# Disk Usage

## Overview

**Evidence:** Disk Usage\
**Description:** ESXi Disk Usage\
**Category:** DiskFilesystem\
**Platform:** esxi\
**Short Name:** diskusg\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

ESXi disk usage statistics track storage consumption across filesystems, partitions, and volumes on the hypervisor. Monitoring disk usage helps identify suspicious storage patterns, detect data staging for exfiltration, and reveal space exhaustion attacks or log file tampering.

## Data Collected

This collector gathers structured data about disk usage.

### Disk Usage Data

| Field                  | Description           | Example                   |
| ---------------------- | --------------------- | ------------------------- |
| `AccessTime`           | Access Time           | 2023-10-15 14:30:25+03:00 |
| `AccessCount`          | Access Count          | 123                       |
| `URL`                  | URL                   | Example value             |
| `Browser`              | Browser               | Example value             |
| `Title`                | Title                 | Example value             |
| `VisitDuration`        | Visit Duration        | Example value             |
| `Referrer`             | Referrer              | Example value             |
| `TypedCount`           | Typed Count           | 123                       |
| `IsHidden`             | Is Hidden             | true                      |
| `TransitionType`       | Transition Type       | Example value             |
| `VisitID`              | Visit ID              | 123                       |
| `TransitionQualifiers` | Transition Qualifiers | Example value             |
| `User`                 | User                  | Example value             |
| `Profile`              | Profile               | Example value             |
| `HistoryFilePath`      | History File Path     | Example value             |

## Collection Method

This collector parses disk usage reports, extracting filesystem mount points, total capacity, used space, available space, usage percentages, and mount status for each storage volume accessible to the ESXi host.

## Forensic Value

Disk usage patterns reveal anomalous storage consumption that may indicate malware staging areas, log file manipulation to hide evidence, or denial-of-service attempts via disk exhaustion. Comparing usage trends helps identify rapid changes consistent with data exfiltration or malicious file placement.
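The trend comparison described above, as an added example that is not the collector's or the product's own code. It assumes two reports in a `df`-style column layout (Filesystem, Bytes, Used, Available, Use%, Mounted on); the sample reports, the function names and the 10-point threshold are constructed for illustration.

```python
# Added example: diff two constructed df-style disk usage snapshots and flag
# volumes whose used space moved sharply. Layout and threshold are assumptions.
BEFORE = """\
Filesystem        Bytes         Used    Available Use% Mounted on
VMFS-6     999922073600 412316860416 587605213184  41% /vmfs/volumes/datastore1
vfat          261853184    173883392     87969792  66% /vmfs/volumes/BOOTBANK1
vfat         4293591040   2147483648   2146107392  50% /vmfs/volumes/scratch
"""
AFTER = """\
Filesystem        Bytes         Used    Available Use% Mounted on
VMFS-6     999922073600 798863917056 201058156544  80% /vmfs/volumes/datastore1
vfat          261853184    173883392     87969792  66% /vmfs/volumes/BOOTBANK1
vfat         4293591040      1048576   4292542464   0% /vmfs/volumes/scratch
"""

def parse_report(text):
    """Return {mount_point: (total_bytes, used_bytes)} from a df-style report."""
    volumes = {}
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.strip().split(None, 5)       # mount point may contain spaces
        if len(parts) != 6 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue                              # tolerate blank or malformed rows
        volumes[parts[5]] = (int(parts[1]), int(parts[2]))
    return volumes

def compare(before, after, min_pct_points=10.0):
    """List (mount, change, delta_bytes) for volumes that appeared, vanished, or
    whose used space moved by at least min_pct_points of total capacity."""
    old, new = parse_report(before), parse_report(after)
    findings = []
    for mount in sorted(old.keys() | new.keys()):
        if mount not in old:
            findings.append((mount, "new_volume", new[mount][1]))
        elif mount not in new:
            findings.append((mount, "missing_volume", -old[mount][1]))
        else:
            delta = new[mount][1] - old[mount][1]
            total = max(new[mount][0], 1)         # avoid division by zero
            if abs(delta) * 100.0 / total >= min_pct_points:
                # growth: possible staging; shrink: possible log or file removal
                findings.append((mount, "growth" if delta > 0 else "shrink", delta))
    return findings

if __name__ == "__main__":
    for mount, change, delta in compare(BEFORE, AFTER):
        print(f"{change:8} {delta:>+16,d} bytes  {mount}")
```

A flagged volume is a lead for triage, not a finding on its own: correlate the time window with VM provisioning, snapshots, and log rotation before treating the change as suspicious.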
