A Docker forensics toolkit

This repo contains a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.

<img alt="Logo" align="right" src="https://avatars2.githubusercontent.com/u/48415084">

Features

See usage.md for a tour of the features.

Development

git-lfs is required to check out this repository. Use whatever editor you like.

Testing

Testing this tool in integration with a real Docker host image is complicated because:

Therefore there are two ways to test this tool: one with a real Docker host image, and one with a temporary folder containing select files from a Docker host image (created by running the create_zipfile_from_testimage.py script). For local development it is recommended to use the first way, while CI may use the latter.
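To make the second approach concrete, here is an added example of how a "select files from a Docker host image" archive can be built from a mounted root filesystem. This is illustration code, not the toolkit's own create_zipfile_from_testimage.py: the artefact glob patterns, the MANIFEST.json layout and the constructed sample host tree are all assumptions. The manifest records a SHA-256 per collected file so the temporary test folder can later be checked against the source image.

```python
"""Collect a selection of Docker-related files from a mounted forensic image
into a zip archive, alongside a SHA-256 manifest.

Added example, not the toolkit's own create_zipfile_from_testimage.py: the
selection patterns and the manifest format are assumptions for illustration.
"""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

# Assumed set of artefacts a Docker post-mortem usually needs, relative to the
# mounted root filesystem. Globs are resolved with pathlib.
DOCKER_ARTEFACT_GLOBS = [
    "etc/docker/daemon.json",
    "var/lib/docker/containers/*/config.v2.json",
    "var/lib/docker/containers/*/hostconfig.json",
    "var/lib/docker/containers/*/*-json.log",
    "var/lib/docker/image/*/repositories.json",
]


def select_artefacts(root: Path, patterns=DOCKER_ARTEFACT_GLOBS):
    """Return the relative paths under `root` matching the patterns, sorted."""
    found = set()
    for pattern in patterns:
        for path in root.glob(pattern):
            if path.is_file():
                found.add(path.relative_to(root).as_posix())
    return sorted(found)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large container logs fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_zipfile(root: Path, out_zip: Path, patterns=DOCKER_ARTEFACT_GLOBS) -> dict:
    """Copy the selected files into `out_zip` under their original relative
    paths and add a MANIFEST.json mapping each path to its SHA-256, so the
    archive can be verified against the source image. Returns the manifest."""
    manifest = {}
    with zipfile.ZipFile(out_zip, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for rel in select_artefacts(root, patterns):
            src = root / rel
            manifest[rel] = sha256_of(src)
            zf.write(src, arcname=rel)
        zf.writestr("MANIFEST.json", json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def build_sample_host(root: Path) -> None:
    """Constructed stand-in for a mounted Docker host root (not real image data)."""
    cid = "0" * 64  # constructed container id
    files = {
        "etc/docker/daemon.json": '{"log-driver": "json-file"}\n',
        f"var/lib/docker/containers/{cid}/config.v2.json": '{"Name": "/web"}\n',
        f"var/lib/docker/containers/{cid}/hostconfig.json": '{"Privileged": false}\n',
        f"var/lib/docker/containers/{cid}/{cid}-json.log": '{"log":"hello\\n"}\n',
        # Layer contents are deliberately outside the selection.
        "var/lib/docker/overlay2/abc/diff/bin/sh": "not collected\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> dict:
    """Build the sample host in a temp dir, archive it and verify the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        build_sample_host(root)
        out = Path(tmp) / "testimage.zip"
        manifest = create_zipfile(root, out)
        with zipfile.ZipFile(out) as zf:
            names = set(zf.namelist())
            stored = json.loads(zf.read("MANIFEST.json"))
        assert stored == manifest
        assert names == set(manifest) | {"MANIFEST.json"}
        return manifest


if __name__ == "__main__":
    for rel, digest in demo().items():
        print(f"{digest}  {rel}")
```

Run it against a real mountpoint by calling `create_zipfile(Path("/tmp/test-4-root-2"), Path("testimage.zip"))` as a user that can read the mounted tree; the glob list is where a project would pin down exactly which files its tests depend on.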

Coverage

For a code coverage report run:

pytest --cov-report term-missing --cov=src tests/

Testing with a real Docker Host Image

1. Mount the Docker host image by running:

sudo python src/dof/main.py mount-image testimages/alpine-host/output-virtualbox-iso/packer-virtualbox-iso-*-disk001.vmdk.raw

Note the mountpoint of the root partition in the output:

Mounted volume 4.3 GiB 4:Ext4 / [Linux] on /tmp/test-4-root-2.

2. Run pytest as root, passing the root partition's mountpoint via the --image-mountpoint parameter:

sudo pytest --image-mountpoint=/tmp/test-4-root-2

Distribution

The toolkit is distributed as a runnable 'fat' binary, bundled with a Python interpreter. The binary is created by PyInstaller. To create such a binary run:

pyinstaller dof.spec