Docker Volumes
Overview
Evidence: Docker Volumes
Description: Collect Docker Volumes
Category: Applications
Platform: macos
Short Name: dockvolumes
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Docker volumes provide persistent storage for containers, allowing data to persist beyond a container's lifecycle. Volume metadata reveals mount paths, drivers, and which containers have access to shared data, which is critical for data exfiltration and persistence investigations.
Data Collected
This collector gathers structured data about Docker volumes.
Collection Method
This collector queries the Docker daemon via the Docker Engine API to list all volumes. It extracts volume name, driver, mount point, labels, and scope information for each volume in the system.
Forensic Value
Volume data exposes sensitive data storage locations, shared volumes between containers (lateral movement risk), and host path mounts that may grant container access to sensitive host files. Investigators can identify data staging locations, credential stores, or malicious persistence mechanisms using volumes.
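The collection and triage described above, as an added example that is not the collector's own code: it reads the Engine API volume list and marks local-driver volumes that were created as bind mounts of a host path. The socket path, the function names, and the sample response are assumptions constructed for illustration.

```python
import http.client, json, socket

DOCKER_SOCK = "/var/run/docker.sock"  # assumption: default socket path

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over the Docker daemon's Unix socket."""
    def __init__(self, path):
        super().__init__("localhost")
        self._path = path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._path)

def fetch_volumes(sock_path=DOCKER_SOCK):
    """GET /volumes from the Engine API; returns the decoded JSON body."""
    conn = UnixHTTPConnection(sock_path)
    conn.request("GET", "/volumes")
    return json.loads(conn.getresponse().read())

def summarize(resp):
    """Extract name, driver, mount point, labels, scope; flag host-path binds."""
    rows = []
    for v in resp.get("Volumes") or []:        # "Volumes" may be null
        opts = v.get("Options") or {}
        # A local-driver volume created with o=bind maps a host directory.
        bind = (v.get("Driver") == "local"
                and "bind" in (opts.get("o") or "").split(","))
        rows.append({
            "name": v.get("Name"), "driver": v.get("Driver"),
            "mountpoint": v.get("Mountpoint"),
            "labels": v.get("Labels") or {}, "scope": v.get("Scope"),
            "host_path": opts.get("device") if bind else None,
        })
    return rows

# Constructed sample shaped like a GET /volumes response (not real evidence).
SAMPLE = {"Volumes": [
    {"Name": "pgdata", "Driver": "local", "Scope": "local",
     "Mountpoint": "/var/lib/docker/volumes/pgdata/_data",
     "Labels": {"com.docker.compose.project": "shop"}, "Options": None},
    {"Name": "hostetc", "Driver": "local", "Scope": "local",
     "Mountpoint": "/var/lib/docker/volumes/hostetc/_data", "Labels": None,
     "Options": {"type": "none", "o": "bind", "device": "/etc"}},
], "Warnings": None}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

To run it against a live daemon, pass `fetch_volumes()` to `summarize()` in place of `SAMPLE`.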

