This repo contains a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.
mount-image
Mounts the forensic image of the docker host.

status
Prints status information about the container runtime.

list-images
Prints images found on the computer.

show-image-history
Displays the build history of an image.

show-image-config
Pretty prints the full config file of an image.

list-containers
Prints containers found on the computer.

show-container-log
Displays the latest container logfiles.

show-container-config
Pretty prints the combined container specific config files (config.v2.json and hostconfig.json).

mount-container
Mounts the file system of a given container at the given location (overlay2 only).

macrobber-container-layer
Extracts file system metadata from the container layer of the given container. Use the output with the ‘mactime’ tool to create a timeline.

macrobber-volumes
Extracts file system metadata from the volumes of the given container. Use the output with the ‘mactime’ tool to create a timeline.

carve-for-deleted-docker-files
Carves the image for deleted Docker files, such as container configs, Dockerfiles and deleted log files. Requires ‘scalpel’ to be installed.

See usage.md for a tour of the features.
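The two macrobber commands produce metadata that mactime turns into a timeline. The following is an added example, not code from this toolkit, showing how such a body file is produced for a directory tree (for instance a mounted container layer): it walks the tree with lstat, so symlinks are described rather than followed and access times are left untouched, and writes one TSK body-format line per entry. The sample tree it builds is constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from typing import List

# Body format consumed by `mactime -b body.txt`:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Linux stat carries no creation time, so crtime is emitted as 0.


def _md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def body_line(path: str, with_hash: bool = False) -> str:
    """One body-format line for `path`; lstat so symlinks are not followed."""
    st = os.lstat(path)
    md5 = "0"  # mac-robber style: no hash unless explicitly requested
    if with_hash and stat.S_ISREG(st.st_mode):
        md5 = _md5_of_file(path)
    name = path.replace("|", "\\|")  # keep the field delimiter unambiguous
    return "|".join([
        md5, name, str(st.st_ino), stat.filemode(st.st_mode),
        str(st.st_uid), str(st.st_gid), str(st.st_size),
        str(int(st.st_atime)), str(int(st.st_mtime)),
        str(int(st.st_ctime)), "0",
    ])


def walk_body(root: str, with_hash: bool = False) -> List[str]:
    """Body lines for `root` and everything below it (symlinked dirs not descended)."""
    lines = [body_line(root, with_hash)]
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in sorted(dirnames) + sorted(filenames):
            lines.append(body_line(os.path.join(dirpath, entry), with_hash))
    return lines


def build_sample_tree() -> str:
    """Constructed stand-in for a mounted container layer (hypothetical content)."""
    root = tempfile.mkdtemp(prefix="layer-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "wb") as fh:
        fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
    os.symlink("/etc/passwd", os.path.join(root, "passwd-link"))
    return root
```

Redirect the joined lines to a file and feed it to mactime (`mactime -b body.txt -d`) to obtain the timeline.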
git-lfs is required to check out this repository. Use whatever editor you like.
Testing this tool in integration with a real Docker host image is complicated because:
Therefore there are two ways to test this tool: one with a real Docker host image, and one with a temporary folder containing selected files from a Docker host image (created by running the create_zipfile_from_testimage.py script). For local development it is recommended to use the first way, while CI may use the latter.
For a code coverage report run:
pytest --cov-report term-missing --cov=src tests/
Note the mountpoint of the root partition in the output:
Mounted volume 4.3 GiB 4:Ext4 / [Linux] on /tmp/test-4-root-2.