First published June 2009
by David Kovar, NetCerto, Inc.
Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. And if you cannot find the items, or get them to the destination, it doesn’t matter how great your tools are.
This kit, and the thoughts and processes behind it, attempt to address concerns I’ve encountered while doing collections all over the world. That said, it isn’t perfect, even for my own needs. Treat this as a framework for building your own kit and if you can improve on this, please let me know how so I can improve my own processes.
Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst.
Serial Numbered Items
The following table includes all the items that might be of interest to a customs agent. Everything on this list should accurately reflect the actual contents of the collection kit. It may seem odd to include the Brother labeler and the Targus external DVD-ROM drive, but I had these flagged by customs.
Country of Origin
Unit Price ($USD)
|Lenovo ThinkPad T-60||Laptop Computer||
|Wiebetech Forensic UltraDock||Write Block Hardware||
|Wiebetech ADAv4-18-TOSH||Hard Drive Adapter||USA|
|Wiebetech ADAv4-10||Hard Drive Adapter||USA|
|Wiebetech ADAv4-25||Hard Drive Adapter||USA|
|Wiebetech ADAv4-PCCARD||Hard Drive Adapter||USA|
|Nikon COOLPIX L18||Digital Camera||
|Brother PT-80||Electronic Labeler||
|Targus PADVD010U||External DVD-Rom Drive||
|Western Digital 1TB MyBook||External hard drive||
|Western Digital 320MB Passport||External hard drive||
|eSATA PCMCIA card||PCMCIA interface card||
Item – Name of the item, from the manufacturer’s label.
Description – Self descriptive
Serial Number – Self descriptive
Quantity – Self descriptive
Country of Origin – Self descriptive
Internal Name – Either a name or a bar code number. Used to keep contents of the kit in line with inventory sheet.
Unit Price – Replacement value, what it would cost if you looked it up on the Internet.
Non-serial numbered items
The following list describes all the items in the kit that do not have serial numbers. This shouldn’t be of interest to customs, though I’d still provide them with a copy. It is used to ensure that the kit is complete each time it goes out in the field.
|Pelican CasePelican 1510 LOC
Pelican 1515 case organizer
Pelican TSA lock
Small magnifying glass
USB Thumbdrive Case (6 slots)
|CablesComplete set of UltraDock cables
Cross over cables (2x)
Extra SATA and IDE cables
Electrical power strip Network tap
Powered USB hub
Explanation of items:
Pelican Case – This Pelican case will fit in the overhead compartment of domestic and international flights. The LOC designation means that it is designed to carry a laptop in the lid and clothes in an insert. Remove the insert and install the case organizer instead.
1. PostIts – For labeling drives and systems temporarily.
2. Pillboxes – Hold screws from disassembled laptops. I had one laptop that required the removal of seven different sets of screws. The pillboxes kept them organized.
3. Sharpies – For labeling evidence and for filling in the notecards.
4. Notecards – The notecards get the following information on them:
c. System serial number
I then place the notecard for that system in each photograph taken of the system or its components. It allows me to sort a couple hundred photographs out later without too much difficulty.
1. The best precision screwdriver set I’ve found is the Boxer 40 Piece 4mm Precision Screwdriver set, model PK-30.
2. Wiresnips are for cutting cable ties.
1. I include a bootable version of each tool on both CD and USB thumb drive. I can clone either one in the field and run an essentially limitless number of collections in parallel. We tend to think about the speed of individual imaging solutions and forget about parallelization of processes.
2. I maintain an SOP/Documents repository on my laptop and a Software Tools repository. The former contains forms, processes, articles, etc. The latter contains installers, source code, and stand alone apps for everything I need to build a new forensics analysis station. I periodically sync these repositories with the thumb drive in the collections kit as well as other systems.
1. The tools included will pass TSA scrutiny for carryon items based on the TSA website and personal experience.
2. You could bar code all the media before you go into the field. I often label mine when I wipe them, and set up a TrueCrypt volume up on them at the same time.
3. TrueCrypt volumes – I can ship the disks, hand them to customs, or flat out lose them without worrying about data being exposed. It can take hours to wipe and encrypt a drive so you really want to do a number of them in the lab rather than in the field. This is another reason not to assume you can get enough drives while you’re running around a foreign country, or even domestically. More than once I had multiple laptops running in my hotel room overnight doing the wipe/encrypt cycle with an alarm set to wake me so I could change drives out every few hours.
4. Each drive pair covers a single set of images. One is the primary, one is the backup. You can create both at the same time or use Robocopy to create the backup copy when you’re not imaging.
5. There’s not enough room in the kit for a dedicated hardware imager plus the bare drives it would require. The laptop isn’t quite as fast but it is more flexible, a useful characteristic when in the field. I do try to include a dedicated imaging solution in other luggage.
6. For long collection projects, I’ll carry a second case full of drives and/or ship drives to various locations. I’ve bought drives in the field, but it consumed a lot of shopping and prep time.
7. If you need to expand this kit for a larger project, all your office supplies are in this kit and other kits can hold more equipment – laptops, hardware imaging solutions, etc.
8. If multiple people are working on a project, each one gets a kit so they can split up if necessary without losing access to office supplies.
9. Whenever possible, I prepare collections forms in advance with the common information included – matter, custodian, address, etc. In addition to these forms, I include blank copies of all the common forms.
Other items for consideration
There are a number of items missing from this kit that you might want to consider including. For example:
1. It doesn’t include anything for collecting cell phones.
2. There are no packing materials – pre-printed FedEx labels, packing tape, evidence tape, etc.
3. Spares of many things.
The entire kit fits into the Pelican 1510 LOC using the case organizer.
1. There aren’t quite enough dividers for my taste.
2. The power supplies for the write blocker and laptop go in the lid, side by side. I’m not certain that a Tableau power supply would fit.
3. Pack the stuff you really need on top.
4. I wish there was room for a clipboard with a forms storage compartment.
5. Put a business card under the organizer and another one elsewhere in the kit.
1. Laptop is in lid, left side.
2. Power supplies are in lid, right side.
3. UltraDock and adapters are in case, upper left.
4. Labeler and some cables are next to adapters.
5. Black bag in upper right contains all write blocker cables.
6. Lower right has all office supplies, eSATA interface card, and tools.
7. Lower middle has camera, WD drive power supplies.
8. Lower right has two WD 1TB drives and one WD 320GB Passport.
Forensic Focus note: David is very keen to receive feedback from other members about this article – please feel free to leave comments or ask questions in this forum thread or contact David directly, thank you.
David Kovar is the founder and principal investigator for NetCerto, Inc. (www.netcerto.com). He has been involved with software engineering, IT consulting, and computer forensics since the late 70’s, focusing primarily on computer forensics since 2006. He has conducted acquisitions in hostile environments, run three week acquisition tours through Asia, investigated IP theft cases for several Silicon Valley high tech firms, and is currently providing computer forensics analysis, ediscovery support, and forensics computing environment development consulting support through NetCerto.
Founder – NetCerto, Inc.
555 Bryant Street, Suite 246
Palo Alto, CA 94301
CISSP, CCE, CA Private Investigator License No: 00025048