Brussels / 31 January & 1 February 2026


Investigating Security Incidents with Forensic Snapshots in Kubernetes


The absence of forensic data can be just as dangerous as the presence of malicious activity. While traditional digital forensics focuses on artefacts located on storage devices, containerized environments like Kubernetes introduce new challenges for the collection of digital evidence from compromised applications, where malware now routinely leaves no traces. In this talk, we are going to explore how to collect, preserve, and analyse forensic snapshots with transparent checkpointing methods while maintaining a chain of custody to investigate security incidents. We will also discuss techniques for automation in real-world scenarios and best practices for capturing and analysing malicious activity in compromised containers.

Speakers

Adrian Reber
Radostin Stoyanov
Lorena Goldoni
