IR1.8 The Jump Bag — Readiness Before the Incident

The Jump Bag — Readiness Before the Incident

Ready in 10 minutes — or scrambling for an hour

The alert fires at 2 AM. The CISO wants you on the investigation call in 15 minutes. You need KAPE, EZTools, Volatility 3, a write blocker, blank USB drives, and your standard operating procedures — and you need them now, not after 45 minutes of downloading and configuring. The jump bag is the difference between responding in 10 minutes and scrambling for an hour. Everything you need for the first 4 hours of any investigation, pre-configured and tested, ready to deploy.

The jump bag is the IR team's ready-to-deploy kit. In physical form, it is a USB drive (or a set of USB drives) containing every tool, script, and document needed to begin an investigation. In virtual form, it is a network share or cloud storage location that every team member can access. In practice, most teams maintain both: a USB for situations where network access is unavailable (isolated endpoint, compromised network) and a network share for normal operations.

Building the USB jump bag

# Build the IR jump bag on a USB drive
# Use a 64 GB or larger USB 3.0 drive for speed
# Label the drive: "IR TOOLKIT — DO NOT FORMAT"

$usbDrive = "E:"  # Change to your USB drive letter

# Create the jump bag folder structure
New-Item -ItemType Directory -Path "$usbDrive\IR-JumpBag" -Force
New-Item -ItemType Directory -Path "$usbDrive\IR-JumpBag\Tools" -Force
New-Item -ItemType Directory -Path "$usbDrive\IR-JumpBag\Scripts" -Force
New-Item -ItemType Directory -Path "$usbDrive\IR-JumpBag\Documents" -Force
New-Item -ItemType Directory -Path "$usbDrive\IR-JumpBag\Output" -Force

# Copy tools from the forensic workstation
Copy-Item "C:\IR\Tools\KAPE\*" "$usbDrive\IR-JumpBag\Tools\KAPE\" -Recurse
Copy-Item "C:\IR\Tools\EZTools\*" "$usbDrive\IR-JumpBag\Tools\EZTools\" -Recurse
Copy-Item "C:\IR\Tools\Volatility3\winpmem.exe" "$usbDrive\IR-JumpBag\Tools\"
Copy-Item "C:\IR\Tools\Velociraptor\collector.exe" "$usbDrive\IR-JumpBag\Tools\"

# Generate SHA256 hashes for all tool binaries
# This verifies tool integrity — if hashes change, the USB may be compromised
Get-ChildItem "$usbDrive\IR-JumpBag\Tools" -Recurse -Filter "*.exe" |
    ForEach-Object {
        $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        "$hash  $($_.Name)"
    } | Out-File "$usbDrive\IR-JumpBag\tool_hashes.txt"

Write-Host "Jump bag created at $usbDrive\IR-JumpBag\" -ForegroundColor Green
Write-Host "Tool hashes saved to tool_hashes.txt" -ForegroundColor Cyan

The KAPE quick-collection script

Create a batch file that runs a standard KAPE triage collection with a single double-click. This is the script the onsite contact runs when the IR team is remote — it requires no forensic knowledge to execute.

# Create the KAPE quick-collection batch file
$batchContent = @'
@echo off
echo ============================================
echo  RIDGELINE IR — KAPE TRIAGE COLLECTION
echo  DO NOT CLOSE THIS WINDOW
echo ============================================
echo.
echo Starting artifact collection...
echo This will take 2-5 minutes.
echo.

set CASEID=%COMPUTERNAME%_%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%_%TIME:~0,2%%TIME:~3,2%
set CASEID=%CASEID: =0%

"%~dp0Tools\KAPE\kape.exe" --tsource C: --tdest "%~dp0Output\%CASEID%" --target !SANS_Triage --vhdx %CASEID%

echo.
echo ============================================
echo  COLLECTION COMPLETE
echo  Output saved to: Output\%CASEID%
echo  Please transfer this folder to the IR team.
echo ============================================
echo.
pause
'@

$batchContent | Out-File "$usbDrive\IR-JumpBag\COLLECT.bat" -Encoding ASCII
Write-Host "Quick-collection script created: COLLECT.bat" -ForegroundColor Green

The COLLECT.bat script is designed for non-technical users. Insert the USB, run COLLECT.bat as Administrator, wait 2-5 minutes, and transfer the Output folder to the IR team. No decisions required. No configuration needed. The collection happens automatically with the standard SANS_Triage target.

