# Datastores

## Overview

**Evidence:** Datastores\
**Description:** ESXi Datastores for all Virtual Machines\
**Category:** DiskFilesystem\
**Platform:** esxi\
**Short Name:** dstr\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

ESXi datastores are storage containers where virtual machine files, ISOs, and templates are stored. Understanding datastore configuration is essential for tracking VM artifacts, identifying unauthorized data access, and investigating storage-based attacks or data exfiltration.

## Data Collected

This collector gathers structured data about datastores.

### Datastores Data

| Field                  | Description           | Example                   |
| ---------------------- | --------------------- | ------------------------- |
| `AccessTime`           | Access Time           | 2023-10-15 14:30:25+03:00 |
| `AccessCount`          | Access Count          | 123                       |
| `URL`                  | URL                   | Example value             |
| `Browser`              | Browser               | Example value             |
| `Title`                | Title                 | Example value             |
| `VisitDuration`        | Visit Duration        | Example value             |
| `Referrer`             | Referrer              | Example value             |
| `TypedCount`           | Typed Count           | 123                       |
| `IsHidden`             | Is Hidden             | true                      |
| `TransitionType`       | Transition Type       | Example value             |
| `VisitID`              | Visit ID              | 123                       |
| `TransitionQualifiers` | Transition Qualifiers | Example value             |
| `User`                 | User                  | Example value             |
| `Profile`              | Profile               | Example value             |
| `HistoryFilePath`      | History File Path     | Example value             |

## Collection Method

This collector parses the datastore information file obtained via the `vim-cmd vmsvc/get.datastores` command. It extracts the datastore name, URL, capacity, free space, accessibility status, type (VMFS, NFS, etc.), and multi-host access configuration for each datastore attached to virtual machines.

## Forensic Value

Datastore metadata provides visibility into storage capacity, accessibility, and sharing configuration. This information helps investigators identify suspicious storage mounts, trace VM file locations, detect capacity anomalies that may indicate data staging, and validate storage security policies.
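
As an added example (not the collector's own code), the Python below parses a key/value datastore listing of the kind described under Collection Method and flags the conditions named above: unexpected datastores, inaccessible mounts, and low free space. The listing layout, the sample values, `BASELINE`, and the 10% free-space threshold are assumptions made for illustration.

```python
# Constructed sample; the "key  value" layout is an assumption, not taken from the page.
SAMPLE = """\
name                 datastore1
url                  /vmfs/volumes/00000000-00000000-0000-000000000001
capacity             1000000000000
free                 40000000000
accessible           1
type                 VMFS
multipleHostAccess   <unset>

name                 nfs-scratch
url                  /vmfs/volumes/00000000-00000002
capacity             500000000000
free                 450000000000
accessible           0
type                 NFS
multipleHostAccess   1
"""
BASELINE = {"datastore1"}  # hypothetical: datastores the site expects to see

def parse_datastores(text):
    """Return one dict per datastore; a 'name' line opens a new record."""
    records, current = [], None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0] == "name":
            current = {}
            records.append(current)
        if parts and current is not None:
            current[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return records

def triage(records, baseline=BASELINE, min_free_ratio=0.10):
    """Return (datastore name, reason) pairs that deserve analyst review."""
    findings = []
    for r in records:
        name = r.get("name", "?")
        if name not in baseline:
            findings.append((name, "not in expected datastore baseline"))
        if r.get("accessible") != "1":  # assumed encoding: "1" means accessible
            findings.append((name, "datastore not accessible"))
        try:
            ratio = int(r["free"]) / int(r["capacity"])
        except (KeyError, ValueError, ZeroDivisionError):
            findings.append((name, "capacity/free missing or unparsable"))
            continue
        if ratio < min_free_ratio:
            findings.append((name, f"low free space ({ratio:.0%})"))
    return findings
```

Calling `triage(parse_datastores(SAMPLE))` on a listing from each collection and comparing the findings across acquisitions shows when a mount appeared or when free space dropped.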
