A forensic analyst is examining Docker container logs and finds a container that ran the command 'rm -rf /' and then stopped. The container was based on a custom image. Which of the following is the most effective way to recover deleted files from the container's filesystem?
Image layers are immutable; files deleted in the container are still present in the underlying layers. 'docker export' can extract the container's filesystem but layers contain original data.
Why this answer
Docker images consist of layers. Even if a container deletes files, the underlying image layers are read-only and contain the original files. Inspecting the image layers can recover them.