The memory collection script

Create a separate batch file for memory acquisition. Memory collection is run before KAPE triage because memory is more volatile — every minute of delay means more evidence is overwritten.

# Create the memory collection batch file
$memContent = @'
@echo off
echo ============================================
echo  RIDGELINE IR — MEMORY CAPTURE
echo  DO NOT CLOSE THIS WINDOW
echo  This takes 2-10 minutes depending on RAM
echo ============================================
echo.

set CASEID=%COMPUTERNAME%_%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%_%TIME:~0,2%%TIME:~3,2%
set CASEID=%CASEID: =0%

"%~dp0Tools\winpmem.exe" "%~dp0Output\%CASEID%_memory.raw"

echo.
echo ============================================
echo  MEMORY CAPTURE COMPLETE
echo  File: Output\%CASEID%_memory.raw
echo  NOW run COLLECT.bat for disk artifacts
echo ============================================
echo.
pause
'@

$memContent | Out-File "$usbDrive\IR-JumpBag\MEMORY.bat" -Encoding ASCII
Write-Host "Memory collection script created: MEMORY.bat" -ForegroundColor Green

The investigation sequence for the onsite contact: (1) run MEMORY.bat first (volatile evidence), (2) run COLLECT.bat second (disk artifacts), (3) transfer the entire Output folder to the IR team. This two-step process captures both volatile and persistent evidence in the correct order.

The contact sheet

IR Contact Sheet — adapt for your organization:

>

IR Team:

- IR Lead: [Name] — [Phone] — [Email]

- Primary Analyst: [Name] — [Phone] — [Email]

- Backup Analyst: [Name] — [Phone] — [Email]

>

Escalation:

- CISO: [Name] — [Phone] — [Email]

- Legal Counsel: [Name] — [Phone] — [Email]

- Privacy Officer (DPO): [Name] — [Phone] — [Email]

- Communications / PR: [Name] — [Phone] — [Email]

>

External:

- Managed SOC (if applicable): [Vendor] — [24/7 Phone] — [Email] — [Ticket Portal URL]

- Cyber Insurance Carrier: [Provider] — [Claims Phone] — [Policy Number]

- External IR Retainer (if applicable): [Vendor] — [Activation Phone]

- Law Enforcement: [Local Cyber Crime Unit] — [Phone] — [Case Reference Process]

- ICO (UK Data Protection): 0303 123 1113 — casework@ico.org.uk

>

Portal Access:

- Defender XDR: https://security.microsoft.com

- Purview: https://purview.microsoft.com

- Entra ID: https://entra.microsoft.com

- Azure Portal: https://portal.azure.com

- Sentinel: [Your workspace URL]

Print this contact sheet and include it in both the physical jump bag and the virtual network share. Update it immediately when people change roles — an outdated contact sheet during a real incident causes costly delays.

The virtual jump bag (network share)

The physical USB is for offline/isolated scenarios. For day-to-day investigations, maintain a virtual jump bag on a network share accessible to all IR team members.

# Create the virtual jump bag on a network share
$sharePath = "\\fileserver\IR-JumpBag"  # Change to your share path

# Mirror the USB structure
New-Item -ItemType Directory -Path "$sharePath\Tools" -Force
New-Item -ItemType Directory -Path "$sharePath\Scripts" -Force
New-Item -ItemType Directory -Path "$sharePath\Documents" -Force
New-Item -ItemType Directory -Path "$sharePath\Templates" -Force

# Copy tools from the forensic workstation
Copy-Item "C:\IR\Tools\KAPE\*" "$sharePath\Tools\KAPE\" -Recurse
Copy-Item "C:\IR\Tools\EZTools\*" "$sharePath\Tools\EZTools\" -Recurse
Copy-Item "C:\IR\Tools\Volatility3\winpmem.exe" "$sharePath\Tools\"

# Copy documents
# (Add IR playbooks, contact sheet, checklists as they are created)

# Set permissions: IR team read access, IR lead write access
# Restrict access — these tools and credentials should not be accessible
# to general staff

The virtual jump bag has two advantages over the USB: it is immediately accessible from any workstation on the network (no physical USB required), and it is updated centrally (one update propagates to all team members). The disadvantage: it is inaccessible if the network is compromised or unavailable. Maintain both.

