This repo contains a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.
mount-image Mounts the forensic image of the docker hoststatus Prints status information about the container runtimelist-images Prints images found on the computershow-image-history Displays the build history of an imageshow-image-config Pretty prints the full config file of an imagelist-containers Prints containers found on the computershow-container-log Displays the latest container logfilesshow-container-config Pretty prints the combined container specific config files (config.v2.json and hostconfig.json).mount-container Mounts the file system of a given container at the given location (overlay2 only)macrobber-container-layer Extracts file system metadata from the container layer of the given container. Use the output with the ‘mactime’ tool to create a timeline.macrobber-volumes Extracts file system metadata from the volumes of the given container. Use the output with the ‘mactime’ tool to create a timeline.carve-for-deleted-docker-files Carves the image for deleted Docker files, such as container configs,Dockerfiles and deleted log files. Requires ‘scalpel’ to be installed.See usage.md for a tour of the features.
git-lfs is required to check out this repository. Use whatever editor you like.
Testing this tool in integration with a real Docker host image is complicated because:
Therefore there are two ways to test this tool: one with a real docker Host Image and one with a temporary folder containing select files from a Docker Host image (created by running the create_zipfile_from_testimage.py script. For local development it’s recommended to use the first way while CI may use the latter.
For a code coverage report run:
pytest --cov-report term-missing --cov=src tests/ Note the mountpoint of the root Partition in the output:
Mounted volume 4.3 GiB 4:Ext4 / [Linux] on /tmp/test-4-root-2. Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…
Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…