Docker Containers

Evidence: Docker Containers
Description: Collect Docker Containers
Category: Applications
Platform: macos
Short Name: dockcontainers
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Docker containers are isolated runtime environments that package applications together with their dependencies. Container metadata reveals running services, exposed ports, mounted volumes, and runtime configuration, all of which are essential for identifying malicious containers, unauthorized deployments, and security misconfigurations.

This collector gathers structured data about Docker containers.

This collector queries the Docker daemon through the Docker Engine API to enumerate all containers, both running and stopped. For each container it extracts the container ID, name, image, state, creation time, ports, mounts, network settings, labels, and environment variables for forensic analysis.

Container data helps investigators identify suspicious containers and detect cryptominers, backdoors, or data exfiltration tools running in containerized environments. Configuration details reveal privilege escalation paths, volume mounts onto sensitive host paths, and network exposure that may indicate compromise or policy violations.
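As an added example that is not the collector's own code, the following Python queries the Engine API over the default Unix socket (assumed to be `/var/run/docker.sock` and reachable by the collector), enumerates running and stopped containers, and triages each inspect record for the configuration details described above: privileged mode, host networking, and bind mounts of sensitive host paths. The `SAMPLE_INSPECT` records are constructed for illustration; `inspect_all_containers` needs a local daemon to run.

```python
import http.client
import json
import socket

DOCKER_SOCK = "/var/run/docker.sock"  # default Engine API socket (assumed reachable by the collector)
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over the daemon's Unix socket; the Engine API has no TCP listener by default."""
    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)

def inspect_all_containers(sock_path=DOCKER_SOCK):
    """Enumerate running and stopped containers, then pull each one's full inspect record."""
    conn = UnixHTTPConnection(sock_path)
    conn.request("GET", "/containers/json?all=true")  # all=true includes stopped containers
    summaries = json.loads(conn.getresponse().read())
    records = []
    for summary in summaries:
        conn.request("GET", f"/containers/{summary['Id']}/json")  # full HostConfig, Mounts, Config.Env
        records.append(json.loads(conn.getresponse().read()))
    return records

def triage(record):
    """Return findings for one inspect record: privileged mode, host network, sensitive bind mounts."""
    findings = []
    host = record.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged")
    if host.get("NetworkMode") == "host":
        findings.append("host-network")
    for mount in record.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and src in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive-mount:{src}->{mount.get('Destination')}")
    return findings

# Constructed inspect records (not real daemon output): one benign web container, one suspicious one.
SAMPLE_INSPECT = [
    {"Id": "aaa111", "Name": "/web", "HostConfig": {"Privileged": False, "NetworkMode": "bridge"},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data", "Destination": "/data"}]},
    {"Id": "bbb222", "Name": "/miner", "HostConfig": {"Privileged": True, "NetworkMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
                {"Type": "bind", "Source": "/etc", "Destination": "/host/etc"}]},
]
```

On a live host, `[triage(r) for r in inspect_all_containers()]` applies the same checks to every container the daemon knows about.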