When you are given an exported docker image \(probably in `.tar` format\) you can use [**container-diff**](https://github.com/GoogleContainerTools/container-diff/releases) to **extract a summary of the modifications**:
In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) ****\(download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)\) utility:
This allow you to **navigate through the different blobs of docker images** and check which files were modified/added. **Red** means added and **yellow** means modified. Use **tab** to move to the other view and **space** to to collapse/open folders.
With die you won't be able to access the content of the different stages of the image. To do so you will need to **decompress each layer and access it**.
You can decompress all the layers from an image from the directory where the image was decompressed executing:
```bash
tar -xf image.tar
for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; done
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
Therefore \(as root\) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-unix/privilege-escalation/#process-memory).