{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T13:23:36Z","timestamp":1775913816488,"version":"3.50.1"},"reference-count":37,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,8,19]],"date-time":"2022-08-19T00:00:00Z","timestamp":1660867200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,8,19]],"date-time":"2022-08-19T00:00:00Z","timestamp":1660867200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cloud Comp"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>A container provides an environment where applications are packaged and run with the supporting libraries and dependencies. Due to scalability and efficient software deployment, the popularity of container technology has increased and its services are also available on cloud platforms. The container environment is prone to a variety of threats and vulnerabilities that lead to security breaches and attacks. Investigation is required to analyze an attack, and digital forensics processes have also been implemented in the container environment. In this paper, we present a systematic evaluation of container artifacts. An interface named CONTAIN4n6 is developed to collect data from the container environment; it extracts the data using introspection libraries and container file systems, and is also capable of tracing the system calls of a running container. The system call tracing functionality is implemented in open source containerization software, i.e., the Moby project. Container artifacts are associated with environmental information, log files, directories, link files, repositories, etc. 
Data collected from multiple sources are stored in a database, and hash values are created to maintain the integrity of the collected data. A case study of privilege escalation attacks is demonstrated and used to validate the data collection tool, CONTAIN4n6. Research challenges associated with security and forensic investigations on containerized applications are also presented.<\/jats:p>","DOI":"10.1186\/s13677-022-00303-8","type":"journal-article","created":{"date-parts":[[2022,8,19]],"date-time":"2022-08-19T08:03:58Z","timestamp":1660896238000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["CONTAIN4n6: a systematic evaluation of container artifacts"],"prefix":"10.1186","volume":"11","author":[{"given":"Anand K.","family":"Mishra","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6056-1147","authenticated-orcid":false,"given":"Emmanuel S.","family":"Pilli","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mahesh C.","family":"Govil","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2022,8,19]]},"reference":[{"key":"303_CR1","unstructured":"Docker (2019) What is a Container? https:\/\/www.docker.com\/resources\/what-container. Accessed 20 Apr 2022."},{"key":"303_CR2","unstructured":"Google Cloud (2020) Google Kubernetes Engine. https:\/\/cloud.google.com\/kubernetes-engine."},{"key":"303_CR3","unstructured":"AWS (2019) Amazon Elastic Container Service. https:\/\/aws.amazon.com\/ecs\/. Accessed 11 May 2022."},{"key":"#cr-split#-303_CR4.1","unstructured":"Karmel A, Chandramouli R, Iorga M (2016) NIST definition of microservices, application containers and system virtual machines. No. 
NIST Special Publication"},{"key":"#cr-split#-303_CR4.2","unstructured":"(SP) 800-180 (Draft). National Institute of Standards and Technology. https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-180\/draft. Accessed 10 Mar 2022."},{"key":"303_CR5","unstructured":"Docker (2019) Docker Platform. https:\/\/www.docker.com\/. Accessed 20 Mar 2022."},{"key":"303_CR6","unstructured":"GO Programming (2019) GO Programming Language. https:\/\/golang.org. Accessed 17 Feb 2022."},{"key":"303_CR7","unstructured":"Ross RS (2013) Security and privacy controls for federal information systems and organizations. Technical report, National Institute of Standards and Technology."},{"key":"303_CR8","unstructured":"The National Institute of Standards and Technology (2020) Open Security Controls Assessment Language (OSCAL). https:\/\/pages.nist.gov\/OSCAL\/. Accessed 24 July 2022."},{"key":"303_CR9","first-page":"1","volume":"800-190","author":"M Souppaya","year":"2017","unstructured":"Souppaya M, Morello J, Scarfone K (2017) Application container security guide. NIST Spec Publ 800-190:1\u201356.","journal-title":"NIST Spec Publ"},{"key":"303_CR10","volume-title":"Docker Security: Using Containers Safely in Production","author":"A Mouat","year":"2015","unstructured":"Mouat A (2015) Docker Security: Using Containers Safely in Production. O\u2019Reilly Media, Sebastopol."},{"key":"303_CR11","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1007\/978-3-319-11599-3_5","volume-title":"Nordic Conference on Secure IT Systems","author":"E Reshetova","year":"2014","unstructured":"Reshetova E, Karhunen J, Nyman T, Asokan N (2014) Security of os-level virtualization technologies In: Nordic Conference on Secure IT Systems, 77\u201393.. Springer, Troms\u00f8."},{"key":"303_CR12","unstructured":"Bui T (2015) Analysis of docker security. arXiv preprint arXiv:1501.02967. http:\/\/arxiv.org\/abs\/1501.02967. 
