# Asset Isolation

Asset Isolation enables you to completely isolate an asset from all network communication **except** its connection to the AIR Console. This allows your investigation to proceed with full AIR capabilities while preventing threat actors from accessing the asset or external parties from interfering with the investigation.

{% hint style="warning" %}
**Key Point:** An isolated asset can only communicate with the AIR Console. All other network connections—inbound and outbound—are blocked.
{% endhint %}

## Why Use Asset Isolation?

When you suspect an asset has been compromised, you face a dilemma:

* **Leave it connected** → Risk the threat actor maintaining access, exfiltrating data, or destroying evidence
* **Disconnect it completely** → Lose the ability to perform remote forensic collection

Asset Isolation solves this by **cutting off the threat actor while preserving your investigative access**. The asset remains fully manageable through AIR, enabling you to collect evidence, run queries, and interact with the system—all while the asset is protected from external interference.

## How It Works

When you isolate an asset:

1. **All existing network connections are terminated** — Any active connections to other systems are immediately dropped
2. **New network connections are blocked** — The asset cannot establish connections to any external system
3. **AIR Console communication is preserved** — The Responder maintains its connection to the Console
4. **Full AIR capabilities remain available** — Acquisition, Hunt/Triage, interACT, and Time-lining all continue to function

### Technical Implementation

This feature uses a **Kernel Mode Driver** for performing the isolation. It operates independently of Windows Firewall, ensuring reliable isolation regardless of firewall configuration or state.

{% hint style="success" %}
**Persistence:** Asset Isolation survives reboots. If you restart an isolated asset from the AIR Console, it will remain isolated after the reboot until you explicitly un-isolate it from the Asset Details page.
{% endhint %}

{% hint style="info" %}
**Connection Reliability:** The Responder uses advanced connection verification routines—including DNS cache persistence, fallback DNS mechanisms, and extended retry durations—to ensure isolated assets maintain reliable Console connectivity even in complex network environments.
{% endhint %}
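A defender-side check of the three rules above, added here as an example and not code from Binalyze AIR or its Responder: it parses a connection table in the shape of Windows `netstat -ano` output (a constructed sample, with 203.0.113.10:443 assumed as the Console address) and reports any non-loopback connection, established or half-open, whose remote endpoint is not the Console.

```python
import ipaddress
import re

# Constructed sample in the shape of Windows `netstat -ano` output (not a real capture).
# 203.0.113.10:443 stands in for the Console; the other remote hosts are arbitrary.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    10.0.0.25:49712        203.0.113.10:443       ESTABLISHED     3120
  TCP    10.0.0.25:49801        198.51.100.7:8443      ESTABLISHED     5532
  TCP    10.0.0.25:49805        10.0.0.40:445          SYN_SENT        5532
  TCP    [::1]:49670            [::1]:49671            ESTABLISHED     1188
  UDP    10.0.0.25:137          *:*                                    4
"""
CONSOLE_ENDPOINTS = {("203.0.113.10", 443)}  # assumed Console IP and port
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def split_endpoint(addr):
    """'host:port' (IPv4 or [IPv6]) -> (host, port); wildcard '*:*' -> (None, None)."""
    host, _, port = addr.rpartition(":")
    if host in ("", "*") or port == "*":
        return None, None
    return host.strip("[]"), int(port)

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and title lines do not match and are skipped
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": split_endpoint(local),
                         "remote": split_endpoint(foreign), "state": state or "", "pid": int(pid)})
    return rows

def isolation_violations(text, console_endpoints):
    """Rows that contradict isolation: ESTABLISHED rows are leftovers rule 1 should have
    terminated, SYN_SENT rows are new attempts rule 2 should have blocked."""
    violations = []
    for row in parse_netstat(text):
        host, port = row["remote"]
        if row["state"] == "LISTENING" or host is None:
            continue  # listening sockets and unbound UDP rows carry no peer
        if ipaddress.ip_address(host).is_loopback or (host, port) in console_endpoints:
            continue  # local IPC and the Console link are expected to survive
        violations.append(row)
    return violations

def isolation_holds(text, console_endpoints):
    return not isolation_violations(text, console_endpoints)
```

On a real host, feed the actual `netstat -ano` output and your Console address; an empty result means no connection contradicted the isolation policy at capture time.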

## What Remains Available

During isolation, all AIR capabilities continue to function:

| Action                      | Status      | Purpose                             |
| --------------------------- | ----------- | ----------------------------------- |
| **Acquisition**             | ✅ Available | Collect forensic evidence           |
| **Hunt/Triage**             | ✅ Available | Search for indicators of compromise |
| **interACT**                | ✅ Available | Live interaction with the asset     |
| **Time-lining**             | ✅ Available | Build activity timelines            |
| **Scheduled Tasks**         | ✅ Available | Automated task execution continues  |
| **External Network Access** | ❌ Blocked   | Threat actor access denied          |

## Use Cases

### Incident Response Containment

When you identify a potentially compromised asset, immediately isolate it to prevent:

* Threat actors from maintaining command and control access
* Data exfiltration to external servers
* Lateral movement to other assets on the network
* Remote destruction of evidence

### Active Investigation

Isolation allows you to investigate a live system without interference. The threat actor cannot detect your investigation activities or take countermeasures while the asset is isolated.

### Evidence Preservation

By isolating the asset, you ensure that evidence remains intact during collection. No external process can modify, encrypt, or delete files while you're acquiring them.

{% hint style="success" %}
**Best Practice:** When responding to a suspected compromise, isolate the asset first, then begin your forensic acquisition. This ensures you capture evidence in its current state without risk of tampering.
{% endhint %}

## Isolating and Un-isolating Assets

### To Isolate an Asset

1. Navigate to the asset in the AIR Console
2. Open the **More Actions** menu
3. Select **Isolate Asset**

The asset will immediately be isolated from all network communication except the AIR Console.

### To Un-isolate an Asset

1. Navigate to the isolated asset's **Asset Details** page
2. Select **Un-isolate Asset**

Network connectivity will be restored and the asset can resume normal operations.

## Comparison with Maintenance Mode

Both features control asset behaviour, but serve different purposes:

| Feature             | Asset Isolation            | Maintenance Mode      |
| ------------------- | -------------------------- | --------------------- |
| **Primary Purpose** | Network containment        | Prevent task creation |
| **Network Access**  | ❌ Blocked (except Console) | ✅ Normal              |
| **Task Creation**   | ✅ Allowed                  | ❌ Blocked             |
| **Acquisition**     | ✅ Available                | ❌ Blocked             |
| **Hunt/Triage**     | ✅ Available                | ❌ Blocked             |
| **interACT**        | ✅ Available                | ✅ Available           |

{% hint style="info" %}
**When to use which?**

* Use **Asset Isolation** when you need to contain a potentially compromised asset—cut off threat actor access while continuing your investigation
* Use **Maintenance Mode** when you need to prevent task creation for an asset during planned maintenance or diagnostics
{% endhint %}
