Collecting Containers

Created: 28.07.2022

Containers are, by their nature, highly volatile.

This property of containers runs contrary to the fundamental forensics need to preserve evidence. Container images that start and stop constantly represent not just moving targets but targets that frequently cease to exist.
(Sheward, Mike. Hands-on Incident Response and Digital Forensics, p. 177. BCS Learning & Development Limited. Kindle Edition.)

The underlying container image is stored in one location; this image contains the configuration data and applications that form the container image. Any changes made while the container runs will be written to a separate file and can be committed into a new image on the fly without affecting the running container. If a container is believed to be compromised, you can run that newly committed image to explore its contents. Note, however, that such an action results in creating a new container from the image, not the exact same copy of the container you committed from. This differs from a VM snapshotting approach since running processes in the target container are not included in the image.
(Sheward, Mike. Hands-on Incident Response and Digital Forensics, p. 177. BCS Learning & Development Limited. Kindle Edition.)
