Digital Media Collections Kit

Digital Evidence Collection Kit

Overview

Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. – as well as the processes and procedures governing how they are applied. And if you cannot find the items, or get them to the destination, it doesn’t matter how great your tools are.

This kit, and the thoughts and processes behind it, attempts to address concerns I’ve encountered while doing collections all over the world. The novice investigator or experienced examiner can use this as a foundation for their own kit, or just find insight to fine tune their existing processes.

Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst.

Kit Contents

Collection Kit – items with serial numbers

The following table includes all the items that might be of interest to a customs agent. Everything on this list should accurately reflect the actual contents of the collection kit. It may seem odd to include the Brother labeler and the Targus external DVD-ROM drive, but I had these flagged by customs.

Item	Description	Serial Number	Quantity	Country of Origin	Internal Name	Unit Price ($USD)
Lenovo ThinkPad T-60	Laptop Computer		1	China	CK-01	$1,000.00
Wiebetech Forensic UltraDock	Write Block Hardware		5 pcs	China	UD-01	$1,000.00
Wiebetech ADAv4-18-TOSH	Hard Drive Adapter			USA
Wiebetech ADAv4-10	Hard Drive Adapter			USA
Wiebetech ADAv4-25	Hard Drive Adapter			USA
Wiebetech ADAv4-PCCARD	Hard Drive Adapter			USA
Nikon COOLPIX L18	Digital Camera		1	China	–	$100.00
Brother PT-80	Electronic Labeler		1	China	–	$30.00
Targus PADVD010U	External DVD-Rom Drive		1	Indonesia	–	$140.00
Western Digital 1TB MyBook	External hard drive		2	Thailand	–	$300.00
Western Digital 320MB Passport	External hard drive		2	Thailand	–	$120.00
eSATA PCMCIA card	PCMCIA interface card		1	Unknown	–	$80.00

Column descriptions:

Item – Name of the item, from the manufacturer’s label.
Description – Self descriptive
Serial Number – Self descriptive
Quantity – Self descriptive
Country of Origin – Self descriptive
Internal Name – Either a name or a bar code number. Used to keep contents of the kit in line with inventory sheet.
Unit Price – Replacement value, what it would cost if you looked it up on the Internet.

Collection Kit – items with without serial numbers

The following items lack serial numbers and generally are not of interest to customs though I’d still include all of these on the list I gave to customs. Customs issues aside, you still want to ensure that they are in the kit before heading out the door, of course.

Pelican Case			Cables
Pelican 1510 LOC			Complete set of UltraDock cables
Pelican 1515 case organizer			Cross over cables (2x)
Pelican TSA lock			Extra SATA and IDE cables
			Electrical power strip
Office Supplies			Network tap
Small magnifying glass
Small stapler w/ extra staples			Tools
Small ruler			Wiresnips
PostIt notes			Set of precision screwdrivers
Index cards			Flashlight
Ball point pen			Needle nose pliers
Sharpie – extra fine point
Sharpie – fine point
Scissors			Other
AA batteries			Powered USB hub
Pill boxes			100Mb network hub
			Media card reader – USB
			Anti-static bags
Software			Forensic evidence bags
USB Thumbdrive Case (6 slots)			Cable ties – velcro
CD case			Cable ties – plastic
Helix 1.9 – CD and USB
Helix 2 – CD and USB			Spare hard drive jumpers
EnCase – CD and USB			Printed copies of forms
General purpose 2GB stick			Spare battery and media for camera.
Dongles
X-Ways dongle
EnCase dongle
MIP dongle
Paraben dongle

Explanation of items:

Pelican Case – This Pelican case will fit in the overhead compartment of domestic and international flights. The “LOC” designation means that it is designed to carry a laptop in the lid and clothes in an insert. Remove the insert and install the case organizer instead.

