The Incident Kit

Every incident response team should have a “fly-away kit” capability. It’s been our experience that a fly-away kit should be tailored to the individual team’s needs, of course, and that its configuration will change over time as attacks, networks, and tools change. The kit must be ready on a moment’s notice and contain the equipment the team needs when it is sent to handle an incident. Of course, the notion of “being sent” will vary depending on each team’s responsibilities, but whether the destination is down the hall or on a faraway continent, it is safe to say that the team will need tools to support its mission.

We’ve learned a lot of valuable lessons over the years about what should and shouldn’t go into a fly-away kit. One frighteningly consistent theme is that things go wrong at the worst possible times -- the infamous Murphy is credited with saying this first. It doesn’t seem possible that this could be more true. In fact, we believe that Murphy is a permanent member of every incident response team. Tools fail when you need them most -- disk drives crash before you save critical data; cables and connectors break as you’re about to connect a critical piece of equipment. None of this happens during the day when stores are open or when customer support personnel are on duty at your tool vendors. Here are the most important criteria to follow when putting your kit together.

Maintain your library of tools, systems, gadgets, etc., in an ...
