Docker Images
Overview
Evidence: Docker Images
Description: Collect Docker Images
Category: Applications
Platform: windows
Short Name: dockimages
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Docker images are templates used to create containers, consisting of layered filesystems and metadata. Image inventories reveal deployed applications, base operating systems, vulnerabilities, and potentially malicious or unauthorized images in the environment.
Data Collected
This collector gathers structured data about Docker images.
Collection Method
This collector queries the Docker daemon via the Docker Engine API to list all images (tagged and untagged). It extracts image ID, repository tags, size, creation time, and layer information for each image stored locally.
Forensic Value
Image data helps identify vulnerable base images, unauthorized images pulled from untrusted registries, backdoored images, or bloated images that may hide malicious payloads. Tracking image provenance and tags assists in supply chain security investigations and compliance audits.
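One way to triage such an image inventory, as an added example that is not part of the original page or the collector's own code. The records are constructed in the shape of the Docker Engine API image list response (GET /images/json), and the trusted-registry allowlist and function names are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like the JSON array returned by
# GET /images/json?all=true (IDs shortened; not real digests).
SAMPLE_IMAGES = [
    {"Id": "sha256:1111", "RepoTags": ["nginx:1.25"], "Created": 1700000000, "Size": 187000000},
    {"Id": "sha256:2222", "RepoTags": ["registry.example.internal:5000/team/api:2.3"],
     "Created": 1705000000, "Size": 94000000},
    {"Id": "sha256:3333", "RepoTags": ["files.example.net/tools/helper:latest"],
     "Created": 1709000000, "Size": 1520000000},
    {"Id": "sha256:4444", "RepoTags": ["<none>:<none>"], "Created": 1709500000, "Size": 7300000},
    {"Id": "sha256:5555", "RepoTags": None, "Created": 1709600000, "Size": 7300000},
]

# Assumed allowlist for this example; replace with the registries you approve.
TRUSTED_REGISTRIES = {"docker.io", "registry.example.internal:5000"}

def registry_of(ref):
    """Return the registry host of an image reference (Docker's defaulting rule)."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"  # no explicit host means Docker Hub

def triage(images, trusted=TRUSTED_REGISTRIES):
    """Normalize image records and attach review flags for an analyst."""
    rows = []
    for img in images:
        # Untagged images appear as null, an empty list, or "<none>:<none>".
        tags = [t for t in (img.get("RepoTags") or []) if t != "<none>:<none>"]
        flags = [] if tags else ["untagged"]
        for tag in tags:
            reg = registry_of(tag)
            if reg not in trusted:
                flags.append(f"untrusted-registry:{reg}")
        created = datetime.fromtimestamp(img["Created"], tz=timezone.utc)
        rows.append({"id": img["Id"], "tags": tags,
                     "size_mb": round(img["Size"] / 1e6, 1),
                     "created": created.isoformat(), "flags": flags})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_IMAGES):
        print(row)
```

Flagged rows are leads for review, not verdicts: an untagged image is often just a superseded build, so correlate it with creation time and layer information before drawing conclusions.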

