Forensics

The Docker Forensics Toolkit : A Comprehensive Guide For Post-Mortem Analysis

This repo contains a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.

Features

  • mount-image Mounts the forensic image of the docker host
  • status Prints status information about the container runtime
  • list-images Prints images found on the computer
  • show-image-history Displays the build history of an image
  • show-image-config Pretty prints the full config file of an image
  • list-containers Prints containers found on the computer
  • show-container-log Displays the latest container logfiles
  • show-container-config Pretty prints the combined container specific config files (config.v2.json and hostconfig.json).
  • mount-container Mounts the file system of a given container at the given location (overlay2 only)
  • macrobber-container-layer Extracts file system metadata from the container layer of the given container. Use the output with the ‘mactime’ tool to create a timeline.
  • macrobber-volumes Extracts file system metadata from the volumes of the given container. Use the output with the ‘mactime’ tool to create a timeline.
  • carve-for-deleted-docker-files Carves the image for deleted Docker files, such as container configs,Dockerfiles and deleted log files. Requires ‘scalpel’ to be installed.

See usage.md for a tour of the features.

Development

git-lfs is required to check out this repository. Use whatever editor you like.

Testing

Testing this tool in integration with a real Docker host image is complicated because:

  • Mounting images typically requires root permissions
  • Tests need to be executed as root to be able to read files owned by root on the Docker Host file system

Therefore there are two ways to test this tool: one with a real docker Host Image and one with a temporary folder containing select files from a Docker Host image (created by running the create_zipfile_from_testimage.py script. For local development it’s recommended to use the first way while CI may use the latter.

Coverage

For a code coverage report run:

pytest --cov-report term-missing --cov=src tests/

Testing with a real Docker Host Image

  1. Mount the Docker Host image by running:sudo python src/dof/main.py mount-image testimages/alpine-host/output-virtualbox-iso/packer-virtualbox-iso-*-disk001.vmdk.raw

Note the mountpoint of the root Partition in the output:

Mounted volume 4.3 GiB 4:Ext4 / [Linux] on /tmp/test-4-root-2.
  1. Run the pytest command as root with the image-mountpoint as parametersudo pytest –image-mountpoint=/tmp/test-4-root-2

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

3 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

3 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

3 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

3 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

3 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

3 weeks ago