[REVIEW] forensics-checklist: add ephemeral cloud workload evidence gates

[catcherintheroad-hub]

Review target

Skill: forensics-checklist
Path: skills/incident-response/forensics-checklist/

Problem

The skill covers traditional volatile evidence, disk imaging, cloud snapshots, and provider audit logs, but it does not give concrete gates for ephemeral cloud workloads such as Kubernetes pods, managed containers, and serverless functions.

This can produce a false sense of forensic completeness when a report captures an EBS or managed disk snapshot and provider audit logs, while the actual workload evidence has already disappeared or remains mutable.

False positive example

cloud:
  ebs_snapshot: captured
  audit_logs: exported
workload:
  kubernetes_pod: evicted
  lambda_function: prod_alias
  container_image: app:latest

Why this is incomplete:

• A Kubernetes pod can be evicted before pod YAML, events, current/previous logs, container statuses, service account, node, mounted volumes, or owner references are preserved.
• A serverless function alias such as prod is mutable unless the report records the function version, package/code hash, runtime/layers, environment and secret references, execution role, trigger mapping, and deployment history.
• A container image tag such as latest is mutable unless the report preserves the immutable image digest, registry metadata, runtime command/entrypoint, environment/secret references, and deployment/task revision.

Suggested coverage

Add evidence gates for:

1. Kubernetes and managed container workloads: pod spec, events, logs, previous container logs, container statuses, image digests, node, namespace, owner references, labels/annotations, service account, mounted volumes, network policy, and relevant audit events.
2. Serverless workloads: immutable function version or revision, alias mapping, deployment package hash, runtime/layers, environment and secret references, execution role/service account, trigger/event source mapping, invocation logs, and provider audit logs.
3. Managed container services such as ECS, Fargate, Cloud Run, AKS, EKS, and GKE where no traditional disk image may exist.
4. Explicit findings when the report relies on mutable tags/aliases or cloud disk snapshots alone for an ephemeral workload incident.

References

• NIST SP 800-86: https://csrc.nist.gov/publications/detail/sp/800-86/final
• RFC 3227: https://www.rfc-editor.org/rfc/rfc3227
• Kubernetes Pods: https://kubernetes.io/docs/concepts/workloads/pods/
• AWS Lambda function versions: https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html

[ASUKAAAAA1204]

/attempt #1395

[ASUKAAAAA1204]

Implemented in PR #1617: #1617

Scope:

• Adds a dedicated 6a: Ephemeral Cloud Workload Evidence gate to skills/incident-response/forensics-checklist/SKILL.md.
• Requires Kubernetes / managed-container workload evidence such as pod/task specs, events, current and previous logs, container statuses, image digests, service accounts, volumes, owner references, network policy, and audit events.
• Adds example Kubernetes capture commands for pod YAML, describe output, current/previous logs, namespace events, workload owners, and network policies.
• Requires serverless workload evidence such as immutable function versions/revisions, alias mapping, package hash, runtime/layers, environment and secret references, execution role/service account, triggers, invocation logs, provider audit logs, and deployment history.
• Adds explicit findings for reports that rely on disk snapshots alone, mutable container tags, mutable function aliases, or missing pod/task/function runtime evidence.
• Adds an output table and common pitfall for ephemeral cloud workload evidence.

Validation:

• git diff --check -> no whitespace errors; Windows Git emitted only the existing LF/CRLF warning.
• Marker grep confirmed Ephemeral Cloud Workload Evidence, Kubernetes, previous container logs, immutable image digests, Serverless workloads, Cloud Run, Fargate, and Lambda Function Versions are present.
• Markdown fence balance check -> fence_count=36 and even.
• Frontmatter smoke check confirmed name, version, allowed-tools, and injection-hardened remain present.
• Reference GET checks returned HTTP 200 for Kubernetes Pods, AWS Lambda function versions, NIST SP 800-86, and RFC 3227.
• git diff --stat -> one file changed, 43 insertions.

Requested as an Improver Moderate / $100 bounty submission. Preferred payment method: crypto; details can be provided privately after maintainer acceptance.

[shensz2017]

/attempt #1395

[shensz2017]

[REVIEW] PR #1617 - forensics-checklist ephemeral cloud workload gates

Reviewed the patch against issue #1395 and the existing forensics-checklist skill.

Verdict: support.

What looks strong:

• The new section fixes the main evidence gap: a disk snapshot and provider audit log export are not enough for pods, managed container tasks, serverless functions, or mutable image/function pointers.
• The Kubernetes capture commands are concrete and actionable, especially preserving pod YAML, describe output, current logs, previous logs, namespace events, workload owners, and network policies.
• The serverless guidance correctly treats aliases such as prod, $LATEST, and traffic-splitting revisions as pointers rather than evidence. Requiring function version/revision, package hash, runtime/layers, role, triggers, logs, and deployment history is the right forensic bar.
• The output table gives reviewers a place to record immutable identity, runtime state, logs/events, control-plane evidence, and gaps, which should reduce vague cloud-forensics reports.

Suggested follow-up:

• Consider adding a retention/collection-deadline field for ephemeral artifacts. Previous container logs, Kubernetes events, invocation logs, and provider audit streams can rotate quickly, so the plan should capture when each source was last available and whether evidence loss is due to eviction, redeploy, scale-down, or retention limits.

No blocking issues found in this patch.