Container Runtime State and Events
Location
containerd or Docker daemon log (`journalctl -u containerd` / `journalctl -u docker`), runtime state directory (`/var/lib/containerd`, `/var/lib/docker`)
Description
Container runtime logs and on-disk state, including active container metadata, image layer references, networking configuration, and OCI runtime events. This state persists after a container is terminated and can recover information about short-lived workloads.
Forensic Value
When a compromised container has been evicted or replaced, the runtime state directory may still hold the container configuration (CRI-O/containerd JSON files), recent log tail, and layer references. Combined with the image registry, these reconstruct what actually ran and for how long.
| Tools Required | Collection Commands |
| --- | --- |
| crictl | `crictl ps -a --output json > containers.json`; `crictl images --output json > images.json` |
| containerd (ctr) | `ctr --namespace k8s.io containers list`; `ctr --namespace k8s.io tasks list` |
| docker | `docker inspect $(docker ps -aq) > docker_containers.json`; `journalctl -u docker > dockerd.log` |
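Once `containers.json` and `images.json` have been saved with the crictl commands above, the two files can be turned into a per-container timeline (creation time, state, restart count, image) and checked against the provenance problems listed under Related Blockers. The script below is an added example, not part of this page's tooling; the sample JSON is constructed in the shape of `crictl ps -a --output json` / `crictl images --output json` (CRI list responses, with `createdAt` as nanoseconds since the epoch), and `APPROVED_REGISTRIES` is an assumed allowlist.

```python
"""Reconstruct a container timeline from saved crictl JSON output (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `crictl ps -a --output json`.
CONTAINERS_JSON = """{"containers": [
 {"id": "a1b2c3", "podSandboxId": "p1", "metadata": {"name": "api", "attempt": 0},
  "image": {"image": "registry.internal/team/api:1.4.2"}, "imageRef": "sha256:1111",
  "state": "CONTAINER_RUNNING", "createdAt": "1700000000000000000"},
 {"id": "d4e5f6", "podSandboxId": "p2", "metadata": {"name": "miner", "attempt": 3},
  "image": {"image": "docker.io/example/tool:latest"}, "imageRef": "sha256:2222",
  "state": "CONTAINER_EXITED", "createdAt": "1700003600000000000"}]}"""

# Constructed sample in the shape of `crictl images --output json`.
IMAGES_JSON = """{"images": [
 {"id": "sha256:1111", "repoTags": ["registry.internal/team/api:1.4.2"],
  "repoDigests": ["registry.internal/team/api@sha256:aaaa"]},
 {"id": "sha256:2222", "repoTags": ["docker.io/example/tool:latest"], "repoDigests": []}]}"""

APPROVED_REGISTRIES = ("registry.internal/",)  # assumption: the organisation's registry allowlist


def ns_to_iso(ns: str) -> str:
    """CRI timestamps are int64 nanoseconds serialised as strings; keep whole seconds, UTC."""
    return datetime.fromtimestamp(int(ns) // 10**9, tz=timezone.utc).isoformat()


def provenance_flags(image_name: str, image: dict) -> list:
    """Flag the conditions from 'Compromised Image Pulled from Untracked Registry'."""
    flags = []
    if not image_name.startswith(APPROVED_REGISTRIES):
        flags.append("untracked-registry")
    last = image_name.rsplit("/", 1)[-1]          # repo[:tag] without the registry path
    if image_name.endswith(":latest") or ":" not in last:
        flags.append("mutable-tag")               # :latest or no tag at all
    if not image.get("repoDigests"):
        flags.append("no-digest")                 # cannot be pinned to a registry digest
    return flags


def build_timeline(containers_json: str, images_json: str) -> list:
    """Join containers to their image records and order them by creation time."""
    images = {i["id"]: i for i in json.loads(images_json)["images"]}
    rows = []
    for c in json.loads(containers_json)["containers"]:
        name = c["image"]["image"]
        rows.append({"created": ns_to_iso(c["createdAt"]), "container": c["metadata"]["name"],
                     "restarts": c["metadata"].get("attempt", 0), "state": c["state"],
                     "image": name, "flags": provenance_flags(name, images.get(c["imageRef"], {}))})
    return sorted(rows, key=lambda r: r["created"])


if __name__ == "__main__":
    for row in build_timeline(CONTAINERS_JSON, IMAGES_JSON):
        print(row)
```

Exited containers still appear in the output because `crictl ps -a` lists them until garbage collection, which is why the constraint below asks for early preservation.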
Collection Constraints
- Managed nodes may restrict SSH; use `kubectl debug node` or cloud-provider SSH proxies
- Garbage collection of stopped containers happens periodically; preserve this state as early as possible after the incident
Related Blockers
Compromised Image Pulled from Untracked Registry
The running container image cannot be traced to a specific, approved build: it was pulled from an external or unapproved registry, built outside standard CI/CD, or carries a mutable tag like `:latest`. Provenance is missing, an SBOM is unavailable, and malicious content cannot be distinguished from a legitimate base image.
Ephemeral Container Terminated Before Evidence Capture
The compromised container was terminated, evicted, or replaced (pod restart, autoscaling event, deployment rollout) before forensic evidence could be collected. The container filesystem and local state are gone; response must pivot to control-plane audit, node-level artifacts, and image-registry provenance.