Investigation Requires Air-Gapped Network Access

The affected systems are on an isolated network segment with no connectivity to standard IR tooling (EDR management plane, SIEM, evidence-transfer channels). Acquisition and analysis must happen via physical media or through carefully controlled trusted-transfer workflows that do not bridge the air gap, since an ad hoc connection made for the investigation would itself be a security incident in most air-gapped environments.

Signals

  • Target systems have no route to EDR, SIEM, or evidence-management infrastructure
  • Network segmentation rules explicitly block the target environment from central services
  • Standard remote-forensic tooling (Velociraptor, GRR, live EDR console) cannot reach the target

Pivot Actions

  1. Use write-protected forensic boot media (Paladin, CAINE) and hardware write-blockers for local acquisition; carry acquired images out on a dedicated, sanitized evidence drive, not on commodity USB
  2. Establish a trusted-transfer workflow with a data diode, physical media, or controlled one-way sneakernet; record a hash of every artifact on the sending side, re-hash and compare on the receiving side, and log both results with the transfer
  3. Perform offline triage with local tooling (KAPE, Volatility, Autopsy) inside the air-gapped environment rather than exfiltrating everything for central analysis; carry out only what the case needs
  4. Coordinate with the air-gap operator on approved tooling and media; many air-gapped environments (OT, classified, SCIF) have specific approved-tool lists, and bringing unapproved media in can be a bigger problem than the incident
  5. Plan for extended analysis time -- offline analysis without cloud-assisted tooling (threat-intel lookups, sandbox detonation, symbol downloads) is slower than the cloud-backed norm
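The transfer step above (hash on both sides, document every transfer) is easy to describe and easy to get wrong under time pressure. The script below is an added example, not tooling from the original page: it builds a per-file SHA-256 manifest on the air-gapped side, appends a custody record, then verifies the manifest on the receiving side and fails on any mismatch or missing file. It assumes POSIX sh with GNU coreutils (sha256sum, find, mktemp, date) on both sides and evidence paths without whitespace; the "image" it hashes is a constructed stand-in for a real acquisition.

```shell
#!/bin/sh
# Added example (not from the original page): minimal trusted-transfer
# manifest workflow for carrying evidence across an air gap.
# Assumptions: POSIX sh + GNU coreutils on both sides; evidence files sit in
# one directory; paths contain no whitespace. Sample data is constructed.
set -eu

# Source (air-gapped) side: hash every file under the evidence directory into
# a manifest, sorted by path. Prints the manifest's own hash so it can be
# written on the chain-of-custody form and checked out of band.
make_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$manifest"
    sha256sum "$manifest" | cut -d' ' -f1
}

# Receiving side: recompute each hash and compare. Reports every mismatch or
# missing file on stderr; returns 0 only when every entry matches.
verify_manifest() {
    dir=$1; manifest=$2; bad=0
    while read -r expected path; do
        if [ -f "$dir/$path" ]; then
            actual=$(sha256sum "$dir/$path" | cut -d' ' -f1)
        else
            actual=missing
        fi
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path expected=$expected actual=$actual" >&2
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Append a custody record (UTC time, side, handler, manifest hash seen there).
# Plain tab-separated text so it survives on any approved media.
log_transfer() {
    log=$1; side=$2; who=$3; manifest_hash=$4
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$side" "$who" "$manifest_hash" >> "$log"
}

# Constructed demo: fake an acquired image on the source side, "sneakernet" it,
# verify it intact, then tamper with the copy and confirm verification fails.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src" "$work/dst"
    # Stand-in for a disk image. A real acquisition would hash as it writes, e.g.
    #   dd if=/dev/sdb bs=4M | tee "$work/src/image.dd" | sha256sum
    printf 'constructed sample image bytes\n' > "$work/src/image.dd"
    printf 'constructed acquisition notes\n'  > "$work/src/acq.log"

    mh=$(make_manifest "$work/src" "$work/MANIFEST.sha256")
    log_transfer "$work/custody.log" source analyst1 "$mh"

    cp "$work/src"/* "$work/dst"/                  # the physical transfer
    cp "$work/MANIFEST.sha256" "$work/dst.sha256"  # manifest travels with media

    result=""
    if verify_manifest "$work/dst" "$work/dst.sha256"; then
        rh=$(sha256sum "$work/dst.sha256" | cut -d' ' -f1)
        log_transfer "$work/custody.log" receiver analyst2 "$rh"
        result="intact"
    fi
    printf 'tampered\n' >> "$work/dst/image.dd"    # simulate a modified copy
    if verify_manifest "$work/dst" "$work/dst.sha256" 2>/dev/null; then
        result="$result,undetected"
    else
        result="$result,tamper-detected"
    fi
    rm -rf "$work"
    echo "$result"
}

run_demo
```

Both the manifest and the custody log should be read back from the media on the receiving side, not regenerated there; the point of hashing on both sides is that the two records were produced independently and can be compared. If the manifest hash written on the custody form does not match the manifest file that arrived, treat the whole transfer as suspect.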

Alternate Evidence Sources

  • Local forensic tooling approved for the air-gapped environment (KAPE, Autopsy, Volatility with offline symbol files)
  • Jump-server or terminal-server logs that capture interactive access to the air-gapped segment
  • Data-diode or approved trusted-transfer evidence flow with documented hash verification
  • Physical media (write-blocked USB, optical media) with chain-of-custody documentation