Docker Image History
Overview
Evidence: Docker Image History
Description: Collect Docker Image History
Category: Applications
Platform: windows
Short Name: dockimagehist
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Docker image history shows the layered build steps and commands used to construct an image. This forensic data reveals how an image was built, what software was installed, files added, and configuration changes made during image creation.
Data Collected
This collector gathers structured data about Docker image history.
Collection Method
This collector queries the Docker daemon via Docker Engine API to retrieve the build history of each image. It extracts layer ID, created time, created by command, size, and tags for each layer in the image's history.
Forensic Value
Image history exposes malicious commands embedded in image layers, such as backdoor installations, credential theft scripts, or cryptominer deployments. Investigators can identify suspicious layers, trace image lineage, and detect tampering or supply chain attacks in containerized environments.