
Docker Changes

Evidence: Docker Changes
Description: Collect Docker Changes
Category: Applications
Platform: macos
Short Name: dockchanges
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Docker filesystem changes are the contents of a container's writable layer: every path that has been added, modified, or deleted relative to the image the container was created from. Because the image layers are read-only, anything an attacker writes into the container (a dropped binary, an edited configuration file, a deleted log) shows up here, which makes this listing a compact starting point for detecting malware installation, data tampering, or unauthorized access. Note that volumes, bind mounts, and tmpfs mounts are not part of the writable layer, so writes to them do not appear in these changes.

This collector gathers structured data about docker changes.

This collector queries the Docker daemon through the Docker Engine API (GET /containers/{id}/changes, the same data `docker diff` prints) to retrieve filesystem changes for each container, including stopped ones. Each entry is a path and a change kind (added, modified, or deleted) relative to the container's image; the daemon also reports every parent directory of a changed file as modified, so a single dropped file typically produces several entries.

Filesystem changes expose malware droppers, backdoor installations, log tampering, credential theft, and data exfiltration staging. Investigators can identify suspicious file modifications, detect persistence mechanisms (cron entries, SSH keys, preload libraries), and trace attacker activity within compromised containers. The listing carries only paths and change kinds, with no timestamps or file contents, so a suspicious entry should be confirmed by exporting the file itself from the container and comparing it against the image.
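The following is an added example, not the collector's own code, showing how the query described above and a first-pass triage of the result fit together. It dials the Docker Engine API over the daemon's Unix socket (the socket path is an assumption; Docker Desktop on macOS usually exposes the same path via a symlink), normalises the numeric `Kind` values, suppresses the parent-directory entries the daemon adds, and flags changes in locations an investigator would look at first. The suspicious-path rules and the sample API response are constructed for illustration.

```python
"""Added example: fetch and triage Docker container filesystem changes.
Not the collector's own code; socket path and triage rules are assumptions."""
import http.client
import json
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Docker Engine API, GET /containers/{id}/changes: each entry is {"Path": ..., "Kind": n}
KIND_NAMES = {0: "modified", 1: "added", 2: "deleted"}

# Assumed default socket path for the daemon.
DEFAULT_SOCKET = "/var/run/docker.sock"

Change = Dict[str, str]


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials the daemon's Unix socket instead of TCP."""

    def __init__(self, socket_path: str) -> None:
        super().__init__("localhost")
        self.socket_path = socket_path

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)


def docker_get(path: str, socket_path: str = DEFAULT_SOCKET):
    """GET a Docker Engine API path and decode the JSON body."""
    conn = UnixHTTPConnection(socket_path)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"Docker API {path} returned {resp.status}: {body[:200]!r}")
    return json.loads(body)


def parse_changes(raw: Optional[List[dict]]) -> List[Change]:
    """Turn the API's numeric Kind into a word. The daemon returns null (None after
    JSON decoding) for a container with no changes, so treat None as empty."""
    return [
        {"path": c["Path"], "kind": KIND_NAMES.get(c["Kind"], f"unknown({c['Kind']})")}
        for c in (raw or [])
    ]


def leaf_changes(changes: List[Change]) -> List[Change]:
    """Drop ancestor directories: the daemon marks every parent of a changed file as
    'modified', which is noise for triage. Keep an entry unless it is a modified
    path that some other entry lives under."""
    paths = {c["path"] for c in changes}

    def is_parent(c: Change) -> bool:
        prefix = c["path"].rstrip("/") + "/"
        return c["kind"] == "modified" and any(p.startswith(prefix) for p in paths)

    return [c for c in changes if not is_parent(c)]


# (required kind or None for any kind, path predicate, reason) -- illustrative rules
Rule = Tuple[Optional[str], Callable[[str], bool], str]
SUSPICIOUS_RULES: List[Rule] = [
    ("added", lambda p: p.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")),
     "new file in world-writable scratch directory (dropper staging)"),
    ("modified", lambda p: p in ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"),
     "account database modified inside the container"),
    (None, lambda p: p.startswith(("/etc/cron", "/root/.ssh/")) or p == "/etc/ld.so.preload",
     "persistence location touched"),
    ("deleted", lambda p: p.startswith("/var/log/"),
     "log file deleted (anti-forensics)"),
    ("added", lambda p: p.startswith(("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")),
     "new executable placed on PATH"),
]


def triage(changes: List[Change]) -> List[Dict[str, str]]:
    """Return leaf changes that match a rule, tagged with the first matching reason."""
    findings = []
    for c in leaf_changes(changes):
        for kind, match, reason in SUSPICIOUS_RULES:
            if (kind is None or kind == c["kind"]) and match(c["path"]):
                findings.append({**c, "reason": reason})
                break
    return findings


def collect_live(socket_path: str = DEFAULT_SOCKET) -> Dict[str, List[Dict[str, str]]]:
    """Query every container, running or stopped, and return findings per container."""
    report = {}
    for ctr in docker_get("/containers/json?all=1", socket_path):
        name = ctr["Names"][0].lstrip("/") if ctr.get("Names") else ctr["Id"][:12]
        report[name] = triage(parse_changes(docker_get(f"/containers/{ctr['Id']}/changes", socket_path)))
    return report


# Constructed sample response: a dropped payload under /tmp, a cron persistence file,
# a tampered /etc/passwd, a deleted auth log, and benign application writes.
SAMPLE_RESPONSE = [
    {"Path": "/tmp", "Kind": 0}, {"Path": "/tmp/.x", "Kind": 1}, {"Path": "/tmp/.x/payload", "Kind": 1},
    {"Path": "/etc", "Kind": 0}, {"Path": "/etc/passwd", "Kind": 0},
    {"Path": "/etc/cron.d", "Kind": 0}, {"Path": "/etc/cron.d/update", "Kind": 1},
    {"Path": "/var/log", "Kind": 0}, {"Path": "/var/log/auth.log", "Kind": 2},
    {"Path": "/app", "Kind": 0}, {"Path": "/app/cache.db", "Kind": 0},
]

if __name__ == "__main__":
    for f in triage(parse_changes(SAMPLE_RESPONSE)):
        print(f"{f['kind']:<9}{f['path']:<24}{f['reason']}")
```

Running the block as a script triages the constructed sample offline; calling `collect_live()` on a host with a reachable daemon socket runs the same logic across every container. The rules are deliberately a starting point: tune the path lists to the images in your environment, and treat a match as a pointer to a file worth exporting and hashing rather than a verdict.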