Linux Containers Forensics

Digital Forensics

LCF

Active

Cyber Funded Research (CFR)

January 2026 - December 2029

49 months

Thibault Debatty

Docker Linux

Container-based applications, powered by technologies such as Docker and orchestrated by platforms like Kubernetes, have become foundational to modern software deployment due to their efficiency, scalability, and portability.

However, these advantages come with new security challenges. Containers are not immune to security breaches: threats such as container escapes, image tampering, and misconfigured orchestration layers can compromise entire environments. Investigating such incidents is particularly complex because containers are dynamic and ephemeral, orchestrated deployments are distributed across many nodes, and the volume of logs and artifacts generated across nodes and layers is very large.

While several studies have explored the domain of container forensics (e.g., Alqahtany et al., 2020; Martins et al., 2021; Alharbi et al., 2022), current solutions often struggle with performance, completeness, and automation in real-world environments.

This research project aims to advance the state of container forensics by developing more efficient evidence collection and analysis techniques that are orchestration-aware, scalable, and suitable for real-time or near-real-time investigations.

  • Alqahtany, S., et al. (2020). Docker Forensics: An Analysis of Container Persistence and Data Recovery.
  • Martins, R., et al. (2021). Forensics in Container-Based Environments: Docker and Kubernetes Case Studies.
  • Alharbi, S., et al. (2022). Challenges in Kubernetes Forensics: A Survey and Future Directions.

Setting up Elasticsearch and Kibana with Docker and PHP

PHP Docker

Elasticsearch is a powerful database for storing and querying textual logs or time series. In this tutorial, we will show you how to set up Elasticsearch and Kibana with Docker and PHP. We will use a Docker Compose file to define the services and environment variables, and a PHP script to configure the Elasticsearch API keys.

Continuous Deploy with GitLab, Docker and Portainer

DevOps Docker GitLab

In a previous blog post I presented Portainer, a simple Docker stacks management interface. One of the nice features of Portainer is the possibility to create webhooks to automatically update existing stacks. In this post I’ll show how to combine this feature with GitLab pipelines to implement continuous deployment of Docker stacks.

Simplify Your Docker Management with Portainer

Docker Sysadmin

Docker and containers have revolutionized the way we build, ship, and run applications! However, managing multiple containers and services can become increasingly complex. That’s where Portainer comes in! This powerful and intuitive container management web application makes it easy to deploy, manage, and monitor your Docker environments.

GHOSTS v8.0 Implementation: Orchestrating Realistic Traffic for PoC Attack Simulation and Log Monitoring

Python Windows Docker Network analysis and visualization Virtualization Offensive Security

In red-blue team attack scenarios, testing threats and attacks on isolated machines can make detection overly simplistic. This is because the attacks are the only activity on the network, which does not accurately reflect real-world conditions. In reality, cyberattacks often occur during working hours and blend seamlessly with normal user activities. The larger the organization, the more extensive the network, making it increasingly challenging t...
