Evidence of Data Exfiltration via Containerised Applications on Virtual Private Servers

Evidence of Data Exfiltration via Containerised Applications on Virtual Private Servers (PDF, 3.96MB)
Published: 06 Aug, 2018
Created by: Seth Enoka

The use of application containerisation is on the rise due to the lightweight, portable nature of applications developed with this technology, and the ease with which containers can be administered. Instead of deploying an entire virtual machine to run applications separately from one another, users are now able to create modular, insulated software packages that are not necessarily integrated with the host operating system. This means the packages can be configured once, then deployed to many servers, many times, instantiated and then removed without affecting the host in the same way traditional applications would. Because of the portability of the applications, they are more versatile and less resource-intensive to deploy and maintain. This also means that containerised applications are somewhat ethereal and can be run only when required. This can present a challenge for security professionals because these applications do not interact with the host operating system in a traditional way. Therefore, they can leave fewer artefacts behind for a forensic investigator to analyse. This analysis can be further impeded by the fact that containerisation is being used within virtual private servers hosted in the cloud.