Overview
Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. And if you cannot find the items, or get them to the destination, it doesn't matter how great your tools are.
This kit, and the thoughts and processes behind it, attempt to address concerns I've encountered while doing collections all over the world. That said, it isn't perfect, even for my own needs. Treat this as a framework for building your own kit and if you can improve on this, please let me know how so I can improve my own processes.
Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst.
Kit Contents
Serial Numbered Items
The following table includes all the items that might be of interest to a customs agent. Everything on this list should accurately reflect the actual contents of the collection kit. It may seem odd to include the Brother labeler and the Targus external DVD-ROM drive, but I had these flagged by customs.
|
Item
|
Description
|
Serial Number
|
Quantity
|
Country of Origin
|
Internal Name
|
Unit Price ($USD)
|
|
Lenovo
ThinkPad T-60
|
Laptop
Computer
|
|
1
|
China
|
CK-01
|
$1,000.00
|
|
Wiebetech
Forensic UltraDock
|
Write
Block Hardware
|
|
5 pcs
|
China
|
UD-01
|
$1,000.00
|
|
Wiebetech
ADAv4-18-TOSH
|
Hard
Drive Adapter
|
|
USA
|
|
Wiebetech
ADAv4-10
|
Hard
Drive Adapter
|
|
USA
|
|
Wiebetech
ADAv4-25
|
Hard
Drive Adapter
|
|
USA
|
|
Wiebetech
ADAv4-PCCARD
|
Hard
Drive Adapter
|
|
USA
|
|
|
|
|
|
|
Nikon
COOLPIX L18
|
Digital
Camera
|
|
1
|
China
|
-
|
$100.00
|
|
Brother
PT-80
|
Electronic
Labeler
|
|
1
|
China
|
-
|
$30.00
|
|
Targus
PADVD010U
|
External
DVD-Rom Drive
|
|
1
|
Indonesia
|
-
|
$140.00
|
|
Western
Digital 1TB MyBook
|
External
hard drive
|
|
2
|
Thailand
|
-
|
$300.00
|
|
Western
Digital 320MB Passport
|
External
hard drive
|
|
2
|
Thailand
|
-
|
$120.00
|
|
eSATA
PCMCIA card
|
PCMCIA
interface card
|
|
1
|
Unknown
|
-
|
$80.00
|
Column descriptions:
Item – Name of the item, from the manufacturer's label.
Description – Self descriptive
Serial Number – Self descriptive
Quantity – Self descriptive
Country of Origin – Self descriptive
Internal Name – Either a name or a bar code number. Used to keep contents of the kit in line with inventory sheet.
Unit Price – Replacement value, what it would cost if you looked it up on the Internet.
Non-serial numbered items
The following list describes all the items in the kit that do not have serial numbers. This shouldn't be of interest to customs, though I'd still provide them with a copy. It is used to ensure that the kit is complete each time it goes out in the field.
|
Pelican Case
Pelican 1510 LOC
Pelican 1515 case organizer
Pelican TSA lock
Office Supplies
Small magnifying glass
Small stapler w/ extra staples
Small ruler
PostIt notes
Index cards
Ball point pen
Sharpie - extra fine point
Sharpie - fine point
Scissors
AA batteries
Pill boxes
Software
USB Thumbdrive Case (6 slots)
CD case
Helix 1.9 CD and USB
Helix 2 CD and USB
EnCase CD and USB
General purpose 2GB stick
Thumbdrive w/ assorted tools and documents
Dongles
X-Ways dongle
EnCase dongle
MIP dongle
Paraben dongle
|
Cables
Complete set of UltraDock cables
Cross over cables (2x)
Extra SATA and IDE cables
Electrical power strip
Network tap
Tools
Wiresnips
Set of precision screwdrivers
Flashlight
Needle nose pliers
Other
Powered USB hub
100Mb network hub
Media card reader - USB
Anti-static bags
Forensic evidence bags
Cable ties - velcro
Cable ties - plastic
Spare hard drive jumpers
Printed copies of forms
Spare battery and media for camera.
|
Explanation of items:
Pelican Case – This Pelican case will fit in the overhead compartment of domestic and international flights. The LOC designation means that it is designed to carry a laptop in the lid and clothes in an insert. Remove the insert and install the case organizer instead.
