Content Deep Dive

CSI Forensics: Unraveling Kubernetes Crime Scenes

Blog post from Sysdig

Post Details
Company: Sysdig
Author: Alberto Pellitteri
Word Count: 2,521
Language: English
Summary

Alberto Pellitteri's blog post covers the application of Digital Forensics and Incident Response (DFIR) to Kubernetes environments, emphasizing the differences between investigating a container and investigating a host. The article centers on the Kubernetes container checkpoint feature (k8s checkpoint), which, though still in development, can be driven automatically by Falco components to snapshot a running container for forensic analysis. It walks through a real-world scenario in which a chatbot connects to a malicious server and automated container checkpoints are triggered through Falco, Falcosidekick, and Argo. The post then covers static and dynamic analysis of the checkpointed container, using checkpointctl and CRIT for static analysis and Wireshark and Sysdig for dynamic analysis. As a best practice, it recommends restoring and analyzing suspected malware only in an isolated environment, and it explains how these methods fit into a forensic investigation to strengthen the security of containerized applications.