Docker Containers
Overview
Evidence: Docker Containers
Description: Collect Docker Containers.
Category: Applications
Platform: linux
Short Name: dockcontainers
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Docker containers are isolated runtime environments that package applications together with their dependencies. Container metadata reveals running services, exposed ports, mounted volumes, and runtime configurations, which is essential for identifying malicious containers, unauthorized deployments, and security misconfigurations.
Data Collected
This collector gathers structured data about Docker containers.
Collection Method
This collector queries the Docker daemon via the Docker Engine API to enumerate all containers (running and stopped). For each container it extracts the container ID, name, image, state, creation time, ports, mounts, network settings, labels, and environment variables for forensic analysis.
Forensic Value
Container data helps investigators identify suspicious containers and detect cryptominers, backdoors, or data exfiltration tools running in containerized environments. Configuration details reveal privilege escalation, volume mounts to sensitive host paths, and network exposure that may indicate compromise or policy violations.
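The enumeration described under Collection Method and the triage points listed above, as an added example that is not this collector's own code: it walks the Docker Engine API over the daemon's Unix socket (`/containers/json?all=1`, then `/containers/{id}/json`), and a pure `assess_container()` flags privileged mode, bind mounts of sensitive host paths, and ports published on all interfaces. The socket path, the `SENSITIVE_HOST_PATHS` list and the `SAMPLE` record are assumptions made for this example.

```python
import http.client, json, socket

# Host paths an analyst wants to see mounted into a container (assumed triage list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over the daemon's local Unix socket; the host name is only a placeholder."""
    def __init__(self, socket_path):
        super().__init__("localhost")
        self.socket_path = socket_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)

def api_get(path, socket_path="/var/run/docker.sock"):
    """GET one Docker Engine API path and decode its JSON body."""
    conn = UnixHTTPConnection(socket_path)
    conn.request("GET", path)
    body = json.loads(conn.getresponse().read())
    conn.close()
    return body

def assess_container(inspect):
    """Flag risky settings in one /containers/{id}/json record (pure, so testable offline)."""
    findings = []
    if inspect.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged")
    prefixes = tuple(p + "/" for p in SENSITIVE_HOST_PATHS if p != "/")
    for m in inspect.get("Mounts", []):
        src = m.get("Source", "")
        if src in SENSITIVE_HOST_PATHS or src.startswith(prefixes):
            findings.append("host-mount:" + src)
    for cport, bindings in (inspect.get("NetworkSettings", {}).get("Ports") or {}).items():
        for b in bindings or []:  # None: exposed by the image but never published
            if b.get("HostIp") in ("", "0.0.0.0", "::"):
                findings.append(f"exposed:{cport}->{b.get('HostPort')}")
    return findings

def collect(socket_path="/var/run/docker.sock"):
    """Enumerate every container, running or stopped (all=1), and assess each one."""
    summary = []
    for c in api_get("/containers/json?all=1", socket_path):
        info = api_get("/containers/" + c["Id"] + "/json", socket_path)
        summary.append((c["Id"][:12], c["Names"][0], c["Image"], c["State"], assess_container(info)))
    return summary

# Constructed inspect record (not real data) so assess_container() can be run offline.
SAMPLE = {"HostConfig": {"Privileged": True, "NetworkMode": "bridge"},
          "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
                     {"Type": "volume", "Source": "/var/lib/docker/volumes/app/_data", "Destination": "/data"}],
          "NetworkSettings": {"Ports": {"6379/tcp": [{"HostIp": "0.0.0.0", "HostPort": "6379"}], "443/tcp": None}}}
```

Running `collect()` on a host requires read access to the daemon socket; a named volume under `/var/lib/docker/volumes` is deliberately not flagged, only bind mounts from the listed host paths are.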