Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Day 4 - Preparation: What Goes Into a Response Kit - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Day 4 - Preparation: What Goes Into a Response Kit

For the fourth day of Cyber Security Awareness Month we will look at how to build a response kit.  When you or your team get notified about an incident, what do you bring with you?  In the preparation phase you want to think about putting together a physical and virtual kit that contains the tools you need when investigating an incident.  

Jim Murray submitted a GIAC paper last year on incident handling and gave this advice:

Build your response kit - This can be a duffle bag or a small carry-on suitcase. Regardless of what it is, this is what you have with you whenever you work an incident. You want to make sure that you spend enough time putting this together, so that you are ready at a moment's notice. You should never steal from your response kit. Sometimes we are testing something or working on an issue and we need a network cable or installation software and know it is there in our response kit. We tell ourselves that we are just going to borrow it and put it back as soon as we are done. Don't do it because you know it will never make it back there. Here is a list of things that you should consider having in your response kit:

  • Network cables—Include various sizes, both crossover and straight-through
  • A small hub or tap
  • USB jump drive or external hard drive
  • Response laptop-This laptop should have everything you need on it, for instance, checklists, forms, response software
  • Various peripheral cables—USB, Firewire, parallel, serial, console, and so on
  • Clean binaries and diagnostic software
  • Call list
  • Notebooks, pens, pencils, and small audio recorder
  • Plastic/anti-static bags for evidence
  • Forensic software and imaging media
  • Blank CDs for burning software from the response laptop

If you have built a response kit and have any anecdotes or ideas you can share please send them to us via our contact page.  We will update this diary with your comments and thoughts throughout the day, so start sending them in.

Marcus H. Sachs
Director, SANS Internet Storm Center


301 Posts
ISC Handler
Oct 4th 2008

Sign Up for Free or Log In to start participating in the conversation!