{"id":13614050,"url":"https://github.com/docker-forensics-toolkit/toolkit","last_synced_at":"2025-04-13T18:32:06.508Z","repository":{"id":53263949,"uuid":"174858530","full_name":"docker-forensics-toolkit/toolkit","owner":"docker-forensics-toolkit","description":"A toolkit for the post-mortem examination of Docker containers from forensic HDD copies","archived":false,"fork":false,"pushed_at":"2023-12-09T00:44:15.000Z","size":10083,"stargazers_count":69,"open_issues_count":1,"forks_count":15,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-02-15T02:31:12.658Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/docker-forensics-toolkit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-03-10T17:41:39.000Z","updated_at":"2024-01-19T10:14:34.000Z","dependencies_parsed_at":"2024-01-13T10:43:12.825Z","dependency_job_id":"3b5020f1-198a-43f0-9658-04c38a6537c9","html_url":"https://github.com/docker-forensics-toolkit/toolkit","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-forensics-toolkit%2Ftoolkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-forensics-toolkit%2Ftoolkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-forensics-toolkit%2Ftoolkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-forensics-toolkit%2Ftoolkit/manifest
s","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/docker-forensics-toolkit","download_url":"https://codeload.github.com/docker-forensics-toolkit/toolkit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248760452,"owners_count":21157362,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T20:00:56.231Z","updated_at":"2025-04-13T18:32:05.969Z","avatar_url":"https://github.com/docker-forensics-toolkit.png","language":"Python","readme":"# A Docker forensics toolkit\n\nThis repo contains a toolkit for performing post-mortem analysis of Docker\nruntime environments based on forensic HDD copies of the docker host system.\n\n\u003cimg alt=\"Logo\" align=\"right\" src=\"https://avatars2.githubusercontent.com/u/48415084\"\u003e\n\n![Build Status](https://api.travis-ci.org/docker-forensics-toolkit/toolkit.svg?branch=master)\n\n## Features\n\n* `mount-image` Mounts the forensic image of the docker host\n* `status` Prints status information about the container runtime\n* `list-images` Prints images found on the computer\n* `show-image-history` Displays the build history of an image\n* `show-image-config` Pretty prints the full config file of an image\n* `list-containers` Prints containers found on the computer\n* `show-container-log` Displays the latest container logfiles\n* `show-container-config` Pretty prints the combined container specific config files (config.v2.json and hostconfig.json).\n* `mount-container`     Mounts the file system of a given container at the given location 
(overlay2 only)\n* `macrobber-container-layer` Extracts file system metadata from the container layer of the given container. Use the output with the 'mactime' tool to create a timeline.\n* `macrobber-volumes` Extracts file system metadata from the volumes of the given container. Use the output with the 'mactime' tool to create a timeline.\n* `carve-for-deleted-docker-files` Carves the image for deleted Docker files, such as container configs, Dockerfiles and deleted log files. Requires 'scalpel' to be installed.\n\n\nSee [usage.md](USAGE.md) for a tour of the features.\n\n## Development\n\n[git-lfs](https://git-lfs.github.com/) is required to check out this repository. Use whatever editor you like.\n\n## Testing\n\nTesting this tool in integration with a real Docker host image is complicated because:\n* Mounting images typically requires root permissions\n* Tests need to be executed as root to be able to read files owned by root on\n  the Docker Host file system\n\nTherefore there are two ways to test this tool: one with a real Docker Host\nimage and one with a temporary folder containing select files from a Docker Host\nimage (created by running the `create_zipfile_from_testimage.py` script). For\nlocal development it's recommended to use the first way while CI may use the\nlatter.\n\n### Coverage\n\nFor a code coverage report run:\n\n    pytest --cov-report term-missing --cov=src tests/\n\n### Testing with a real Docker Host Image\n\n1. Mount the Docker Host image by running:\n    \n    sudo python src/dof/main.py mount-image testimages/alpine-host/output-virtualbox-iso/packer-virtualbox-iso-*-disk001.vmdk.raw\n\nNote the mountpoint of the root partition in the output:\n    \n    Mounted volume 4.3 GiB 4:Ext4 / [Linux] on /tmp/test-4-root-2.\n\n2. 
Run the pytest command as root with the image-mountpoint as parameter\n\n    sudo pytest --image-mountpoint=/tmp/test-4-root-2\n\n## Distribution\n\nThe toolkit is distributed as a runnable 'fat' binary, bundled with a Python\ninterpreter. The binary is created by\n[PyInstaller](https://www.pyinstaller.org/). To create such a binary run:\n\n    pyinstaller dof.spec\n","funding_links":[],"categories":["Forensics Tools","Tools","Challenges","others","\u003ca id=\"ecb63dfb62722feb6d43a9506515b4e3\"\u003e\u003c/a\u003e新添加"],"sub_categories":["Docker Forensics"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker-forensics-toolkit%2Ftoolkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdocker-forensics-toolkit%2Ftoolkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker-forensics-toolkit%2Ftoolkit/lists"}