# API Reference: Docker Container Forensics Tools

## docker inspect - Container Details

### Syntax

```bash
docker inspect <container_id>
docker inspect --format '{{.HostConfig.Privileged}}' <container_id>
docker inspect --format '{{json .Mounts}}' <container_id> | jq
docker inspect --format '{{.GraphDriver.Data.MergedDir}}' <container_id>
```

### Key JSON Paths

| Path | Description |
|------|-------------|
| `.HostConfig.Privileged` | Privileged mode status |
| `.HostConfig.CapAdd` | Added capabilities |
| `.HostConfig.PidMode` | PID namespace mode |
| `.HostConfig.NetworkMode` | Network namespace mode |
| `.Mounts` | Volume mount configuration |
| `.Config.User` | Container user |
| `.Config.Env` | Environment variables |
| `.Config.Image` | Source image name |
| `.State.StartedAt` | Container start time |

## docker diff - Filesystem Changes

### Syntax

```bash
docker diff <container_id>
```

### Output Codes

| Code | Meaning |
|------|---------|
| `A` | File or directory was added |
| `C` | File or directory was changed |
| `D` | File or directory was deleted |

## docker export - Container Filesystem Export

### Syntax

```bash
docker export <container_id> > container_fs.tar
docker export <container_id> | gzip > container_fs.tar.gz
```

## docker commit / docker save - Image Preservation

### Syntax

```bash
docker commit <container_id> forensic-evidence:case001
docker save forensic-evidence:case001 > evidence_image.tar
```

## docker logs - Container Log Retrieval

### Syntax

```bash
docker logs --timestamps <container_id>
docker logs --since 2024-01-15 <container_id>
docker logs --tail 1000 <container_id>
docker logs -f <container_id>           # Follow (live)
```

## dive - Image Layer Analysis

### Syntax

```bash
dive <image>                            # Interactive mode
dive --ci <image>                       # CI mode (non-interactive)
dive --ci --json out.json <image>       # JSON output
```

### Output Includes

- Layer-by-layer filesystem changes
- Image efficiency score
- Wasted space analysis

## container-diff - Image Comparison

### Syntax

```bash
container-diff diff daemon://nginx:latest daemon://suspect:latest \
  --type=file --type=apt --type=history --json
```

### Diff Types

| Type | Description |
|------|-------------|
| `file` | File system differences |
| `apt` | APT package differences |
| `pip` | Python package differences |
| `history` | Docker build history differences |

## Trivy - Vulnerability Scanning

### Syntax

```bash
trivy image <image>
trivy image --format json <image>
trivy image --scanners vuln,secret <image>
trivy fs /path/to/exported/container/
```

### Severity Levels

`CRITICAL` | `HIGH` | `MEDIUM` | `LOW` | `UNKNOWN`

## docker-explorer - Offline Forensics

### Syntax

```bash
de.py -r /var/lib/docker list
de.py -r /var/lib/docker mount <container_id> /mnt/forensic
de.py -r /var/lib/docker history <container_id>
```
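
As an added example (not part of the original reference), the Python sketch below applies the key JSON paths from `docker inspect` and the `docker diff` output codes to saved command output during triage. The sample data and the watch lists (`SENSITIVE_MOUNTS`, `WATCH_PREFIXES`) are constructed assumptions, as are the function names.

```python
import json

# Constructed sample of `docker inspect <container_id>` output (not real data).
SAMPLE_INSPECT = json.loads("""[{
  "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN"],
                 "PidMode": "host", "NetworkMode": "bridge"},
  "Mounts": [{"Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}],
  "Config": {"User": "", "Image": "nginx:latest"}
}]""")
# Constructed sample of `docker diff <container_id>` output.
SAMPLE_DIFF = "C /etc\nA /etc/cron.d/job\nA /tmp/x.sh\nD /var/log/nginx/access.log\n"

DIFF_CODES = {"A": "added", "C": "changed", "D": "deleted"}
# Assumed watch lists (simple prefix match); tune them per investigation.
SENSITIVE_MOUNTS = ("/var/run/docker.sock", "/proc", "/sys", "/etc")
WATCH_PREFIXES = ("/etc/cron", "/root/.ssh", "/tmp", "/usr/bin", "/var/log")


def inspect_findings(inspect_json):
    """Flag risky settings via the key JSON paths of `docker inspect`."""
    c = inspect_json[0]
    host = c.get("HostConfig", {})
    findings = ["privileged"] if host.get("Privileged") else []
    findings += [f"cap_add:{cap}" for cap in host.get("CapAdd") or []]
    for key in ("PidMode", "NetworkMode"):
        if host.get(key) == "host":  # shares the host namespace
            findings.append(f"{key}:host")
    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        if src == "/" or src.startswith(SENSITIVE_MOUNTS):
            findings.append(f"mount:{src}:{'rw' if m.get('RW') else 'ro'}")
    # An empty Config.User means the container process runs as uid 0.
    if c.get("Config", {}).get("User", "").split(":")[0] in ("", "0", "root"):
        findings.append("user:root")
    return findings


def diff_findings(diff_text):
    """Parse `docker diff` lines ("<code> <path>") and keep watched paths."""
    hits = []
    for line in diff_text.splitlines():
        code, _, path = line.strip().partition(" ")
        if code in DIFF_CODES and path.startswith(WATCH_PREFIXES):
            hits.append((DIFF_CODES[code], path))
    return hits


if __name__ == "__main__":
    print(inspect_findings(SAMPLE_INSPECT), diff_findings(SAMPLE_DIFF))
```

Feed it the saved output of `docker inspect` and `docker diff` collected before the container is stopped, so the findings refer to preserved evidence rather than a live system.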