Someone deployed their application as a Docker container. Then another someone came along and hacked it. Now everyone is looking at you asking, "How did this happen? What did the attacker do? How do we stop this from happening again!?" If this were a normal physical server or VM, it'd be no problem: you'd just crack open traditional forensic tools and start building a forensic history from the disk image. But this is a Docker container... and your tools don't know what Docker containers are. So now what? In this talk, we'll go over what a Docker container looks like from a forensic viewpoint. We'll dig into how you can get access to the underlying disk/filesystem data of a compromised container and which existing forensic tools that you may already use can still apply. We'll also cover what new forensic opportunities Docker provides and new metadata that can be extracted that wouldn't be available on a conventional system. When we're done, you'll know how to tear apart a Docker container and get all those people turning to you the answers they need.

Joel Lathrop spent his childhood developing computer software, a path which eventually led him into the field of cybersecurity. Beginning with work in developing distributed systems for ensuring privacy and anonymity, he picked up an interest in cryptography which led to an M.S. focused on cryptanalysis. Delving deeper into the subfield of threat intelligence, Joel has applied his occasionally unorthodox approach to reverse engineering and forensic analysis toward research into topics such as malware counter-exploitation, malware obfuscation evolution, and botnet neutralization. In what spare time he has, he enjoys keeping up with advances in programming language theory, cryptography, and distributed systems design as well as attending the occasional opera.

Back to Derbycon 2018 video list