RE: LeoThread 2024-11-02 11:20

in LeoFinance, 3 months ago

The router was fully monitored, including its processes, file system, and network activity. We created a setup to conduct remote live forensic analysis whenever something suspicious caught our attention. To do so, a Raspberry Pi was connected to the router via UART, serving also as a network tap on the WAN interface, as illustrated in the diagram below. The UART access enabled us to receive alerts via our internal instant messaging application for any suspicious activity in the /tmp/ directory – as the rest of the filesystem is read-only – and at the running processes level.
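
The alerting described in the comment above can be sketched as a diff between two state snapshots taken over the serial console; this is an added example, not part of the original comment or the setup it describes. It assumes BusyBox-style `ps` output and a one-name-per-line listing of /tmp, and all sample data and function names are constructed.

```python
# Added example: compare a baseline snapshot of a monitored router with a
# later one and report new /tmp entries and new processes.
# Assumed input: one-name-per-line /tmp listing, BusyBox-style `ps` output.

def parse_ps(text):
    """Return {pid: command} from `ps` lines of the form PID USER VSZ STAT COMMAND."""
    procs = {}
    for line in text.strip().splitlines():
        parts = line.strip().split(None, 4)
        if len(parts) == 5 and parts[0].isdigit():  # skips the header row
            procs[int(parts[0])] = parts[4]
    return procs

def parse_ls(text):
    """Return the set of file names in a /tmp listing."""
    return {name.strip() for name in text.splitlines() if name.strip()}

def diff_snapshots(base, cur):
    """Return alert strings for anything in `cur` that is absent from `base`."""
    alerts = []
    # /tmp is the only writable location, so any new name there is notable.
    for name in sorted(parse_ls(cur["tmp"]) - parse_ls(base["tmp"])):
        alerts.append(f"new file in /tmp: {name}")
    # Compare by command line, not PID, so a restarted daemon is not flagged.
    known = set(parse_ps(base["ps"]).values())
    for pid, cmd in sorted(parse_ps(cur["ps"]).items()):
        if cmd not in known:
            tag = " (runs from /tmp)" if cmd.startswith("/tmp/") else ""
            alerts.append(f"new process pid={pid}: {cmd}{tag}")
    return alerts

# Constructed sample snapshots.
BASELINE = {
    "tmp": "resolv.conf\nhosts\n",
    "ps": "  PID USER       VSZ STAT COMMAND\n"
          "    1 root      1576 S    /sbin/init\n"
          "  412 root      1204 S    /usr/sbin/httpd -p 80\n",
}
CURRENT = {
    "tmp": "resolv.conf\nhosts\nupd.bin\n",
    "ps": "  PID USER       VSZ STAT COMMAND\n"
          "    1 root      1576 S    /sbin/init\n"
          "  498 root      1204 S    /usr/sbin/httpd -p 80\n"
          "  731 root       900 S    /tmp/upd.bin\n",
}

if __name__ == "__main__":
    for alert in diff_snapshots(BASELINE, CURRENT):
        print(alert)
```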