containerd Runtime State and Snapshots

Linux, Execution Evidence, containerd, Disk Image

Location

/var/lib/containerd/, /run/containerd/, /etc/containerd/config.toml, and ctr/crictl metadata

Description

containerd runtime artifacts including namespaces, containers, tasks, snapshots, content-store metadata, runtime sockets, and configuration. Common on Kubernetes nodes and modern container hosts even when Docker is not installed.

Forensic Value

containerd state is essential on current Kubernetes nodes because it records which images, snapshots, and tasks existed even when attacker workloads were short-lived. It helps prove which containers ran, what image digests were used, whether privileged workloads executed, and where writable snapshot data may still hold attacker tooling or exfiltration traces.

Tools Required

ctr, crictl, cp, tar

Collection Commands

ctr

ctr -n k8s.io containers ls > /forensics/output/containerd_containers.txt

ctr

ctr -n k8s.io snapshots ls > /forensics/output/containerd_snapshots.txt

cp

cp /etc/containerd/config.toml /forensics/output/containerd_config.toml 2>/dev/null

tar

tar czf /forensics/output/containerd_state.tar.gz /var/lib/containerd /run/containerd 2>/dev/null
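The four commands above are one collection procedure. As an added example (not part of the original entry and not a containerd or Kubernetes project script), the POSIX shell wrapper below runs them with the output directory as a parameter and records OK / SKIPPED / FAILED per step in a collection log instead of discarding errors with 2>/dev/null, then writes and verifies a SHA-256 manifest of everything collected. The namespace is read from an assumed CONTAINERD_NS variable (default k8s.io, as on the page). Beyond the page's commands it also captures `ctr namespaces ls`, `ctr tasks ls`, `ctr images ls` and `crictl ps -a`, which are standard subcommands of those tools.

```shell
#!/bin/sh
# Added example (not the page's own script): wraps the collection commands
# above so each step records OK / SKIPPED / FAILED in a log rather than hiding
# errors, then writes a SHA-256 manifest for chain of custody.
# Assumptions: output directory is a parameter; namespace comes from the
# CONTAINERD_NS variable (default k8s.io, as on the page).

NS="${CONTAINERD_NS:-k8s.io}"
LOG=""

# run_capture LABEL OUTFILE CMD [ARGS...]
# Runs CMD, saves its stdout to OUTFILE, sends stderr to the log, and appends
# a tab-separated status line. A missing tool is recorded, not fatal.
run_capture() {
    rc_label="$1"; rc_out="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\tSKIPPED\t%s not in PATH\n' "$rc_label" "$1" >> "$LOG"
        return 0
    fi
    rc=0
    "$@" > "$rc_out" 2>> "$LOG" || rc=$?
    if [ "$rc" -eq 0 ]; then
        printf '%s\tOK\t%s\n' "$rc_label" "$rc_out" >> "$LOG"
    else
        printf '%s\tFAILED\t%s (exit %s)\n' "$rc_label" "$rc_out" "$rc" >> "$LOG"
    fi
    return 0
}

# write_manifest OUTDIR: hash every collected file so later tampering or
# truncation is detectable. Uses sha256sum, or shasum where coreutils is absent.
write_manifest() {
    wm_dir="$1"
    wm_manifest="$wm_dir/MANIFEST.sha256"
    if command -v sha256sum >/dev/null 2>&1; then
        wm_hasher="sha256sum"
    else
        wm_hasher="shasum -a 256"
    fi
    : > "$wm_manifest"
    for wm_f in "$wm_dir"/*; do
        if [ -f "$wm_f" ] && [ "$wm_f" != "$wm_manifest" ]; then
            $wm_hasher "$wm_f" >> "$wm_manifest" || true
        fi
    done
}

# verify_manifest OUTDIR: re-check the hashes; returns non-zero on any mismatch.
verify_manifest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c --quiet "$1/MANIFEST.sha256"
    else
        shasum -a 256 -c "$1/MANIFEST.sha256" >/dev/null
    fi
}

# collection_status LABEL OUTDIR: print OK, SKIPPED or FAILED for one step.
collection_status() {
    awk -F '\t' -v l="$1" '$1 == l { print $2 }' "$2/collection.log"
}

# manifest_count OUTDIR: number of hashed files in the manifest.
manifest_count() {
    wc -l < "$1/MANIFEST.sha256" | tr -d ' '
}

# collect_containerd OUTDIR: the page's four commands plus namespace, task,
# image and crictl listings (standard subcommands, not taken from the page).
collect_containerd() {
    cc_dir="$1"
    mkdir -p "$cc_dir" || return 1
    LOG="$cc_dir/collection.log"
    printf 'started\t%s\thost=%s\tns=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$NS" > "$LOG"
    run_capture namespaces "$cc_dir/containerd_namespaces.txt" ctr namespaces ls
    run_capture containers "$cc_dir/containerd_containers.txt" ctr -n "$NS" containers ls
    run_capture tasks      "$cc_dir/containerd_tasks.txt"      ctr -n "$NS" tasks ls
    run_capture snapshots  "$cc_dir/containerd_snapshots.txt"  ctr -n "$NS" snapshots ls
    run_capture images     "$cc_dir/containerd_images.txt"     ctr -n "$NS" images ls
    run_capture crictl_ps  "$cc_dir/crictl_ps.txt"             crictl ps -a
    run_capture config     "$cc_dir/containerd_config.toml"    cat /etc/containerd/config.toml
    # Archive the state directories; tar warnings (e.g. "file changed as we
    # read it" on a live node) land in the log instead of being discarded.
    run_capture state      "$cc_dir/containerd_state.tar.gz"   tar czf - /var/lib/containerd /run/containerd
    printf 'finished\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$LOG"
    write_manifest "$cc_dir"
}
```

On a node, source the file and run `collect_containerd /forensics/output/containerd`, then `verify_manifest /forensics/output/containerd` after the files have been copied off the host; a SKIPPED entry for the ctr steps is itself a finding (ctr is not installed, or the collector is not running with access to the containerd socket), and the log's started/finished timestamps bound the collection against the garbage-collection window noted below.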

Collection Constraints

  • containerd state is dense and can be pruned quickly by garbage collection or lost on a node reboot, so collect it early.
  • Runtime state on its own rarely shows who did what; pair it with audit, kubelet, or workload logs to reconstruct operator actions.

MITRE ATT&CK Techniques

T1610 (Deploy Container), T1611 (Escape to Host), T1525 (Implant Internal Image)