K8s IR

Work in Progress

This section is a work in progress: It will probably drastically change in the upcoming days.

General Guides

Link | Notes

How To: Build

Link | Notes
Forensic container analysis in Kubernetes | With the help of container checkpointing, it is possible to create a checkpoint of a running container without stopping the container and without the container knowing that it was checkpointed.
Digital Forensics Basics: A Practical Guide for Kubernetes DFIR | Article covering why DFIR for Kubernetes is so important and how to assess your container DFIR capabilities. It also explores a full scenario where we dig deep into the events that affected a Kubernetes pod, along with the response steps to take.
Container Forensics: When your cluster becomes a cluster | Where to get information about what is happening in your cluster, including logs and open source tools you can install, and how to tie this information together to get a better idea of what is happening in your infrastructure.

How To: Investigate

Link | Notes

Investigations

Link | Notes

Tools

Link | Notes
kube-forensics | kube-forensics allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform offline forensic analysis.
stash | Stash is a cloud native data backup and recovery solution for Kubernetes workloads.
checkpointctl | A tool for in-depth analysis of container checkpoints.