Containers have revolutionized the way we deploy and run applications, offering a lightweight and portable alternative to traditional virtual machines which are normally pretty heaving going. While containers offer many benefits, they also pose unique challenges for incident response and forensics. Fundamentally it's hard to get at the data! What is Container Forensics? Container forensics is the practice of using forensic techniques to examine the contents and activities of containerized applications. This includes analyzing the contents of container images, examining the runtime behavior of containers, and analyzing the host system for signs of container activity. Why is Container Forensics Important? Containers are increasingly being used in production environments, and as a result, they are increasingly being targeted by attackers. Containers offer a number of benefits to attackers, including the ability to quickly deploy malicious code and the ability to evade detection by hiding within a larger containerized environment. As a result, it's important to have a process in place for conducting forensic investigations of containerized environments in the event of a security incident. Container Incident Response Incident response in a containerized environment involves a number of steps, including: Identification: The first step in any incident response process is to identify that an incident has occurred. This may involve monitoring for unusual activity, receiving alerts from security tools, or receiving reports from users or other stakeholders. Containment: Once an incident has been identified, the next step is to contain the affected containers to prevent further damage. This may involve shutting down affected containers, isolating the affected host, or implementing other containment measures as appropriate. Analysis: After the affected containers have been contained, the next step is to conduct a forensic analysis to determine the extent of the incident and gather evidence for further investigation. This may involve examining container images and logs, analyzing network traffic, or examining the host system for signs of malicious activity.

1. Container Forensics &
Incident Response

2. Preserve Intrusion Evidence
Zero-impact to
production systems
Easy data collection from anywhere:
✓ Cloud
✓ Containers
✓ On-prem systems

3. Investigate at Cloud Speed
Quick automated data processing:
✓ Fast
✓ Efficient
✓ Effective
Patent-pending
cloud-based architecture

4. Understand the Full Picture
Complete
visibility and context
Seamless investigation of
multiple data sources:
✓ Host
✓ Logs
✓ Memory

5. Identify Root Cause
Patent-pending
analytics engine
Powerful analytics that saves:
✓ Time
✓ Resources
✓ Money

6. Cado Use Cases
● Conduct forensics
investigations across
complex & expansive cloud
environments
● Investigate cloud incidents
that span multiple cloud
platforms, regions, systems,
and accounts with ease
● Capture incident data
before it’s gone across
virtualization technologies
that continuously grow,
shrink and recycle data
● Process and investigate
container environments and
auto scaling groups
● Ensure optimal security
even where an agent-based
detection solution can’t be
deployed
● Conduct threat hunts
across high-availability
production systems with
zero impact
Cloud Forensics Container Forensics Cloud Threat Hunting

7. Know Your Cloud
with Cado.
www.cadosecurity.com