Docker Detection and Forensics, ‘Gotta catch them all’! (Workshop)

Cem Gurkok
Facebook

Nick Anderson
Facebook

Workshops

Adopting Docker containers works well for most fast moving orgs, due to flexibility, isolation, transient existence, ease of management and patching. On the other hand, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing digital forensics in case of an incident can easily become daunting tasks in such a volatile environment. In this talk I will discuss monitoring the Docker container pipeline with osquery, and performing memory forensics with the Volatility Framework within the context of detection and incident response cause ‘gotta catch them all’!

Requirements:

  • Laptop with the following minimum specifications:
    • >= 2.0 GHz, multi-core CPU
    • >= 4 GB of RAM
    • >= 20 GB of disk space
  • Access to a Linux or OSX installation either as a virtual machine or on the laptop directly.
  • Please install Vagrant and Docker as well.

Docker: https://www.docker.com/get-started

Cem Gurkok
Cem specializes in devops security, incident response, digital forensics, malware analysis, litigation consulting, R&D of security software. Prior to Facebook, he lead R&D, incident response and development teams in Salesforce, Terremark, Verizon, LinkedIn and various Fortune 500 companies. He has presented at conferences such as, DockerCon, RSA, Forum of Incident Response and Security Teams (FIRST.org), Hack In the Box, Open Source Memory Forensics Workshop (OMFW), EuroForensics and has written articles and chapters about cloud computing security and incident response for various publications. While not being paranoid about security, he enjoys life with friends and family. Mahalo!

Nick Anderson
Nick Anderson is a security engineer at Facebook, focused on building and scaling infrastructure for detecting compromise at Facebook. He is one of the core maintainers and developers for Facebook's osquery project, an open source tool used for intrusion detection, systems operations, and compliance. When Nick isn't focused on host based security telemetry problems he enjoys cooking, brewing beer, and lock picking.