Question 1

How do I mount a Docker container filesystem for forensic analysis?

Accepted Answer

Use the 'de.py mount' command with the container ID and mount point, but ensure aufs-tools is installed. The README shows examples like 'de.py -r /tmp/ mount <container_id> /tmp/test' to replicate live container access.

Question 2

Is Docker Explorer better than using live Docker commands for investigation?

Accepted Answer

For offline forensics, yes—it preserves evidence integrity by not requiring a live daemon. However, for live monitoring or quick checks, standard Docker commands are more straightforward and immediate.

Question 3

Does Docker Explorer work with Containerd or only Docker?

Accepted Answer

It only works with Docker. For Containerd systems, the README directs users to a separate tool called container-explorer, highlighting its limited runtime support.

Question 4

What forensic tools are compatible with Docker Explorer mounts?

Accepted Answer

Mounted filesystems can be used with tools like log2timeline for timeline analysis, as mentioned in the README, or any file inspection tool, enabling integrated forensic workflows.

Question 5

How to install Docker Explorer on CentOS or other Linux distros?

Accepted Answer

Installation is primarily via PPA for Ubuntu or PyPI; for other distros, you may need to build from source or handle dependencies manually, which can be complex due to package requirements like aufs-tools.

Question 6

Why am I getting 'unknown filesystem type aufs' errors?

Accepted Answer

This error occurs if aufs-tools isn't installed or the kernel lacks support. The README suggests installing linux-image-extra packages on Ubuntu, but troubleshooting may vary by system.

docker-explorer

What is docker-explorer?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions