MikeHorn-git/docker-forensic-toolbox
Docker Forensic Toolbox

Information

  • Credentials: forensic:forensic
  • Base image: Debian Bookworm Slim.
  • Size: around 900 MB.
  • Build time: a few minutes, depending on your system.
  • Trivy: 0 unfixed vulnerabilities.

Installation

Docker Hub

sudo docker pull mikehorn/dft:latest

Build Yourself

git clone https://github.com/MikeHorn-git/docker-forensic-toolbox.git
cd docker-forensic-toolbox

Docker Compose

sudo docker-compose up -d

Dockerfile

sudo docker build -t "dft" .

Tools

  • aLEAPP - Android Logs, Events, And Protobuf Parser.
  • Binwalk - Firmware analysis tool.
  • Exiftool - ExifTool meta information reader/writer.
  • Ewf-tools - Library to access the Expert Witness Compression Format (EWF).
  • Foremost - File carving.
  • File - Recognizes the type of data in a file using "magic" numbers.
  • Hindsight - Web browser forensics for Google Chrome/Chromium.
  • iLEAPP - iOS Logs, Events, And Plist Parser.
  • Loki - Simple IOC and YARA scanner.
  • Mac-robber - Collects data from allocated files in a mounted file system.
  • MVT - Mobile Verification Toolkit, for conducting forensics of mobile devices in order to find signs of a potential compromise.
  • Nano - Small, friendly text editor inspired by Pico.
  • Ntfs-3g - Safe read/write NTFS driver.
  • Parted - A program for creating, destroying, resizing, checking and copying partitions.
  • Python-evt - Pure Python parser for classic Windows Event Log files (.evt).
  • Python-ntfs - Open source Python library for NTFS analysis.
  • Recuperabit - A tool for forensic file system reconstruction.
  • RegRipper - Open source forensic software used as a Windows Registry data extraction tool.
  • Sleuthkit - Library and collection of command line digital forensics tools.
  • Stegoveritas - Yet another stego tool.
  • Tshark - Dump and analyze network traffic.
  • Vim - Vi IMproved, a highly configurable, improved version of the vi text editor.
  • Volatility3 - Advanced memory forensics framework.
  • Xmount - Tool to cross-mount between multiple input and output hard disk image files.
  • Yara - The pattern matching swiss knife.

Security

Version 1.2

  • Add docker-compose.yml.

Version 1.1

  • Add new tools (iLEAPP, python-evt, python-ntfs).
  • Add the Security section and update the protobuf version to patch the vulnerabilities CVE-2021-22570 and CVE-2022-1941 detected with Trivy.
  • Delete tools.txt.
  • Remove miscellaneous tools (htop, john, ssdeep) for a lighter image.