Office Supplies

• PostIts – For labeling drives and systems temporarily.
• Pillboxes – Hold screws from disassembled laptops. I had one laptop that required the removal of seven different sets of screws. The pillboxes kept them organized.
• Sharpies – For labeling evidence and for filling in the notecards.
• Notecards – The notecards get the following information on them:
  • Custodian
  • Date
  • System serial number

I then place the notecard for that system in each photograph taken of the system or its components. It allows me to sort a couple hundred photographs out later without too much difficulty.

Tools

• The best precision screwdriver set I’ve found is the Boxer 40 Piece 4mm Precision Screwdriver set, model PK-30.
• Wiresnips are for cutting cable ties.

Software

• I include a bootable version of each tool on both CD and USB thumb drive. I can clone either one in the field and run an essentially limitless number of collections in parallel. We tend to think about the speed of individual imaging solutions and forget about parallelization of processes..
• I maintain an SOP/Documents repository on my laptop and a Software Tools repository. The former contains forms, processes, articles, etc. The latter contains installers, source code, and stand alone apps for everything I need to build a new forensics analysis station. I periodically sync these repositories with the thumb drive in the collections kit as well as other systems.

Other notes:

• The tools included will pass TSA scrutiny for carryon items based on the TSA website and personal experience.
• You could bar code all the media before you go into the field. I often label mine when I wipe them, and set up a TrueCrypt volume up on them at the same time.
• TrueCrypt volumes – I can ship the disks, hand them to customs, or flat out lose them without worrying about data being exposed. It can take hours to wipe and encrypt a drive so you really want to do a number of them in the lab rather than in the field. This is another reason not to assume you can get enough drives while you’re running around a foreign country, or even domestically. More than once I had multiple laptops running in my hotel room overnight doing the wipe/encrypt cycle with an alarm set to wake me so I could change drives out every few hours.
• Each drive pair covers a single set of images. One is the primary, one is the backup. You can create both at the same time or use Robocopy to create the backup copy when you’re not imaging.
• There’s not enough room in the kit for a dedicated hardware imager plus the bare drives it would require. The laptop isn’t quite as fast but it is more flexible, a useful characteristic when in the field. I do try to include a dedicated imaging solution in other luggage.
• For long collection projects, I’ll carry a second case full of drives and/or ship drives to various locations. I’ve bought drives in the field, but it consumed a lot of shopping and prep time.
• If you need to expand this kit for a larger project, all your office supplies are in this kit and other kits can hold more equipment – laptops, hardware imaging solutions, etc.
• If multiple people are working on a project, each one gets a kit so they can split up if necessary without losing access to office supplies.
• Whenever possible, I prepare collections forms in advance with the common information included – matter, custodian, address, etc. In addition to these forms, I include blank copies of all the common forms.
• One copy of the inventory goes in the case, under the inserts. One goes in the case, on top of the inserts to give to Customs. One goes in my laptop bag.

Other items for consideration

There are a number of items missing from this kit that you might want to consider including. For example:

• It doesn’t include anything for collecting cell phones.
• It doesn’t contain a dedicated hardware imaging solution.
• There are no packing materials – pre-printed FedEx labels, packing tape, evidence tape, etc.
• Spares of many things.

Packaging

The entire kit fits into the Pelican 1510 LOC using the case organizer.

(Note: I bought mine through Amazon but this company will sell you all the pieces and will custom cut inserts for you as well – http://www.casesbypelican.com/app-1510.htm)

• There aren’t quite enough dividers for my taste.
• The power supplies for the write blocker and laptop go in the lid, side by side. I’m not certain that a Tableau power supply would fit.
• Pack the stuff you really need on top.
• I wish there was room for a clipboard with a forms storage compartment.
• Put a business card under the organizer and another one elsewhere in the kit.

Digital Media Collections Kit

• Laptop is in lid, left side.
• Power supplies are in lid, right side.
• UltraDock and adapters are in case, upper left.
• Labeler and some cables are next to adapters.

Advertisement