
analyzing-docker-container-forensics

Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
26zl/cybersec-toolkit · ★ 11 · DevOps & Infrastructure · score 85
Install: claude install-skill 26zl/cybersec-toolkit
# Analyzing Docker Container Forensics

## When to Use

- When investigating a compromised Docker container or container host
- For analyzing malicious Docker images pulled from registries
- During incident response involving containerized application breaches
- When examining container escape attempts or privilege escalation
- For auditing container configurations and identifying misconfigurations

## Prerequisites

- Docker CLI access on the forensic workstation
- Access to the Docker host file system (forensic image or live)
- Understanding of the Docker layered file system (overlay2, aufs)
- dive, docker-explorer, or container-diff for image analysis
- Knowledge of Docker daemon configuration and socket security
- Trivy or Grype for vulnerability scanning of container images

## Workflow

### Step 1: Preserve Container State and Evidence

```bash
# List all containers (including stopped)
docker ps -a --no-trunc > /cases/case-2024-001/docker/container_list.txt

# Inspect the compromised container
CONTAINER_ID="abc123def456"
docker inspect $CONTAINER_ID > /cases/case-2024-001/docker/container_inspect.json

# Export container filesystem as tarball (preserves current state)
docker export $CONTAINER_ID > /cases/case-2024-001/docker/container_export.tar

# Create an image from the container's current state
docker commit $CONTAINER_ID forensic-evidence:case-2024-001
docker save forensic-evidence:case-2024-001 > /cases/case-2024-001/docker/container_image.tar

# Capture container logs
```
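Once `container_inspect.json` has been preserved, the first triage question is whether the container's configuration gave an attacker a path to the host. The script below is an added example and is not part of the 26zl/cybersec-toolkit skill: it reads a `docker inspect` JSON file and flags the settings an investigator should look at first (privileged mode, shared host namespaces, added capabilities, disabled seccomp/AppArmor, sensitive host-path and Docker-socket mounts, root user), and it surfaces the overlay2 `UpperDir` path, which is where the container's own filesystem changes live on the host. The embedded inspect record is constructed for the example; the file path argument and the severity labels are this script's own conventions, not Docker's.

```python
"""Triage a saved `docker inspect` JSON file for escape-relevant settings.

Added example for the evidence-preservation step above; not part of the
cybersec-toolkit skill. Reads the container_inspect.json written in Step 1
(or the constructed sample below) and lists findings, highest severity first.
"""
import json
import sys
from typing import Any

# Capabilities that, when added, give a process broad reach over the host kernel.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH",
                  "NET_ADMIN", "SYS_RAWIO", "ALL"}
# Host paths whose exposure inside a container is a common escape vector.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock"}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

# Constructed sample of `docker inspect <id>` output (abbreviated; the real
# command returns a JSON array with one object per container). Every value is
# invented for this example and does not describe any real case.
SAMPLE_INSPECT = json.dumps([{
    "Id": "abc123def456",
    "Name": "/web-frontend",
    "Config": {"User": "", "Image": "example/web:1.0"},
    "HostConfig": {
        "Privileged": False,
        "PidMode": "host",
        "NetworkMode": "bridge",
        "IpcMode": "private",
        "CapAdd": ["SYS_PTRACE"],
        "SecurityOpt": ["seccomp=unconfined"],
    },
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/app_data/_data",
         "Destination": "/data", "RW": True},
    ],
    "GraphDriver": {"Name": "overlay2",
                    "Data": {"UpperDir": "/var/lib/docker/overlay2/<layer-id>/diff"}},
}])


def triage_inspect(inspect_json: str) -> list[dict[str, str]]:
    """Return findings as {"severity", "item", "detail"} dicts, highest first."""
    containers: list[dict[str, Any]] = json.loads(inspect_json)
    findings: list[dict[str, str]] = []

    def add(sev: str, item: str, detail: str) -> None:
        findings.append({"severity": sev, "item": item, "detail": detail})

    for c in containers:
        host = c.get("HostConfig") or {}
        cfg = c.get("Config") or {}

        if host.get("Privileged"):
            add("HIGH", "privileged", "runs with --privileged (all caps, host devices)")
        for mode in ("PidMode", "NetworkMode", "IpcMode"):
            if host.get(mode) == "host":
                add("HIGH", mode, f"{mode}=host shares that host namespace")
        for cap in host.get("CapAdd") or []:
            if cap.upper().removeprefix("CAP_") in HIGH_RISK_CAPS:
                add("HIGH", "cap_add", f"{cap} added to the container")
        for opt in host.get("SecurityOpt") or []:
            if opt.endswith("unconfined"):
                add("MEDIUM", "security_opt", f"{opt} disables a sandboxing layer")
        for m in c.get("Mounts") or []:
            src = m.get("Source", "")
            norm = src.rstrip("/") or "/"
            if norm in SENSITIVE_HOST_PATHS or norm.endswith("docker.sock"):
                rw = "rw" if m.get("RW", True) else "ro"
                add("HIGH", "mount", f"host path {src} at {m.get('Destination')} ({rw})")
        if (cfg.get("User") or "") in ("", "root", "0", "0:0"):
            add("LOW", "user", "process runs as root inside the container")
        upper = ((c.get("GraphDriver") or {}).get("Data") or {}).get("UpperDir")
        if upper:
            add("INFO", "upperdir", f"writable layer (container's own changes) at {upper}")

    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    # Usage: python triage_inspect.py /cases/case-2024-001/docker/container_inspect.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for f in triage_inspect(data):
        print(f"[{f['severity']:<6}] {f['item']:<13} {f['detail']}")
```

Run against the sample, the socket mount, the shared PID namespace and `SYS_PTRACE` come out as HIGH, so they are the first items to correlate with process and log evidence; the `UpperDir` finding tells you where on the host to diff the container's writable layer against its image.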