Forensics & Incident Response

Capture volatile state, memory dumps, and evidence from running containers.

This guide covers CLI commands for incident response and one-off captures. For automated forensics, see Scheduling.


Forensics on Running Containers

Memory, process state, network connections, and temporary files are discarded when a container terminates. reel extracts this forensic data from live containers without stopping them, following the standard order of volatility.

Order of Volatility

Capture in this order (most volatile first):

  1. Memory - Process heap, stack, credentials
  2. Volatile state - Running processes, network connections
  3. Files - Logs, modified files
  4. Checkpoint - Full process state

Find Your Workloads

List pods that reel can operate on:

reel get workloads -n <namespace>

Quick Evidence Collection

Follow this sequence to capture evidence in the correct order:

1. Memory (most volatile)

# S3
reel export memory suspicious-pod -n production --dest s3://bucket/forensics/
# Local file
reel export memory suspicious-pod -n production --dest memory.core.zst

2. Volatile state

reel get volatile suspicious-pod -n production -o json > volatile.json

3. Logs and files

reel export files suspicious-pod /var/log -n production --dest logs.tar.gz

4. Package inventory

reel export sbom suspicious-pod -n production --dest sbom.json
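The four steps above as one script, added here as an example rather than code from the reel project: it runs the captures most volatile first, stops on the first failure so a missing memory dump is never masked by later successes, and writes a SHA-256 manifest of everything collected so later tampering with the evidence directory is detectable. It assumes the reel commands and flags exactly as shown in this guide; the REEL variable is a convenience of this script, not a reel feature.

```shell
#!/bin/sh
# Added example (not part of the reel docs): run the Quick Evidence Collection
# sequence in order of volatility and record a SHA-256 manifest of the results.
# Assumes the reel commands/flags shown in this guide. REEL (hypothetical,
# script-local) lets you point at a specific reel binary.
set -eu

REEL="${REEL:-reel}"

# Pick whichever SHA-256 tool the host has (coreutils or macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Write "<sha256>  <filename>" for every regular file in DIR to
# DIR/MANIFEST.sha256 and print how many files were hashed.
# (Filenames are assumed to contain no whitespace.)
evidence_manifest() {
    dir="$1"
    manifest="$dir/MANIFEST.sha256"
    : > "$manifest"
    count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$manifest" ] && continue
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
        count=$((count + 1))
    done
    echo "$count"
}

# Re-hash every file named in the manifest; non-zero exit on any mismatch.
verify_manifest() {
    dir="$1"
    while read -r sum name; do
        [ "$(sha256_of "$dir/$name")" = "$sum" ] || return 1
    done < "$dir/MANIFEST.sha256"
}

# Run the captures, most volatile first. set -e aborts on the first failure,
# so a missing early artefact is never silently papered over by later ones.
collect_evidence() {
    pod="$1"; ns="$2"; dir="$3"
    mkdir -p "$dir"
    "$REEL" export memory "$pod" -n "$ns" --dest "$dir/memory.core.zst"
    "$REEL" get volatile "$pod" -n "$ns" -o json > "$dir/volatile.json"
    "$REEL" export files "$pod" /var/log -n "$ns" --dest "$dir/logs.tar.gz"
    "$REEL" export sbom "$pod" -n "$ns" --dest "$dir/sbom.json"
    evidence_manifest "$dir"
}

# Usage (run against a real cluster):
#   collect_evidence suspicious-pod production "./evidence-$(date -u +%Y%m%dT%H%M%SZ)"
#   verify_manifest ./evidence-<timestamp> && echo "evidence intact"
```

Keep the manifest (or at least its hashes) somewhere the compromised host cannot reach, for example alongside the S3 copy of the memory dump; a manifest stored only next to the evidence it covers proves little.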

Memory Dump Analysis

Memory dumps are exported as ELF core files, compatible with GDB and standard analysis tools.

reel export memory <pod> -n <namespace> --dest memory.core.zst

Assess Credential Exposure

After a suspected breach, determine what sensitive data may have been accessible to an attacker. Decompress the dump first (for example zstd -d memory.core.zst, which produces memory.core), then search it:

Credentials:
strings memory.core | grep -iE "(password|api_key|token|secret)"

Connection strings:
strings memory.core | grep -iE "(mysql://|postgres://|mongodb://)"

Session tokens (JWTs):
strings memory.core | grep -E "eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"
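The grep commands above print the secrets themselves, so the triage notes become a second copy of whatever leaked. The following script is an added example, not reel's own tooling: it runs the same three patterns against the decompressed core but reports only the category, the hit count and the byte offsets of the first few matches, which an analyst can revisit under controlled conditions. It uses grep -a on the raw dump instead of strings, so binutils is not required; the sample input in the test is constructed.

```shell
#!/bin/sh
# Added example (not reel's code): count credential-pattern hits in a memory
# dump without printing the matched text. Assumes the dump was decompressed
# first (zstd -d memory.core.zst). LC_ALL=C makes grep treat the core as bytes.
set -eu

# count_hits FILE PATTERN [GREPFLAGS] -> number of matches of PATTERN in FILE
count_hits() {
    file="$1"; pattern="$2"; flags="${3:-}"
    # -a: binary-safe, -o: one line per match. grep exits 1 on no match, but
    # the pipeline status is wc's, so set -e does not abort on zero hits.
    LC_ALL=C grep -a -o -E $flags -e "$pattern" "$file" 2>/dev/null | wc -l | tr -d ' '
}

# first_offsets FILE PATTERN [GREPFLAGS] -> byte offsets of the first 3 matches
first_offsets() {
    file="$1"; pattern="$2"; flags="${3:-}"
    LC_ALL=C grep -a -b -o -E $flags -e "$pattern" "$file" 2>/dev/null |
        head -n 3 | cut -d: -f1 | paste -sd, -
}

# credential_report FILE -> one line per category: "<category> <count> offsets:<a,b,c>"
credential_report() {
    core="$1"
    # category;grep flags;pattern -- the three checks from the table above.
    printf '%s\n' \
        'credentials;-i;(password|api_key|token|secret)' \
        'connection_strings;-i;(mysql://|postgres://|mongodb://)' \
        'session_tokens;;eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' |
    while IFS=';' read -r category flags pattern; do
        hits=$(count_hits "$core" "$pattern" "$flags")
        printf '%s %s offsets:%s\n' "$category" "$hits" \
            "$(first_offsets "$core" "$pattern" "$flags")"
    done
}

# Usage: credential_report memory.core
```

A hit count of zero does not prove nothing leaked (secrets may be stored as non-ASCII structures, or already freed and overwritten), and a non-zero count only shows the pattern was in memory, not that it was read; treat the report as a lead list for the memory analysis proper.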

Volatile State

Exports the process tree, open file descriptors, network connections, memory maps, and environment variables.

reel get volatile <pod> -n <namespace> -o json > volatile.json

What it captures:

Process Tree

nginx (pid 1, 8MB)
├─ nginx (pid 12)
└─ nginx (pid 13)

Network Connections

tcp :80 LISTEN
tcp :80 → 10.0.0.5:52341 ESTABLISHED
tcp :80 → 10.0.0.8:48821 ESTABLISHED

Open Files

fd 0: /var/log/nginx/access.log
fd 3: socket:[12345]
fd 4: /etc/nginx/nginx.conf

Environment

NGINX_VERSION=1.25.3
PATH=/usr/local/bin:...
HOME=/root
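One thing a responder wants from the network-connections capture is the set of established peers that the workload is not expected to talk to. The script below is an added example, not part of reel: it parses the plain-text listing in the format shown above (the JSON layout of -o json is not documented on this page) and reports peers missing from a simple allowlist. The connection sample is constructed; 203.0.113.7 is a documentation address, not an indicator from any real incident.

```shell
#!/bin/sh
# Added example (not reel's code): list ESTABLISHED peers from a volatile-state
# connection listing and flag those outside an allowlist of expected addresses.
# Input format is the text listing shown above; IPv4 only (the port is split
# off at the last colon, which would break IPv6 literals).
set -eu

# Constructed sample in the format of the Network Connections listing.
SAMPLE_CONNECTIONS='tcp :80 LISTEN
tcp :80 → 10.0.0.5:52341 ESTABLISHED
tcp :80 → 10.0.0.8:48821 ESTABLISHED
tcp :80 → 203.0.113.7:4444 ESTABLISHED'

# established_peers: read a listing on stdin, print unique peer IPs (port dropped)
established_peers() {
    awk '$NF == "ESTABLISHED" { n = split($(NF-1), a, ":"); print a[1] }' | sort -u
}

# unexpected_peers ALLOWLIST_FILE: read a listing on stdin, print peers whose
# address does not start with any line of the allowlist. One IP or dotted
# prefix per line, e.g. "10.0.0." for 10.0.0.0/24 (prefix match, not CIDR).
unexpected_peers() {
    allow="$1"
    established_peers | while read -r ip; do
        ok=0
        while read -r prefix; do
            [ -n "$prefix" ] || continue   # an empty line would match everything
            case "$ip" in "$prefix"*) ok=1; break ;; esac
        done < "$allow"
        [ "$ok" -eq 1 ] || echo "$ip"
    done
}

# Usage with a real capture (text form), assuming expected-peers.txt exists:
#   reel get volatile suspicious-pod -n production | unexpected_peers expected-peers.txt
# Demo with the constructed sample:
#   printf '%s\n' "$SAMPLE_CONNECTIONS" | unexpected_peers expected-peers.txt
```

The allowlist is a baseline, so build it from a known-good replica of the same workload (or its service definitions), not from the suspicious pod itself.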

File Analysis

Search for indicators of compromise and suspicious file modifications.

Find Suspicious Files

Recently modified files

reel get files suspicious-pod / --modified-since 24h --recursive -n production

SUID/SGID binaries (privilege escalation)

reel get files suspicious-pod / --suid --recursive --hash -n production

Executables in /tmp or /dev/shm (malware staging)

reel get files suspicious-pod /tmp --executable --recursive -n production

Hidden files and directories

reel get files suspicious-pod / --hidden --recursive -n production

Modified system binaries

reel get files suspicious-pod /usr/bin --modified-since 7d --hash -n production

Export Files

Extract files for offline analysis:

reel export files suspicious-pod /var/log -n production --dest logs.tar.gz

File Inventory

Export a complete inventory of all files in a container with metadata (path, size, permissions, hashes).

reel export inventory suspicious-pod / --hash --dest inventory.json

Chain of Custody

For legal or compliance purposes, add the --chain-of-custody flag to include provenance metadata:

reel export inventory suspicious-pod / --hash --chain-of-custody --dest evidence.json

Example output:

{
  "chain_of_custody": {
    "collected_at": "2024-12-20T14:30:22Z",
    "tool_version": "reel v0.8.0",
    "integrity_hash": "sha256:a1b2c3d4e5f6...",
    "collector": "admin@company.com",
    "source_node": "node-prod-01",
    "method": "direct-read"
  },
  "files": [...]
}