Forensic analysis of container snapshot chains for post-event reconstruction

Journal article

Container orchestration platforms have become a crucial part of the cloud-native infrastructure for deploying modern applications. The highly dynamic and ephemeral nature of these environments, however, introduces new challenges for digital forensics: malicious code often runs entirely in memory and vanishes when the container terminates, leaving no traces. The absence of forensic data can be just as dangerous as the malicious activity itself, preventing post-incident investigation and adequate response. In this paper, we propose Forensic Snapshot Chains (FSC) – a framework that transparently captures and preserves the state, configurations, and metadata of running containers. These snapshot artifacts allow investigators to accurately reconstruct and analyze the events during a security incident without impacting the running cluster. To achieve this, FSC leverages memory-tracking mechanisms inspired by live-migration optimization techniques that enable high-frequency snapshot capture when a security alert is triggered, while minimizing performance and storage overhead. Our evaluation with real-world cloud-native workloads demonstrates that FSC, with minimal performance overhead, enables accurate temporal reconstruction of memory-resident malicious activity derived from container snapshot chains under both stealthy execution and active attack scenarios.

Authors: Stoyanov, R; Goldoni, L; Reber, A; Hargreaves, C; Bruno, R

• Publication status: Accepted
• Peer review status: Peer reviewed
• Publisher: Elsevier
• Journal: Journal of Forensic Science International: Digital Investigation
• Acceptance date: 2026-04-03
• EISSN: 2666-2825
• ISSN: 2666-2817
• Language: English
• Keywords: container checkpointing; Kubernetes; forensic readiness; event reconstruction; digital investigation