Digital Forensics and Incident Response (DFIR) using Docker


With the increasing popularity of container virtualisation technology, it has become imperative for forensics professionals to adopt Docker in Digital Forensics and Incident Response operations: it removes the headache of reconfiguring a set-up for every new case and increases productivity.

One aspect of using Docker for DFIR operations is providing Docker images of favourite tools, with the goal of allowing investigators and handlers to conveniently use difficult-to-install applications without the headache of installing and configuring them again and again. Such images can be compared to lightweight virtual machines: although they do not offer the same level of isolation as real VMs, they provide a container within which the application is encapsulated together with its dependencies. Before getting into the topic itself, let us first look at what Docker is.

Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. By doing so, thanks to the container, the developer can rest assured that the application will run on any other Linux machine regardless of any customised settings that machine might have that could differ from the machine used for writing and testing the code.

In a way, Docker is a bit like a virtual machine. However, unlike a virtual machine, rather than creating a whole virtual operating system, Docker allows applications to use the same Linux kernel as the system they are running on and only requires that applications be shipped with things not already running on the host computer. That gives a significant performance boost and reduces the size of the application. Importantly, Docker is open source, so anyone can contribute to Docker and extend it to meet their needs if they require additional features that aren't available out of the box.

Why do we need Docker in DFIR?

An application distributed as a Docker image incorporates all the dependencies and configuration necessary for it to run, eliminating the need for end users to install packages and troubleshoot dependencies.

Investigators and incident handlers have to rebuild their personal toolbox investigation after investigation. There are plenty of tools developed and shared by the community to address specific cases. Most of those tools can be executed stand-alone, though some require dependencies on libraries or another software framework. These are perfect candidates for containers: investigators and incident handlers will not have to install and configure tools again and again; once a Docker image has been created and correctly configured, they can reuse it without wasting time on installation and configuration.

Before using Docker, we first need to know how to install it. Docker is a cross-platform application that can be used on Linux and Windows; in this article, however, I will cover how to install Docker on an Arch Linux system.

We can easily install Docker with the following command, which is all that is needed:

$ sudo pacman -S docker

The package also installs a systemd service unit for Docker. To start the Docker service, we can use the following command:

$ sudo systemctl start docker

To start Docker on system boot:

$ sudo systemctl enable docker

Now we are all set to use Docker on our Arch Linux system and can run applications and tools in Docker to carry out our operations. Here I will discuss a few applications and tools commonly used by professionals around the world.

The following list contains standard applications that all investigators and incident handlers should already know; I am only concentrating on their Docker versions. For performance reasons, I recommend that you download all images to local storage using the command “docker pull <imagename>”. This speeds up container startup and allows you to work offline. I also assume that the files to be analysed are stored in the /files directory.

  1. PEScanner

PEScanner is a tool to perform static analysis of Microsoft Portable Executable files.

Command:

$ docker run --rm -it -v /files:/home/nonroot/workdir remnux/pescanner pescanner <malicious.exe>

  2. JSDetox

JSDetox is a JavaScript malware analysis tool. With the growing number of malicious .js files spread by phishing and ransomware campaigns, this one is a must at the moment.

Command:

$ docker run --rm -p 3000:3000 remnux/jsdetox

Then point your browser to http://<docker-server>:3000

  3. SpiderMonkey

Another JavaScript analyser, SpiderMonkey, developed by Mozilla, helps to analyse malicious scripts.

Command:

$ docker run --rm -it -v /files:/source nacyot/javascript-spidermonkey:latest js <malicious.js>

  4. VirusTotal

A simple command-line VirusTotal API client.

Command:

$ docker run --rm -it malice/virustotal --api <api_key> lookup <hash>

$ docker run --rm -it malice/virustotal --api <api_key> scan <malicious_file>

  5. Malcom

Malcom is a tool that analyses network communications using graphical representations of network traffic and cross-references them with public IoC sources.

Command:

$ docker run -p 8080:8080 -d --name malcom tomchop/malcom-automatic

  6. FIR

FIR stands for “Fast Incident Response” and is developed by the Société Générale CERT. There is no public image, but a Dockerfile is available in the FIR GitHub repository.

Command:

$ wget https://raw.githubusercontent.com/certsocietegenerale/FIR/master/docker/Dockerfile

$ docker build -t fir .

$ docker run -it -p 8000:8000 fir

Then point your browser to http://<docker-server>:8000

  7. ClamAV

Not the best antivirus, but always handy for quickly scanning a suspicious system.

Command:

$ docker run --name=clamav -v /files:/malware:ro malice/clamav update

$ docker restart clamav

$ docker exec -it clamav clamscan /malware/<suspicious_file>

  8. YARA

YARA is another must-have application. It helps to classify files based on patterns.

Command:

$ docker run --rm -it -v /files:/malware:ro -v /rules:/rules:ro blacktop/yara /rules/<rules.yar> /malware/<suspicious_file>

  9. Dradis

Dradis is a tool aimed more at pen testers, but it can be useful for collecting and exchanging information between incident handlers working on the same case.

Command:

$ docker run -d -p 3000:3000 raesene/auto_docker_dradis bundle exec rails server

  10. Volatility

Last but not least, Volatility, everyone’s favourite memory forensics framework, has a Docker image created and maintained by the SANS REMnux team.

Command:

$ docker run --rm -it -v ~/memdumps:/home/nonroot/memdumps remnux/volatility bash

Using Docker for DFIR spares investigators and incident handlers the headache of reinstalling or reconfiguring applications again and again for each system: they can create Docker images once and reuse them, saving time and energy. However, I accept that from a security point of view containers are not bullet-proof: container escape is always possible, and they share the host's kernel.
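Because every command-line tool above follows the same pattern (mount the evidence directory, run the image's entrypoint), and because the kernel is shared, the invocation itself is where a defender can tighten things. The wrapper below is an added example, not code from the article or from any of the projects it lists; it assumes evidence lives in /files as the article presumes and that each image's entrypoint is the tool itself.

```shell
#!/bin/sh
# Added example, not part of the article: a wrapper that runs the command-line
# images listed above with a hardened `docker run` line. Assumptions: evidence
# lives in /files (as the article presumes) and each image's entrypoint is the
# tool itself, as in the article's commands. Web services such as JSDetox,
# Malcom, FIR and Dradis need ports and a network and are not covered here.
set -u

EVIDENCE_DIR="${EVIDENCE_DIR:-/files}"
DRY_RUN="${DRY_RUN:-0}"    # DRY_RUN=1 prints each docker command instead of running it

# Images the article lists: pull them once so startup is fast and work can continue offline.
DFIR_IMAGES="remnux/pescanner remnux/jsdetox nacyot/javascript-spidermonkey:latest
malice/virustotal tomchop/malcom-automatic malice/clamav blacktop/yara
raesene/auto_docker_dradis remnux/volatility"

# dfir_run IMAGE CONTAINER_MOUNTPOINT [TOOL_ARGS...]
# The evidence directory is mounted read-only so a sample cannot be altered;
# --network none stops a sample from reaching out during analysis; --cap-drop ALL
# and --read-only (with a tmpfs for scratch space) limit what a process that
# breaks out of the tool can do with the kernel it shares with the host.
dfir_run() {
    image=$1; mnt=$2; shift 2
    set -- docker run --rm -it --network none --cap-drop ALL --read-only \
        --tmpfs /tmp -v "$EVIDENCE_DIR:$mnt:ro" "$image" "$@"
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pull every image once; returns non-zero on the first failed pull.
pull_all() {
    for img in $DFIR_IMAGES; do
        if [ "$DRY_RUN" = 1 ]; then printf 'docker pull %s\n' "$img"
        else docker pull "$img" || return 1; fi
    done
}

# Usage, with the article's PEScanner and SpiderMonkey invocations hardened
# (sample.exe and sample.js are constructed file names):
#   dfir_run remnux/pescanner /home/nonroot/workdir pescanner /home/nonroot/workdir/sample.exe
#   dfir_run nacyot/javascript-spidermonkey:latest /source js /source/sample.js
```

If a tool needs to write into its working directory, add a second --tmpfs for that path rather than dropping --read-only.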

Sources: Docker, Rootshell Blog, ISSA Toolsmith Research Paper.
