Pensieve - Finding Malicious Artifacts in Container Environments

Offered By: Security BSides San Francisco via YouTube

Course Description

Overview

Explore techniques for forensic investigation in container environments through this conference talk from BSidesSF 2018. Discover how traditional forensic tools fall short in ephemeral and immutable infrastructure, and learn about approaches built on Checkpoint/Restore In Userspace (CRIU), Docker techniques, and other specialized tools. Gain insights into evidence retention and artifact gathering from known malicious containers, enabling security operators to better understand adversarial activities. Delve into topics such as namespaces, cgroups, layered and overlay file systems, memory layout, disk forensics, live analysis, and container metadata. Watch a demonstration of the Cryo Image Tool and understand how these methods can enhance security investigations in containerized environments.

Syllabus

Introduction
Pensieve
What are containers
Namespaces
cgroups
Layered File System
Overlay File System
Memory Layout
Disk forensics
Live analysis
Container metadata
Traditional tools
Cryo Image Tool
Demo
Summary
Taught by

Security BSides San Francisco
