Kubernetes Forensics Intermediate - 3 days - 3500€ excl. VAT
Description
Kubernetes has established itself as the orchestration solution for modern cloud-native infrastructures, managing the deployment and scaling of applications at large scale. This ubiquity now makes it an essential area of investigation for forensic analysts. The platform's distributed architecture, the variety of its components, and the volatile nature of its workloads significantly complicate the collection and preservation of digital artifacts.
In practice, Kubernetes is frequently used through managed services offered by the major cloud providers: AWS, Azure, and GCP. This training covers the specifics of these environments while exploring the inner workings of Kubernetes in a platform-agnostic manner, regardless of the underlying provider.
The training will first cover the fundamentals of containerization and the typical architecture of a Kubernetes cluster. Several forensic analysis approaches will then be presented: some rely on the underlying operating system of cluster nodes, while others leverage the logging mechanisms and native tools provided by cloud providers.
- 3 days (21 hours)
- Container and Kubernetes cluster analysis
Objectives
- Understand the distributed architecture of Kubernetes and the digital artifacts generated by its components
- Master the methodologies for collecting and preserving evidence in containerized and volatile environments
- Conduct forensic investigations on managed clusters (AWS, Azure, GCP) and agnostic infrastructures
Public and prerequisites
This training is designed for individuals looking to discover Kubernetes forensics while deepening their knowledge of container analysis. It is intended for anyone involved in administering or investigating Kubernetes clusters.
- System administrators
- SOC / CERT analysts
- DevOps / DevSecOps engineers
A solid understanding of Linux and its shell environment is strongly recommended.
Content
Day 1
Introduction: getting started and an overview of Kubernetes investigation. Kubernetes and container threat landscape: volatility of information in Kubernetes, container internals, container runtimes. Fundamentals: cluster architecture, permissions model, Kubernetes weaknesses, exploration and identification of suspicious behavior.
Day 2
Collection and response: artifact collection checklist, CRIU and checkpoints, audit logs, and container isolation. Filesystem and memory analysis: overlayfs analysis, file recovery, memory analysis using checkpoints, image comparison.
Day 3
Network analysis and tooling: Kubernetes network model and forensic implications, traffic capture, DNS forensics and NetworkPolicies, syscall capture. Exercise: hands-on application of acquired knowledge through an incident response scenario under real-world conditions.
All the details regarding how the training is conducted are described on this page.