Question 1

How do I mount a Docker container filesystem offline using Docker Explorer?

Accepted Answer

Use the de.py script with the mount command, specifying the container ID and mount point, after installing required packages like aufs-tools. For example, 'de.py -r /mnt/root/var/lib/docker mount <container_id> /tmp/test' as shown in the README.

Question 2

Docker Explorer vs container-explorer: which one should I use?

Accepted Answer

Use Docker Explorer for Docker-based systems and container-explorer for Containerd systems. The README explicitly mentions this distinction and provides a link to the separate tool for Containerd.

Question 3

Can Docker Explorer analyze running containers without shutting them down?

Accepted Answer

No, it requires offline access to the Docker data directory. You need to acquire a disk image or snapshot of the host's storage to analyze containers without interrupting them, as it's designed for forensic offline analysis.

Question 4

What Docker storage drivers does Docker Explorer support?

Accepted Answer

It supports AuFS and OverlayFS, as mentioned in the overview, handling the layered filesystem structure common in Docker installations for forensic reconstruction.

Question 5

How to integrate Docker Explorer with log2timeline for timeline analysis?

Accepted Answer

After mounting the container filesystem using de.py, you can run log2timeline.py on the mount point to generate a plaso file, as outlined in the usage steps for forensic timeline creation.

Question 6

Is Docker Explorer compatible with Windows Docker containers?

Accepted Answer

The tool is focused on Linux-based Docker installations and storage drivers like AuFS and OverlayFS; compatibility with Windows containers is not mentioned and likely unsupported, given its forensic focus on common Linux setups.

docker-explorer

What is docker-explorer?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions