Docs/Reference/Forensic Analysis

Forensic Analysis Reference

Detailed CLI reference for volatile state, memory dumps, file analysis, and forensic inventory.

All commands require agent mode (--agent). For scheduling, see Incident Forensics.

export volatile

reel --agent export volatile --pod <pod> [--container <container>] -n <namespace> [-o <file>]

Runtime state: process tree, open file descriptors, network connections, memory maps, and environment variables.

Flag	Description	Default
-o, --output	Destination file	stdout
-f, --format	Output format: json, yaml	json

reel --agent export metadata --pod <pod> [--container <container>] -n <namespace> [-o <file>]

Container configuration, image info, resource limits, environment variables, and volume mounts.

Flag	Description	Default
-o, --output	Destination file	stdout
-f, --format	Output format: json, yaml	json

reel --agent export memory --pod <pod> [--container <container>] -n <namespace> [-o <file>]

GDB-compatible ELF core dump. Uses gcore when available, falls back to /proc/mem. Compressed with zstd by default (~60% size reduction).

Flag	Description	Default
-o, --output	Destination file	auto
--compress	Compression: none, fast, default, better, best	default

# List files (query)

reel --agent list files --pod <pod> --path <path> -n <namespace> [flags]

# Export files (archive)

reel --agent export files --pod <pod> --path <path> -n <namespace> -o <file>

reel --agent export inventory --pod <pod> --path <path> -n <namespace> --hash [-o <file>]

Forensic file inventory in CycloneDX 1.6 format. Includes cryptographic hashes, permissions, timestamps, and optional chain-of-custody metadata.

Flag	Description
-o, --output	Destination file
-f, --format	Output format: json, xml
--chain-of-custody	Include extended forensic metadata
--hash	Calculate file hashes
--diff-only	Scan only diff layer (zero-copy)
--from-layer	Scan stored layer by ID

See Incident Forensics for scheduling and use case examples.