Accessed 4 Jan 2022."},{"issue":"5","key":"303_CR13","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1109\/MCC.2016.100","volume":"3","author":"T Combe","year":"2016","unstructured":"Combe T, Martin A, Di Pietro R (2016) To docker or not to docker: A security perspective. IEEE Cloud Comput 3(5):54\u201362.","journal-title":"IEEE Cloud Comput"},{"key":"303_CR14","unstructured":"NIST (2018) NATIONAL VULNERABILITY DATABASE. https:\/\/nvd.nist.gov\/. Accessed 5 Mar 2022."},{"key":"303_CR15","unstructured":"Gummaraju J, Desikan T, Turner Y (2015) Over 30% of official images in docker hub contain high priority security vulnerabilities. Technical Report, Banyan Ops."},{"key":"303_CR16","first-page":"19","volume-title":"IEEE Conference on Application, Information and Network Security","author":"E Mostajeran","year":"2017","unstructured":"Mostajeran E, Mydin MNM, Khalid MF, Ismail BI, Kandan R, Hoe OH (2017) Quantitative risk assessment of container based cloud platform In: IEEE Conference on Application, Information and Network Security, 19\u201324.. IEEE, Sarawak."},{"key":"303_CR17","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1016\/j.comcom.2018.03.011","volume":"122","author":"A Martin","year":"2018","unstructured":"Martin A, Raponi S, Combe T, Di Pietro R (2018) Docker ecosystem\u2013vulnerability analysis. Comput Commun 122:30\u201343.","journal-title":"Comput Commun"},{"key":"303_CR18","first-page":"491","volume-title":"IEEE 26th Int. Conf. on Software Analysis, Evolution & Reengineering","author":"A Zerouali","year":"2019","unstructured":"Zerouali A, Mens T, Robles G, Gonzalez-Barahona JM (2019) On the relation between outdated docker containers, severity vulnerabilities, and bugs In: IEEE 26th Int. Conf. on Software Analysis, Evolution & Reengineering, 491\u2013501.. IEEE, Hangzhou."},{"key":"303_CR19","unstructured":"Debian\u2019s security team (2020) Security Bug Tracker. https:\/\/security-tracker.debian.org\/tracker\/. 
Accessed 23 June 2022."},{"key":"303_CR20","first-page":"354","volume-title":"IEEE 3rd International Conference on Information Systems and Computer Aided Education","author":"J Wenhao","year":"2020","unstructured":"Wenhao J, Zheng L (2020) Vulnerability analysis and security research of docker container In: IEEE 3rd International Conference on Information Systems and Computer Aided Education, 354\u2013357.. IEEE, Dalian."},{"key":"303_CR21","first-page":"1","volume-title":"IEEE Globecom Workshops","author":"AS Abed","year":"2015","unstructured":"Abed AS, Clancy TC, Levy DS (2015) Applying bag of system calls for anomalous behavior detection of applications in linux containers In: IEEE Globecom Workshops, 1\u20135.. IEEE, San Diego."},{"key":"303_CR22","unstructured":"Clausing J (2016) SANS ISC InfoSec Forums: Forensicating Docker. https:\/\/isc.sans.edu\/forums\/diary\/Forensicating+Docker+Part+1\/20835\/. Accessed 8 Jan 2022."},{"key":"303_CR23","unstructured":"(2019) The Volatility Foundation. https:\/\/www.volatilityfoundation.org\/. Accessed 19 Feb 2022."},{"key":"303_CR24","unstructured":"Winkel S (2017) Forensicating docker with elk. The SANS Institute. https:\/\/sansorg.egnyte.com\/dl\/J3Zw8Npj4F. Accessed 18 Apr 2022."},{"key":"303_CR25","first-page":"142","volume-title":"International Conference on Cryptography, Security and Privacy","author":"Z Jian","year":"2017","unstructured":"Jian Z, Chen L (2017) A defense method against docker escape attack In: International Conference on Cryptography, Security and Privacy, 142\u2013146.. ACM, Wuhan."},{"key":"303_CR26","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1016\/j.diin.2017.06.008","volume":"22","author":"C Stelly","year":"2017","unstructured":"Stelly C, Roussev V (2017) Scarf: A container-based approach to cloud-scale digital forensic processing. 
