DFIR using Docker Containers by Deep Shankar Yadav
DFIR using Docker Containers
Incident Management on the go - Deep Shankar Yadav
#root@charlie~:whoami
• DFIR Practitioner
• Red Team Penetration Tester
• Security Analyst by Day; Ninja by Night
• Disaster Recovery Manager at n|u OWASP Delhi
DISCLAIMERS
• Registered brands belong to their respective
owners.
• The information provided in this presentation is the
result of proper internet research.
• No content in this presentation violates any
copyright or intellectual property.
• What am I gonna do?
Agenda
• What is DFIR?
• What is Docker?
• Why use Docker?
• What can be used?
• How to use
What is DFIR?
Yes Sweety it’s all about it
Recipe for Successful DFIR Practices
What is Docker?
VM vs Docker
Why Docker?
• Isolation
• Lightweight
• Simplicity
• Workflow
• Community Support
Docker Community
• 1500+ Contributors
• 100,000+ Dockerized Applications
• 3 to 4 Million Developers using Docker
• 300+ Million Downloads
• 35,000 Docker related projects
• 70% of enterprises are using Docker
DOCKER ENGINE
• DOCKER DAEMON
• DOCKER CLI
DOCKER DAEMON
• Builds Images
• Runs and Manages Containers
• RESTful API
Docker CLI
Docker Hub
What Applications can be used?
All of them (CLI and Web Interfaces)
What are we going to see today
How to run images?
1. FIR: docker run -it -p 8000:8000 fir
2. CyberChef: docker run -d -p 2142:80 remnux/cyberchef
3. COMODO: docker run --rm -v ~/null:/malware:ro malice/comodo <filename>
4. Malcom: docker run -p 2215:8080 -d --name malcom tomchop/malcom-automatic
5. Evolve: docker run --rm -it -v ~/null:/home/nonroot/memdumps -p 1337:8080 wzod/evolve bash
6. Volatility: docker run --rm -it -v ~/null:/home/nonroot/memdumps remnux/volatility bash
7. Mastiff: docker run --rm -it -v ~/null:/home/nonroot/workdir remnux/mastiff
8. Maltrive: docker run --rm -it -v ~/null:/archive remnux/maltrieve
9. Jsdetox: docker run --rm -p 3000:3000 remnux/jsdetox
10. PEScanner: docker run --rm -it -v ~/null:/home/nonroot/workdir remnux/pescanner bash
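As an added example (not from the talk), a POSIX shell wrapper for the CLI analysis images listed above (volatility, pescanner, mastiff, comodo) that mounts the evidence directory read-only, runs the container with no network, no capabilities and no privilege escalation, and hashes the evidence before and after so the analyst can show the analysis did not alter it. The /evidence host path, the mount points and the manifest location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the talk. Hardened variant of the
# `docker run` one-liners above for the CLI analysis images.
# Assumptions: evidence lives under a host directory such as /evidence,
# paths contain no spaces, and the manifest path is absolute.

# build_dfir_cmd IMAGE HOST_DIR MOUNT_POINT [COMMAND...]
# Prints the hardened command instead of executing it, so it can be
# logged in the case notes or reviewed before anything runs.
#   --network none        analysis box cannot reach out (no C2 beacons)
#   --cap-drop ALL        tool runs with no Linux capabilities
#   no-new-privileges     setuid binaries inside the image cannot escalate
#   -v HOST:MOUNT:ro      evidence is visible but cannot be written
build_dfir_cmd() {
  image=$1; host_dir=$2; mount_point=$3; shift 3
  printf 'docker run --rm -it --network none --cap-drop ALL'
  printf ' --security-opt no-new-privileges'
  printf ' -v %s:%s:ro %s' "$host_dir" "$mount_point" "$image"
  for word in "$@"; do printf ' %s' "$word"; done
  printf '\n'
}

# hash_evidence HOST_DIR MANIFEST
# Records the SHA-256 of every file under HOST_DIR in MANIFEST (absolute
# path outside HOST_DIR, so the manifest does not hash itself).
hash_evidence() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# verify_evidence HOST_DIR MANIFEST
# Returns 0 only if every recorded hash still matches, i.e. the evidence
# is byte-for-byte unchanged after the container ran.
verify_evidence() {
  ( cd "$1" && sha256sum --status -c "$2" )
}

# run_dfir IMAGE HOST_DIR MOUNT_POINT MANIFEST [COMMAND...]
# Hash, run the hardened container, then re-verify. Example:
#   run_dfir remnux/volatility /evidence /home/nonroot/memdumps \
#            /cases/001/evidence.sha256 bash
run_dfir() {
  image=$1; host_dir=$2; mount_point=$3; manifest=$4; shift 4
  hash_evidence "$host_dir" "$manifest" || return 1
  eval "$(build_dfir_cmd "$image" "$host_dir" "$mount_point" "$@")"
  verify_evidence "$host_dir" "$manifest"
}
```

Web-interface images such as CyberChef or FIR still need `-p` and therefore a network; only the CLI analyzers fit the `--network none` wrapper.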
Charlie, you have been awesome; can I make a sandwich for you?
Any Questions Except?
Need more details?
Keep an eye on my blog
https://www.deepshankaryadav.net
Contact Details
Twitter @TheDeepSYadav
E-mail: [email protected]
Web: https://www.deepshankaryadav.com
References
• https://www.docker.com/
• https://www.google.com
• https://digital-forensics.sans.org/
• https://remnux.org/docs/containers/malware-analysis/