In this article, we describe the impact of the increased use of Docker in corporate environments on forensic investigations and incident analysis. Even though Docker is being used more and more (Portworx, Inc., 2017), the implications of the changed runtime environment for forensic processes and tools have barely been considered. We describe the technological basics of Docker and, based on them, outline the differences that arise with respect to digital evidence and the methods previously used for evidence acquisition. Specifically, we look at digital evidence within a Docker container that is lost or has to be acquired differently compared to a classical virtual machine, and at the new traces and opportunities that arise from Docker itself.
Authors: Dr.-Ing. Andreas Dewald, Matthias Luft, Julian Suleder
A signed digital copy of the full paper can be found here: https://static.ernw.de/whitepaper/ERNW_Whitepaper64_IncidentForensicDocker_signed.pdf
Sign up for our upcoming TROOPERS18 Forensic Computing & Incident Analysis or Docker, DevOps & Security in Enterprise Environments to get some hands-on experience!