All forensic investigators need a travel forensics kit: a set of equipment you can grab at short notice that covers "most" eventualities on an engagement. Typical components are a forensic workstation with the relevant software, write blockers, network taps, external storage, and other tools.

At DFIR VN we are no exception, and over the years we have accumulated quite a few specific devices in our travel kit. We chose them for their size, features and value for money.

DFIR VN Travel forensics kit (as of April 2018)

  • Our travel forensic workstation is a laptop with an internal SSD plus a large 2 TB 7200 rpm SATA HDD (in a modified caddy in the DVD slot), so file system images can be processed on internal disks instead of over the USB 3 ports. At least 16 GB of RAM.
    • We run X-Ways Forensics inside a VM (VMware Workstation under Linux) with the X-Ways BYOD license. A 64-bit Windows VM is essential if we want the X-Ways indexes to behave well with large numbers of files.
    • NIST (NSRL) and other hash databases to remove files that are irrelevant to the investigation. These cover files that are known to be part of the OS, or of well-known tools such as Office.
  • We carry at least two portable write blockers (USB and Forensic UltraDock) from Cru-Inc (formerly WiebeTech).
  • Network taps from Dualcomm. We have been Dualcomm customers since 2009; their products are great as portable network taps, easy to install, with fail-safe passthrough on power failure. We have repeatedly been asked to "leave behind" taps on engagements. We use both the ETAP-3105 and the ETAP-2306 (optical).
  • Software analysis VMs on a portable ESX server (built on an ASRock Rack mini-ITX platform with a low-power Xeon E3 processor). We run VMware ESXi 6.5 because it lets us distribute the traffic from a network tap to several virtual machines at once (in our case running Moloch, Security Onion, and Kali Linux). The setup and configuration of this server (bottom right in the picture) probably deserves an article of its own.
  • 3 TB SATA disks (with cases), USB 3 cradles and adapters (how many depends on the customer in question). A lot of these are left behind with customers, so we keep an eye out for the nearest electronics shops when travelling. In South East Asia, Low Yat in Kuala Lumpur is our preferred place.
  • A spare gigabit Ethernet switch to wire up the server locally if required (our current model is a D-Link DGS-1008A).
  • Long-range USB Wi-Fi adapters (Alfa) for running quick wireless audits if needed.
  • A 4G router to set up an internet connection in an air-gapped room (typical for forensic analysis).
  • A Raspberry Pi to quickly set up a VPN server, a syslog server, a set of honeypots, etc.
  • And cables, lots and lots of cables… (not pictured), and a list of large electronics shops near the customer site.
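The known-file filtering mentioned above (hash databases used to drop OS and well-known application files from the review set) is normally done inside X-Ways, but the mechanics are worth seeing in plain code. The following is an added example written for this page, not code from DFIR VN or from X-Ways. It assumes an NSRL RDS style CSV with a "SHA-1" column, which is the layout of the legacy NSRLFile.txt export; the "known" file contents, the hash set built from them, and the sample directory tree are all constructed here so that it runs offline.

```python
import csv
import hashlib
import io
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for "known good" files. In practice the known set comes
# from the NIST NSRL RDS export or another hash set; these bytes are not real binaries.
KNOWN_FILES = {
    "kernel32.dll": b"MZ-this-stands-in-for-a-known-OS-binary",
    "winword.exe": b"MZ-this-stands-in-for-a-known-office-binary",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (MD5, SHA-1) upper-case hex digests, reading in chunks so multi-GB files do not load into RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest().upper(), sha1.hexdigest().upper()


def load_known_sha1(csv_text):
    """Parse an NSRL RDS style CSV ("SHA-1","MD5","CRC32","FileName",...) into a set of SHA-1 values."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["SHA-1"].upper() for row in reader}


def triage(root, known_sha1):
    """Walk a mounted image or export under `root`; return sorted relative paths of files NOT in the known set."""
    unknown = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # links are not content; review them separately
                continue
            _md5, sha1 = hash_file(p)
            if sha1 not in known_sha1:  # match on content hash, so renamed copies are still filtered
                unknown.append(p.relative_to(root).as_posix())
    return sorted(unknown)


def build_sample_hashset():
    """Constructed NSRL-style CSV built from KNOWN_FILES (the real RDS is hundreds of millions of rows)."""
    rows = ['"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"']
    for name, data in KNOWN_FILES.items():
        sha1 = hashlib.sha1(data).hexdigest().upper()
        md5 = hashlib.md5(data).hexdigest().upper()
        rows.append(f'"{sha1}","{md5}","00000000","{name}",{len(data)},"0","0",""')
    return "\n".join(rows) + "\n"


def demo():
    """Create a small constructed tree, run the triage, and return the paths that still need a look."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows" / "System32").mkdir(parents=True)
        (root / "Users" / "bob").mkdir(parents=True)
        (root / "Windows" / "System32" / "kernel32.dll").write_bytes(KNOWN_FILES["kernel32.dll"])
        (root / "Windows" / "System32" / "winword.exe").write_bytes(KNOWN_FILES["winword.exe"])
        # A known file dropped under a different name is still filtered out: matching is by hash, not name.
        (root / "Users" / "bob" / "notes.txt").write_bytes(KNOWN_FILES["kernel32.dll"])
        (root / "Users" / "bob" / "invoice.exe").write_bytes(b"MZ-unknown-dropper")
        (root / "Users" / "bob" / "readme.txt").write_bytes(b"unknown user document")
        return triage(root, load_known_sha1(build_sample_hashset()))


if __name__ == "__main__":
    for path in demo():
        print("review:", path)
```

Two points matter on a real engagement: hash in chunks (a 3 TB disk image will not fit in memory), and filter on content hashes rather than file names, so a known binary copied to an odd path is dropped and an unknown binary named like an OS file is kept. The converse caveat applies too: a hash set only removes exact matches, so a patched or recompiled copy of a known file stays in the review set.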

DFIR Forensic travel kit

Portability

Forensic kit weight


All in all, the total weight is slightly under 13 kilograms. We split this between a laptop backpack and a foam-padded cabin trolley. These two items are unlikely to attract any attention when travelling through airports. However, having the required documentation to hand will help fend off any problems at customs.
