# Incident Forensics
Capture volatile container state — processes, memory, network connections, modified files — on a schedule. Evidence is archived to S3 before pods restart or scale down.
## Order of Volatility
Artifacts captured most-ephemeral first:
| Priority | Artifact | Contents |
|---|---|---|
| 1 | Volatile state | Process tree, open FDs, network connections, environment |
| 2 | Memory dump | GDB-compatible ELF core dump, zstd compressed |
| 3 | Filesystem layer | Modified files since container start (diff from base image) |
| 4 | Checkpoint | Full CRIU process snapshot (restorable) |
## Schedule with the Agent

Chain forensic captures in order of volatility:

```yaml
# Hourly forensic evidence chain
reel.io/schedule: |
  0 * * * * | export volatile
  next | export memory
  next | create layer
  next | export layer
reel.io/s3-bucket: "forensic-evidence"
```
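An added example, not part of reel's own code, that parses a `reel.io/schedule` annotation into cron-triggered chains and flags any chain that captures a less volatile artifact before a more volatile one. It assumes each line has the form `<cron or next> | <command>` as shown above; the mapping from the four schedule commands to the priority table is this example's assumption.

```python
"""Parse a reel.io/schedule annotation and check each chain follows the
order of volatility from the priority table (1 = most ephemeral)."""
from dataclasses import dataclass, field

# Assumed mapping from schedule commands to the artifact priority table.
VOLATILITY = {
    "export volatile": 1,
    "export memory": 2,
    "create layer": 3,
    "export layer": 3,
}

# Constructed sample annotation, matching the page's hourly chain.
SCHEDULE = """\
0 * * * * | export volatile
next | export memory
next | create layer
next | export layer
"""


@dataclass
class Chain:
    cron: str                              # 5-field cron trigger
    steps: list = field(default_factory=list)  # commands, in run order


def parse_schedule(annotation: str) -> list:
    """Group lines into chains: a cron line starts one, 'next' extends it."""
    chains = []
    for raw in annotation.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "|" not in line:
            raise ValueError(f"malformed schedule line: {raw!r}")
        trigger, command = (p.strip() for p in line.split("|", 1))
        if trigger == "next":
            if not chains:
                raise ValueError("'next' with no preceding cron trigger")
            chains[-1].steps.append(command)
        else:
            if len(trigger.split()) != 5:
                raise ValueError(f"expected 5-field cron expression: {trigger!r}")
            chains.append(Chain(cron=trigger, steps=[command]))
    return chains


def volatility_violations(chain: Chain) -> list:
    """Return steps that run after a step of lower volatility priority."""
    violations, highest = [], 0
    for step in chain.steps:
        prio = VOLATILITY.get(step)
        if prio is None:
            violations.append(f"unknown step: {step}")
            continue
        if prio < highest:
            violations.append(f"{step} (priority {prio}) after priority {highest}")
        highest = max(highest, prio)
    return violations
```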
## Ad-Hoc Investigation

Query a running container through the agent API:

```bash
# Recently modified files
reel --agent list files --pod suspect --modified-since 24h -r --hash

# SUID binaries
reel --agent list files --pod suspect --suid -r

# Executables in /tmp
reel --agent list files --pod suspect --path /tmp --type file -r

# File inventory with chain-of-custody hashes
reel --agent export inventory --pod suspect --hash --chain-of-custody
```
See Forensic Analysis Reference for the full command set.