At a BCERT course I attended, the class was given a mission to pack a go-kit of everything that we think we might need to collect data in a search warrant of a mock house. The only guidance was that if we forgot something and needed it at the house, we would fail that portion of the test. I packed everything. Literally everything that the course issued was packed, except my desktop computer.
During this mock search warrant, there were probably a half dozen rooms, each with a different scenario of searching and seizing evidence and devices. I lugged my kit to every room and needed only about 10% of what I brought. Another student didn’t bring a few tools that were needed, and he failed those scenarios. My lesson that day was to bring the kitchen sink if it fits.
One thing about that day of scenarios was that I didn’t learn the objective until after we were done. None of the acquisition problems were difficult. As soon as I hooked up the correct adaptors and drives, or entered the correct command line, I was told to pack up and move to the next room. The objective was to see that I knew which tools to bring, which tools to use, and how to employ them correctly. Nothing about actually completing any data collection task.
Your Lab in a Box
In a perfect world, you know exactly what you will encounter onsite and can bring just what you need. However, it is rarely as expected. In fact, if it is exactly as you expected, then you probably missed something. If only we could bring our entire lab onsite…
The goal is to bring what you know you will need, plus the things you think you might need, plus maybe a few things you doubt you will need but that will make or break a mission if you need them and don’t have them.
Today’s go-kit is different than yesterday’s go-kit
When working in a corporate environment, you generally know the landscape of what exists, have complete access to everything, and if you must travel, it may be either down the street or to another corporate office with all the support and tools that you need there.
For the consultant walking into a corporate environment or law enforcement walking into a crime scene, much of the time it is like preparing to parachute into a jungle. Sure, you are told what to expect, but once you land you are on your own, and anything you didn’t bring can cost you the mission. So, what do you pack for your go-kit?
Your mission determines what you pack. Yesterday’s mission might have been copying a custodian’s files to an external hard drive but today’s mission might be searching hundreds of computers across a network while at the same time imaging a Surface Pro, two iPads, a dozen iPhones, and a box of small media. The go-kit for these scenarios will be totally different.
Develop Your Go-Kit
Ask any military unit what they bring on a mission and the first question that you will get is “what is the mission?” The DFIR Go-Kit is no different. The needs of the mission determine the contents of the kit.
First responders are pretty good at developing their go-kits for different levels of purpose. The patrol officer generally has a trunk packed with generic tools to handle the incidents that make up most 911 calls. They can’t carry everything, which is why, when a 911 call develops into something more, specialized units are called in (detectives, SWAT, forensics, etc.).
Medical response is the same. A fire department engine carries what the crew thinks it will need for a medical emergency (plus a little more), but beyond that, the ER has to handle it.
Factors in kit building
- The known mission
- The changed mission
- The known infrastructure
- The unknown infrastructure
- The no-fail items
The known mission is where you get the order or engagement to do “X”. X might be a simple search and collect, a full forensic collection, or a partial analysis. This is the easy part to pack for because you know exactly what you are expected to do on the expected infrastructure.
The changed mission is when you arrive on site and realize that things are not as expected. It wasn’t one computer but rather a network of devices. Instead of having all day, you only have 6 hours. And your partner/assistant/co-worker is late.
Unless you work in the environment you are doing DFIR in, assume the infrastructure is not what you have been told. Treat it as unknown until you have seen it yourself; otherwise it will bite you for being unprepared.
If your mission is to capture a specific set of data, you know your go-kit needs the tools to do exactly that, and that if those tools fail you have a backup plan. These are the no-fail items. If you need a specific piece of software to do the job, that software is a no-fail item. These must be packed, or you may as well not even leave the office.
That time I was on an oil tanker…
An attorney hired me to capture the computers on the bridge of an oil tanker that was reachable only by small boat. Boarding the tanker would be by a ladder on the side of the hull. The attorney had been calling around to find someone for this engagement and, by the time it came to me, was asking questions like, “Are you sure that you have no problems with a small boat and climbing a ladder to board the tanker?” Of course, I took this case!
Here was the issue: electrical power. The attorney said that although the tanker was a foreign vessel, the bridge had power that I could use. No converters or adaptors needed. I still brought everything I might have needed for power connections and converters.
Once on the bridge, I was the only person who spoke English. Skipping some details, let’s just say that the entire power system on the bridge shorted out. There I was, on an oil tanker, floating in the middle of somewhere, with only hours to image three computers with no power.
“Luckily”, I had brought every spare laptop battery that I had, and it was more than enough power to image the hard drives. Had the hard drives been much larger, though, it would not have turned out as well. This was one of those one-chance captures, and the red flag of “power outlets” being called out by the client was enough to make me pack a little extra, just in case.
The things that went through my mind were:
- I have one shot to get this done
- There are no Best Buys or delivery services
- No one speaks English
- I’ll probably have no communication with my client while onsite
- I will be on my own
- I must carry my kit on my back and up a ladder to board a tanker floating in the middle of nowhere
The point is that this engagement’s kit was totally different from the engagement the day before. It would be nice to have a standard kit sitting in a big ol’ Pelican case, but in the real world, there are things that will be completely unnecessary on some engagements. That equates to excess weight and less space for the tools that matter. The questions that shape each kit:
- Mission – what do I need to do?
- Location – is there any supply source nearby (Fry’s, Office Depot, etc.)?
- Time – how much time do I have, and does it fall within business hours when those supply sources are open?
- Known infrastructure – what I am told exists
- Unknown infrastructure – what I am not being told
- Space for gear – will I be travelling on a Zodiac or a 747?
- Worst case scenario – if the plan fails, what can I still use to accomplish the mission?
Worst case scenario
Take the simplest scenario: imaging one hard drive (no RAM capture, no encryption, etc.). Simply hook it up to a write blocker and use your favorite software. But… what if your kit was lost in transit? What if your write blocker suddenly failed to connect? Or anything else?
If you are creative, you will think of another solution, such as booting the evidence machine to a forensic live OS and imaging from there, or booting your own forensic laptop to a forensic OS and imaging with the evidence drive attached. The caveat with either route is that the live OS must not auto-mount or write to the evidence drive (forensic distributions mount read-only or not at all; a general-purpose live CD does not), and when you boot the evidence machine itself you need to confirm the boot order before the machine gets a chance to boot its own OS.
I use this as an example because I have seen it happen and, other than calling me in total panic, the examiner didn’t know what to do. My solution was to boot to a forensic OS. A few minutes downloading a live CD from the company’s server and the issue was solved.
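As an added example (not code from the original post), here is what that fallback looks like when all you have left is a forensic live OS and its coreutils: a raw image made with dd, with the source and image hashed so the copy can be verified at the time and re-verified later. It assumes GNU dd and sha256sum. In the field the source would be a device node read through a write blocker or from a read-only live OS; here a constructed 1 MiB file of random bytes stands in for the drive so the script runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Fallback imaging with nothing
# but a forensic live OS's coreutils (GNU dd and sha256sum assumed).
# SRC would normally be a device node such as /dev/sdb behind a write
# blocker; here a constructed file stands in for the drive.

# image_and_verify SRC OUT
# Hash the source, copy it with dd, hash the image, record both hashes
# beside the image, and return 0 only if the two hashes match.
image_and_verify() {
    src="$1"; out="$2"
    pre=$(sha256sum "$src" | cut -d' ' -f1)
    # Plain dd with a large block size copies byte-for-byte and does not
    # pad the output. If you need conv=noerror,sync to get past bad
    # sectors, set bs to the sector size (512 or 4096): a larger bs pads
    # the last block and the image hash will no longer match the source.
    dd if="$src" of="$out" bs=4M 2>/dev/null
    post=$(sha256sum "$out" | cut -d' ' -f1)
    # Hash log for the chain-of-custody notes.
    printf 'source-sha256 %s\nimage-sha256  %s\n' "$pre" "$post" > "$out.sha256"
    [ "$pre" = "$post" ]
}

# verify_image OUT
# Later re-verification: recompute the image hash and compare it with the
# source hash recorded at acquisition time.
verify_image() {
    out="$1"
    recorded=$(awk '/^source-sha256/ {print $2}' "$out.sha256")
    current=$(sha256sum "$out" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# make_evidence PATH
# Constructed stand-in for the drive: 1 MiB of random bytes, a whole
# number of 512-byte sectors like a real disk.
make_evidence() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Stand-alone run: image the constructed drive into a temp workspace.
work=$(mktemp -d)
make_evidence "$work/evidence.raw"
image_and_verify "$work/evidence.raw" "$work/evidence.dd" && echo "image verified"
cat "$work/evidence.dd.sha256"
rm -rf "$work"
```

The hash taken before the copy is the one that goes in your notes; re-running verify_image against the stored log is how you show later that the image you analysed is the one you acquired.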
List of gear to choose from
I have a spreadsheet of every tool and piece of software on hand, including those hard-to-find adaptors. I find it is a good idea to have that list in front of me when I pack. I go through each item and mark it yes, no, or maybe. It is so easy to overlook an important item if you don’t have it listed or sitting in front of you.
- Suites (name-your-suite)
- Small tools (the ‘only-does-imaging’ type of software)
- OS specific tools
- Live CDs and USBs
- Forensic workstation (laptops, etc…)
- Write blockers
- Adaptors and wires
- Toolset (screwdrivers, etc…)
- Extra batteries
- Storage drives
- Various media
- Paperwork (forms, notes, etc…)
- Map (nearest sources of gear)
If you are driving to the location and can fit everything you need and don’t need in your car, then bringing tools you may not need does not cause a space concern.
If you are flying, consider overnight shipping of gear to the location to reduce the chance of your gear going to the wrong place. Put the no-fail gear in your carry-on.
Make a friend before arriving in a faraway land. A “friend” being perhaps a friendly competitor organization that may loan or rent you gear that you may unexpectedly need.
If told there are two computers, expect six. If you are told it is just Windows, expect MacOS as well. If told no mobile devices, expect a dozen.
The most important thing to remember is that the tools allow you to do the work. You must be a problem solver, otherwise the tools are useless.
*aka: jump bag, jump kit, go bag, go kit, response kit, response bag, etc.