K8s IR
Work in Progress
This section is a work in progress and will probably change drastically in the upcoming days.
General Guides
How To: Build
| Link | Notes |
| --- | --- |
| Forensic container analysis in Kubernetes | With the help of container checkpointing, it is possible to create a checkpoint of a running container without stopping the container and without the container knowing that it was checkpointed. |
| Digital Forensics Basics: A Practical Guide for Kubernetes DFIR | Article covering why DFIR for Kubernetes is so important and how to assess your container DFIR capabilities. It also explores a full scenario where we dig deep into the events that affected a Kubernetes pod, along with response steps to take. |
| Container Forensics: When your cluster becomes a cluster | Where to get information about what’s happening in your cluster, including logs and open source tools you can install, and how to tie this information together to get a better idea of what’s happening in your infrastructure. |
How To: Investigate
Investigations
| Link | Notes |
| --- | --- |
| kube-forensics | kube-forensics allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis. |
| stash | Stash is a cloud native data backup and recovery solution for Kubernetes workloads. |
| checkpointctl | A tool for in-depth analysis of container checkpoints. |