Safe isolation of device under forensics analysis
-
Hi,
any recommendations for safe isolation of a device under forensics analysis?
I have one old router that might be infected or captured as a bot, and I want to study it. I guess the router might try to connect to external C2 servers or sniff my traffic. I was wondering what a safe method is for connecting this possibly dangerous router to my examination laptop. My first idea: connect this router to a pfSense interface and VLAN (with no other hosts in that subnet) and use the firewall rules to block all egress traffic from the router towards the firewall and WAN. Then test it with reconnaissance tools and figure out what it has eaten. Or, maybe use a VM for examination.
Any other ideas anyone? How to keep danger for my examination laptop minimal?
-
@Terho said in Safe isolation of device under forensics analysis:
Hi,
any recommendations for safe isolation of a device under forensics analysis?
I have one old router that might be infected or captured as a bot, and I want to study it. I guess the router might try to connect to external C2 servers or sniff my traffic. I was wondering what a safe method is for connecting this possibly dangerous router to my examination laptop. My first idea: connect this router to a pfSense interface and VLAN (with no other hosts in that subnet) and use the firewall rules to block all egress traffic from the router towards the firewall and WAN. Then test it with reconnaissance tools and figure out what it has eaten. Or, maybe use a VM for examination.
Any other ideas anyone? How to keep danger for my examination laptop minimal?
To safely isolate and analyze a potentially compromised router, your approach using pfSense and VLANs is a solid starting point. As you suggested, use VLANs to isolate the router. Ensure that the VLAN for the router has no routes to the WAN or other internal networks. This prevents any accidental communication with external servers.
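Once the quarantine VLAN has a block-all rule with logging enabled, the firewall log itself tells you what the router tries to reach. As an added example (not code from any poster here), a small parser that counts blocked egress attempts from the quarantined router in pfSense filterlog output. It assumes filterlog's CSV field layout for IPv4 (rule, subrule, anchor, tracker, interface, reason, action, direction, ipver, then tos, ecn, ttl, id, offset, flags, proto-id, proto, length, src, dst, and for TCP/UDP srcport, dstport); the interface name igb1.50, the router address 192.0.2.10 and the log lines are constructed for the example.

```python
"""Summarise blocked egress attempts from a quarantined router in pfSense filterlog lines.

Assumed field layout (pfSense filterlog CSV, IPv4):
  rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
  offset,flags,proto_id,proto,length,src,dst,[srcport,dstport,...]
ICMP and other protocols carry different trailing fields and are reported without a port.
"""
from collections import Counter
import re

# Constructed sample lines (not real captures); igb1.50 is the hypothetical quarantine VLAN.
SAMPLE_LOG = """\
Mar  3 10:01:02 pfSense filterlog[4321]: 5,,,1000000103,igb1.50,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,44321,443,0,S,123,,64240,,mss
Mar  3 10:01:03 pfSense filterlog[4321]: 5,,,1000000103,igb1.50,match,block,in,4,0x0,,64,2,0,none,17,udp,62,192.0.2.10,203.0.113.53,51000,53,42
Mar  3 10:01:05 pfSense filterlog[4321]: 5,,,1000000103,igb1.50,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,44322,443,0,S,124,,64240,,mss
Mar  3 10:01:09 pfSense filterlog[4321]: 5,,,1000000103,igb1.50,match,block,in,4,0x0,,64,4,0,none,1,icmp,84,192.0.2.10,198.51.100.9,request,9,1
Mar  3 10:01:10 pfSense filterlog[4321]: 7,,,1000000104,igb0,match,pass,in,4,0x0,,64,5,0,DF,6,tcp,60,10.0.0.5,192.0.2.10,40000,22,0,S,1,,65535,,mss
"""

LINE_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")


def blocked_egress(log_text: str, router_ip: str, iface: str) -> Counter:
    """Count (proto, dst, dstport) tuples the router tried and pfSense blocked on the quarantine VLAN."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = m.group("csv").split(",")
        # Only inbound-to-firewall IPv4 blocks on the quarantine interface are of interest.
        if len(f) < 20 or f[4] != iface or f[6] != "block" or f[7] != "in" or f[8] != "4":
            continue
        proto, src, dst = f[16], f[18], f[19]
        if src != router_ip:
            continue
        # TCP and UDP carry srcport/dstport at fields 20/21; other protocols do not.
        dport = f[21] if proto in ("tcp", "udp") and len(f) > 21 else "-"
        hits[(proto, dst, dport)] += 1
    return hits


def report(hits: Counter) -> list:
    """Most-contacted destinations first, as plain strings for the analyst's notes."""
    return [f"{n}x {p} -> {d}:{port}" for (p, d, port), n in hits.most_common()]


if __name__ == "__main__":
    print("\n".join(report(blocked_egress(SAMPLE_LOG, "192.0.2.10", "igb1.50"))))
```

Feed it the raw filter log (Status > System Logs > Firewall, or the clog/syslog export) with the real quarantine interface and router address; the repeated destinations are the candidates to look up before you power the device on again.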
-
@Terho said in Safe isolation of device under forensics analysis:
Any other ideas anyone? How to keep danger for my examination laptop minimal?
Use a VM, snapshot it and connect that, rather than the host laptop, to the isolated VLAN. Probably easier to accomplish if you use the laptop's ethernet.