On modern networks, a network sniffer can collect a vast amount of data in very short order. However, hard drives aren’t always as transportable as removable storage media. And, as with most things we’ve discussed so far, there is a range of removable media types available, each with its own strengths and weaknesses. One of the basic credos of incident response is that there is no such thing as a large enough hard drive.
We’ve found that maximum flexibility is the key to success, although there are always trade-offs. Some of the most important issues when selecting a type of removable storage to use include:
The type of removable storage is often chosen before you ever arrive on-site to work on an incident. This is true, for example, when you need to perform some form of forensic analysis on a specific system. It’s also true when you need to pull information off a specific server or, more generally, off a desktop host.
This relates closely to availability. You are often forced to copy data in a way that leaves no signs behind on the system: no device drivers are loaded or unloaded, and so on. In that case, you are pretty much stuck with whatever storage is already in the system when you arrive.
Naturally, whatever storage devices you choose need to be compatible with the system that you are working on as well as the system on which you’re going to be analyzing the data. Care should be taken, for example, to ensure ...