Containers, and specifically Docker, provide a useful abstraction for packaging arbitrary applications and their dependencies in a way that provides a degree of security and isolation from the host environment. This is particularly useful in cybersecurity disciplines such as incident response and forensics, as it is crucial to not modify the data that is being investigated. Additionally, while not a secure as a traditional virtual machine, judicious use of privilege separation and the principle of least privilege can help maintain the integrity of the host environment, as well as allow the safer handling of potentially dangerous files. By creating this corpus of work, I hope to help reduce the friction that others may experience when trying to run these various tools in a Linux environment, as well as to contribute to state-of-the art practices in digital forensics and investigations.
Throughout the process of building these various digital forensics tools a Docker images, I learned a great deal about the inner workings of Docker, as well as increased my understanding of BASH Programming. Additionally, all of the work for this project is checked into version control using git.
A website containing all of the content of this project is available at https://delve.vincible.space. The repository containing all of the Dockerfiles, build scripts, and runtime parameters to use these images is located on GitLab and mirrored on GitHub. The Git repository for this website is also available on GitLab. The container registry containing all of the images, which are automatically rebuilt using GitLab Continuous Integration & Delivery is located at registry.gitlab.com/bghost/docker-forensics.
My work including the various Dockerfiles, build scripts, and run scripts, is available under an ISC License, which is a permissive free software license which disclaims any warranty and requires attribution. The various applications installed as a result of running these scripts remain under their own licenses, a table of which is located in the introduction. Docker CE is licensed under the Apache License 2.0.
.gitlab-ci.yml script that is used to build all of these images is below:
image: docker:latest services: - docker:dind before_script: - apk upgrade -U && apk add bash - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY - export REGISTRY="registry.gitlab.com/bghost/docker-forensics/" - export PUSH="true" # Change below to match the user and group ID's # on the target host machine - export ID=1000 - export GID=1000 - export PLUGDEV=240 - export AUDIO=18 autopsy:corretto: script: - cd autopsy - bash ./build corretto regripper:latest: script: - cd regripper - bash ./build latest volatility:latest: script: - cd volatility - bash ./build latest ftkimager:latest: script: - cd ftkimager - bash ./build latest wireshark:latest: script: - cd wireshark - bash ./build latest
In the process of building these images, the most difficult was Autopsy, especially because of the recent changes to the Oracle Jave SE Licence. As a result of my efforts to document the process of getting The Sleuth Kit and Autopsy to compile and install on Linux, I submitted a pull request to the upstream Autopsy project on GitHub, providing documentation for how to install Autopsy on Ubuntu 18.10 using Amazon Corretto 8, adding the file README_Linux.md. A local copy of this file is available at README_Linux.md.