Docker Images
Overview
Section titled “Overview”Evidence: Docker Images
Description: Collect Docker Images.
Category: Applications
Platform: linux
Short Name: dockimages
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”Docker images are templates used to create containers, consisting of layered filesystems and metadata. Image inventories reveal deployed applications, base operating systems, vulnerabilities, and potentially malicious or unauthorized images in the environment.
Data Collected
Section titled “Data Collected”This collector gathers structured data about docker images.
Collection Method
Section titled “Collection Method”This collector queries the Docker daemon via Docker Engine API to list all images (tagged and untagged). It extracts image ID, repository tags, size, creation time, and layer information for each image stored locally.
Forensic Value
Section titled “Forensic Value”Image data helps identify vulnerable base images, unauthorized images pulled from untrusted registries, backdoored images, or bloated images that may hide malicious payloads. Tracking image provenance and tags assists in supply chain security investigations and compliance audits.