Open Files

Overview

Evidence: Open Files
Description: List Open Files
Category: System
Platform: esxi
Short Name: ofiles
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Open file descriptors on ESXi reveal active file access by processes, including VM disk files, configuration files, log files, and system resources. This snapshot captures what files were being accessed at collection time, providing evidence of process behavior and file manipulation.

Data Collected

This collector gathers structured data about open files.

Open Files Data

| Field | Description | Example |
| --- | --- | --- |
| AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
| AccessCount | Access Count | 123 |
| URL | URL | Example value |
| Browser | Browser | Example value |
| Title | Title | Example value |
| VisitDuration | Visit Duration | Example value |
| Referrer | Referrer | Example value |
| TypedCount | Typed Count | 123 |
| IsHidden | Is Hidden | true |
| TransitionType | Transition Type | Example value |
| VisitID | Visit ID | 123 |
| TransitionQualifiers | Transition Qualifiers | Example value |
| User | User | Example value |
| Profile | Profile | Example value |
| HistoryFilePath | History File Path | Example value |

Collection Method

This collector parses the output of system commands listing open file descriptors, extracting process IDs, file paths, file types, access modes, and file descriptor numbers for each open file on the ESXi host.

Forensic Value

Open file data exposes active process file access patterns, helps identify processes accessing sensitive files, detects unauthorized file modifications in progress, and reveals temporary files or sockets used by malware. Cross-referencing with process data provides a complete picture of file-based attacker activity.
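As an added example (not the collector's own code), the following parses a pipe-delimited open-file listing of the kind the collection method above describes and then applies the cross-reference check the forensic-value section mentions: flagging handles on sensitive paths held by processes that are not their expected owners. The column layout, the sample rows, the watch list and the expected-owner map are all constructed assumptions, not values from this page or from a real host.

```python
from dataclasses import dataclass

# Constructed sample in the pipe-delimited layout assumed for ESXi's `lsof`
# (Cartel | World name | Type | fd | Description); not captured from a host.
SAMPLE_LSOF = """\
Cartel | World name | Type | fd | Description
-----------------------------------------------------------------
2097859 | vmx | FILE | 3 | /vmfs/volumes/datastore1/web01/web01-flat.vmdk
2097859 | vmx | FILE | 4 | /vmfs/volumes/datastore1/web01/web01.vmx
2098100 | sh | FILE | 3 | /etc/shadow
2098100 | sh | FILE | 5 | /tmp/.x
2098312 | hostd | PIPE | 7 | pipe
"""

@dataclass(frozen=True)
class OpenFile:
    pid: int        # cartel (process) ID
    process: str    # world name
    ftype: str      # FILE, PIPE, SOCKET, ...
    fd: int         # file descriptor number
    path: str       # description column (a path for FILE entries)

def parse_lsof(text: str) -> list[OpenFile]:
    """Turn a header-prefixed, pipe-delimited listing into OpenFile records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Cartel", "-")):
            continue  # skip header and separator rows
        cols = [c.strip() for c in line.split("|", 4)]
        if len(cols) != 5 or not cols[0].isdigit() or not cols[3].isdigit():
            continue  # tolerate a malformed row instead of aborting collection
        records.append(OpenFile(int(cols[0]), cols[1], cols[2], int(cols[3]), cols[4]))
    return records

# Hypothetical watch list: paths an analyst wants to see opened only by the
# processes listed as expected owners for that prefix (none for /etc, /tmp).
SENSITIVE_PREFIXES = ("/etc/shadow", "/tmp/", "/vmfs/volumes/")
EXPECTED_OWNERS = {"/vmfs/volumes/": {"vmx", "hostd", "vpxa"}}

def flag_suspicious(records: list[OpenFile]) -> list[tuple[int, str, str]]:
    """Return (pid, process, path) for FILE handles on watched paths held by
    a process that is not an expected owner of that path prefix."""
    hits = []
    for r in records:
        if r.ftype != "FILE":
            continue  # pipes and sockets carry no path to match on
        for prefix in SENSITIVE_PREFIXES:
            if r.path.startswith(prefix) and r.process not in EXPECTED_OWNERS.get(prefix, set()):
                hits.append((r.pid, r.process, r.path))
                break
    return hits
```

On the constructed sample this flags the two handles held by the shell process (`/etc/shadow` and `/tmp/.x`) and leaves the VM disk files opened by `vmx` alone; the same records can then be joined to process evidence on `pid`.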
