DFIR using Docker Containers by Deep Shankar Yadav
1 like355 views
This document discusses using Docker containers for digital forensics and incident response (DFIR). It provides an overview of DFIR, Docker, and why Docker is useful for DFIR workflows. The author then demonstrates how to run several popular DFIR tools as Docker containers, including Volatility, CyberChef, and COMODO malware analysis tools. Contact details and references are provided at the end.
DFIR using Docker Containers by Deep Shankar Yadav
- 1. DFIR using Docker Containers Incident Management on the go - Deep Shankar Yadav
- 3. #root@charlie~:whoami • DFIR Practitioner • Red Team Penetration Tester • Security Analyst by Day; Ninja by Night • Disaster Recovery Manager at n|u OWASP Delhi
- 4. DISCLAIMERS • Registered brands belong to their respective owners. • The information provided in this presentation is a results of a proper internet search. • No content in this presentation violates any copyright or intellectual property.
- 5. • What I am Gonna do ?
- 6. Agenda • What is DFIR? • What is Docker? • Why use Docker ? • What can be used ? • How to use
- 13. Yes Sweety it’s all about it
- 14. Recipe for Successful DFIR Practices
- 15. What is Docker?
- 16. What is Docker?
- 17. What is Docker?
- 18. VM vs Docker
- 19. Why Docker? • Isolation • Lightweight • Simplicity • Workflow • Community Support
- 20. Docker Community • 1500+ Contributors • 100,000+ Dockerized Applications • 3 to 4 Million Developers using Docker • 300+ Million Downloads • 35,000 Docker related projects • 70% enterprises are using docker
- 22. DOCKER ENGINE • DOCKER DAEMON • DOCKER CLI
- 23. DOCKER DAEMON • Builds Images • Runs and Manages Containers • RESTful API
- 24. Docker CLI
- 25. Docker Hub
- 26. What Applications can be used? All of them (CLI and Web Interfaces)
- 27. What are we going to see today
- 29. How to run images? 1. FIR: docker run -it -p 8000:8000 fir 2. CyberChef: docker run -d -p 2142:80 remnux/cyberchef 3. COMODO: docker run --rm -v !/null:/malware:ro malice/comodo <filename> 4. Malcom: docker run -p 2215:8080 -d --name malcom tomchop/malcom-automatic 5. Evolve: docker run --rm -it -v ~/null:/home/nonroot/memdumps -p 1337:8080 wzod/evolve bash 6. Volatility: docker run --rm -it -v ~/null:/home/nonroot/memdumps remnux/volatility bash 7. Mastiff: docker run --rm -it -v ~/null:/home/nonroot/workdir remnux/mastiff 8. Maltrive: docker run --rm -it -v ~/null:/archive remnux/maltrieve 9. Jsdetox: docker run --rm -p 3000:3000 remnux/jsdetox 10. PEScanner: docker run --rm -it -v ~/null:/home/nonroot/workdir remnux/pescanner bash
- 30. Charlie, You have been awesome; can I make sandwich for you ?
- 32. Need more details? Keep an eye on my blog https://www.deepshankaryadav.net
- 33. Contact Details Twitter @TheDeepSYadav E-mail : - [email protected] Web: https://www.deepshankaryadav.com
- 35. References • https://www.docker.com/ • https://www.google.com • https://digital-forensics.sans.org/ • https://remnux.org/docs/containers/malwar e-analysis/