Forensic container checkpointing was recently introduced as an alpha feature in Kubernetes. This feature allows to transparently save the state of running a container as a collection of image files to persistent storage that can be used to reconstruct the processes inside a container and the data they have used at the time when the checkpoint was created. In this talk we will focus on exploring a set of tools and methods that can be used to analyze container checkpoints and extract useful information, such as application's memory, metadata, timestamps, open files, network sockets, and to recover deleted (ghost) files. These tools can be used to examine the captured runtime state of all processes running in a container and to uncover evidence of malicious activity.
Create a custom schedule.
Take it with you on mobile.
Get listed in the directory.
