Docker / Container Runtime Artifacts
Location
/var/lib/docker/ (containers/, image/, overlay2/, volumes/) and docker daemon logs
Description
Docker daemon artifacts: per-container configuration (config.v2.json and hostconfig.json under containers/<id>/), image layers and manifests (image/), the overlay2 upper (diff) layers holding every file a container created, changed or deleted since it started, named volumes (volumes/), network settings, and the container's stdout/stderr log (containers/<id>/<id>-json.log under the default json-file logging driver). The daemon's own log (journald or /var/log/docker.log, depending on the host) records container creation, start and stop events.
Forensic Value
Container forensics matters because attackers increasingly land in, escape from, or persist through containerized workloads. config.v2.json and hostconfig.json record the image (by tag and by sha256 digest), the entrypoint and arguments, environment variables (which frequently carry credentials), bind mounts into host directories, and the Privileged, CapAdd, PidMode and NetworkMode settings that decide whether the container was effectively root on the host. The overlay2 upper (diff) layer contains only what changed after the container started, so it isolates attacker activity from the base image; deleted files survive there as whiteout entries. The json-file logs hold the main process's stdout and stderr, which may include exploitation attempts and, where the application logged it, C2 communication. Host paths bind-mounted into the container, /var/run/docker.sock above all, mark the host data and host control an attacker inside the container could reach.
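The settings called out above can be triaged straight from the collected files without a running daemon. The following is an added example (my code, not part of the original page or of Docker); it assumes the standard containers/<id>/config.v2.json and hostconfig.json layout, and the SAMPLE_* dictionaries, the SECRET_ENV pattern and the SENSITIVE_HOST_PATHS list are constructed heuristics for the example, not values from any real host.

```python
#!/usr/bin/env python3
"""Triage a container's on-disk configuration for high-risk settings.

Added example, not from the original page. It reads the two JSON files
Docker keeps per container under /var/lib/docker/containers/<id>/:
config.v2.json (Name, Path/Args, Config.Image, Config.Env, ...) and
hostconfig.json (Privileged, CapAdd, Binds, PidMode, NetworkMode, ...).
The SAMPLE_* dictionaries are constructed for this example; the key names
follow the real file layout, the values do not come from any real host.
"""
import json
import re
from pathlib import Path

# Env var names that usually carry credentials (heuristic, tune per case).
SECRET_ENV = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|AWS_ACCESS|PRIVATE_KEY", re.I)

# Host paths whose bind-mount hands the container host data or host control.
SENSITIVE_HOST_PATHS = {
    "/", "/etc", "/root", "/home", "/proc", "/sys", "/dev",
    "/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker",
}


def triage(config: dict, hostconfig: dict) -> list[str]:
    """Return one finding per risky setting, preceded by an identity line."""
    cfg = config.get("Config") or {}
    name = config.get("Name", "?")
    cmd = " ".join([config.get("Path", "")] + list(config.get("Args") or []))
    findings = [f"{name}: image={cfg.get('Image')} id={config.get('Image')} cmd={cmd}"]
    if hostconfig.get("Privileged"):
        findings.append(f"{name}: Privileged=true (all devices and capabilities)")
    for cap in hostconfig.get("CapAdd") or []:
        findings.append(f"{name}: added capability {cap}")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hostconfig.get(key) == "host":
            findings.append(f"{name}: {key}=host (shares the host namespace)")
    for bind in hostconfig.get("Binds") or []:
        # Binds look like "hostpath:containerpath[:opts]"; named volumes have no leading "/".
        host_path = bind.split(":", 1)[0]
        if (host_path.rstrip("/") or "/") in SENSITIVE_HOST_PATHS:
            findings.append(f"{name}: sensitive host path bind-mounted: {bind}")
    for entry in cfg.get("Env") or []:
        key = entry.split("=", 1)[0]
        if SECRET_ENV.search(key):
            findings.append(f"{name}: credential-like environment variable {key}")
    return findings


def triage_dir(container_dir: Path) -> list[str]:
    """Triage one <id>/ directory copied from /var/lib/docker/containers/."""
    config = json.loads((container_dir / "config.v2.json").read_text())
    hostconfig = json.loads((container_dir / "hostconfig.json").read_text())
    return triage(config, hostconfig)


# Constructed sample (not from a real host).
SAMPLE_CONFIG = {
    "Name": "/web",
    "Path": "nginx",
    "Args": ["-g", "daemon off;"],
    "Image": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "Config": {"Image": "nginx:1.25", "Env": ["PATH=/usr/sbin:/usr/bin", "DB_PASSWORD=hunter2"]},
}
SAMPLE_HOSTCONFIG = {
    "Privileged": False,
    "CapAdd": ["SYS_ADMIN"],
    "PidMode": "host",
    "NetworkMode": "bridge",
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/www:/usr/share/nginx/html:ro"],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # triage every <id>/ under the given containers/ tree
        for d in sorted(Path(sys.argv[1]).iterdir()):
            if (d / "config.v2.json").exists():
                print("\n".join(triage_dir(d)))
    else:
        print("\n".join(triage(SAMPLE_CONFIG, SAMPLE_HOSTCONFIG)))
```

Run it against the extracted containers/ directory from the tar archive (python3 triage.py /forensics/extract/var/lib/docker/containers) on the analysis box rather than on the suspect host; because it only reads the copied JSON, it works whether or not the daemon was running or trustworthy at collection time. The host-path list and the env-name pattern are starting points; widen them to whatever your environment treats as sensitive.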
Tools Required
tar, docker
Collection Commands
tar
tar czf /forensics/output/docker_configs.tar.gz /var/lib/docker/containers/
docker
docker ps -a --no-trunc --format "{{.ID}}|{{.Names}}|{{.Image}}|{{.Command}}|{{.CreatedAt}}|{{.Status}}|{{.Ports}}" > /forensics/output/docker_containers.txt
docker
for cid in $(docker ps -aq); do docker inspect "$cid" > "/forensics/output/docker_inspect_${cid}.json"; done
docker
for cid in $(docker ps -aq); do docker logs -t "$cid" > "/forensics/output/docker_logs_${cid}.txt" 2>&1; done
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- Container runtime state changes quickly; collect host-side Docker artifacts before garbage collection, a daemon restart, or image cleanup (docker system prune, docker rm) removes them.
- The docker commands above need a running daemon and trust its answers. If the daemon is stopped, or may have been tampered with, read config.v2.json, hostconfig.json and <id>-json.log directly from the collected containers/ tree; docker logs also only returns what the json-file driver still holds, so hosts using journald, syslog or the none driver keep that output elsewhere or not at all.
- Overlay and log evidence explains runtime behavior but still needs correlation with orchestrator or cloud-control-plane events in clustered environments.
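Reading the overlay evidence the last constraint refers to means finding the container's upper layer from its id and walking it without following links. The following added example (my code, not the page's or Docker's) does both; it assumes the default overlay2 storage driver and the standard /var/lib/docker layout, and the sample tree that build_sample_root() creates is constructed for the example.

```python
#!/usr/bin/env python3
"""List what a container wrote, changed or deleted in its overlay2 upper layer.

Added example, not from the original page. Docker maps a container id to
its overlay2 directory via
/var/lib/docker/image/overlay2/layerdb/mounts/<container-id>/mount-id, and
the writable ("upper") layer is /var/lib/docker/overlay2/<mount-id>/diff.
In that tree a deleted file is an overlayfs whiteout (character device 0:0)
and a directory that hides the image's version carries the
trusted.overlay.opaque xattr. build_sample_root() constructs a fake docker
root for the example; it cannot create whiteouts (that needs root), so the
whiteout branch is only exercised on a real /var/lib/docker.
"""
import os
import stat
import tempfile
from pathlib import Path


def upper_dir_for(docker_root: Path, container_id: str) -> Path:
    mounts = docker_root / "image" / "overlay2" / "layerdb" / "mounts"
    mount_id = (mounts / container_id / "mount-id").read_text().strip()
    return docker_root / "overlay2" / mount_id / "diff"


def walk_diff(diff_dir: Path) -> list[tuple[str, str]]:
    """Return (path relative to diff/, change kind) for every upper-layer entry."""
    changes = []
    for root, dirs, files in os.walk(diff_dir):
        for name in dirs + files:
            p = Path(root) / name
            st = os.lstat(p)  # never follow symlinks inside evidence
            if stat.S_ISCHR(st.st_mode) and st.st_rdev == 0:
                kind = "deleted (whiteout)"
            elif stat.S_ISDIR(st.st_mode):
                kind = "dir"
                try:  # trusted.* xattrs need CAP_SYS_ADMIN; degrade quietly without it
                    if os.getxattr(p, "trusted.overlay.opaque", follow_symlinks=False) == b"y":
                        kind = "dir (opaque: replaces the image's directory)"
                except (OSError, AttributeError):
                    pass
            elif stat.S_ISLNK(st.st_mode):
                kind = "symlink -> " + os.readlink(p)
            else:
                kind = f"file {st.st_size}B mtime={int(st.st_mtime)}"
            changes.append((str(p.relative_to(diff_dir)), kind))
    return sorted(changes)


def build_sample_root() -> tuple[Path, str]:
    """Constructed sample: a container that edited /etc/passwd and dropped a script."""
    root = Path(tempfile.mkdtemp(prefix="dockerroot-"))
    cid, mount_id = "a" * 64, "b" * 64
    (root / "image/overlay2/layerdb/mounts" / cid).mkdir(parents=True)
    (root / "image/overlay2/layerdb/mounts" / cid / "mount-id").write_text(mount_id)
    diff = root / "overlay2" / mount_id / "diff"
    (diff / "etc").mkdir(parents=True)
    (diff / "tmp/.cache").mkdir(parents=True)
    (diff / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (diff / "tmp/.cache/run.sh").write_text("#!/bin/sh\n")
    os.symlink("../tmp/.cache/run.sh", diff / "etc/rc.local")
    return root, cid


if __name__ == "__main__":
    import sys
    root, cid = (Path(sys.argv[1]), sys.argv[2]) if len(sys.argv) > 2 else build_sample_root()
    for rel, kind in walk_diff(upper_dir_for(root, cid)):
        print(f"{kind:45} {rel}")
```

On a live host run it as root (python3 overlay_diff.py /var/lib/docker <container-id>) so the whiteout devices and the trusted.overlay.opaque xattr are readable; on an image of the disk, point the first argument at the mounted copy of /var/lib/docker. docker inspect reports the same directory as GraphDriver.Data.UpperDir, which is a useful cross-check that the mount-id file was not altered.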