Velociraptor-Dockers-OfflineCollector


Shlomi Musseri

Oct 6, 2022, 2:40:00 PM
to velocirapt...@googlegroups.com
Hi everyone,

I want to know what artifacts I can collect with velociraptor (offline collector) to investigate dockers. I would like to see processes that run, command history, outbound connections and more.

I would like to understand how the data can be collected with velociraptor.

Thanks.

Mike Cohen

Oct 6, 2022, 2:51:11 PM
to Shlomi Musseri, velocirapt...@googlegroups.com
Docker is just a container so all processes will show up in a simple pslist (pstree etc) for any queries running on the host itself.

There are some specific docker artifacts (e.g. https://docs.velociraptor.app/artifact_references/pages/linux.applications.docker.info/); these just collect data from the docker service by connecting to it and issuing API calls.

The other cool thing about docker is that the container filesystem consists of an overlay which is mapped on top of the image - so if you search files (e.g. use the file finder artifact) in the docker directory (on linux this is /var/lib/docker/volumes) you can see additional files that were added on top of the image. If the container is popped this will just show the new files (it is a diff basically between the current container state and the image). So this makes it really easy to focus on the new files and triage a few files instead of an entire OS.

The directory structure of /var/lib/docker is pretty interesting as well and you can figure out how the containers and layers relate to each other pretty easily.

So in the end it is all just files and processes - so use file finder, pstree etc.

Thanks
Mike

Mike Cohen
Digital Paleontologist,
Velocidex Enterprises
mi...@velocidex.com


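Mike's point about the overlay layout of /var/lib/docker, worked into an added example that is not code from this thread or from the Velociraptor project: a Python script that walks a collected copy of /var/lib/docker, maps each container to its overlay2 upper layer through the layerdb mount-id file, and lists what the container added or removed relative to its image. It assumes the overlay2 storage driver and that the directory tree was copied intact (for example by an offline collector); the sample tree it builds is constructed for demonstration.

```python
"""Offline triage of a collected /var/lib/docker tree: map each container to its
writable overlay2 upper layer and list the files it changed on top of the image."""
import os
import stat
import tempfile
from pathlib import Path

def container_upper_dirs(docker_root):
    """Map container id -> overlay2 'diff' dir (the container's writable upper layer).
    Assumes the overlay2 storage driver: image/overlay2/layerdb/mounts/<id>/mount-id
    names the directory under overlay2/ that holds that container's own layer."""
    mounts = Path(docker_root) / "image" / "overlay2" / "layerdb" / "mounts"
    upper = {}
    for entry in (mounts.iterdir() if mounts.is_dir() else []):
        mount_id_file = entry / "mount-id"
        if mount_id_file.is_file():
            mount_id = mount_id_file.read_text().strip()
            upper[entry.name] = Path(docker_root) / "overlay2" / mount_id / "diff"
    return upper

def layer_changes(upper_dir):
    """Sorted (status, relative_path) pairs for one upper layer: 'added' for regular
    entries, 'deleted' for overlay whiteouts (0/0 character devices marking removals)."""
    changes = []
    for root, _dirs, files in os.walk(upper_dir):
        for name in files:
            path = Path(root) / name
            status = "deleted" if stat.S_ISCHR(os.lstat(path).st_mode) else "added"
            changes.append((status, str(path.relative_to(upper_dir))))
    return sorted(changes)

def triage(docker_root):
    """Container id -> list of (status, path) changes relative to its image."""
    return {cid: layer_changes(d) for cid, d in container_upper_dirs(docker_root).items()
            if d.is_dir()}

def build_fixture(root):
    """Constructed sample tree (not real collector output): one container whose upper
    layer holds a shell history file and a new cron entry. Ids are made up."""
    cid, mid = "a1b2c3d4e5f6", "7f8e9d0c1b2a"
    (Path(root) / "image/overlay2/layerdb/mounts" / cid).mkdir(parents=True)
    (Path(root) / "image/overlay2/layerdb/mounts" / cid / "mount-id").write_text(mid)
    diff = Path(root) / "overlay2" / mid / "diff"
    (diff / "root").mkdir(parents=True)
    (diff / "root" / ".bash_history").write_text("id\nuname -a\n")
    (diff / "etc/cron.d").mkdir(parents=True)
    (diff / "etc/cron.d" / "job").write_text("* * * * * root /usr/local/bin/backup\n")
    return cid

def run_demo():
    """Build the constructed tree in a temp dir and return (container id, its changes)."""
    with tempfile.TemporaryDirectory() as tmp:
        cid = build_fixture(tmp)
        return cid, triage(tmp)[cid]

if __name__ == "__main__":
    cid, changes = run_demo()
    for status, path in changes:
        print(f"{cid[:12]} {status:7} {path}")
```

Point `triage()` at the root of the collected tree instead of the fixture to get the same per-container diff Mike describes, which is what the file finder shows when pointed at the docker directory.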

Shlomi Musseri

Oct 6, 2022, 7:16:52 PM
to Mike Cohen, velocirapt...@googlegroups.com
Hi Mike,

Thanks a lot for the answer!
I'll check it out and dive deeper.


On 6 Oct 2022, at 21:51, Mike Cohen <mi...@velocidex.com> wrote: