Investigating a GKE Container

As containerized applications have gained popularity and become the most common method for deploying applications in the cloud, digital forensics analysts need to be familiar with the process and tools for examining containers. A previous blog post, Container Forensics with Docker Explorer, dives into the details of analyzing a compromised container with the open source tool Docker Explorer. This article focuses on the analysis of Google Kubernetes Engine (GKE) containers running containerd, and on the process and open source tools that aid in the forensic analysis of a potentially compromised container. The research work for this article was conducted using a GKE cluster. In this article, the commands starting with gcloud are Google Cloud Platform (GCP) specific commands, and kubectl commands are Kubernetes commands that are the same for all cloud providers.

In our investigation, we received signals indicating scanning activity towards the web server running on a GKE cluster. All we know at thi