Forensic Grab Bags

Posted on April 22, 2010


The other day I was asked to go out to a mega-important urgent job, saving the world from the forces of evil. As I hurdled over the desks and swept up my grab-bag from its hook by the door, I thought to myself “I bet some people don’t have a grab bag. I bet they’d still be tipping out their drawers, shouting ‘Where the shitting crikey is all my stuff?’”. I then thought “Monkey, you must write a blog post about grab-bags. Then you might finally get that ‘Public service’ badge to sew onto the sleeve of your shirt”. So here we are (as it turned out I was stood down as I was stepping out of the door, just in case you were wondering).

This is the bag itself. As you can see, it’s a bit special – Monkeytown Police seized a few hundred of them in a job once and we’ve got to use them for budgetary reasons. It’s the Firearms people I feel sorry for – they look really silly carrying their guns around in them.

The next photo (you might want to open it in a new window) shows some of the contents:

Here’s what’s in it, in no particular order:

1. Assortment of USB sticks. The fat silver one is included as a conversation piece to break the ice with sysadmins – it’s too wide to fit into about 75% of USB slots, and is very handy for initiating a bonding session about how everything’s a bit crap and we’re both just a couple of good ol’ geeks now I’m going to seize your servers kthanxbye. The others contain FTK Imager and Winen and an assortment of Sysinternals tools, portable apps and other bits and bobs.

2. Boot CDs – Helix and a special LE/Security Services-only one that I probably shouldn’t really show on here.

3. Exhibit labels, bits of string to tie them with, numeric seals, exhibit bags. I often leave these in the car as it’s much better if the bobbies on the scene seize the stuff, with me just advising. That way I have to write fewer statements and waste less time in court. If you’ve got all the bags and exhibit paraphernalia then they expect you to use it.

4. A torch. Useful for shining into dark crevices, but I also like to use it to play a mind-game with suspects: at the beginning of the search I wander around the room, shining the torch into corners even though the lighting’s fine. When the suspect asks me what I’m doing, I fix him with a piercing gaze and announce that I’m ‘Shining the light of justice into the DARKNESS of your SOUL!’. They seldom speak to me again during the day, which is how I like it. Looks a bit funny in the search log, though.

5. Pickled onion flavour Monster Munch. You can be out for a long time, so it’s important to keep yourself fed. Some practitioners take baby wipes to get the smell off their hands but I don’t usually bother.

6. A wooden imitation firearm. This one fires elastic bands, but not with any great force. You can get these from the gift shop in most UK prisons.

7. Paper and a pen. I tend to take copious notes when I’m out, and they’ve always come in handy later.

8. Some storage. Not too much – anything over a hundred GB and it’s either coming back to the office or you can get someone to bring you a bigger disk out.

9. A phone with interwebs on it for looking stuff up/mucking about while imaging.

10. (Not shown) Toolkit

11. (Not shown) Deodorant, aftershave, hair gel. <leer>You never know who you’re going to meet at some business premises!</leer>

This is a general kit that’s meant as a broad selection of stuff that you can have out of circulation without missing too much. It isn’t meant to cover all situations and naturally there’ll be special circumstances where you’ll need special kit. I’d be interested to know what’s in your grab bags though.

That was going to be it for today’s post, but I’ve just listened to the latest Cyberspeak, which has an excellent interview with Nick Furneaux. This needs to be listened to by anyone involved in LE computer forensics – what he says makes a hell of a lot of sense, and he’s also very entertaining. And I’m not just saying that because he gave me a shout. Honest. It’s about working smarter and not getting stuck in the old ways of doing things simply because change is scary.

A couple of reader announcements now follow:

  • To the guy who got to this blog by Googling ‘women wearing buttplugs in supermarkets’ – please don’t come back. Seriously dude, wtf is wrong with you?
  • In a cynical attempt to get free stuff, I’ve now got a wishlist at Amazon. My expectations are low.