Awesome
A Docker forensics toolkit
This repo contains a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.
<img alt="Logo" align="right" src="https://avatars2.githubusercontent.com/u/48415084">
Features
mount-imageMounts the forensic image of the docker hoststatusPrints status information about the container runtimelist-imagesPrints images found on the computershow-image-historyDisplays the build history of an imageshow-image-configPretty prints the full config file of an imagelist-containersPrints containers found on the computershow-container-logDisplays the latest container logfilesshow-container-configPretty prints the combined container specific config files (config.v2.json and hostconfig.json).mount-containerMounts the file system of a given container at the given location (overlay2 only)macrobber-container-layerExtracts file system metadata from the container layer of the given container. Use the output with the 'mactime' tool to create a timeline.macrobber-volumesExtracts file system metadata from the volumes of the given container. Use the output with the 'mactime' tool to create a timeline.carve-for-deleted-docker-filesCarves the image for deleted Docker files, such as container configs,Dockerfiles and deleted log files. Requires 'scalpel' to be installed.
See usage.md for a tour of the features.
Development
git-lfs is required to check out this repository. Use whatever editor you like.
Testing
Testing this tool in integration with a real Docker host image is complicated because:
- Mounting images typically requires root permissions
- Tests need to be executed as root to be able to read files owned by root on the Docker Host file system
Therefore there are two ways to test this tool: one with a real docker Host
Image and one with a temporary folder containing select files from a Docker Host
image (created by running the create_zipfile_from_testimage.py script. For
local development it's recommended to use the first way while CI may use the
latter.
Coverage
For a code coverage report run:
pytest --cov-report term-missing --cov=src tests/
Testing with a real Docker Host Image
-
Mount the Docker Host image by running:
sudo python src/dof/main.py mount-image testimages/alpine-host/output-virtualbox-iso/packer-virtualbox-iso-*-disk001.vmdk.raw
Note the mountpoint of the root Partition in the output:
Mounted volume 4.3 GiB 4:Ext4 / [Linux] on /tmp/test-4-root-2.
2. Run the pytest command as root with the image-mountpoint as parameter
sudo pytest --image-mountpoint=/tmp/test-4-root-2
Distribution
The toolkit is distributed as a runnable 'fat' binary, bundled with a Python interpreter. The binary is created by PyInstaller. To create such a binary run:
pyinstaller dof.spec