The evidence handling kit

Beyond digital tools, the physical jump bag should include materials for evidence handling. When the investigation escalates to involve physical hardware — a laptop seized for imaging, a server disconnected for preservation, a USB drive recovered from a departing employee — proper evidence handling prevents chain of custody challenges.

Physical evidence bags: Anti-static bags for hard drives and USB devices. Label each bag with: case ID, date/time of seizure, item description, serial number (if visible), name of person who seized it, name of person who received it.

Write blockers: A hardware write blocker (such as Tableau T35es or WiebeTech USB WriteBlocker) prevents any write operations to evidence drives during imaging. Software write blockers exist but hardware blockers are considered more forensically defensible because they operate at the interface level and cannot be bypassed by software. For USB evidence, a USB write blocker is the most commonly needed device. For SATA drives removed from laptops/desktops, a SATA write blocker bridges the drive to your forensic workstation.

Labeling materials: Tamper-evident evidence tape, permanent markers, printed evidence labels with fields for case ID, item number, description, handler, and date. Proper labeling is not bureaucracy — it is the chain of custody mechanism that makes the evidence admissible if the investigation escalates to legal proceedings.

Documentation forms: Pre-printed chain of custody forms. Each form records every transfer of evidence: who had it, when they received it, when they transferred it, who received it next, and the purpose of the transfer. IR2 (Evidence Acquisition and Chain of Custody) provides the complete form templates used throughout the course.

Chain of Custody Record Template — include in the jump bag:

>

Case ID: _______________

Evidence Item #: _______________

Description: _______________

Serial Number / Hash: _______________

>

| Date/Time | Received By | Received From | Purpose | Signature |

|---|---|---|---|---|

| | | | Initial collection | |

| | | | Transfer to analysis | |

| | | | Return to storage | |

>

SHA256 Hash at Collection: _______________

SHA256 Hash at Analysis: _______________

Hashes Match: ☐ Yes ☐ No (if No, document discrepancy)

Incident severity classification

The jump bag should include a severity classification guide that standardizes how the team categorizes incidents. Severity drives resource allocation, escalation speed, and communication cadence.

Incident Severity Classification — adapt for your organization:

>

SEV-1 (Critical): Active ransomware encryption in progress. Confirmed data breach with regulatory notification requirement. Executive account compromise with evidence of financial fraud. Active attacker with domain admin access.

Response: All-hands IR. CISO notified within 15 minutes. Legal engaged within 1 hour. External IR retainer activated if needed. 24/7 investigation until contained. Evidence collection begins immediately — do not wait for approval.

>

SEV-2 (High): Confirmed credential compromise with mailbox access. Malware execution confirmed on multiple endpoints. Insider threat with confirmed data exfiltration. BEC attempt with financial transaction in progress.

Response: IR lead + primary analyst engaged. CISO notified within 2 hours. Evidence collection within 30 minutes. Containment within 4 hours. Twice-daily status updates.

>

SEV-3 (Medium): Single endpoint malware detection contained by EDR. Phishing email delivered but no evidence of credential compromise. Suspicious sign-in from unfamiliar location (unconfirmed compromise). Policy violation without data exposure.

Response: Primary analyst investigates. IR lead informed. Evidence collection within 2 hours. Daily status updates. Escalate to SEV-2 if scope expands.

>

SEV-4 (Low): Phishing email reported but not clicked. Vulnerability scan detection. False positive alert requiring investigation. Routine security event requiring documentation.

Response: Analyst investigates during business hours. Standard triage workflow. Document and close, or escalate if findings warrant.

