Incident Response Thumb Drive
A Note About USB Drives
This is simply a list of recommended tools to keep on a USB drive. The intent is to have this USB drive in your “Go Bag” for use during an incident. It will contain the tools you intend to use for evidence collection and triage. Keep these tools updated and practice with them prior to an incident. The USB drive should be large enough to contain the tools, memory images, and disk images. This is a tall order considering that the size of workstation drives is increasing. As of this writing, 2 TB USB drives can be found easily on Amazon. This doesn’t mean you need a 2 TB drive. Do not rush out and buy one because you read it here. This is merely pointing out that they exist. I use a 256 GB drive for personal use. I have also used a 2 TB SSD external drive during real incident responses in the past and it worked great. Regardless of the drive selected, the process and intent are the same.
The List
- cmd.exe for Windows 10, Windows Server 2012, 2016, 2019
- Sysinternals
  - Separate out autorunsc and autorunsc64
- Redline Collection Tool
- FTK Imager Lite
This is merely a suggested list. This should get any incident responder started easily. Feel free to modify as needed (obviously).
Happy Hunting!