A tool for exploring each layer in a docker image
https://github.com/wagoodman/dive
Random Access Read-Only Tar Mount
https://github.com/mxmlnkn/ratarmount
Component evidence
File system
copy-on-write diffs inside /var/lib/docker
Memory
gcore
obdump
[memfetch](https://github.com/citypw/lcamtuf-memfetch
gdb
dd
Shared volumes
microservices
Containers in a forensic environment
containers may be paused at any time
containers may be quarantined by removing network access or system call privileges
Container isolation
Network isolation
Process namespacing
File system chroot
Device access control
Default seccomp profile