Home > Collections, Computer forensics, Equipment > Digital Media Collections Kit

Digital Media Collections Kit

Digital Evidence Collection Kit

Overview

Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. – as well as the processes and procedures governing how they are applied. And if you cannot find the items, or get them to the destination, it doesn’t matter how great your tools are.

This kit, and the thoughts and processes behind it, attempts to address concerns I’ve encountered while doing collections all over the world. The novice investigator or experienced examiner can use this as a foundation for their own kit, or just find insight to fine tune their existing processes.

Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst.

Kit Contents

Collection Kit – items with serial numbers

The following table includes all the items that might be of interest to a customs agent. Everything on this list should accurately reflect the actual contents of the collection kit. It may seem odd to include the Brother labeler and the Targus external DVD-ROM drive, but I had these flagged by customs.

Item Description Serial Number Quantity Country of Origin Internal Name Unit Price ($USD)
Lenovo ThinkPad T-60 Laptop Computer 1 China CK-01 $1,000.00
Wiebetech Forensic UltraDock Write Block Hardware 5 pcs China UD-01 $1,000.00
Wiebetech ADAv4-18-TOSH Hard Drive Adapter USA
Wiebetech ADAv4-10 Hard Drive Adapter USA
Wiebetech ADAv4-25 Hard Drive Adapter USA
Wiebetech ADAv4-PCCARD Hard Drive Adapter USA
Nikon COOLPIX L18 Digital Camera 1 China - $100.00
Brother PT-80 Electronic Labeler 1 China - $30.00
Targus PADVD010U External DVD-Rom Drive 1 Indonesia - $140.00
Western Digital 1TB MyBook External hard drive 2 Thailand - $300.00
Western Digital 320MB Passport External hard drive 2 Thailand - $120.00
eSATA PCMCIA card PCMCIA interface card 1 Unknown - $80.00

Column descriptions:

Item – Name of the item, from the manufacturer’s label.
Description – Self descriptive
Serial Number – Self descriptive
Quantity – Self descriptive
Country of Origin – Self descriptive
Internal Name – Either a name or a bar code number. Used to keep contents of the kit in line with inventory sheet.
Unit Price – Replacement value, what it would cost if you looked it up on the Internet.

Collection Kit – items with without serial numbers

The following items lack serial numbers and generally are not of interest to customs though I’d still include all of these on the list I gave to customs. Customs issues aside, you still want to ensure that they are in the kit before heading out the door, of course.

Pelican Case Cables
Pelican 1510 LOC Complete set of UltraDock cables
Pelican 1515 case organizer Cross over cables (2x)
Pelican TSA lock Extra SATA and IDE cables
Electrical power strip
Office Supplies Network tap
Small magnifying glass
Small stapler w/ extra staples Tools
Small ruler Wiresnips
PostIt notes Set of precision screwdrivers
Index cards Flashlight
Ball point pen Needle nose pliers
Sharpie – extra fine point
Sharpie – fine point
Scissors Other
AA batteries Powered USB hub
Pill boxes 100Mb network hub
Media card reader – USB
Anti-static bags
Software Forensic evidence bags
USB Thumbdrive Case (6 slots) Cable ties – velcro
CD case Cable ties – plastic
Helix 1.9 – CD and USB
Helix 2 – CD and USB Spare hard drive jumpers
EnCase – CD and USB Printed copies of forms
General purpose 2GB stick Spare battery and media for camera.
Dongles
X-Ways dongle
EnCase dongle
MIP dongle
Paraben dongle

Explanation of items:

Pelican Case – This Pelican case will fit in the overhead compartment of domestic and international flights. The “LOC” designation means that it is designed to carry a laptop in the lid and clothes in an insert. Remove the insert and install the case organizer instead.

Office Supplies

  • PostIts – For labeling drives and systems temporarily.
  • Pillboxes – Hold screws from disassembled laptops. I had one laptop that required the removal of seven different sets of screws. The pillboxes kept them organized.
  • Sharpies – For labeling evidence and for filling in the notecards.
  • Notecards – The notecards get the following information on them:
    • Custodian
    • Date
    • System serial number

I then place the notecard for that system in each photograph taken of the system or its components. It allows me to sort a couple hundred photographs out later without too much difficulty.

Tools

  • The best precision screwdriver set I’ve found is the Boxer 40 Piece 4mm Precision Screwdriver set, model PK-30.
  • Wiresnips are for cutting cable ties.

