With the increasing popularity of container virtualisation technology, it has become imperative for forensics professionals to adopt Docker in Digital Forensics and Incident Response (DFIR) operations: it removes the headache of reconfiguring a setup for every case and increases productivity.
One aspect of using Docker for DFIR operations is providing Docker images of favourite tools, so that investigators and handlers can conveniently use difficult-to-install applications without installing and configuring them again and again. Such images can be compared to lightweight virtual machines; though they do not offer the same level of isolation as real VMs, they provide a container within which the application is encapsulated along with its dependencies. Before getting to the topic itself, let’s first talk about what Docker is.
Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. By doing so, thanks to the container, the developer can rest assured that the application will run on any other Linux machine regardless of any customised settings that machine might have that could differ from the machine used for writing and testing the code.
In a way, Docker is a bit like a virtual machine. However, unlike a virtual machine, rather than creating a whole virtual operating system, Docker allows applications to use the same Linux kernel as the system they are running on and only requires applications to be shipped with things not already running on the host computer. That gives a significant performance boost and reduces the size of the application, and importantly, Docker is open source, so anyone can contribute to Docker and extend it if they need additional features that aren’t available out of the box.
Why do we need Docker in DFIR?
An application distributed as a Docker image incorporates all the dependencies and configuration necessary for it to run, eliminating the need for end users to install packages and troubleshoot dependencies.
Investigators and incident handlers are required to rebuild their personal toolbox investigation after investigation. There are plenty of tools developed and shared by the community to address specific cases. Most of those tools can be executed stand-alone, though some require libraries or another software framework as dependencies. These are perfect candidates for a container: investigators and incident handlers will not have to install and configure the tools again and again; once a Docker image has been created and correctly configured, they can always reuse it without wasting time on installation and configuration.
Before using Docker, we must know how to install it. Docker is a cross-platform application that can be used on Linux and Windows; however, in this article I will cover how to install Docker on an Arch Linux system.
We can install Docker with a single command:
$ sudo pacman -S docker
The package ships a systemd service unit for Docker. To start the Docker service:
$ sudo systemctl start docker
To start Docker on system boot:
$ sudo systemctl enable docker
Now we are all set to use Docker on our Arch Linux system and can run applications and tools in Docker to carry out our operations. Here I will discuss a few applications and tools commonly used by professionals around the world.
The following list contains standard applications that all investigators and incident handlers should already know; I concentrate only on their Docker versions. For performance reasons, I recommend downloading all images to local storage with “docker pull <imagename>”. This speeds up container startup and allows you to work offline. I also presume that the files to be analysed are stored in the /files directory.
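The commands below each mount the evidence directory and start a container by hand. As an added example (not code from the article or from any of the image projects), the following wrapper gives every tool run the same guard rails: a read-only evidence mount, no network, no Linux capabilities, a throw-away container, and a case-log entry with the sample's SHA-256 written before the tool touches it. It assumes the evidence lives in /files as the article presumes, mounts it at /malware inside the container, and lets DOCKER point at a stand-in binary so the wrapper can be exercised without a Docker daemon.

```shell
#!/bin/sh
# Added example, not code from the article or from any of the image projects.
# A thin wrapper around "docker run" for DFIR tool images.
# Assumptions: evidence lives in /files (as the article presumes) and is
# mounted read-only at /malware inside every container; DOCKER can point at a
# stand-in binary so the wrapper can be exercised without the Docker daemon.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-/files}"      # host directory holding the samples
CASE_LOG="${CASE_LOG:-/tmp/dfir-case.log}"  # where each run is recorded
NETWORK="${NETWORK:-none}"                  # offline by default; set "bridge" for tools that must reach the Internet (the VirusTotal client)
DOCKER_OPTS="${DOCKER_OPTS:-}"              # extra flags, e.g. "-it" for an interactive shell or "-v /rules:/rules:ro"
DOCKER="${DOCKER:-docker}"

# SHA-256 of a file, portable between GNU coreutils and BSD/macOS.
evidence_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# dfir_run IMAGE SAMPLE TOOL-ARGS...
# SAMPLE is a file name under EVIDENCE_DIR; TOOL-ARGS is the tool's own command line.
# Every run gets the same guard rails:
#   --rm              the container is discarded afterwards
#   --network none    the analysis container cannot phone home (unless NETWORK is overridden)
#   --cap-drop ALL    a static-analysis tool needs no Linux capabilities
#   -v ...:ro         the tool can read the evidence but never modify it
# The sample's hash, the image and the command line are appended to CASE_LOG
# before the tool runs, so the log can later be checked against the evidence.
dfir_run() {
    image=$1; sample=$2; shift 2
    hash=$(evidence_hash "$EVIDENCE_DIR/$sample")
    printf '%s sha256=%s image=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$hash" "$image" "$*" >> "$CASE_LOG"
    # $DOCKER_OPTS is intentionally unquoted so that several flags split into words.
    "$DOCKER" run --rm --network "$NETWORK" --cap-drop ALL $DOCKER_OPTS \
        -v "$EVIDENCE_DIR:/malware:ro" "$image" "$@"
}

# Usage, mirroring the PEScanner invocation from the article:
#   dfir_run remnux/pescanner suspicious.exe pescanner /malware/suspicious.exe
```

Because the wrapper mounts the evidence at /malware, pass container-side paths to the tool (for instance /malware/suspicious.exe) rather than the host path; tools whose images expect a different working directory, such as the Volatility image below, can still be given that directory through DOCKER_OPTS.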
PEScanner is a tool to perform static analysis of Microsoft Portable Executable (PE) files.
$ docker run --rm -it -v /files:/home/nonroot/workdir remnux/pescanner pescanner <malicious.exe>
$ docker run --rm -p 3000:3000 remnux/jsdetox
Then point your browser to http://<docker-server>:3000
A command-line VirusTotal API client.
$ docker run --rm -it malice/virustotal --api <api_key> lookup <hash>
$ docker run --rm -it malice/virustotal --api <api_key> scan <malicious_file>
Malcom is a tool which analyses network communications using graphical representations of network traffic and cross-references them with public IoC sources.
$ docker run -p 8080:8080 -d --name malcom tomchop/malcom-automatic
FIR stands for “Fast Incident Response” and is developed by the Société Générale CERT. There is no public build, but a Dockerfile is available in the FIR GitHub repository.
# fetch the raw file (the GitHub /blob/ page is HTML and will not build)
$ wget https://raw.githubusercontent.com/certsocietegenerale/FIR/master/docker/Dockerfile
$ docker build -t fir .
$ docker run -it -p 8000:8000 fir
Then point your browser to http://<docker-server>:8000
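FIR is the one tool in this list built from its own Dockerfile rather than pulled as an image; the same approach packages any tool that has no public build. The script below is an added example, not the article's or FIR's code: it writes a minimal Dockerfile with the non-root layout the REMnux images use (/home/nonroot/workdir) and builds it. It assumes Debian's yara package as the tool being wrapped and uses the made-up tag dfir/yara; DOCKER can point at a stand-in binary so the script can be exercised without a Docker daemon.

```shell
#!/bin/sh
# Added example, not the article's or FIR's code: package a tool that has no
# public image into your own Docker image. Assumptions: Debian's "yara" package
# is the tool being wrapped and the image tag dfir/yara is made up.
set -eu
DOCKER="${DOCKER:-docker}"

# Write a minimal Dockerfile into the build-context directory given as $1.
write_dockerfile() {
    cat > "$1/Dockerfile" <<'EOF'
FROM debian:bookworm-slim
# Install only the tool; drop the apt lists so the layer stays small.
RUN apt-get update \
 && apt-get install -y --no-install-recommends yara \
 && rm -rf /var/lib/apt/lists/*
# Never run analysis tooling as root inside the container.
RUN useradd --create-home --shell /usr/sbin/nologin nonroot
USER nonroot
WORKDIR /home/nonroot/workdir
ENTRYPOINT ["yara"]
EOF
}

# Build the image from that context and tag it with the name given as $2.
build_image() {
    write_dockerfile "$1"
    "$DOCKER" build -t "$2" "$1"
}

# Usage: build once, then scan a sample with a rule file, both mounted read-only.
#   ctx=$(mktemp -d) && build_image "$ctx" dfir/yara
#   docker run --rm -v /files:/malware:ro -v /rules:/rules:ro dfir/yara /rules/index.yar /malware/<suspicious_file>
```

The ENTRYPOINT means the container behaves like the yara binary itself, so the rule file and sample path are the only arguments; running as nonroot with the evidence mounted :ro keeps a rule bug or a tool bug from touching the host files.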
Not the best antivirus, but always nice for quickly scanning a suspicious system.
$ docker run --name=clamav -v /files:/malware:ro malice/clamav update
$ docker restart clamav
# scan the file with clamscan; passing the sample path alone would execute the sample inside the container
$ docker exec -it clamav clamscan /malware/<suspicious_file>
YARA is another must-have application. It helps to classify files based on patterns.
$ docker run -it -v /evidences:/malware:ro -v /rules:/rules:ro blacktop/yara <suspicious_file>
Dradis is a tool that focuses more on pen testers, but it can be useful for collecting and exchanging information between incident handlers working on the same case.
$ docker run -d -p 3000:3000 raesene/auto_docker_dradis bundle exec rails server
Last but not least, Volatility, everyone’s favourite memory forensics framework, has a Docker image created and maintained by the SANS REMnux team.
$ docker run --rm -it -v ~/memdumps:/home/nonroot/memdumps remnux/volatility bash
Using Docker for DFIR spares investigators and incident handlers the headache of reinstalling or reconfiguring applications for each system: they can create Docker images once and reuse them, saving time and energy. However, from a security point of view I accept that containers are not bullet-proof: container escape is always possible, and they share the host kernel.
Sources: Docker, Rootshell Blog, ISSA Toolsmith Research Paper.