A Method of Docker Container Forensics Based on API

Jie Xiang
Institute of Computer Forensics, Chongqing University of Posts and Telecommunications
Chongwen Road, Nan'an District, Chongqing, China
86+13618379301
1305154073@qq.com

Long Chen
Institute of Computer Forensics, Chongqing University of Posts and Telecommunications
Chongwen Road, Nan'an District, Chongqing, China
chenlong@cqupt.edu.cn

ABSTRACT
As one of the main technologies supporting cloud computing virtualization, Docker offers fast and lightweight virtualization and has been adopted by numerous platform-as-a-service (PaaS) systems, but forensics research on Docker has not yet received corresponding attention. Like traditional cloud services, Docker can be used to store and distribute illegal information and as a carrier for initiating attacks.

This paper explains Docker service principles and structural features, analyzes the models and methods of forensics in the related cloud environment, and then proposes a Docker container forensics solution based on the Docker API. The Docker APIs are used to derive the Docker container instances, copy and back up the container data volume, and extract the key evidence data, such as container log information, configuration information and image information, thus performing localized fixing of the volatile evidence and data in the Docker service container. Digital signatures and encryption are combined with this to protect the integrity of the original evidence data.

CCS Concepts
Applied computing → Computer forensics

Keywords
Cloud Computing, Docker Forensics, Docker API, Integrity

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org.
ICCSP 2018, March 16-18, 2018, Guiyang, China
© 2018 Association for Computing Machinery.
ACM ISBN 978-1-4503-6361-7/18/03…$15.00
DOI: https://doi.org/10.1145/3199478.3199506

1. INTRODUCTION
According to the definition of the National Institute of Standards and Technology [1], cloud computing is a computing or service model in which computer networks are used to provide a shared pool of configurable resources (such as networks, servers, storage, applications, etc.) that can be accessed conveniently, anytime, anywhere and on demand, and that can be rapidly provisioned and released with minimal management effort or service provider interaction. By using cloud computing, users can quickly adjust their occupied resources according to their business load, pay for the resources they consume on demand, and improve service quality while reducing operation and maintenance costs. Classic cloud computing architectures comprise three service tiers: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service) [2].

The IaaS layer serves infrastructure operation and maintenance staff and provides computing, storage, networking and other basic resources, on which cloud platform users can deploy and run any software, including operating systems and applications, without being distracted by infrastructure management.

The PaaS layer serves application developers: it provides the software operating environment needed to run applications, together with related tools and services such as database, logging and monitoring services, so that application development can focus on the core business. The SaaS layer serves general users: it provides a complete set of ready-to-use software systems, so that users need not pay attention to technical details and can use the applications deployed in the cloud simply through a browser, an application client and so on [3].

In recent years, with the development and maturation of container virtualization technology [4], more and more cloud service providers such as Google, Microsoft, Amazon, VMware and IBM support Docker's more flexible and efficient virtualization technology. Because it provides convenient and reliable computing services at low cost and high efficiency, it continues to attract a large number of individual users and businesses to cloud services for information computing, processing, storage, sharing and so on. However, while the cloud platform provides users with efficient services, lawless elements also use the cloud platform for illegal activities. Therefore, as virtualization and cloud computing technologies become more closely integrated [5], realizing forensics in the cloud environment has become an important issue [6].

At this stage, Docker container forensics mainly faces the following problems:

1) Evidence volatility: The Docker container application service is deployed on the cloud server. After the container is deleted, the data in the container is deleted as well, and its virtualization resources are recycled, resulting in the complete loss of the data within the container; that is, the volatile data of the online Docker application service is lost and cannot be retrieved.

2) Evidence integrity: The integrity of evidence needs to be maintained during the cloud forensic investigation, but this
is very difficult. Data integrity is a difficult part of the cloud forensics process: the original data must not be modified. Additionally, Docker container forensics must be able to obtain raw data from a running container through the CSP without affecting the service the CSP provides, and because the hosts providing Docker application services may belong to different CSPs, authentication and authorization between the forensics side and the CSP must be implemented.

3) Cross-platform, cross-host container forensics: As a lightweight virtualization technology, Docker is widely used to build PaaS platforms. Unlike IaaS, a PaaS platform can run on multiple independent hosts, even hosts belonging to different service providers. This requires container forensics not only to take data from one host's containers, but also to manage the forensics process across multiple hosts.

Therefore, to meet the forensic requirements of the Docker environment described above and implement a forensic process for Docker containers, the forensic investigation must be able to obtain the data of the target containers on the cloud platform conveniently, quickly, in batches and in a legal manner through the CSP.

2. Related Work Analysis
Cloud forensics is an emerging field that studies how to identify, acquire, analyze and present digital evidence in the cloud environment and how to find evidence for investigation [7]. It is an interdisciplinary subject of computer forensics and cloud computing. The characteristics of cloud computing make traditional computer forensics techniques, tools, frameworks and models difficult to use in a cloud environment [8]. Research on cloud forensics defines it as the use of scientific theory, technical practice and verification methods to reconstruct an incident that occurred in the cloud environment, with the reconstruction supported by evidence identification, collection, preservation, examination, interpretation and reporting.

Because of the characteristics of the cloud environment, such as virtualization, distribution, multi-tenancy and high elasticity, the traditional methods and tools of electronic forensics cannot be applied directly to it. It is therefore particularly important to study forensic investigation in the cloud environment. Like traditional cloud services, Docker-based cloud environments also raise many forensics issues. However, the cloud service based on the Docker container environment lacks comprehensive and in-depth research and discussion, and evidence collection research for the Docker environment is still lagging behind at this stage.

S. Zawoad et al. proposed an open cloud forensics model, OCF [9], which improved some cloud forensics processes and also considered the importance of cloud service providers. Zhang Kun developed and operated a forensic system [10] on Cloud Foundry, an open source PaaS cloud platform, with which forensic scientists can extract and fix the evidence of the involved virtual machines, log records and database files. Xie Yalong, Ding Liping and others proposed a cloud forensics framework for the IaaS mode [11]: by installing an EC (Evidence Replicator) in a virtual machine instance and a real-time process monitor in the hypervisor, the ICFF can obtain the data of the virtual machine as soon as any irregular process or log entry occurs. Wu Sheng [12] proposed a PaaS evidence framework based on the Docker platform. That article first researches and analyzes container virtualization technology, system virtualization technology and the PaaS platform, compares container virtualization with system virtualization, studies the implementation and application of PaaS, and then, according to the features of container virtualization and the PaaS platform, proposes a theoretical framework for PaaS cloud computing forensics and designs and implements a PaaS cloud forensics prototype system on that basis. Zhou Gang [13] proposed a method based on the dynamic migration of virtual machines. This method saves the volatile data, such as the memory map and network connections, of the virtual machine instance during migration. For a migrated virtual machine instance, the forensic investigator can reload the instance on the forensics server and then investigate and analyze it in compliance with forensic specifications. Huber et al. [14] were among the first to use a cloud service API as part of the legal process. However, their main goal was to take a snapshot of the target social network through the Facebook Graph API to provide context for the investigation. Among commercial tools, Cloud Data Explorer from ElcomSoft [15] can retrieve (through service APIs) user artifacts from Google accounts, including profile information, messages, contacts and search history, but it has no facility for getting Drive data or for services other than Google.

3. API-based Docker Container Forensics Program

3.1 Introduction to Docker
Docker is an open source PaaS platform for automating the deployment of applications: it packages, publishes and runs applications quickly and easily in a lightweight software layer called a container.

According to the official definition, Docker takes the container as the basic unit of resource partitioning and scheduling, packages the entire software runtime environment, and is designed for developers and system administrators to build, publish and run distributed applications on the platform. It is a cross-platform, portable and easy-to-use container solution. Docker quickly and automatically deploys applications inside containers and provides resource isolation and security for the container through operating system kernel technologies (namespaces, cgroups, etc.). Docker containers are created from Docker images. The Docker daemon communicates directly with the host operating system to allocate resources to individual containers; it also isolates the containers from the host operating system and from each other. Because no bloated guest operating system is needed, Docker saves a lot of disk space and other system resources. Figure 1 shows the architecture of a Docker container.

Figure 1. Docker container architecture
3.1.1 Docker file directory analysis
Docker's default working directory is /var/lib/docker, which contains the important directories and files for building the file system environment required by Docker containers, as shown in figure 2 (based on an ubuntu-16.04.1 host system environment):

Figure 2. Docker root directory

As can be seen in figure 2, this host uses the aufs file system. The graph, containers and volume directories are briefly introduced below.

1) The graph directory stores the description files of all images. For each image layer, the graph directory has two files, json and layersize: the json file records the corresponding Docker image ID, dependencies, creation time, configuration information, etc., and layersize records the size of the Docker image. The complete data of the image itself is stored in the /var/lib/docker/aufs/diff directory.

2) The containers directory stores the configuration information of the containers; this configuration information contains all the metadata of a container, as table 1 shows:

Table 1. Container configuration file and content
file name                file content
[container-id]-json.log  container log information
hostconfig.json          defines the distribution of each resource of the container
hostname                 defines the host name inside the container
hosts                    defines the container's routing table
resolv.config            defines the container's DNS server address
resolv.config.hash       the hash value of the resolv.config file

3) The Docker data volume is a mechanism introduced for sharing and persisting files and folders between containers and hosts, and between containers. When a volume is created from a folder in a container, the volume's ID directory is placed under the /var/lib/docker/volume path, which means that any change in the container's mounted folder is reflected directly in the host path /var/lib/docker/[container-ID]/_data, and this reflection is bidirectional.

3.1.2 Docker API
As an open cloud platform, Docker opens its APIs to developers to give them more freedom to use the features provided by the platform and to customize applications with specific functions. By using the Docker API in an application, the application can communicate directly with the Docker daemon, the image library and the Docker Hub platform. The Docker service host itself contains the Docker client and the Docker daemon. The Docker service is provided by the daemon, which the outside world accesses through a socket. For security reasons, Docker listens for local communication requests by default, and local clients can communicate directly with the daemon socket. Some of the APIs that can be used for forensics work are listed below: table 2 shows APIs related to containers and table 3 shows APIs related to images.

Table 2. API related to container
Function                    Method                        Parameter
List containers             GET /containers/json          all, limit
Check the information       GET /containers/(id)/json
Running processes           GET /containers/(id)/top
Get the log                 GET /containers/(id)/logs     follow, stdout, stderr
Export                      GET /containers/(id)/export
Generate snapshot           POST /containers/(id)/commit
Copy the directory / file   POST /containers/(id)/copy

Table 3. API related to image
Function                    Method                        Parameter
List images                 GET /images/json              all, filters
Check the image information GET /images/(name)/json
Get image history           GET /images/(name)/history
Save image                  GET /images/save

Using the related APIs, we can program with the docker-py library from Docker's official portal to list containers, view information, list running processes, get logs, export containers, generate container snapshots, and copy directories / files from containers. The system can thus obtain the information of the forensic object, such as container data, container log information, container configuration information, the container's mounted data volume, and the like.

In the context of cloud forensics, APIs are officially supported by the CSP and have well-defined semantics and detailed documentation. This provides a formal and accurate way to develop and test forensic tools, and collecting evidence data through the API is straightforward. Second, the forensics process reduces the dependence on the CSP and reduces the CSP's direct operation on the original evidence data, thus protecting the validity and integrity of the original evidence data. In addition, a single file typically includes a hash of its content, providing integrity protection during retrieval.
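The container endpoints of Table 2 in use, as an added example that is not the paper's DockerApiForensic.py: it collects the inspect, top, logs and export artifacts of one container over the daemon's local Unix socket with the standard library only, writes them to a dated evidence directory and records a SHA-256 per file so that later alteration is detectable. The socket path, the artifact file names and the pluggable `get` transport are assumptions; the /logs demultiplexing follows the Engine API's framed stream format.

```python
"""Collect Docker Engine API artifacts for one container and fix them locally.
Added example, not the paper's DockerApiForensic.py; standard library only."""
import hashlib
import http.client
import json
import pathlib
import socket
import struct
from datetime import date

DOCKER_SOCK = "/var/run/docker.sock"   # assumed default daemon socket path

# Read-only endpoints from Table 2, keyed by the artifact file each produces.
CONTAINER_ENDPOINTS = {
    "inspect.json": "/containers/{id}/json",
    "top.json": "/containers/{id}/top",
    "logs.raw": "/containers/{id}/logs?stdout=1&stderr=1&timestamps=1",
    "export.tar": "/containers/{id}/export",
}


def engine_get(path, sock_path=DOCKER_SOCK):
    """GET one Engine API path over the daemon's local Unix socket (nothing
    has to be exposed on TCP) and return the raw response body."""
    conn = http.client.HTTPConnection("localhost")
    conn.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    conn.sock.connect(sock_path)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status // 100 != 2:
        raise RuntimeError("%s -> HTTP %d: %r" % (path, resp.status, body[:200]))
    return body


def demux_logs(raw):
    """Split a /logs response into stdout and stderr. Non-TTY containers send
    8-byte frames (stream type, 3 pad bytes, big-endian u32 length); a TTY
    container sends plain text, which is returned unchanged as stdout."""
    out, pos = {1: b"", 2: b""}, 0
    while pos + 8 <= len(raw):
        stream, length = raw[pos], struct.unpack(">I", raw[pos + 4:pos + 8])[0]
        if stream not in out or raw[pos + 1:pos + 4] != b"\0\0\0":
            break
        out[stream] += raw[pos + 8:pos + 8 + length]
        pos += 8 + length
    if pos != len(raw):   # not (entirely) framed: TTY container, plain text
        return {"stdout": raw.decode("utf-8", "replace"), "stderr": ""}
    return {"stdout": out[1].decode("utf-8", "replace"),
            "stderr": out[2].decode("utf-8", "replace")}


def network_summary(inspect_doc):
    """Gateway, container address and container-port -> host-port bindings."""
    nets = inspect_doc.get("NetworkSettings", {})
    binds = inspect_doc.get("HostConfig", {}).get("PortBindings") or {}
    return {"gateway": nets.get("Gateway"), "ip": nets.get("IPAddress"),
            "ports": {cport: [b["HostPort"] for b in (hosts or [])]
                      for cport, hosts in binds.items()}}


def collect_container(container_id, out_dir, get=engine_get, today=None):
    """Fetch every artifact, write it under out_dir and return a manifest with
    a SHA-256 digest per file: the local fixing of the volatile evidence."""
    stamp = (today or date.today()).isoformat()
    dest = pathlib.Path(out_dir, "ForensicsInfo_%s_%s" % (container_id, stamp))
    dest.mkdir(parents=True, exist_ok=True)
    files = {name: get(tmpl.format(id=container_id))
             for name, tmpl in CONTAINER_ENDPOINTS.items()}
    logs = demux_logs(files["logs.raw"])
    files["logs.stdout.txt"] = logs["stdout"].encode("utf-8")
    files["logs.stderr.txt"] = logs["stderr"].encode("utf-8")
    manifest = {"container": container_id, "collected": stamp, "path": str(dest),
                "files": {}, "network": network_summary(json.loads(files["inspect.json"]))}
    for name, body in files.items():
        (dest / name).write_bytes(body)
        manifest["files"][name] = hashlib.sha256(body).hexdigest()
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(dest):
    """Return the names of files under dest whose SHA-256 no longer matches
    manifest.json (an empty list means the evidence is intact)."""
    dest = pathlib.Path(dest)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [name for name, digest in manifest["files"].items()
            if hashlib.sha256((dest / name).read_bytes()).hexdigest() != digest]
```

Against a live daemon, `collect_container("2fa91a010dda", "/tmp")` reads the real responses; the same function accepts any `get` callable, which is how it is exercised on constructed data.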
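The sign-and-encrypt exchange between the CSP and FA integrity protection modules, as an added example (not the paper's KeyGeneration.py or versfy.py). It assumes the `cryptography` package and picks RSA-PSS, RSA-OAEP and AES-256-GCM as the concrete algorithms, since the paper names only a digital signature and AES; the FA key pair used to wrap the AES key is likewise an assumption.

```python
"""Seal extracted evidence on the CSP side and open it on the FA side.
Added example, not the paper's KeyGeneration.py / versfy.py; needs the
`cryptography` package (assumption) and fixes the paper's unnamed algorithms
to RSA-PSS (signature), RSA-OAEP (key wrap) and AES-256-GCM (encryption)."""
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """RSA-2048 pair: the private object stays with its owner, the PEM public
    half is handed to the other party (the paper's private.pem / public.pem)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, public_pem


def seal_evidence(evidence, container_id, csp_private_key, fa_public_pem):
    """CSP side: sign the raw evidence, encrypt signature + evidence under a
    fresh AES-256-GCM key, and wrap that key for the FA. The container id is
    bound in as associated data, so relabelling the envelope is detected."""
    signature = csp_private_key.sign(evidence, PSS, hashes.SHA256())
    aes_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)                      # GCM: never reuse with a key
    ciphertext = AESGCM(aes_key).encrypt(nonce, signature + evidence,
                                         container_id.encode("utf-8"))
    fa_public_key = serialization.load_pem_public_key(fa_public_pem)
    return {"container": container_id,
            "wrapped_key": fa_public_key.encrypt(aes_key, OAEP).hex(),
            "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex()}


def open_evidence(envelope, fa_private_key, csp_public_pem):
    """FA side: unwrap the AES key, decrypt, then verify the CSP signature.
    Raises ValueError if the key, the container id or the body was altered."""
    csp_public_key = serialization.load_pem_public_key(csp_public_pem)
    sig_len = csp_public_key.key_size // 8      # RSA signature = modulus size
    try:
        aes_key = fa_private_key.decrypt(
            bytes.fromhex(envelope["wrapped_key"]), OAEP)
        plain = AESGCM(aes_key).decrypt(bytes.fromhex(envelope["nonce"]),
                                        bytes.fromhex(envelope["ciphertext"]),
                                        envelope["container"].encode("utf-8"))
        signature, evidence = plain[:sig_len], plain[sig_len:]
        csp_public_key.verify(signature, evidence, PSS, hashes.SHA256())
    except (ValueError, InvalidSignature, InvalidTag) as exc:
        raise ValueError("evidence for container %s failed the integrity check: %s"
                         % (envelope["container"], exc.__class__.__name__))
    return evidence
```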
3.2 System Implementation and Experimental Analysis
In this article, API programming is done with the official docker-py library provided by Docker; docker-py is the official Python interface library for the Docker API. The development environment for docker-py consists of a Python environment and the configuration of the docker-py library, and the host operating system is CentOS. The running Docker version is 1.12.6; the related Docker version information can be obtained with the docker info or docker version command.

In this scheme, the Docker API is used to implement Docker container forensics without affecting the service provided by the container, and users feed back the application usage of the container, so that the container operation data can be extracted.

3.2.1 Forensics architecture
In our forensic approach, access control and management of the Docker containers that provide cloud services solve the problem of how evidence is obtained in the cloud service environment. The modular design of the forensics system framework is shown in figure 3:

Figure 3. Forensics architecture

1) Forensic Agent (FA): The forensic agent receives the forensic request information from the judiciary, then issues a forensic request to the CSP and provides the relevant authentication information. Secondly, the forensic agent receives the original evidence information from the CSP and verifies, signs and stores it after completing the encryption. The forensic agent provides an interface for forensic personnel to perform forensic analysis.

2) Cloud service providers (CSP): CSPs have control over cloud data and also control the forensics tasks against the object containers. The CSP accepts the FA's forensics request and, after completing authentication, authorizes the forensic server to perform the forensics service.

3) The FA side contains four modules: the FA forensics server, the FA data receiving module, the data storage module and the data integrity protection module. The FA forensics server issues forensic requests to the CSP, manages the evidence data, opens a forensic analysis interface to forensics personnel and keeps forensic audit records. The data receiving module uses a fixed port to receive evidence data from the CSP. The data storage module stores the evidence data securely. The data integrity protection module decrypts and verifies the evidence data using the CSP signature and public key to ensure the validity and integrity of the evidence data.

4) The CSP side contains five modules: the CSP forensics server, the data extraction module, the data integrity protection module, the forensic data pool and the CSP data transmission module. The CSP forensics server is deployed on a CSP operating system running the Docker application, typically Ubuntu. The CSP forensics server responds to FA forensics requests and completes the authentication, authorization and forensics services. The data extraction module extracts the raw evidence data using the relevant APIs. The forensic data pool provides temporary storage for the extracted original evidence data and can be located under the /tmp path; after the forensic services are completed, the original evidence data is deleted and the storage resources are recovered. The data integrity protection module uses digital signature technology and AES encryption technology to sign and encrypt the original evidence data with the CSP's signing and encryption private keys. The CSP data transfer module uses a fixed port to securely transmit the original evidence data to the FA.

3.2.2 Experimental Analysis
In this article, the experiment was conducted on a VMware Workbench 10 virtual machine with CentOS installed, kernel version 3.10.0-514.21.1.el7.x86_64. The deployed Docker version is 1.12.6, and the nginx image is used to create two running containers with container IDs 2fa91a010dda and 6ae774c3b954, shown in figure 4.

Figure 4. Running container

The language is Python, version 2.7.6. To install the docker-py library, just pull its tarball from GitHub, decompress it locally and install it from a Python script. After the development environment is set up, programming can begin. Figure 5 shows the code files of the forensics tool and the formatting of its commands.

Figure 5. Formatting command for evidence extraction

With the commands in Figure 5, the relevant information of the forensic object container can be obtained. In the following, the container with ID 2fa91a010dda is taken as the forensics object.

In Figure 6, both the code implementing the program and the extracted evidence files are stored temporarily in the /wenjun directory. Among them, DockerApiForensic.py is the evidence extraction program, KeyGeneration.py implements evidence encryption, versfy.py implements evidence signing, and private.pem and public.pem contain the private key and public key; on the CSP forensics side, the public and private keys used in the evidence stage are managed by the CSP. In addition, the /data directory is the storage directory of the extracted container data volume, and ForensicsInfo_containers_json_all_2017-12-21 (in this document, the corresponding forensic object container ID is
2fa91a010dda) is the evidence data in JSON format, whose content corresponds to the container content checked by the docker inspect command. The docker inspect command shows the details of an image or container, including the container name, environment variables, run command, host configuration, network configuration and data volume configuration. Its usage is: docker inspect CONTAINER|IMAGE [CONTAINER|IMAGE...]. ForensicsInfo_containers_json_all_sign_2017-12-21 is the encrypted signature of ForensicsInfo_containers_json_all_2017-12-21, as shown in figure 7 and figure 8:

Figure 6. Forensics program directory

Figure 7. File content

Figure 8. Signed / Encrypted file

Formatting the ForensicsInfo_containers_json_all_2017-12-21 file with the JSON validation and formatting tool BeJson, the following fields can be found in the output:

Figure 9. Container status information

Figure 9 shows the container ID, creation time, running status, mounted data volumes and other information.

Figure 10. Image information

Figure 10 shows the container's image ID, image name, image file path, devicemapper file system and other information.

Figure 11. Networks

Figure 12. PortBindings

For Docker container forensics, forensics personnel can focus on the two fields "Networks" and "PortBindings" in the figures above. As can be seen in figure 11 and figure 12, the virtual gateway of this Docker environment is 172.17.0.1, the internal address of this container is 172.17.0.3, and the container exposes its own port 80, which corresponds to the 808/0 port of the host.

Similarly, executing the other forensic commands can copy and back up the corresponding data volume, obtain a snapshot of the container, extract the container log, and extract the related information of the image. Through the forensic methods outlined above, Docker container forensics through the Docker API is shown to be feasible and effective. By packaging the forensic system, it can be safely deployed on the CSP side and call the appropriate APIs to extract the relevant evidence data. Moreover, the forensics process does not affect the operation of the container and does not extract other, irrelevant data. Applied to the cloud environment, this forensic method meets the requirements of online forensics and protects the privacy of the data of users who are not forensics objects. Similarly, this method can also help other cloud service platforms adapt to more forensics requirements in the cloud environment, so as to realize the forensics process in the cloud.

4. CONCLUSION AND FUTURE WORK
The field of computer forensics has expanded continuously, and any device that has some level of data storage and communication capability will gradually come into the sight of computer forensics personnel. As the hottest container virtualization technology, Docker will be used increasingly in PaaS scenarios such as continuous integration, development and web applications, which deserves more attention from computer forensics personnel. At present, for cloud services implemented with Docker and other container technologies, there are no systematic forensics standards and operating procedures in China yet. Investigation and evidence collection in the cloud environment depend mainly on the CSP and its own experience and technology, which raises issues of the legitimacy and integrity of evidence. In addition, the weak security awareness of many CSPs brings considerable difficulties to the preservation and analysis of evidence information.
The Docker API-based forensics solution proposed in this paper considers the case of multiple CSPs and multiple hosts, which means that it can not only perform forensics on a single CSP host but also apply to multi-CSP and multi-host forensics scenarios. In this scenario, data is extracted from a running Docker container without affecting its external provisioning of application services, and the raw evidence data is sent to a forensic data center at low cost.

Secondly, the original evidence data is extracted through the API, which not only reduces the dependence on the CSP but also avoids direct contact between the CSP and the original evidence data, providing more effective protection of the integrity of the original evidence. Such a forensics solution is also very convenient for investigators and CSPs, because investigators operate on the FA, and CSPs do not need to do any unnecessary work after migrating the data to the forensic agent beyond adding the relevant data items to the original evidence data.

5. ACKNOWLEDGMENT
The authors would like to thank the anonymous reviewers for their helpful comments and suggestions. This work was supported by the National Social Science Fund of China (No. 14BFX156) and partially sponsored by the New Direction Cultivation Program of Chongqing University of Posts and Telecommunications (No. A2015-45).

6. REFERENCES
[1] MELL P, GRANCE T. The NIST Definition of Cloud Computing[R]. National Institute of Standards and Technology, 2011.
[2] SEL Laboratory of Zhejiang University. Docker: container and container clouding[M]. Posts & Telecom Press, 2015.
[3] Rimal B P, Choi E, Lumb I. A Taxonomy and Survey of Cloud Computing Systems[C]//2009 Fifth International Joint Conference on INC, IMS and IDC. IEEE Computer Society, 2009: 44-51.
[4] Dua Rajdeep, Raja A Reddy, Kakadia Dharmesh. Virtualization vs containerization to support PaaS[C]//IEEE International Conference on Cloud Engineering, 2014: 610-614.
[5] Ding Weimin, Ghansah Benjamin, Wu Yanyan. Research on the Virtualization technology in Cloud computing environment[J]. International Journal of Engineering Research in Africa, 2016, vol. 2: 191-196.
[6] Keyun Ruan, Joe Carthy, Tahar Kechadi, Mark Crosbie. Cloud Forensics[J]. IFIP Advances in Information and Communication Technology, 2011, vol. 361: 35-46.
[7] Ruan K, Carthy J, Kechadi T, et al. Cloud forensics definitions and critical criteria for cloud forensic capability: An overview of survey results[J]. Digital Investigation, 2013, 10(1): 34-43.
[8] MATHEW A R, AL ZAHLI J A. Cloud Technology and the Challenges for Forensics Investigators[J]. DEStech Transactions on Computer Science and Engineering, 2017 (cnsce).
[9] Zawoad S, Dutta A K, Hasan R. SecLaaS: secure logging-as-a-service for cloud forensics[C]//Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security. ACM, 2013: 219-230.
[10] Kun Zhang. Research and Implementation of Digital Forensics under Cloud Computing Environment[D]. University of Electronic Science and Technology, 2014.
[11] Xie Y L, Ding L P, Lin Y Q, et al. ICFF IaaS[J]. Journal on Communications, 2013, 34: 5.
[12] Wu S, Du J. DCFF: a container forensics framework based on Docker[C]//2016 3rd International Conference on Materials Engineering, Manufacturing Technology and Control. Atlantis Press, 2016.
[13] Gang Zhou. Research on Scene Migration of Computer Forensics in Cloud Computing Environment[J]. Huazhong University of Science and Technology, 2011, 9.
[14] M. Huber, M. Mulazzani, M. Leithner, S. Schrittwieser, G. Wondracek and E. Weippl. Social snapshots: Digital forensics for online social networks[C]//Proceedings of the Twenty-Seventh Annual Computer Security Applications Conference, 2011: 113–122.
[15] ElcomSoft. ElcomSoft Cloud Explorer. Moscow, Russia, 2016.