Don't, Stop, Drop, Pause: Forensics of CONtainer CheckPOINTs (ConPoint)
Document Type: Conference Proceeding
Publication Date: 7-30-2024
Abstract
In the rapidly evolving landscape of cloud computing, containerization technologies such as Docker and Kubernetes have become instrumental in deploying, scaling, and managing applications. However, these containers pose unique challenges for memory forensics because of their ephemeral nature. Since memory forensics is a crucial part of incident response, our work addresses these challenges by developing a deeper understanding of containers, leading to a novel, scalable tool for container memory forensics. Through experimental and computational analyses, our work investigates the forensic capabilities of container checkpoints, which capture a container's state at a specific moment in time. We introduce ConPoint, a tool created for the collection of these checkpoints. We focused on three primary research questions: (1) What is the most forensically sound approach for checkpointing a container's memory and filesystem? (2) How long does volatile memory evidence reside in memory? (3) How long, on average, does the checkpoint process take to complete? Our approach successfully captured checkpoints and retrieved artifacts generated at runtime from container checkpoints. We found that digital evidence in a container's volatile memory can persist during idle states, yet gradually diminishes over time and is entirely lost when the container shuts down. Our experiments determined the average time for checkpointing a container to be 0.537 seconds, measured over a total of n = 45 checkpoints acquired from containers running different databases. The proposed work demonstrates the pragmatic feasibility of implementing checkpointing as an overarching strategy for container memory forensics and incident response.
Publication Source (Journal or Book title): ACM International Conference Proceeding Series
Recommended Citation
Gharaibeh, T., Seiden, S., Abouelsaoud, M., Bou-Harb, E., & Baggili, I. (2024). Don't, Stop, Drop, Pause: Forensics of CONtainer CheckPOINTs (ConPoint). ACM International Conference Proceeding Series. https://doi.org/10.1145/3664476.3670895