in all cases: if starting something compromised: disconnect internet first
shared folder
Doesn’t apply to Qubes and could use links to existing documentation for virtualizer specific instructions.
Turn on your compromised machine
This shouldn’t be done or at least this should be considered a less secure option. With forensics and malware infections:
- don’t continue to power on the hardware again
- make an image and copy of that image before working with the image
Connect new external storage
I know what you mean but many users probably won’t. Needs to be clarified a bit what is considered new, i.e. not the ones connected to the infected host and why, to prevent BadUSB.
untrusted external USB or HDDs
Same as above. Untrusted probably meaning: no data stored on it that you care about or wiped beforehand, and knowing that this device can never be connected again to any non-compromised computer. Perhaps trusted/untrusted doesn’t describe it well? Perhaps better compromised/non-compromised or infected/uninfected? The previously uninfected HDD should be considered infected after being connected to a malicious machine?
Threat model: You know or highly suspect that the Workstation is compromised, but there was no VM breakout.
- Transfer your data out of the Workstation via shred folder.
If so: remove internet connection first.
But then still applies: It is easier but not the most secure option.
Threat model: You know or highly suspect that the Gateway is compromised, but there was no VM breakout.
A compromised Gateway has no access to the host resources. Only the Workstation should be considered compromised along with any data that it contains or is in shared folders it can access.
Why should the workstation be considered compromised? By mistake wrote workstation but meant gateway?