Datastores

Overview

Evidence: Datastores
Description: ESXi Datastores for all Virtual Machines
Category: DiskFilesystem
Platform: esxi
Short Name: dstr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

ESXi datastores are storage containers where virtual machine files, ISOs, and templates are stored. Understanding datastore configuration is essential for tracking VM artifacts, identifying unauthorized data access, and investigating storage-based attacks or data exfiltration.

Data Collected

This collector gathers structured data about datastores.

Datastores Data

| Field | Description | Example |
| --- | --- | --- |
| AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
| AccessCount | Access Count | 123 |
| URL | URL | Example value |
| Browser | Browser | Example value |
| Title | Title | Example value |
| VisitDuration | Visit Duration | Example value |
| Referrer | Referrer | Example value |
| TypedCount | Typed Count | 123 |
| IsHidden | Is Hidden | true |
| TransitionType | Transition Type | Example value |
| VisitID | Visit ID | 123 |
| TransitionQualifiers | Transition Qualifiers | Example value |
| User | User | Example value |
| Profile | Profile | Example value |
| HistoryFilePath | History File Path | Example value |

Collection Method

This collector parses the datastore information file obtained via the vim-cmd vmsvc/get.datastores command. For each datastore attached to virtual machines, it extracts the datastore name, URL, capacity, free space, accessibility status, type (VMFS, NFS, etc.), and multi-host access configuration.

Forensic Value

Datastore metadata provides visibility into storage capacity, accessibility, and sharing configuration. This information helps investigators identify suspicious storage mounts, trace VM file locations, detect capacity anomalies that may indicate data staging, and validate storage security policies.
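The parsing step under Collection Method and the review under Forensic Value can be sketched as follows. This is an added example, not the collector's own code: the key/value line layout, the sample text, the function names and the 5% free-space threshold are all assumptions made for illustration.

```python
import re

# Keys assumed from the fields this page lists; the exact layout of the
# vim-cmd output is an assumption and may differ between ESXi versions.
KEYS = ("name", "url", "capacity", "free", "accessible", "type",
        "multi-host access")
LINE = re.compile(r"^\s*(%s)\s+(.*?)\s*$" % "|".join(map(re.escape, KEYS)))

# Constructed sample, not real collector output.
SAMPLE = """\
name                 datastore1
url                  /vmfs/volumes/00000000-00000000-0000-000000000001
capacity             499826819072
free                 12000000000
accessible           1
type                 VMFS
multi-host access    0
name                 nfs-share
url                  /vmfs/volumes/00000000-00000002
capacity             1099511627776
free                 900000000000
accessible           0
type                 NFS
multi-host access    1
"""

def parse_datastores(text):
    """Return one dict per datastore; a 'name' line starts a new record."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blank lines, banners and unknown keys
        key, value = m.groups()
        if key == "name" or not records:
            records.append({})
        records[-1][key] = value
    return records

def triage(record, min_free_ratio=0.05):
    """Return review notes for one parsed datastore record."""
    notes = []
    if record.get("accessible", "").strip("<>").lower() in ("0", "false"):
        notes.append("inaccessible")
    if record.get("type", "").upper().startswith("NFS"):
        notes.append("network-backed")
    try:
        if int(record["free"]) / int(record["capacity"]) < min_free_ratio:
            notes.append("low free space")
    except (KeyError, ValueError, ZeroDivisionError):
        notes.append("capacity unreadable")
    return notes
```

The notes are prompts for review, not verdicts: a network-backed or nearly full datastore is only notable when it deviates from the host's known storage baseline.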