The severity classification connects to the go/no-go checklist: the initial assessment determines the severity, and the severity determines the response tempo, the escalation path, and the resources committed.

Playbook reference cards

Include one-page reference cards for the five most common incident types. These are not the full investigation playbooks (those are taught in Phase 4) — they are laminated quick-reference cards that remind the responder of the first 30 minutes of actions for each incident type.

Quick Reference: AiTM Credential Phishing (first 30 minutes)

>

1. Identify the phishing URL from the report/alert

2. KQL: query EmailUrlInfo for all recipients who received the URL

3. KQL: query SigninLogs for each recipient — did any authenticate from a new IP after receiving the email?

4. For confirmed compromises: Revoke-MgUserSignInSession (break stolen tokens)

5. For confirmed compromises: Check Get-InboxRule for attacker-created forwarding rules

6. Preserve: Export Purview audit logs for compromised users (before retention expires)

7. Scope: How many accounts are compromised? Run the sign-in analysis for every recipient

8. Document: Case log entry with timeline, affected accounts, containment actions taken

Quick Reference: Ransomware Detection (first 30 minutes)

>

1. DO NOT power off affected systems — memory evidence will be lost

2. Network isolate affected endpoints (Velociraptor quarantine or switch port disable)

3. Capture memory from affected systems IMMEDIATELY (WinPMem via jump bag USB)

4. Run KAPE triage on the first identified system while scoping others

5. KQL: query DeviceFileEvents for mass file rename/encryption patterns

6. Velociraptor hunt: check for the ransomware binary/scheduled task across all endpoints

7. Identify the initial access vector (phishing? RDP? VPN compromise?)

8. Document: Case log entry with first detection time, affected systems, containment actions

Quick Reference: BEC / Financial Fraud (first 30 minutes)

>

1. Determine: has a fraudulent payment been initiated?

2. If yes: contact the bank/payment provider IMMEDIATELY to attempt recall

3. Identify the compromised account from the fraudulent email

4. Revoke sessions: Revoke-MgUserSignInSession

5. Check inbox rules: Get-InboxRule — remove any attacker-created forwarding

6. Check sent items: has the attacker sent emails impersonating the user?

7. Purview audit: MailItemsAccessed — what did the attacker read?

8. Scope: are other accounts compromised? Check for the same sign-in pattern

These reference cards are the bridge between "alert fires" and "investigation begins." They prevent the responder from freezing at 02:00 when the cognitive load of remembering the correct first steps competes with the urgency of the situation. Print them, laminate them, and store them in the physical jump bag alongside the USB drive.

Jump bag maintenance schedule

Beyond monthly testing, the jump bag requires periodic maintenance to remain current with tool updates, personnel changes, and organizational changes.

Monthly (15 minutes): Run the hash verification script. Run each tool's --help command to confirm it executes. Verify the USB drive is not corrupted (check for read errors). Test the COLLECT.bat and MEMORY.bat scripts on the forensic workstation.

Quarterly (30 minutes): Update KAPE targets and modules (kape.exe --sync). Update EZTools (Get-ZimmermanTools.ps1). Update the Velociraptor standalone collector to the latest release. Re-generate tool hashes after updates. Sync the physical USB and virtual network share to ensure they contain identical tool versions.

After every personnel change: Update the contact sheet immediately. When the CISO changes, when a team member leaves, when the legal contact changes — the contact sheet must reflect the current organization. An outdated contact sheet during a SEV-1 incident wastes critical time.

After every investigation: Review the jump bag contents based on lessons learned. Did you need a tool that was not in the bag? Add it. Did a script fail in a way that the test did not catch? Fix it. Did the go/no-go checklist miss a decision point that you encountered? Update it. The jump bag improves through operational use — each investigation makes it more complete.

The go/no-go decision checklist

IR Go/No-Go Decision Checklist — adapt for your organization:

>

Initial Assessment (first 15 minutes):

- What triggered the investigation? (Alert, user report, third-party notification, threat intel)

- Is the threat active right now? (Active = contain immediately. Historical = preserve evidence first.)

- How many systems/users appear affected? (1 = targeted response. Multiple = enterprise scope.)

