BoneStack has several container-focused forensic views. Some are quick summaries, and some are investigation-heavy.
- Filesystem: Shows the selected container's visible filesystem so you can inspect directories and spot odd paths, dropped payloads, or unexpected files.
- Processes: Lists running processes and process stats so you can spot shells, miners, downloaders, or other unexpected commands inside the container.
- Volumes: Shows mounted volumes and bind mounts so you can see what host paths or persistent storage the container can write to.
- Logs: Shows recent container logs so you can look for crashes, suspicious command output, callback URLs, or failed startup loops.
- Environment: Summarizes environment variables, groups them by type, and highlights likely secrets or risky runtime configuration.
- Resources: Shows CPU, memory, and process-count usage so you can spot runaway processes, suspicious load spikes, or unhealthy containers.
- Threat Hunt: Scans for suspicious artifacts and content like reverse shells, cron persistence, SSH key drops, encoded payloads, and YARA matches.
- Container Diff: Shows files added, changed, or deleted since the container started so you can see what changed at runtime.
- Timeline: Shows recent Docker lifecycle events such as `create`, `start`, `die`, `kill`, and `restart` for timing and sequence reconstruction.
BoneStack's highest-signal workflow is still: Threat Hunt → Container Diff → Timeline.
The intended workflow is:
- Open a container.
- Enter the forensics menu with `f`.
- Review Threat Hunt for suspicious artifacts and content matches.
- Review Container Diff for filesystem changes since container start.
- Review Timeline for recent Docker lifecycle events.
- Export a combined report with `w`.
Start BoneStack:

```sh
go build -o bonestack ./cmd/bonestack/main.go
./bonestack
```

Then in the TUI:
- Select View Containers
- Pick a container
- Press `f`
- Choose one of: Filesystem, Processes, Volumes, Logs, Environment, Resources, Threat Hunt, Container Diff, Timeline
- Environment: Use this when you want to understand how the container was configured at runtime.
- Resources: Use this when a container looks noisy, slow, overloaded, or suspiciously busy.
- Threat Hunt: Use this when you want BoneStack to actively look for suspicious indicators.
- Container Diff: Use this when you want to know what changed after container startup.
- Timeline: Use this when you want timing context for restarts, kills, recreations, or other Docker events.
Threat Hunt looks for suspicious container artifacts and suspicious content in files such as:
- cron entries
- `authorized_keys`
- shell history files
- service files
- shell scripts
- base64 payload hints
- reverse shell strings such as `nc -e`, `/dev/tcp`, `bash -i`
- download-and-exec patterns such as `curl ... | sh`
- `LD_PRELOAD`

Keys: `r` rescan, `w` write report, `↑/↓` scroll, `b` back
Container Diff uses Docker's container diff API to show filesystem changes since the container started.
It groups changes as: added, modified, deleted.
It also flags suspicious paths such as:
- cron locations
- SSH key locations
- shell history files
- `.service` units
- `ld.so.preload`
- payloads in `/tmp` or `/dev/shm`

Keys: `r` reload, `w` write report, `↑/↓` scroll, `b` back
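To illustrate the grouping and flagging above, here is an added Go example (not BoneStack's own code) that parses `docker diff`-style lines, groups them as added/modified/deleted, and tags the suspicious path categories listed above. The `A`/`C`/`D` markers are the ones printed by `docker diff`; the path-matching rules and the sample lines are constructed assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)
// Change is one filesystem change grouped the way Container Diff groups it.
type Change struct {
	Kind  string   // "added", "modified", or "deleted"
	Path  string
	Flags []string // suspicious-path categories matched; empty if none
}
// kindFromMarker maps the A/C/D markers printed by `docker diff`.
var kindFromMarker = map[string]string{"A": "added", "C": "modified", "D": "deleted"}
// rules are simple path checks for the categories listed above; the exact matching is an assumption of this example, not BoneStack's own logic.
var rules = []struct {
	name  string
	match func(p string) bool
}{
	{"cron-location", func(p string) bool { return strings.HasPrefix(p, "/etc/cron") || strings.HasPrefix(p, "/var/spool/cron") }},
	{"ssh-key-location", func(p string) bool { return strings.Contains(p, "/.ssh/") }},
	{"shell-history", func(p string) bool { return strings.HasSuffix(p, "_history") }},
	{"service-unit", func(p string) bool { return strings.HasSuffix(p, ".service") }},
	{"ld-so-preload", func(p string) bool { return p == "/etc/ld.so.preload" }},
	{"tmp-payload", func(p string) bool { return strings.HasPrefix(p, "/tmp/") || strings.HasPrefix(p, "/dev/shm/") }},
}
// ParseDiff turns `docker diff`-style lines ("A /path", "C /path", "D /path") into grouped, flagged changes; unknown markers are skipped.
func ParseDiff(lines []string) []Change {
	var out []Change
	for _, line := range lines {
		marker, p, ok := strings.Cut(strings.TrimSpace(line), " ")
		if kind, known := kindFromMarker[marker]; ok && known {
			c := Change{Kind: kind, Path: p}
			for _, r := range rules {
				if r.match(p) {
					c.Flags = append(c.Flags, r.name)
				}
			}
			out = append(out, c)
		}
	}
	return out
}
func main() {
	// Constructed sample diff lines; not taken from a real container.
	sample := []string{"A /tmp/revshell.sh", "C /root/.ssh/authorized_keys", "C /var/log/app.log", "D /etc/ld.so.preload"}
	for _, c := range ParseDiff(sample) {
		fmt.Printf("%-8s %-28s %v\n", c.Kind, c.Path, c.Flags)
	}
}
```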
Timeline reads recent Docker events for the selected container.
Typical event actions include: `create`, `start`, `die`, `kill`, `restart`, `rename`.
This is useful when you want to answer:
- Did the container restart unexpectedly?
- Was it killed recently?
- Was it recreated from a different image?
Keys: `r` reload, `w` write report, `↑/↓` scroll, `b` back

From Threat Hunt, Container Diff, or Timeline, press `w`.
BoneStack writes a combined container forensics report under `.bonestack/reports/<container>/`.
Files written: `forensics.json`, `forensics.csv`, `forensics.html`
The report includes:
- threat-hunt findings
- container diff changes
- timeline events
Example:
- Open container `suspicious-web`
- Press `f`
- Open Threat Hunt
- See: `reverse-shell`, `cron-persistence`, `yara:BoneStackReverseShell`
- Press `b`
- Open Container Diff
- See changes such as: `/tmp/revshell.sh`, `/root/.ssh/authorized_keys`
- Press `b`
- Open Timeline
- See: `start`, `die`, `restart`
- Press `w`

You now have one exported report with all three views combined.