This repo contains a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.
mount-image
Mounts the forensic image of the docker hoststatus
Prints status information about the container runtimelist-images
Prints images found on the computershow-image-history
Displays the build history of an imageshow-image-config
Pretty prints the full config file of an imagelist-containers
Prints containers found on the computershow-container-log
Displays the latest container logfilesshow-container-config
Pretty prints the combined container specific config files (config.v2.json and hostconfig.json).mount-container
Mounts the file system of a given container at the given location (overlay2 only)macrobber-container-layer
Extracts file system metadata from the container layer of the given container. Use the output with the ‘mactime’ tool to create a timeline.macrobber-volumes
Extracts file system metadata from the volumes of the given container. Use the output with the ‘mactime’ tool to create a timeline.carve-for-deleted-docker-files
Carves the image for deleted Docker files, such as container configs,Dockerfiles and deleted log files. Requires ‘scalpel’ to be installed.See usage.md for a tour of the features.
git-lfs is required to check out this repository. Use whatever editor you like.
Testing this tool in integration with a real Docker host image is complicated because:
Therefore there are two ways to test this tool: one with a real docker Host Image and one with a temporary folder containing select files from a Docker Host image (created by running the create_zipfile_from_testimage.py
script. For local development it’s recommended to use the first way while CI may use the latter.
For a code coverage report run:
pytest --cov-report term-missing --cov=src tests/
Note the mountpoint of the root Partition in the output:
Mounted volume 4.3 GiB 4:Ext4 / [Linux] on /tmp/test-4-root-2.
Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…
While file extensions in Linux are optional and often misleading, the file command helps decode what a…
The touch command is one of the quickest ways to create new empty files or update timestamps…
Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…
Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…
Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…