Office Supplies
1. PostIts - For labeling drives and systems temporarily.
2. Pillboxes - Hold screws from disassembled laptops. I had one laptop that required the removal of seven different sets of screws. The pillboxes kept them organized.
3. Sharpies – For labeling evidence and for filling in the notecards.
4. Notecards - The notecards get the following information on them:
a. Custodian
b. Date
c. System serial number
I then place the notecard for that system in each photograph taken of the system or its components. It allows me to sort a couple hundred photographs out later without too much difficulty.
Tools
1. The best precision screwdriver set I've found is the Boxer 40 Piece 4mm Precision Screwdriver set, model PK-30.
2. Wiresnips are for cutting cable ties.
Software
1. I include a bootable version of each tool on both CD and USB thumb drive. I can clone either one in the field and run an essentially limitless number of collections in parallel. We tend to think about the speed of individual imaging solutions and forget about parallelization of processes.
2. I maintain an SOP/Documents repository on my laptop and a Software Tools repository. The former contains forms, processes, articles, etc. The latter contains installers, source code, and stand alone apps for everything I need to build a new forensics analysis station. I periodically sync these repositories with the thumb drive in the collections kit as well as other systems.
Other notes:
1. The tools included will pass TSA scrutiny for carryon items based on the TSA website and personal experience.
2. You could bar code all the media before you go into the field. I often label mine when I wipe them, and set up a TrueCrypt volume up on them at the same time.
3. TrueCrypt volumes – I can ship the disks, hand them to customs, or flat out lose them without worrying about data being exposed. It can take hours to wipe and encrypt a drive so you really want to do a number of them in the lab rather than in the field. This is another reason not to assume you can get enough drives while you're running around a foreign country, or even domestically. More than once I had multiple laptops running in my hotel room overnight doing the wipe/encrypt cycle with an alarm set to wake me so I could change drives out every few hours.
4. Each drive pair covers a single set of images. One is the primary, one is the backup. You can create both at the same time or use Robocopy to create the backup copy when you're not imaging.
5. There's not enough room in the kit for a dedicated hardware imager plus the bare drives it would require. The laptop isn't quite as fast but it is more flexible, a useful characteristic when in the field. I do try to include a dedicated imaging solution in other luggage.
6. For long collection projects, I'll carry a second case full of drives and/or ship drives to various locations. I've bought drives in the field, but it consumed a lot of shopping and prep time.
7. If you need to expand this kit for a larger project, all your office supplies are in this kit and other kits can hold more equipment – laptops, hardware imaging solutions, etc.
8. If multiple people are working on a project, each one gets a kit so they can split up if necessary without losing access to office supplies.
9. Whenever possible, I prepare collections forms in advance with the common information included – matter, custodian, address, etc. In addition to these forms, I include blank copies of all the common forms.
Other items for consideration
There are a number of items missing from this kit that you might want to consider including. For example:
1. It doesn't include anything for collecting cell phones.
2. There are no packing materials – pre-printed FedEx labels, packing tape, evidence tape, etc.
3. Spares of many things.
Packaging
The entire kit fits into the Pelican 1510 LOC using the case organizer.
1. There aren't quite enough dividers for my taste.
2. The power supplies for the write blocker and laptop go in the lid, side by side. I'm not certain that a Tableau power supply would fit.
3. Pack the stuff you really need on top.
4. I wish there was room for a clipboard with a forms storage compartment.
5. Put a business card under the organizer and another one elsewhere in the kit.
1. Laptop is in lid, left side.
2. Power supplies are in lid, right side.
3. UltraDock and adapters are in case, upper left.
4. Labeler and some cables are next to adapters.
5. Black bag in upper right contains all write blocker cables.
6. Lower right has all office supplies, eSATA interface card, and tools.
7. Lower middle has camera, WD drive power supplies.
8. Lower right has two WD 1TB drives and one WD 320GB Passport.
Forensic Focus note: David is very keen to receive feedback from other members about this article - please feel free to leave comments or ask questions in this forum thread or contact David directly, thank you.
Membership:
Latest: 
New Today: 0
New Yesterday: 13
Overall: 20808
Members: 1
Visitors: 13
Staff: 0
Forensic Technology Preview Day 2011 - Germany