Docker / Container Runtime Artifacts

Linux | Execution Evidence | Disk Image

Location

/var/lib/docker/ (containers/, image/, overlay2/, volumes/, network/) plus the Docker daemon logs (journalctl -u docker on systemd hosts; /var/log/docker.log or /var/log/upstart/docker.log on older distributions). Per-container stdout/stderr logs live at /var/lib/docker/containers/<id>/<id>-json.log under the default json-file logging driver. Check /etc/docker/daemon.json for a non-default "data-root"; rootless Docker uses ~/.local/share/docker/ instead.

Description

Docker daemon artifacts: per-container configuration under containers/<id>/ (config.v2.json records the image, command, environment variables, mount points and state timestamps; hostconfig.json records privileged mode, added or dropped capabilities, bind mounts, and PID/network namespace mode), image configs and layer metadata under image/overlay2/ (repositories.json maps tags to image IDs), overlay2 layer directories whose diff/ subdirectory holds each layer's filesystem changes (a container's own writable layer is located via image/overlay2/layerdb/mounts/<id>/mount-id), named volumes under volumes/<name>/_data/, network settings, and the container's captured stdout/stderr (containers/<id>/<id>-json.log with the json-file driver).

Forensic Value

Container forensics is increasingly critical as attackers target containerized environments. Container config files reveal the image used, environment variables (which frequently contain credentials), bind mounts of host directories, and privileged or capability settings; a container started with --privileged, CAP_SYS_ADMIN, --pid=host, or a bind mount of / or /var/run/docker.sock is a strong container-escape indicator. The overlay2 diff directory of a container's writable layer shows exactly which files were created or modified during runtime, isolating attacker activity from the read-only image layers; note that writes to bind mounts and named volumes are not in that layer but on the host path or under volumes/<name>/_data/. Container logs capture only what the container's main process wrote to stdout and stderr, which for a web workload often includes exploitation requests and outbound C2 errors, but only if the json-file driver was in use and the log was not rotated or truncated. Host-mounted volumes may expose sensitive host data to a compromised container. On a dead-disk image the docker CLI is unavailable (it needs the daemon), so parse the JSON files and overlay2 directories directly; on a live host, the CLI queries the daemon and should be preferred over modifying anything inside the container.
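The artifacts above can be triaged without a running daemon. The script below is an added example, not code from the original page or from Docker, and it assumes a mounted evidence image whose Docker data root is passed in (e.g. /mnt/evidence/var/lib/docker) and the default json-file logging driver. It reads config.v2.json and hostconfig.json for a container, flags credential-like environment variables and sensitive host bind mounts, resolves the container's overlay2 writable layer through layerdb/mounts/<id>/mount-id, lists the files in that diff/ directory, and parses the json-file log. The fixture it builds in a temporary directory (container ID, image name, env values, log line, file names, and the SECRET_MARKERS and SENSITIVE_HOST_PATHS heuristics) is constructed for the demo and is not real evidence.

```python
"""Offline triage of Docker container artifacts from a mounted disk image.

Added example; not code from the original page or from Docker.
Assumes: docker_root points at a mounted image's /var/lib/docker and the
json-file logging driver was in use.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Heuristics (assumption): env-var names that usually carry credentials, and
# host paths whose bind mount into a container indicates escape or data theft.
SECRET_MARKERS = ("PASS", "SECRET", "TOKEN", "KEY")
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def _load_json(path: Path) -> dict:
    with path.open(encoding="utf-8") as fh:
        return json.load(fh)


def writable_layer(docker_root: Path, container_id: str) -> Optional[Path]:
    """Resolve a container ID to its overlay2 upper ("diff") directory.

    image/overlay2/layerdb/mounts/<id>/mount-id holds the overlay2 directory name.
    """
    mount_id_file = docker_root / "image" / "overlay2" / "layerdb" / "mounts" / container_id / "mount-id"
    if not mount_id_file.is_file():
        return None
    return docker_root / "overlay2" / mount_id_file.read_text().strip() / "diff"


def parse_json_log(log_path: Path) -> List[dict]:
    """json-file driver: one JSON object per line with log/stream/time keys."""
    if not log_path.is_file():
        return []
    return [json.loads(line) for line in log_path.read_text(encoding="utf-8").splitlines() if line.strip()]


def triage_container(docker_root: Path, container_id: str) -> Dict:
    cdir = docker_root / "containers" / container_id
    cfg = _load_json(cdir / "config.v2.json")
    host = _load_json(cdir / "hostconfig.json")

    env = cfg.get("Config", {}).get("Env") or []
    secret_env = [e for e in env if any(m in e.split("=", 1)[0].upper() for m in SECRET_MARKERS)]

    mounts = [{"source": mp.get("Source"), "destination": mp.get("Destination"), "rw": mp.get("RW", False)}
              for mp in (cfg.get("MountPoints") or {}).values()]
    sensitive_mounts = [m for m in mounts if m["source"] in SENSITIVE_HOST_PATHS]

    diff_dir = writable_layer(docker_root, container_id)
    modified = []
    if diff_dir is not None and diff_dir.is_dir():
        # Every regular file here was written after the image layers; whiteouts (.wh.*) mark deletions.
        modified = sorted(p.relative_to(diff_dir).as_posix() for p in diff_dir.rglob("*") if p.is_file())

    return {
        "name": cfg.get("Name"),
        "image": cfg.get("Config", {}).get("Image"),
        "created": cfg.get("Created"),
        "privileged": bool(host.get("Privileged")),
        "cap_add": host.get("CapAdd") or [],
        "pid_mode": host.get("PidMode"),
        "secret_env": secret_env,
        "sensitive_mounts": sensitive_mounts,
        "modified_files": modified,
        "log_lines": parse_json_log(cdir / f"{container_id}-json.log"),
    }


def build_sample_tree(root: Path) -> str:
    """Constructed fixture mimicking a minimal /var/lib/docker layout (not real evidence)."""
    cid, mount_id = "a" * 64, "b" * 64  # fake 64-hex IDs
    cdir = root / "containers" / cid
    cdir.mkdir(parents=True)
    (cdir / "config.v2.json").write_text(json.dumps({
        "ID": cid, "Name": "/webapp", "Created": "2024-05-01T10:00:00Z", "Driver": "overlay2",
        "Config": {"Image": "nginx:1.25", "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]},
        "MountPoints": {"/host": {"Source": "/", "Destination": "/host", "RW": True, "Type": "bind"}},
    }))
    (cdir / "hostconfig.json").write_text(json.dumps(
        {"Binds": ["/:/host"], "Privileged": True, "CapAdd": ["SYS_ADMIN"], "PidMode": "host"}))
    (cdir / f"{cid}-json.log").write_text(
        '{"log":"GET /shell.php?c=id HTTP/1.1\\n","stream":"stdout","time":"2024-05-01T10:05:00Z"}\n')
    mdir = root / "image" / "overlay2" / "layerdb" / "mounts" / cid
    mdir.mkdir(parents=True)
    (mdir / "mount-id").write_text(mount_id)
    (root / "overlay2" / mount_id / "diff" / "tmp").mkdir(parents=True)
    (root / "overlay2" / mount_id / "diff" / "tmp" / "xmrig").write_bytes(b"\x7fELF")
    return cid


def run_demo() -> Dict:
    root = Path(tempfile.mkdtemp())
    return triage_container(root, build_sample_tree(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real image, replace the fixture with the mounted data root and iterate over every directory under containers/; the same mount-id lookup also works for containers that were stopped but not removed, which is often where the interesting writable layer survives.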

Tools Required

docker inspect, docker logs, docker diff (live host only; these query the running daemon), Autopsy, dive (image layer inspection), container-explorer (offline analysis of containers on a mounted disk image)