Digit Investig 22:39\u201347.","journal-title":"Digit Investig"},{"key":"303_CR27","unstructured":"Dewald A, Luft M, Suleder J (2018) Incident Analysis and Forensics in Docker Environments. ERNW WHITE PAPER. https:\/\/static.ernw.de\/whitepaper\/ERNW_Whitepaper64_IncidentForensicDocker_signed.pdf. Accessed 12 Apr 2022."},{"key":"303_CR28","doi-asserted-by":"publisher","first-page":"159","DOI":"10.1145\/3199478.3199506","volume-title":"2nd Int. Conf. on Cryptography, Security and Privacy","author":"J Xiang","year":"2018","unstructured":"Xiang J, Chen L (2018) A method of docker container forensics based on api In: 2nd Int. Conf. on Cryptography, Security and Privacy, 159\u2013164.. ACM, New York."},{"key":"303_CR29","doi-asserted-by":"publisher","first-page":"418","DOI":"10.1145\/3274694.3274720","volume-title":"Proc. 34th Annual Computer Security Applications Conference","author":"X Lin","year":"2018","unstructured":"Lin X, Lei L, Wang Y, Jing J, Sun K, Zhou Q (2018) A measurement study on linux container security: Attacks and countermeasures In: Proc. 34th Annual Computer Security Applications Conference, 418\u2013429.. Association for Computing Machinery, San Juan."},{"key":"303_CR30","unstructured":"Williams A, Ball B, Hoang Dinh G, Hecht L (2019) Monitoring and Management with Docker and Containers. https:\/\/thenewstack.io\/ebooks\/docker-and-containers\/monitoring-management-docker-containers\/. Accessed 29 Apr 2022."},{"key":"303_CR31","unstructured":"Sysdig (2020) Run Confidently with Secure Devops - Security for containers, Kubernetes, and cloud services. https:\/\/sysdig.com\/. Accessed 18 Mar 2022."},{"key":"303_CR32","doi-asserted-by":"publisher","first-page":"63650","DOI":"10.1109\/ACCESS.2019.2905424","volume":"7","author":"Z Lu","year":"2019","unstructured":"Lu Z, Xu J, Wu Y, Wang T, Huang T (2019) An empirical case study on the temporary file smell in dockerfiles. 
IEEE Access 7:63650\u201363659.","journal-title":"IEEE Access"},{"key":"303_CR33","first-page":"839","volume-title":"International Conference of Reliable Information and Communication Technology","author":"K Awuson-David","year":"2019","unstructured":"Awuson-David K, Al-Hadhrami T, Funminiyi O, Lotfi A (2019) Using hyperledger fabric blockchain to maintain the integrity of digital evidence in a containerised cloud ecosystem In: International Conference of Reliable Information and Communication Technology, 839\u2013848.. Springer, Johor."},{"key":"303_CR34","unstructured":"Chris Foster (2019) Root Please. https:\/\/hub.docker.com\/r\/chrisfosterelli\/rootplease\/. Accessed 16 Jan 2022."},{"key":"303_CR35","unstructured":"Docker-CE (2019) Fork and clone the Moby code. https:\/\/github.com\/docker\/docker-ce\/blob\/master\/components\/engine\/docs\/contributing\/set-up-git.md. Accessed 28 Apr 2022."},{"key":"303_CR36","unstructured":"Docker (2019) Isolate containers with a user namespace. https:\/\/docs.docker.com\/engine\/security\/userns-remap\/. 
Accessed 14 May 2022."}],"container-title":["Journal of Cloud Computing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s13677-022-00303-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s13677-022-00303-8\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s13677-022-00303-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,8,19]],"date-time":"2022-08-19T08:13:28Z","timestamp":1660896808000},"score":1,"resource":{"primary":{"URL":"https:\/\/journalofcloudcomputing.springeropen.com\/articles\/10.1186\/s13677-022-00303-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,8,19]]},"references-count":37,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2022,12]]}},"alternative-id":["303"],"URL":"https:\/\/doi.org\/10.1186\/s13677-022-00303-8","relation":{},"ISSN":["2192-113X"],"issn-type":[{"value":"2192-113X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,8,19]]},"assertion":[{"value":"29 July 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"27 July 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 August 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"28"}}