Forensics Reference
Commands for volatile state, memory dumps, file analysis, and metadata.
get/export volatile
```bash
# Query (stdout)
reel get volatile <pod> <container> -n <namespace> [flags]
# Export to file/S3
reel export volatile <pod> <container> -n <namespace> --dest <path>
```
Includes process tree, open file descriptors, network connections, memory maps, and environment variables.
get/export metadata
```bash
# Query (stdout)
reel get metadata <pod> <container> -n <namespace> [flags]
# Export to file/S3
reel export metadata <pod> <container> -n <namespace> --dest <path>
```
Includes container configuration, image info, resource limits, environment variables, and volume mounts.
export memory
```bash
reel export memory <pod> <container> -n <namespace> [flags]
```
| Flag | Description | Default |
|---|---|---|
| -d, --dest | Destination path or S3 URI | required |
| --compress | Compression: none, fast, best | none |
| --pid | Specific PID to dump | main process |
Output: ELF Core dump (GDB-compatible)
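
A quick integrity check for an exported image, as an added example (not part of reel or its documentation): it confirms the file is an ELF64 core and flags segments that run past the end of the file, which points to a truncated transfer. It assumes the dump was written with `--compress none`; the function names are hypothetical and the sample image is constructed inline.

```python
import hashlib
import struct

ET_CORE, PT_LOAD, PT_NOTE, PN_XNUM = 4, 1, 4, 0xFFFF

def check_core(data: bytes) -> dict:
    """Validate an uncompressed ELF64 core image and summarise its segments."""
    if data[:4] != b"\x7fELF":
        raise ValueError("no ELF magic (dump still compressed, or wrong file?)")
    if len(data) < 64 or data[4] != 2:
        raise ValueError("only complete ELFCLASS64 headers are handled here")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if e_type != ET_CORE:
        raise ValueError(f"e_type={e_type}, expected ET_CORE ({ET_CORE})")
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    if e_phnum == PN_XNUM:
        raise ValueError("extended segment count (PN_XNUM) not handled here")
    loads, notes, truncated = 0, 0, []
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if base + 56 > len(data):
            raise ValueError("program header table is cut off")
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, base)
        loads += p_type == PT_LOAD
        notes += p_type == PT_NOTE
        if p_offset + p_filesz > len(data):     # segment runs past end of file
            truncated.append(hex(p_vaddr))
    return {"sha256": hashlib.sha256(data).hexdigest(), "load_segments": loads,
            "note_segments": notes, "truncated": truncated}

def build_sample_core(payload: bytes = b"A" * 32) -> bytes:
    """Constructed sample: minimal little-endian ELF64 core, one NOTE + one LOAD."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_CORE, 62, 1, 0, 64, 0, 0,
                               64, 56, 2, 0, 0, 0)
    data_off = 64 + 2 * 56                      # payload follows both phdrs
    note = struct.pack("<IIQQQQQQ", PT_NOTE, 4, data_off, 0, 0, 0, 0, 1)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 6, data_off, 0x400000, 0,
                       len(payload), len(payload), 0x1000)
    return ehdr + note + load + payload

if __name__ == "__main__":
    core = build_sample_core()
    print(check_core(core))             # intact image
    print(check_core(core[:-8]))        # same image with the tail cut off
```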
get/export files
```bash
# Query (stdout)
reel get files <pod> <container> <path> -n <namespace> [flags]
# Export to file/S3
reel export files <pod> <container> <path> -n <namespace> --dest <path>
```
| Flag | Description |
|---|---|
| --recursive | Include subdirectories |
| --modified-since | Modified after timestamp/duration |
| --modified-before | Modified before timestamp/duration |
| --suid | Only SUID/SGID files |
| --hash | Calculate file hashes |
| --show-hidden | Include hidden files |
export inventory
```bash
reel export inventory <pod> <container> <path> -n <namespace> [flags]
```
| Flag | Description |
|---|---|
| -d, --dest | Destination path |
| --chain-of-custody | Extended forensic metadata |
| --hash | Calculate file hashes |
Output: CycloneDX SBOM format with chain-of-custody metadata.
See Forensics Tutorial for examples.