Docker Changes

Overview

Evidence: Docker Changes
Description: Collect Docker Changes
Category: Applications
Platform: windows
Short Name: dockchanges
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Docker filesystem changes track the modifications made to a container's filesystem since the container was created. They reveal which files were added, modified, or deleted, which is essential for detecting malware installation, data tampering, or unauthorized access.

Data Collected

This collector gathers structured data about Docker filesystem changes.

Collection Method

This collector queries the Docker daemon via the Docker Engine API to retrieve filesystem changes for each container. It lists file paths and change types (added, modified, deleted) since the container was created from its base image.
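The following is an added example, not the collector's own code, of how the Engine API's changes response can be parsed and triaged. It assumes the documented shape of `GET /containers/{id}/changes` (a list of `Path`/`Kind` entries, with Kind 0, 1 and 2 meaning modified, added and deleted), uses a constructed sample body so it runs offline, and the optional live fetch assumes a Linux host exposing the daemon on a Unix socket (Windows hosts use a named pipe, which it does not handle); the triage rules are illustrative, not the collector's.

```python
import http.client
import json
import socket

KIND_NAMES = {0: "modified", 1: "added", 2: "deleted"}  # Engine API "Kind" values

# Constructed sample body shaped like the API response (not real collector data)
SAMPLE_CHANGES_JSON = json.dumps([
    {"Path": "/etc", "Kind": 0},
    {"Path": "/etc/crontab", "Kind": 0},
    {"Path": "/tmp/.x", "Kind": 1},
    {"Path": "/tmp/.x/run.sh", "Kind": 1},
    {"Path": "/var/log/auth.log", "Kind": 2},
])

# Illustrative triage rules (assumed, not the collector's): change type, path prefix, label
TRIAGE_RULES = [
    ("deleted", "/var/log/", "possible log tampering"),
    ("modified", "/etc/crontab", "possible persistence via cron"),
    ("added", "/tmp/", "new file staged in a scratch directory"),
]

def parse_changes(raw_json):
    """Convert the raw API body into {path, change} records; reject unknown kinds."""
    records = []
    for entry in json.loads(raw_json):
        kind = entry.get("Kind")
        if kind not in KIND_NAMES:
            raise ValueError(f"unknown Kind {kind!r} for {entry.get('Path')!r}")
        records.append({"path": entry["Path"], "change": KIND_NAMES[kind]})
    return records

def triage(records):
    """Return (path, label) for records matching a rule: a starting point for review, not a verdict."""
    return [(r["path"], label) for r in records
            for change, prefix, label in TRIAGE_RULES
            if r["change"] == change and r["path"].startswith(prefix)]

def fetch_changes(container_id, socket_path="/var/run/docker.sock"):
    """Live query over the daemon's Unix socket (assumption: Linux host; Windows uses a named pipe)."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect(socket_path)
    conn = http.client.HTTPConnection("localhost")
    conn.sock = sock  # hand the connected Unix socket to http.client instead of opening TCP
    conn.request("GET", f"/containers/{container_id}/changes")
    resp = conn.getresponse()
    body = resp.read().decode()
    if resp.status != 200:
        raise RuntimeError(f"Engine API returned {resp.status}: {body}")
    return parse_changes(body)
```

Note that a directory such as `/etc` is itself reported as modified when a file beneath it changes, so directory entries are expected noise rather than findings.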

Forensic Value

Filesystem changes expose malware droppers, backdoor installations, log tampering, credential theft, or data exfiltration staging. Investigators can identify suspicious file modifications, detect persistence mechanisms, and trace attacker activities within compromised containers.