- Is data at risk of destruction or exfiltration? (Yes = prioritize containment. No = prioritize evidence.)

>

Escalation Criteria:

- Ransomware indicators detected → Escalate to IR lead immediately.

- Executive account compromised → Escalate to IR lead + Legal.

- Data exfiltration confirmed → Escalate to IR lead + Legal + Privacy Officer.

- More than 10 systems affected → Escalate to IR lead + CISO.

- Regulatory notification may be required → Escalate to IR lead + Legal + Compliance.

>

Evidence Priority (collect in this order):

1. Memory capture (volatile — lost on reboot)

2. Network connections (volatile — change constantly)

3. KAPE triage collection (persistent but time-sensitive)

4. M365 audit log export (persistent but retention-limited)

5. Full disk image (persistent — collect last if needed)

>

Containment Decision:

- Active destruction (encryption, wiping) → Isolate immediately.

- Active exfiltration → Isolate immediately.

- Credential theft (no active damage) → Preserve evidence, then contain.

- Historical compromise (attacker no longer active) → Full evidence collection, then contain.

This checklist is the starting point. IR18 (Building IR Readiness) teaches how to develop a complete IR plan with organization-specific escalation paths, contact trees, and decision frameworks. For now, print this checklist, laminate it, and put it in the jump bag.

Jump bag deployment scenarios

The jump bag is not a single tool — it is a deployment strategy that adapts to the investigation context. Three common scenarios demonstrate how the bag's contents are used differently depending on the situation.

Scenario 1: Remote worker compromise (most common). A user reports a suspicious email and clicked a link. The user works from home, 200 miles from the nearest IT staff. The jump bag virtual share is accessible. The IR analyst connects to the user's workstation via PowerShell remoting, deploys KAPE from the virtual jump bag share, runs a triage collection remotely, and retrieves the results — all without requiring the user to do anything beyond keeping their laptop powered on. The Contain-Identity.ps1 script (IR1.7) runs simultaneously to revoke the user's sessions and disable the account. Total time from alert to containment: 15-20 minutes. Without the pre-staged tools and scripts, the same process takes 45-60 minutes of ad hoc tool downloading, credential lookup, and manual portal navigation.

Scenario 2: Onsite server compromise. A monitoring alert indicates suspicious process execution on a production database server. Physical access is available but the server cannot be taken offline. The physical USB jump bag is inserted. MEMORY.bat runs first (memory capture — volatile evidence). COLLECT.bat runs second (KAPE triage collection — persistent evidence). The analyst transfers both to the forensic workstation for analysis. The server remains online for the business. The collection produces the evidence needed to determine what happened without impacting production operations.

Scenario 3: Multi-endpoint ransomware (worst case). Ransomware encryption detected on 3 endpoints. Unknown scope — how many more are affected? The Velociraptor standalone collector from the jump bag is deployed via PsExec or SCCM to all endpoints in the affected network segment. A fleet-wide hunt queries for the known indicators (specific file names, scheduled task names, registry keys identified from the first 3 endpoints). Within 30 minutes, the scope is determined: 3 encrypted, 7 with pre-encryption indicators (persistence installed but encryption not yet triggered), 490 clean. Containment targets the 7 pre-encryption endpoints immediately, preventing further encryption. The jump bag's pre-staged tools made the difference between 3 encrypted endpoints and 10.

Complete jump bag inventory

The following is the complete contents list for both the physical USB jump bag and the virtual network share. Print this inventory and include it in the Documents folder — during a crisis, a checklist is faster than memory.

