Incident Response Travel Kit
My incident response (IR) travel kit stays in the corner of my office. It began as a single carry-on bag and grew into several; I take it when responding to a cyber incident or digital forensics investigation on-site or in an unfamiliar environment. My kit includes the tools and resources to investigate, contain, and recover from a cybersecurity incident or investigation. Every situation is different. What works for me might not work for you. The following are many of the major items I use. I hope they give you some ideas or food for thought.

Laptop

As an incident responder, I rely on my MacBook Pro for its speed, reliability, and ability to handle resource-intensive tools. While macOS is my go-to operating system for scripting, network analysis, and file triage, I also use a virtual machine and boot into Windows 11 when dealing with platform-specific tools or artifacts. Windows 11 offers compatibility with software like EnCase, FTK, or certain enterprise management utilities that aren't natively supported on macOS. This dual-setup approach lets me leverage the strengths of both operating systems, ensuring I can adapt to our mission requirements. Several colleagues carry two laptops, but I prefer to travel as light as possible.

External Hard Drives

I have a trusty collection of USB thumb drives and external hard drives that serve as my collection devices, transport sensitive data, and handle forensic imaging like champs. I usually carry five or six USB-A 64GB thumb drives, preloaded with my go-to data collection tools—because nothing says "I'm ready for action" like a pocket full of tech. With these little heroes, I can jump straight into data collection with my scripts, without fumbling or downloading, just pure plug-and-play efficiency. It's like having a digital first-aid kit minus the bandages.
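Collecting onto thumb drives and then moving the data to the lab on an external drive only works if you can prove the bytes that left the site are the bytes that arrived. The script below is an added example, not one of the author's own collection tools: it writes a SHA-256 manifest of a collection directory at the point of acquisition and re-checks the copy at the other end, flagging any file that is missing or altered. It assumes a POSIX shell with `find` and either `sha256sum` (Linux) or `shasum` (macOS); the sample evidence files it creates are constructed for the demo and are not real case data.

```shell
#!/bin/sh
# Evidence hand-off helper (added example, not the kit's own tooling).
# Assumes POSIX sh, find, and sha256sum (GNU) or shasum (macOS).

# Pick whichever SHA-256 tool this host actually has.
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# make_manifest SRC_DIR MANIFEST
# Records "<sha256>  <relative path>" for every regular file under SRC_DIR.
# Keep MANIFEST outside SRC_DIR so it is not hashed into itself.
make_manifest() {
    src="$1"; manifest="$2"
    : > "$manifest"
    ( cd "$src" && find . -type f ! -name "$(basename "$manifest")" -print | LC_ALL=C sort ) |
    while IFS= read -r rel; do
        sum=$( cd "$src" && sha256_cmd "$rel" | cut -d' ' -f1 )
        printf '%s  %s\n' "$sum" "$rel" >> "$manifest"
    done
}

# verify_manifest DST_DIR MANIFEST
# Re-hashes every manifest entry under DST_DIR. Prints each missing or
# mismatching file to stderr; returns 1 if any were found, 0 if intact.
verify_manifest() {
    dst="$1"; manifest="$2"; bad=0
    while IFS= read -r line; do
        expected=$(printf '%s' "$line" | cut -d' ' -f1)
        rel=$(printf '%s' "$line" | cut -c67-)   # 64 hex chars + two spaces
        if [ ! -f "$dst/$rel" ]; then
            echo "MISSING  $rel" >&2; bad=1; continue
        fi
        actual=$( cd "$dst" && sha256_cmd "$rel" | cut -d' ' -f1 )
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $rel" >&2; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# demo: build a constructed collection, copy it, verify, then corrupt one
# file in transit and confirm the verification catches it. Returns 0 only
# if both the intact check passes and the tampered check fails.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/collected/host01" "$work/usb"
    # Constructed sample evidence, not real case data.
    printf 'triage output for host01\n' > "$work/collected/host01/triage.txt"
    printf 'netstat -an snapshot\n'    > "$work/collected/host01/netstat.txt"

    make_manifest "$work/collected" "$work/collected.sha256"
    cp -R "$work/collected/." "$work/usb/"
    verify_manifest "$work/usb" "$work/collected.sha256" ||
        { echo "intact copy failed to verify"; rm -rf "$work"; return 1; }

    printf 'x' >> "$work/usb/host01/netstat.txt"   # simulate damage in transit
    if verify_manifest "$work/usb" "$work/collected.sha256" 2>/dev/null; then
        echo "tampered copy was not detected"; rm -rf "$work"; return 1
    fi

    rm -rf "$work"
    echo "manifest created and verified; tampering detected"
    return 0
}

demo
```

Run `make_manifest` on the collection folder before the data leaves the host and ship the manifest separately (for example in an e-mail or over the NAS link) from the encrypted drive, so the lab can run `verify_manifest` against a copy of the hashes that did not travel with the evidence.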
Encrypted USB Drives

When it's time to start sending data back to the office, I don't mess around—I trust my precious bits and bytes to the Fort Knox of hard drives: the Apricorn 2TB Aegis Padlock. This bad boy packs 256-bit AES XTS hardware encryption and ensures that when the data leaves my hands, it's locked up tighter than a drum. Each IR kit comes with its own encryption codes, and the lab holds the master codes, because I don't want to be the weak link in this chain. I've found that dumping 1TB of data daily keeps the lab busy and everyone off my back—because nothing screams "I'm on top of things" like overwhelming them with files!

Network Storage

For every IR incident, my trusty sidekick, the Synology DiskStation® DS224+, takes center stage. I load it up with dual 16TB hard drives in RAID 1 because redundancy is my love language. This beauty is cable-locked to a desk in our incident room. Its auto-download feature keeps data flowing like a caffeine-fueled barista, and at 8 p.m. sharp, Hyper Backup kicks in, sending everything to a 20TB external hard drive for extra peace of mind. In our most sensitive cases, we even connect two wireless cameras without audio to the DiskStation, recording the command center 24/7 and streaming live video back to the lab. This handy setup lets us know precisely when a nosy client starts poking around, so we can keep them out of trouble and our workspace drama-free. It's not bulletproof, but it's been rock-solid and reliable.

Routing

When connecting the blue team IR network, I rely on the Ubiquiti EdgeRouter. This little powerhouse is perfect for the job. Its gigabit throughput ensures that I can move data around quickly, which is crucial when time is of the essence. The SFP+ ports give me flexibility with fiber connections, which is excellent for high-speed data transfers across isolated networks. Plus, it's got advanced routing capabilities, so I can segment the network as needed to keep everything secure and organized.
It's compact, reliable, and easy to configure, which I need when setting up a safe, isolated environment on the fly. The device makes me feel like I'm running a top-tier operation—without all the headaches.