In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) utility:
![](../../.gitbook/assets/image%20%28425%29.png)
This allow you to **navigate through the different blobs of docker images** and check which files were modified/added. **Red** means added and **yellow** means modified. Use **tab** to move to the other view and **space** to to collapse/open folders.
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
Therefore \(as root\) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-unix/privilege-escalation/#process-memory).