Authors: Radostin Stoyanov, Lorena Goldoni, Adrian Reber, Christopher Hargreaves, Rodrigo Bruno

DFRWS USA 2026

Abstract

Container orchestration platforms have become a crucial part of the cloud-native infrastructure for deploying modern applications. The highly dynamic and ephemeral nature of these environments, however, introduces new challenges for digital forensics: malicious code often runs entirely in memory and vanishes when the container terminates, leaving no traces. The absence of forensic data can be just as dangerous as the malicious activity itself, preventing post-incident investigation and adequate response. In this paper, we propose FSC – a framework for forensic snapshot chains that transparently capture and preserve the state, configurations, and metadata of running containers. These snapshot artifacts allow investigators to accurately reconstruct and analyze the events during a security incident without impacting the running cluster. To achieve this, FSC leverages memory-tracking mechanisms inspired by live-migration optimization techniques that enable high-frequency snapshot capture when a security alert is triggered, while minimizing performance and storage overhead. Our evaluation with real-world cloud-native workloads demonstrates that FSC, with minimal performance overhead, enables accurate temporal reconstruction of memory-resident malicious activity derived from container snapshot chains under both stealthy execution and active attack scenarios.
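The abstract describes the core mechanism only in outline: track which pages a container's processes dirty between captures, store only those pages at each high-frequency snapshot, and rebuild the full image later from the chain. The Python below is an added illustration of that mechanism, not code from the paper or from FSC. It simulates soft-dirty style page tracking on a toy address space, builds a parent-linked chain of delta snapshots, reconstructs memory at any link, and diffs two links to locate where in-memory code landed. The 16-byte page size, the SHA-256 digest chaining of links (an evidence-integrity addition the abstract does not mention), and the two-stage write scenario in `demo()` are all constructed assumptions.

```python
"""Incremental memory-snapshot chain with dirty-page tracking (added example, not FSC code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAGE_SIZE = 16  # assumption: tiny pages keep the sample readable; real pages are 4 KiB


def _digest(seq: int, parent_digest: str, pages: Dict[int, bytes]) -> str:
    """Hash this link's payload together with its parent's digest (assumed chaining)."""
    h = hashlib.sha256(f"{seq}|{parent_digest}".encode())
    for idx in sorted(pages):
        h.update(idx.to_bytes(4, "big") + pages[idx])
    return h.hexdigest()


@dataclass
class Snapshot:
    """One link of the chain: only pages dirtied since the parent are stored."""
    seq: int
    parent: Optional[Snapshot]
    pages: Dict[int, bytes]  # page index -> page contents at capture time
    digest: str = field(init=False)

    def __post_init__(self) -> None:
        self.digest = _digest(self.seq, self.parent.digest if self.parent else "root", self.pages)


class TrackedMemory:
    """Simulated process memory with soft-dirty style page tracking."""

    def __init__(self, image: bytes) -> None:
        if len(image) % PAGE_SIZE:
            raise ValueError("image must be page aligned")
        self.pages = {i: image[i * PAGE_SIZE:(i + 1) * PAGE_SIZE]
                      for i in range(len(image) // PAGE_SIZE)}
        self.dirty = set(self.pages)  # nothing captured yet: every page is dirty

    def image(self) -> bytes:
        return b"".join(self.pages[i] for i in sorted(self.pages))

    def write(self, offset: int, data: bytes) -> None:
        """Write into memory and mark every touched page dirty."""
        if offset + len(data) > len(self.pages) * PAGE_SIZE:
            raise ValueError("write out of bounds")
        buf = bytearray(self.image())
        buf[offset:offset + len(data)] = data
        first, last = offset // PAGE_SIZE, (offset + len(data) - 1) // PAGE_SIZE
        for i in range(first, last + 1):
            self.pages[i] = bytes(buf[i * PAGE_SIZE:(i + 1) * PAGE_SIZE])
            self.dirty.add(i)

    def snapshot(self, parent: Optional[Snapshot]) -> Snapshot:
        """Capture only dirty pages, then clear tracking (like resetting soft-dirty bits)."""
        snap = Snapshot(parent.seq + 1 if parent else 0, parent,
                        {i: self.pages[i] for i in self.dirty})
        self.dirty.clear()
        return snap


def links(snap: Snapshot) -> List[Snapshot]:
    """Chain from root to snap, oldest first."""
    chain: List[Snapshot] = []
    cur: Optional[Snapshot] = snap
    while cur is not None:
        chain.append(cur)
        cur = cur.parent
    return chain[::-1]


def reconstruct(snap: Snapshot) -> bytes:
    """Rebuild the full image at this link by overlaying deltas oldest to newest."""
    merged: Dict[int, bytes] = {}
    for link in links(snap):
        merged.update(link.pages)
    return b"".join(merged[i] for i in sorted(merged))


def changed_pages(older: Snapshot, newer: Snapshot) -> List[int]:
    """Page indices whose contents differ between two points of the chain."""
    a, b = reconstruct(older), reconstruct(newer)
    return [i for i in range(len(a) // PAGE_SIZE)
            if a[i * PAGE_SIZE:(i + 1) * PAGE_SIZE] != b[i * PAGE_SIZE:(i + 1) * PAGE_SIZE]]


def verify_chain(snap: Snapshot) -> bool:
    """Recompute every link's digest; a tampered or reordered link breaks the chain."""
    prev = "root"
    for link in links(snap):
        if _digest(link.seq, prev, link.pages) != link.digest:
            return False
        prev = link.digest
    return True


def stored_pages(snap: Snapshot) -> int:
    """Pages actually written to storage for the whole chain up to snap."""
    return sum(len(link.pages) for link in links(snap))


def demo():
    """Constructed scenario: a two-stage in-memory payload captured by three snapshots."""
    mem = TrackedMemory(b"\x00" * (8 * PAGE_SIZE))  # 8 zeroed pages (constructed)
    s0 = mem.snapshot(None)                          # baseline: all 8 pages stored
    mem.write(40, b"\xcc" * 8)                       # stage 1 lands inside page 2
    s1 = mem.snapshot(s0)                            # delta: 1 page
    mem.write(90, b"\x90" * 12)                      # stage 2 straddles pages 5 and 6
    s2 = mem.snapshot(s1)                            # delta: 2 pages
    return mem, s0, s1, s2


if __name__ == "__main__":
    mem, s0, s1, s2 = demo()
    print("stage 1:", changed_pages(s0, s1), "stage 2:", changed_pages(s1, s2),
          "stored", stored_pages(s2), "of", 3 * len(mem.pages), "pages; chain ok:", verify_chain(s2))
```

Two things the toy makes visible that the abstract only asserts: the chain stores 11 pages instead of the 24 three full images would need, which is where the storage saving comes from, and `changed_pages` over consecutive links gives the investigator the temporal ordering of the two stages. On real Linux containers the same incremental capture exists in CRIU as `criu pre-dump --track-mem` with `--prev-images-dir`, which uses the kernel's soft-dirty bit; whether FSC builds on that path is an assumption here, since this page does not say.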