toolkit

No description is available yet
toolkit logo

A Docker Forensics Toolkit

This toolkit is designed for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the Docker host system.


Features

  • mount-image: Mounts the forensic image of the Docker host
  • status: Prints status information about the container runtime
  • list-images: Prints images found on the computer
  • show-image-history: Displays the build history of an image
  • show-image-config: Pretty prints the full config file of an image
  • list-containers: Prints containers found on the computer
  • show-container-log: Displays the latest container logfiles
  • show-container-config: Pretty prints the combined container specific config files (config.v2.json and hostconfig.json)
  • mount-container: Mounts the file system of a given container at the given location (overlay2 only)
  • macrobber-container-layer: Extracts file system metadata from the container layer of the given container. Use the output with the 'mactime' tool to create a timeline.
  • macrobber-volumes: Extracts file system metadata from the volumes of the given container. Use the output with the 'mactime' tool to create a timeline.
  • carve-for-deleted-docker-files: Carves the image for deleted Docker files, such as container configs, Dockerfiles and deleted log files. Requires 'scalpel' to be installed.

Development

git- lfs is required to check out this repository. Use whatever editor you like.


Testing

Testing this tool in integration with a real Docker host image is complicated because:

  • Mounting images typically requires root permissions
  • Tests need to be executed as root to be able to read files owned by root on the Docker Host file system

Therefore, there are two ways to test this tool: one with a real Docker Host Image and one with a temporary folder containing select files from a Docker Host image (created by running the create_ zipfile_from_testimage.py script. For local development it's recommended to use the first way while CI may use the latter.


Coverage

For a code coverage report run:

pytest  --cov-report term-missing  --cov=src tests/

Distribution

The toolkit is distributed as a runnable 'fat' binary, bundled with a Python interpreter. The binary is created by PyInstaller. To create such a binary run:

pyinstaller dof.spec




> Visit toolkit Website <
Best Search
Popular Tags