Jump Bag Inventory — Physical USB (64+ GB, USB 3.0)

>

Tools\KAPE\ — complete KAPE installation with updated targets and modules

Tools\EZTools\ — complete EZTools suite (all parsers)

Tools\winpmem.exe — memory acquisition tool

Tools\collector.exe — Velociraptor standalone collector (pre-configured)

Tools\DumpIt.exe — single-click memory dumper (backup acquisition)

Tools\PsExec.exe — remote execution utility

>

Scripts\COLLECT.bat — automated KAPE triage collection

Scripts\MEMORY.bat — automated memory capture

Scripts\Contain-Identity.ps1 — complete M365 identity containment

Scripts\Parse-All.ps1 — automated EZTools processing pipeline

Scripts\Scope-Check.ps1 — batch IOC check across multiple endpoints

>

Documents\go-no-go-checklist.pdf — printed, laminated

Documents\contact-sheet.pdf — printed, laminated, updated monthly

Documents\evidence-custody-form.pdf — blank forms (10 copies)

Documents\chain-of-custody-log.pdf — blank log sheets (10 copies)

Documents\ir-playbook-aitm.pdf — AiTM/credential phishing playbook

Documents\ir-playbook-bec.pdf — BEC/financial fraud playbook

Documents\ir-playbook-ransomware.pdf — Ransomware playbook

>

Output\ — empty folder for collection output (on the USB itself)

tool_hashes.txt — SHA256 hashes of all tool binaries

Monthly testing

An untested jump bag is an unreliable jump bag. Monthly testing takes 15 minutes and prevents the situation where the USB fails, the tool is outdated, or the credentials have expired when you need them.

# Monthly jump bag test script
# Run on the first Monday of each month

$usbDrive = "E:"  # USB drive letter

# 1. Verify tool hashes (detect tampering or corruption)
$storedHashes = Get-Content "$usbDrive\IR-JumpBag\tool_hashes.txt"
$currentHashes = Get-ChildItem "$usbDrive\IR-JumpBag\Tools" -Recurse -Filter "*.exe" |
    ForEach-Object {
        $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        "$hash  $($_.Name)"
    }
$mismatches = Compare-Object $storedHashes $currentHashes
if ($mismatches) {
    Write-Host "HASH MISMATCH DETECTED — investigate before using this kit" -ForegroundColor Red
    $mismatches | ForEach-Object { Write-Host $_.InputObject -ForegroundColor Yellow }
} else {
    Write-Host "All tool hashes verified — no tampering detected" -ForegroundColor Green
}

# 2. Run KAPE help to verify it executes
& "$usbDrive\IR-JumpBag\Tools\KAPE\kape.exe" --help | Select-Object -First 1

# 3. Test the COLLECT.bat script (dry run — verify it starts)
Write-Host "`nManual check: verify COLLECT.bat starts KAPE with correct parameters" -ForegroundColor Cyan

# 4. Test PowerShell module connections
try {
    Connect-ExchangeOnline -ShowBanner:$false
    Write-Host "Exchange Online: CONNECTED" -ForegroundColor Green
    Disconnect-ExchangeOnline -Confirm:$false
} catch {
    Write-Host "Exchange Online: FAILED — check credentials" -ForegroundColor Red
}

# 5. Verify USB drive health
$diskInfo = Get-CimInstance Win32_DiskDrive | Where-Object { $_.MediaType -like "*Removable*" }
if ($diskInfo) {
    Write-Host "USB drive: $($diskInfo.Model) — $([math]::Round($diskInfo.Size/1GB))GB — OK" -ForegroundColor Green
} else {
    Write-Host "USB drive: NOT DETECTED — check connection" -ForegroundColor Red
}

# 6. Check tool versions against latest
Write-Host "`nManual checks:" -ForegroundColor Cyan
Write-Host "  - Visit ericzimmerman.github.io — check for EZTools updates" -ForegroundColor White
Write-Host "  - Visit kroll.com/kape — check for KAPE updates" -ForegroundColor White
Write-Host "  - Visit github.com/Velocidex/velociraptor — check for Velociraptor updates" -ForegroundColor White
Write-Host "  - Verify contact sheet is current — call each number" -ForegroundColor White
Write-Host "  - Update quarterly: sync KAPE, re-download EZTools, rebuild collector" -ForegroundColor White

The monthly test takes 15 minutes. Run it on the first Monday of each month. If any step fails, fix it immediately — the next incident will not wait for you to troubleshoot the jump bag. The quarterly update cycle (every 3 months) syncs KAPE targets and modules, updates EZTools to the latest versions, rebuilds the Velociraptor standalone collector with the latest release, and re-hashes all binaries.