online. To tackle these problems we need to upgrade our computer with updated antivirus software. I invite you to visit our website for ClamXav OS X for the best antivirus.

    • profile image

      huvalbd 7 years ago

      Good lens with excellent attention to detail.

    • profile image

      tilakahuja 7 years ago

      When you work with our private uniformed security guards, you are working with professional, dedicated, specially trained individuals who take pride in keeping you safe and secure. We are committed to providing you such services. We are one of the top security companies in Toronto. http://www.guardsecurity.ca/

    • profile image

      BlackLeatherBriefcases 7 years ago

      This is exactly what I was looking for. Thanks for sharing this great lens! That is very interesting Smile I love reading and I am always searching for informative information like this!

      black leather briefcase

    • profile image

      SpyCamsSite 7 years ago

      nice lens lots of good information

      Spy Cams Site

    • profile image

      projectobserve 8 years ago

      Nice idea for the security issue of computers. Though I have not suffered too much from security issues, I think I have all the tools to overcome any security issue.

      Thanks for nice lens.

    • profile image

      TheUncleJacks 8 years ago

      Good lens! Thanks for the information. I hope this is also good information about ziplock bags.

    • profile image

      VerticalJumpProject 9 years ago

      Learn something new everyday! 5* ...From the vertical jump project top secret fat loss

    • profile image

      anonymous 9 years ago

      wow!

      This is a wonderful lens about computer security methods. I really appreciate your lens; I think this lens is very useful to people.

      I have created one more important lens that focuses on a private investigator directory.

      Thanks for giving such great information.
