Someone deployed their application as a Docker container. Then another someone came along and hacked it. Then everyone starts looking at you asking, "How did this happen?"
This talk goes into how to extract the forensics artifacts of a Docker container, both if it was still running on a live system (easy) and if you must start from a cold disk image (harder).
A cheatsheet of the high points of this talk is also available here: https://www.didactic-security.com/resources/docker-forensics-cheatsheet.pdf
The video of this presentation at BSides RDU 2018 is online here: https://youtu.be/esj_NoTsywU?t=3667