Session
Container Forensics Simplified: Essential DFIR Techniques for Kubernetes
When a security breach happens, having a clear plan to respond and investigate the issue is essential. This is where DFIR—Digital Forensics and Incident Response—comes into play. But with the rise of containerized applications, investigating and handling security incidents has become more complex.
In this session, we’ll dive into practical DFIR techniques specifically designed for Kubernetes environments, making it easier to manage security incidents in container setups. We’ll start with a quick overview of DFIR, explaining what it means and why it’s important. From there, we’ll look at advanced methods for analyzing and managing compromised applications in Kubernetes. You'll learn how to “checkpoint” an affected app—essentially creating a snapshot of it—so it can be examined safely in a secure setting. We’ll also cover how to examine memory in containers using established open-source tools.
By the end of the talk, you’ll know the basics of DFIR for containers, understand the pros and cons of these techniques, and feel more confident about tackling security incidents in Kubernetes.