Pensieve: Finding Malicious Artifacts in Container Environments

Yathi Naik


Containerized environments present new challenges for security and forensics investigations. As containers are orchestrated and deployed, there is a distributed attack surface, and the containers are rapidly being spun up or down. The key issue is tracking the relevant data from the attack. In such ephemeral environments, data can easily be erased by an intruder which makes forensics in such environments very hard.

In containerized environments, attackers can still utilize the traditional approaches of data exfiltration. Once the necessary data is copied out of the docker container, the attackers can close the connection or even remove the container in question. This erases all in-memory tcp connection data which makes tracking the intruders very difficult. The traditional forensic tools like Linux Memory Extractor (LiME), fmem (memory imaging), dd, dcfldd (disk imaging) cannot live up to the challenge of evidence gathering in such an ever changing environment. For one, these tools were designed to capture the memory of the entire system and not tailored for docker containers. Capturing the entire memory of the system will not be useful for docker containers as containers are just a process and the information gathered with host based tools gives a very high overview of the system in general. It’s like finding the needle in a haystack.

We’ll show how more specialized, process-focused memory capture can isolate specific container memory resources.

Yathi Naik