Jump kit

One facet of incident response that can present a challenge to CSIRT members is the possibility that they may have to respond to incidents outside their own location. Off-site response is quite common in larger enterprises and is the norm for CSIRTs that consult for other organizations. As a result, a CSIRT may have to perform the entire response at another location without the support of a digital forensics laboratory. With this challenge in mind, CSIRTs should prepare several jump kits. These kits are preconfigured and contain the hardware and software necessary for the tasks a CSIRT is called on to perform during an incident. They should be able to sustain an investigation throughout the process, with the CSIRT identifying secure areas at the incident location in which to store and analyze evidence.

Jump kits should be portable, configured to fit within a secure hard-sided case, and ready to be deployed at any time. CSIRTs should ensure that, after each incident, the jump kit is restocked with any items that were used, and that the hardware and software are properly configured and tested, so that during the next incident analysts can be confident in their availability.

At a minimum, the jump kit should contain:

  • Forensic laptop: This laptop should contain enough RAM (32GB) to image a hard drive in a reasonable amount of time. It should also contain the forensic software platform that was previously discussed. If possible, the laptop should also carry at least one Linux forensic distribution, such as CAINE or SIFT.
  • Networking cables: Several CAT5 cables of varying lengths are useful in the event that the CSIRT has to access a network or patch into network hardware such as a router or a switch.
  • Physical write blocker: Each kit should have a hardware write blocker so that any hard drive CSIRT personnel encounter can be imaged without the possibility of writes altering the evidence drive.
  • External USB hard drives: The jump kit should contain several 1TB or 2TB USB hard drives. These serve as the destination media for images of hard drives from potentially compromised systems.
  • External USB devices: It is bad practice to write evidence collected from log sources, or the RAM capture of a potentially compromised system, to that system's own storage, since doing so overwrites potential evidence. The jump kit should contain several large-capacity (64GB) USB flash drives for offloading log files, RAM captures, or other information obtained from command-line output.
  • Bootable USB or CD/DVD: While not needed in every case, having several bootable Linux distributions can be useful in the event that the forensic laptop is occupied with another task.
  • Evidence bags or boxes: It may become necessary to seize a piece of evidence and transport it off-site while an incident is ongoing. The kit should provide the means to secure evidence on-site without having to search for a proper container.
  • Anti-static bags: In the event that hard drives are seized as evidence, they should be transported in anti-static bags.
  • Chain of custody forms: As was previously discussed, chain of custody for each piece of evidence is critical. Having a dozen blank forms available saves the trouble of finding a system and printer to print new copies.
  • Tool kit: A small toolkit containing screwdrivers, pliers, and a flashlight comes in handy when hard drives have to be removed, connections disconnected, or when the analyst has to reach a dark corner of the data center.
  • Notepad and writing instrument: Proper documentation is critical; handwritten notes in pen may seem old-fashioned, but they are the best way to reconstruct events as the incident continues to develop. Several steno notebooks and pens as part of the kit ensure that CSIRT personnel do not have to hunt for these items just after a critical event has occurred.

Jump kits should be inventoried at least monthly so that they remain fully stocked and prepared for deployment. They should also be secured and accessible to CSIRT personnel only. Left out, these kits are often raided by other personnel in search of a screwdriver, network cable, or flashlight.

For CSIRTs that support geographically dispersed organizations, it may be pertinent to pre-stage several jump kits at key locations such as major office headquarters, data centers, or other off-site locations. This saves the trouble of having to cart a kit through an airport.
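The following script illustrates how the kit's external USB drives are used to offload command-line output without writing to the suspect host, and how the collection is hashed so that the evidence can later be tied to the chain of custody form. It is an added example and not part of the original text; it assumes a POSIX shell with coreutils (`sha256sum`) and that the first argument is the mount point of a kit USB drive (the `/media/kit-usb-01` path in the usage comment is constructed).

```shell
#!/bin/sh
# Added example (not from the original text). Offloads volatile command
# output to external media and records SHA-256 hashes in a manifest.
# Assumes POSIX sh and coreutils (sha256sum, date, uname, id, df).

# collect_to_external <mount point of kit USB drive> <case identifier>
# Writes every artifact under <mount>/<case>/<host>-<UTC timestamp>/ and
# prints that directory. Nothing is written to the target host's own disks.
collect_to_external() {
    dest_root="$1"
    case_id="$2"
    host=$(uname -n)
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    outdir="$dest_root/$case_id/$host-$stamp"
    mkdir -p "$outdir" || return 1
    manifest="$outdir/MANIFEST.sha256"
    : > "$manifest"

    # Each command's stdout and stderr go to a separate file on the USB drive.
    # Only coreutils commands are used here so the example runs anywhere.
    for cmd in "date -u" "uname -a" "id" "env" "df -h"; do
        name=$(printf '%s' "$cmd" | tr ' /' '__')
        sh -c "$cmd" > "$outdir/$name.txt" 2>&1
        # Hash with a relative name so the manifest verifies from any mount point.
        (cd "$outdir" && sha256sum "$name.txt") >> "$manifest"
    done

    # Who collected, from which host, and when: the first entry of the
    # chain of custody, to be copied onto the paper form from the kit.
    printf 'collector=%s\nhost=%s\ncollected_utc=%s\ncase=%s\n' \
        "$(id -un)" "$host" "$stamp" "$case_id" > "$outdir/COLLECTION.txt"
    (cd "$outdir" && sha256sum COLLECTION.txt) >> "$manifest"

    printf '%s\n' "$outdir"
}

# verify_collection <collection directory>
# Re-hashes every artifact against the manifest; returns non-zero if any
# file has been altered since collection.
verify_collection() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1)
}

# Usage (constructed mount point):
#   collect_to_external /media/kit-usb-01 CASE-0001
#   verify_collection /media/kit-usb-01/CASE-0001/<host>-<stamp>
```

The manifest should be verified again when the drive is unpacked in the laboratory, and the hash of `MANIFEST.sha256` itself noted on the chain of custody form, so that any alteration in transit is detectable.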