{"id":13511133,"url":"https://github.com/amir9339/volatility-docker","last_synced_at":"2025-03-30T20:32:37.214Z","repository":{"id":44627380,"uuid":"412464287","full_name":"amir9339/volatility-docker","owner":"amir9339","description":"A suite of Volatility 3 plugins for memory forensics of Docker containers","archived":false,"fork":false,"pushed_at":"2024-01-10T18:39:48.000Z","size":14559,"stargazers_count":17,"open_issues_count":19,"forks_count":3,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-11-01T13:33:56.733Z","etag":null,"topics":["containers","dfir","docker","memory-forensics","volatility-plugins","volatility3"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/amir9339.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-10-01T12:49:20.000Z","updated_at":"2024-08-21T08:25:04.000Z","dependencies_parsed_at":"2024-01-13T19:22:25.474Z","dependency_job_id":"94ef5bd5-7262-4f64-bc40-890cb1c17cf8","html_url":"https://github.com/amir9339/volatility-docker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amir9339%2Fvolatility-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amir9339%2Fvolatility-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amir9339%2Fvolatility-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/amir9339%2Fvolatility-docker/manifests","owner_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/amir9339","download_url":"https://codeload.github.com/amir9339/volatility-docker/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246379366,"owners_count":20767694,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","dfir","docker","memory-forensics","volatility-plugins","volatility3"],"created_at":"2024-08-01T03:00:35.260Z","updated_at":"2025-03-30T20:32:36.929Z","avatar_url":"https://github.com/amir9339.png","language":"Python","readme":"## volatility-docker\n\n### ✨ Project Description\n\nThe objective of this project is to create a suite of [Volatility 3](https://github.com/volatilityfoundation/volatility3) plugins for memory forensics of Docker containers.\n\nTo achieve this, we developed improved versions of some of Volatility’s core plugins, intending to make them aware of Linux namespaces. 
Most of these plugins were never ported from Volatility 2, so they were remade to some extent.\n\nAfter improving said core plugins, we used the additional namespace-related information they provide and developed the main plugin for this submission: the Docker plugin.\n\n[A full (but readable) explanation of plugin details can be found in the contest submission document](docs/contest_submission.md)\n\n### 🎯 Plugin options\n\nThe Docker plugin has a few options:\n\n- **detector** - When this option is chosen, the plugin gives the investigator a quick indication of whether Docker or Docker containers are running on the machine.\n\n- **ps** - When this option is chosen, the plugin displays a table, similar to the output of the `docker ps` command, that shows the following details about running containers on the machine: container creation time, running command, container ID, whether it is privileged, and container process PID.\n\n- **inspect-caps** - When this option is chosen, the plugin displays a list of running containers and enumerates the containers’ capabilities.\n\n- **inspect-mounts** - When this option is chosen, the plugin displays a list of non-default mounts with information about the associated container, mount paths, and mount options.\n\n- **inspect-networks** - When this option is chosen, the plugin displays a list of Docker networks by their IP segments, along with the containers related to them.\n\n### ✔️ Prerequisites\n\n- Python 3\n- Volatility 3\n\nInstall on Linux (Debian) using these commands:\n\n```bash\napt install python3\n\n# clone from repo\ngit clone https://github.com/volatilityfoundation/volatility3.git\n\n# or install as a module\npip3 install volatility3\n```\n\n### ⚙ Installation\n\nAll plugins are located in the `plugins` folder. Copy them to your Volatility 3 directory under `volatility3/volatility3/framework/plugins/linux`.\n\nSome other framework extensions are required. 
They are located under `volatility3 changes`, and are organized in the same directory structure as their location within Volatility 3. Simply copy them to the same location (overwrite existing files if needed).\n\n### ✍️ Contributors\n\n- [**Ofek Shaked**](https://github.com/oshaked1)\n- [**Amir Sheffer**](https://github.com/amir9339)\n","funding_links":[],"categories":["Forensics Tools","Volatility 3"],"sub_categories":["Plugins"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Famir9339%2Fvolatility-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Famir9339%2Fvolatility-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Famir9339%2Fvolatility-docker/lists"}