Docker for Forensic Analysts | Hack42 Labs - Expert Forensics Research

Docker for Forensic Analysts

By Andrew Hoog | January 5, 2020

Docker Intro

Docker is a software platform that lets forensic analysts isolate and run an application or service in a single container. The platform is open source and widely adopted in the development and operations community.

Check out Hack42 Lab’s Private Docker Registry for forensic analysts.

Why use Docker for forensics?

While initially popular with development and operations teams, Docker can be a powerful tool for forensic analysts. Some of its key enterprise benefits are also hugely beneficial for forensic analysis, including:

1. Immutable

Docker images are immutable, meaning they do not change over time. With a single configuration file, your analysis tools are consistently configured. This allows high confidence in the tool results and simplifies documenting the exact analysis tools used, whether for court or for reproducibility.

2. Portable

Docker images run on Windows, macOS and Linux, or on servers and in the cloud. This means forensic analysts can consistently run powerful tools regardless of their operating system or deployment.

3. Isolated

Docker has built-in security that isolates running containers from the underlying operating system and from each other. Containers can still be easily configured to share data where appropriate.

4. Traceable

Docker provides a simple mechanism to understand the exact version of software you are running and how the Docker image is composed. This traceability simplifies documentation, reporting and consistency.

5. Scalable

Docker has built-in mechanisms to scale. With technologies such as Docker Swarm and Kubernetes (K8s), containers can be deployed, managed and scaled easily. These techniques can dramatically reduce the time needed for complex forensic analysis.

6. Lightweight

Unlike traditional virtual machines, containers leverage the underlying operating system and use system resources far more efficiently. A forensic analyst can very quickly run a Docker container while continuing to use their workstation.
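As an added example that is not from the original post or the Hack42 Labs registry, the Dockerfile below builds a Sleuth Kit analysis image that puts the immutability, isolation and traceability points above into practice. The base image digest is a placeholder, and the package version, label values and mount paths are assumptions to replace with values you verify yourself.

```dockerfile
# Added example: a reproducible Sleuth Kit analysis image.
# Immutable: pin the base image by digest, not just by tag, so this file
# always resolves to the same bytes. The digest is a PLACEHOLDER; copy the
# real one from the output of `docker pull debian:bookworm-slim`.
FROM debian:bookworm-slim@sha256:PLACEHOLDER_BASE_IMAGE_DIGEST

# Traceable: describe how the image is composed using standard OCI labels
# (the values here are assumed; fill in your own source and version).
LABEL org.opencontainers.image.title="sleuthkit-analysis" \
      org.opencontainers.image.version="0.1.0" \
      org.opencontainers.image.source="https://example.invalid/your-repo" \
      org.opencontainers.image.description="The Sleuth Kit CLI for disk image analysis"

# Pin the tool version (assumed value; confirm with `apt-cache policy sleuthkit`)
# so the exact binaries used can be cited in a report.
ARG SLEUTHKIT_VERSION=4.11.1+dfsg-1
RUN apt-get update \
 && apt-get install -y --no-install-recommends "sleuthkit=${SLEUTHKIT_VERSION}" \
 && rm -rf /var/lib/apt/lists/*

# Isolated: run as an unprivileged user. Evidence is mounted read-only at
# run time; results go to a separate writable mount.
RUN useradd --create-home --shell /usr/sbin/nologin analyst \
 && mkdir -p /evidence /output \
 && chown analyst:analyst /output
USER analyst
WORKDIR /output
VOLUME ["/output"]

# Default action: print the partition table of the mounted disk image.
ENTRYPOINT ["/bin/sh", "-c"]
CMD ["mmls /evidence/disk.dd"]

# Build and run from the host shell (paths are assumed):
#   docker build -t sleuthkit-analysis:0.1.0 .
#   docker run --rm --network none --read-only --tmpfs /tmp \
#       -v "$PWD/evidence:/evidence:ro" -v "$PWD/output:/output" \
#       sleuthkit-analysis:0.1.0 "fls -r -m / /evidence/disk.dd > bodyfile.txt"
# Record the image ID in your case notes so the run can be reproduced:
#   docker image inspect --format '{{.Id}}' sleuthkit-analysis:0.1.0
```

Because the evidence directory is mounted read-only and the container has no network, the tool can read the disk image but cannot alter it or exfiltrate it; all output lands in the separate output mount.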

Example forensic use cases for Docker

There are many ways Docker can assist a forensic analyst; the following are just a few:

  1. Test a new version of a tool without affecting your base operating system
  2. Use a tool that requires a version of Java or Python that you don’t have installed or conflicts with your system
  3. Run a tool that leverages nodejs but without installing and maintaining a nodejs environment
  4. Run an enterprise database server (e.g. mysql, postgres) and isolate it for each case
  5. Run powerful Linux commands on Windows

We will periodically update this list of use cases. If you currently or in the future use Docker and can share your use case or experience, please drop us a line and let us know!

Try it out

If you’d like to try it out, here’s a quick overview (see the full tutorial for a more detailed walk through):

  1. Install Docker and take a quick look at their Getting Started Guide
  2. Run the command docker run hello-world to verify your setup
  3. Register for a Hack42 Labs account
  4. Log in to our private Docker registry for forensic analysts
  5. Experiment with prebuilt forensic tools!

Docker Tutorials

There are many excellent tutorials online for Docker. Over time, we will develop a tutorial specifically for forensic analysts. In the meantime, here are some excellent tutorials you can check out online now:

  1. Official Docker - Get Started
  2. Docker Tutorial: Get Going From Scratch
  3. A fast and easy Docker tutorial for beginners (video series)
  4. Docker Images for Malware Analysis