A forensic analyst is examining a Docker container suspected of being used for malicious activities. The container was running an Alpine Linux image and was stopped 2 hours ago. Which of the following is the BEST first step to collect volatile evidence?
docker export creates a tar archive of the container's filesystem, preserving persistent data.
Why this answer
When a container is stopped, its process state and other in-memory data are lost. The best first step is to create a forensic image of the container's filesystem layers, which are still available on the host. Docker containers' filesystems are stored as layers on the host, accessible via docker export or by copying the container's filesystem from /var/lib/docker/overlay2/.