Software

  • I include a bootable version of each tool on both CD and USB thumb drive. I can clone either one in the field and run an essentially limitless number of collections in parallel. We tend to think about the speed of individual imaging solutions and forget about parallelization of processes..
  • I maintain an SOP/Documents repository on my laptop and a Software Tools repository. The former contains forms, processes, articles, etc. The latter contains installers, source code, and stand alone apps for everything I need to build a new forensics analysis station. I periodically sync these repositories with the thumb drive in the collections kit as well as other systems.

Other notes:

  • The tools included will pass TSA scrutiny for carryon items based on the TSA website and personal experience.
  • You could bar code all the media before you go into the field. I often label mine when I wipe them, and set up a TrueCrypt volume up on them at the same time.
  • TrueCrypt volumes – I can ship the disks, hand them to customs, or flat out lose them without worrying about data being exposed. It can take hours to wipe and encrypt a drive so you really want to do a number of them in the lab rather than in the field. This is another reason not to assume you can get enough drives while you’re running around a foreign country, or even domestically. More than once I had multiple laptops running in my hotel room overnight doing the wipe/encrypt cycle with an alarm set to wake me so I could change drives out every few hours.
  • Each drive pair covers a single set of images. One is the primary, one is the backup. You can create both at the same time or use Robocopy to create the backup copy when you’re not imaging.
  • There’s not enough room in the kit for a dedicated hardware imager plus the bare drives it would require. The laptop isn’t quite as fast but it is more flexible, a useful characteristic when in the field. I do try to include a dedicated imaging solution in other luggage.
  • For long collection projects, I’ll carry a second case full of drives and/or ship drives to various locations. I’ve bought drives in the field, but it consumed a lot of shopping and prep time.
  • If you need to expand this kit for a larger project, all your office supplies are in this kit and other kits can hold more equipment – laptops, hardware imaging solutions, etc.
  • If multiple people are working on a project, each one gets a kit so they can split up if necessary without losing access to office supplies.
  • Whenever possible, I prepare collections forms in advance with the common information included – matter, custodian, address, etc. In addition to these forms, I include blank copies of all the common forms.
  • One copy of the inventory goes in the case, under the inserts. One goes in the case, on top of the inserts to give to Customs. One goes in my laptop bag.

Other items for consideration

There are a number of items missing from this kit that you might want to consider including. For example:

  • It doesn’t include anything for collecting cell phones.
  • It doesn’t contain a dedicated hardware imaging solution.
  • There are no packing materials – pre-printed FedEx labels, packing tape, evidence tape, etc.
  • Spares of many things.

Packaging

The entire kit fits into the Pelican 1510 LOC using the case organizer.

(Note: I bought mine through Amazon but this company will sell you all the pieces and will custom cut inserts for you as well – http://www.casesbypelican.com/app-1510.htm)

  • There aren’t quite enough dividers for my taste.
  • The power supplies for the write blocker and laptop go in the lid, side by side. I’m not certain that a Tableau power supply would fit.
  • Pack the stuff you really need on top.
  • I wish there was room for a clipboard with a forms storage compartment.
  • Put a business card under the organizer and another one elsewhere in the kit.
Digital Media Collections Kit

Digital Media Collections Kit

  • Laptop is in lid, left side.
  • Power supplies are in lid, right side.
  • UltraDock and adapters are in case, upper left.
  • Labeler and some cables are next to adapters.
About these ads
  1. April 6, 2010 at 8:44 pm

    Dear David,

    I read your article with great interest. In particular the statement on parallizing imaging tasks.

    Kind Regards,

    Jürgen

  2. Julian
    July 31, 2010 at 8:56 pm

    very interesting. With reference to the analysis tool, we use PTK Forensics from DFlabs. It is a very interesting framework based upon the sleuthkit. It is free for non professional use, and it cost a loot cheaper than encase and ftk for professional use.

  3. Mike
    August 1, 2010 at 1:55 am

    Great article! I wanted to point you to what may be one step up from the Boxer 40 Piece 4mm Precision Screwdriver set, model PK-30, albeit slightly more expensive, but well within reason at $19.95

    http://www.ifixit.com/Tools/54-Piece-Bit-Driver-Kit/IF145-022

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 41 other followers

%d bloggers like this: