Transformatika, Vol. 21, No. 2 (2024)

Forensic Analysis of Podman Containers Against a Metasploit Backdoor Using Checkpointctl

Hafiidh Akbar Sya'bani  
Chaerul Umam  
L Budi Handoko

DOI: 10.26623/transformatika.v21i2.8109

SUMMARY

Container systems are a type of virtualization technology with an isolated environment. The isolated environment in a container system does not make cyber attacks impossible. In this research, containers in which a cyber incident occurred were forensically tested on the container's memory to obtain digital evidence. The forensic process follows the standards of the NIST framework, with the stages of collection, examination, analysis and reporting. The forensic process begins by performing a checkpoint on the container to obtain information from the container's memory. In Podman, the checkpoint process is carried out on one of the containers and produces a file in .tar.gz form, which holds the information contained in the container. After the checkpoint process is complete, forensics is carried out by reading the checkpoint file using a tool called checkpointctl. Forensic results showed that the container was running a malicious program in the form of a backdoor with a PHP extension.
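As an added illustration of the examination stage (not code from the paper, and not a replacement for checkpointctl), the following Python sketch opens a checkpoint archive in .tar.gz form and pulls PHP-related strings out of the memory page images. It assumes the archive keeps CRIU memory images as `checkpoint/pages-*.img`; the function names, the indicator patterns and the sample archive are constructed for this example.

```python
import io
import os
import re
import tarfile
import tempfile

# Assumption: memory page images sit under checkpoint/ as pages-*.img (CRIU layout).
PAGES = re.compile(r"(^|/)checkpoint/pages-\d+\.img$")
# Printable ASCII runs of 6+ bytes, similar to strings(1).
STRINGS = re.compile(rb"[\x20-\x7e]{6,}")
# Indicators tied to the reported finding: PHP script paths and PHP open tags.
PHP_HINT = re.compile(rb"\.php\b|<\?php", re.IGNORECASE)


def php_strings(archive_path):
    """Return {member_name: [matching strings]} for each memory page image."""
    hits = {}
    with tarfile.open(archive_path, "r:*") as tar:
        for member in tar:
            if not member.isfile() or not PAGES.search(member.name):
                continue
            # Reads the whole image; work on a copy of the evidence file.
            data = tar.extractfile(member).read()
            found = {s.decode("ascii") for s in STRINGS.findall(data) if PHP_HINT.search(s)}
            if found:
                hits[member.name] = sorted(found)
    return hits


def build_sample(path):
    """Write a constructed archive (not real evidence) for demonstration."""
    page = b"\x00" * 64 + b"/var/www/html/sample.php\x00" + b"\x00" * 64 + b"GET /index.html\x00"
    with tarfile.open(path, "w:gz") as tar:
        for name, blob in (("config.dump", b"{}"), ("checkpoint/pages-1.img", page)):
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample-checkpoint.tar.gz")
        build_sample(p)
        for name, strings in php_strings(p).items():
            print(name, strings)
```

String hits from raw page images carry no process context, so they are leads to confirm against the process tree and open files that checkpointctl reports for the same archive.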
