This project gathers artifacts from a Docker environment. It focuses on the container itself, but related artifacts from the Docker host are collected as well.
- Whiteout files: AUFS, Overlay/Overlay2
- Binary and metadata of the processes running within the container, and acquisition of their executables
- Output of the docker inspect command
- Container-specific files: config.v2.json, hostconfig.json, hostname, resolv.conf, resolv.conf.hash
- Container log: container_id-json.log (json-file logging driver)
- Docker daemon log (journald only)
- Hidden directories
- Changed files and directories
- Open ports and network sessions (collected with nsenter from the container's network namespace)
- System date/time and uptime
- Acquisition of executable binaries/scripts created on the container layer
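The collector below shows how several of the items above are located on the host from a single docker inspect result: the daemon-side files and log under /var/lib/docker/containers/<id>/, the /proc entries of the main process, and a walk of the container's writable layer that separates added files, dropped executables and whiteouts (deleted files). This is an added example, not code from docker-forensics or df.py; it assumes the default data root /var/lib/docker, and the inspect JSON and layer tree in demo() are constructed samples rather than captures from a real host.

```python
"""Locate the host-side artifacts of one Docker container from `docker inspect` output.

Added example for this README, not code from docker-forensics/df.py. Assumes the
default data root /var/lib/docker. The inspect JSON and the writable-layer tree
built in demo() are constructed samples, not captured from a real host.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

DOCKER_ROOT = Path("/var/lib/docker")            # assumption: default --data-root
CONTAINER_FILES = ["config.v2.json", "hostconfig.json", "hostname",
                   "resolv.conf", "resolv.conf.hash"]


def parse_inspect(inspect_json: str) -> dict:
    """Pull the fields a collector needs out of `docker inspect <id>` output."""
    data = json.loads(inspect_json)
    c = data[0] if isinstance(data, list) else data   # docker inspect prints a list
    gd = c.get("GraphDriver", {})
    gdata = gd.get("Data") or {}                      # null for AUFS
    return {
        "id": c["Id"],
        "pid": c["State"]["Pid"],                     # 0 when the container is stopped
        "driver": gd.get("Name"),
        "upper": gdata.get("UpperDir"),               # overlay2 writable layer
        "merged": gdata.get("MergedDir"),
        "lower": [p for p in (gdata.get("LowerDir") or "").split(":") if p],
    }


def host_artifact_paths(info: dict, docker_root: Path = DOCKER_ROOT) -> list:
    """Daemon-side files for the container, plus /proc entries if it is running."""
    cdir = docker_root / "containers" / info["id"]
    paths = [cdir / name for name in CONTAINER_FILES]
    paths.append(cdir / f"{info['id']}-json.log")    # json-file logging driver
    if info["pid"]:
        # live container: main process binary, argv and the namespaces nsenter needs
        paths += [Path(f"/proc/{info['pid']}") / p
                  for p in ("exe", "cmdline", "ns/net", "ns/mnt")]
    return paths


def whiteout_target(path: Path, driver: str):
    """Return the deleted name a whiteout stands for, or None if not a whiteout.

    overlay2 marks a deletion with a character device numbered 0/0;
    AUFS uses a regular file named .wh.<name> in the same directory.
    """
    if driver == "aufs":
        return path.name[4:] if path.name.startswith(".wh.") else None
    st = path.lstat()
    if stat.S_ISCHR(st.st_mode) and os.major(st.st_rdev) == 0 and os.minor(st.st_rdev) == 0:
        return path.name
    return None


def scan_upper_layer(upper: str, driver: str = "overlay2") -> dict:
    """Walk the writable layer: every entry there is a change relative to the image."""
    result = {"added": [], "deleted": [], "executables": []}
    for root, _dirs, files in os.walk(upper):
        rel_dir = Path(root).relative_to(upper)
        for name in files:                            # os.walk lists char devices here too
            p = Path(root) / name
            target = whiteout_target(p, driver)
            if target is not None:
                result["deleted"].append(str(rel_dir / target))
                continue
            st = p.lstat()
            if stat.S_ISREG(st.st_mode):
                rel = str(rel_dir / name)
                result["added"].append(rel)
                if st.st_mode & 0o111:                # candidate dropped tool/script
                    result["executables"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def demo() -> dict:
    """Run the collector over constructed sample data (not a real container)."""
    sample_inspect = json.dumps([{                    # constructed inspect output
        "Id": "deadbeef" * 8,
        "State": {"Pid": 4242},
        "GraphDriver": {"Name": "aufs", "Data": None},
    }])
    info = parse_inspect(sample_inspect)
    with tempfile.TemporaryDirectory() as upper:
        # constructed writable layer: a dropped script, a changed config, a deleted binary
        (Path(upper) / "tmp").mkdir()
        script = Path(upper) / "tmp" / "payload.sh"
        script.write_text("#!/bin/sh\nid\n")
        script.chmod(0o755)
        (Path(upper) / "etc").mkdir()
        (Path(upper) / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (Path(upper) / "usr" / "bin").mkdir(parents=True)
        (Path(upper) / "usr" / "bin" / ".wh.curl").touch()
        layer = scan_upper_layer(upper, driver="aufs")
    return {"info": info,
            "paths": [str(p) for p in host_artifact_paths(info)],
            "layer": layer}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host, feed the script the output of docker inspect <container_id> and the UpperDir it reports; the overlay2 branch of whiteout_target needs root, because the 0/0 character devices and the layer directories under /var/lib/docker are not readable by unprivileged users.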
1. Download the docker-forensics scripts with a git client (git clone) or a web browser
2. Rename config.json.example to config.json
3. Run df.py with Python 3 as root, passing the container ID: sudo python3 df.py -i Container_id
*** df.py must be run with root permission: the files under /var/lib/docker and the container's namespaces (entered with nsenter) are not readable by unprivileged users