Docker Volumes

Evidence: Docker Volumes
Description: Collect Docker Volumes
Category: Applications
Platform: windows
Short Name: dockvolumes
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Docker volumes provide persistent storage for containers, allowing data to persist beyond the container lifecycle. Volume metadata reveals mount paths, drivers, and which containers have access to shared data, all of which is critical for data exfiltration and persistence investigations.

This collector gathers structured data about Docker volumes.

This collector queries the Docker daemon via the Docker Engine API to list all volumes. It extracts the volume name, driver, mount point, labels, and scope for each volume on the system.

Volume data exposes sensitive data storage locations, shared volumes between containers (lateral movement risk), and host path mounts that may grant container access to sensitive host files. Investigators can identify data staging locations, credential stores, or malicious persistence mechanisms using volumes.
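
The following is an added example, not the collector's own code: it parses a volume listing shaped like the Docker Engine API `GET /volumes` response into the fields named above and attaches review flags an investigator might start from. The sample response, the `example-smb` driver name, the flag names, and the default data root `C:\ProgramData\docker\volumes` are assumptions made for illustration.

```python
import json
import re
from pathlib import PureWindowsPath

# Assumed default volume root for Docker Engine on Windows; adjust per host.
DATA_ROOT = PureWindowsPath(r"C:\ProgramData\docker\volumes")
ANON_NAME = re.compile(r"^[0-9a-f]{64}$")  # anonymous volumes get 64-hex names

# Constructed sample shaped like a Docker Engine API GET /volumes response.
SAMPLE_RESPONSE = r'''
{"Volumes": [
  {"Name": "appdata", "Driver": "local", "Scope": "local",
   "Mountpoint": "C:\\ProgramData\\docker\\volumes\\appdata\\_data",
   "Labels": {"com.docker.compose.project": "shop"}},
  {"Name": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
   "Driver": "local", "Scope": "local", "Labels": null,
   "Mountpoint": "C:\\ProgramData\\docker\\volumes\\0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\\_data"},
  {"Name": "stage", "Driver": "local", "Scope": "local", "Labels": {},
   "Mountpoint": "C:\\Users\\Public\\stage\\_data"},
  {"Name": "remote", "Driver": "example-smb", "Scope": "global",
   "Labels": null, "Mountpoint": ""}
], "Warnings": null}
'''

def triage(raw, data_root=DATA_ROOT):
    """Return one row per volume with the collector's fields plus review flags."""
    rows = []
    for vol in json.loads(raw).get("Volumes") or []:
        name = vol.get("Name", "")
        mount = vol.get("Mountpoint") or ""
        flags = []
        if vol.get("Driver") != "local":
            flags.append("non-local-driver")      # data may live off-host
        if not mount:
            flags.append("no-mountpoint")
        elif data_root not in PureWindowsPath(mount).parents:
            flags.append("outside-data-root")     # storage outside Docker's own tree
        if ANON_NAME.match(name):
            flags.append("anonymous")             # not named by an operator
        rows.append({"name": name, "driver": vol.get("Driver"),
                     "mountpoint": mount, "scope": vol.get("Scope"),
                     "labels": vol.get("Labels") or {}, "flags": flags})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        print(f'{row["name"][:12]:<12} {row["driver"]:<12} {",".join(row["flags"]) or "-"}')
```

A flag marks a volume for review rather than as malicious; confirm against the container configurations that reference the volume.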