# Open Files

## Overview

**Evidence:** Open Files\
**Description:** List Open Files\
**Category:** System\
**Platform:** esxi\
**Short Name:** ofiles\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Open file descriptors on ESXi reveal active file access by processes, including VM disk files, configuration files, log files, and system resources. This snapshot captures what files were being accessed at collection time, providing evidence of process behavior and file manipulation.

## Data Collected

This collector gathers structured data about open files.

### Open Files Data

| Field                  | Description           | Example                   |
| ---------------------- | --------------------- | ------------------------- |
| `AccessTime`           | Access Time           | 2023-10-15 14:30:25+03:00 |
| `AccessCount`          | Access Count          | 123                       |
| `URL`                  | URL                   | Example value             |
| `Browser`              | Browser               | Example value             |
| `Title`                | Title                 | Example value             |
| `VisitDuration`        | Visit Duration        | Example value             |
| `Referrer`             | Referrer              | Example value             |
| `TypedCount`           | Typed Count           | 123                       |
| `IsHidden`             | Is Hidden             | true                      |
| `TransitionType`       | Transition Type       | Example value             |
| `VisitID`              | Visit ID              | 123                       |
| `TransitionQualifiers` | Transition Qualifiers | Example value             |
| `User`                 | User                  | Example value             |
| `Profile`              | Profile               | Example value             |
| `HistoryFilePath`      | History File Path     | Example value             |

## Collection Method

This collector parses the output of system commands listing open file descriptors, extracting process IDs, file paths, file types, access modes, and file descriptor numbers for each open file on the ESXi host.

## Forensic Value

Open file data exposes active process file access patterns, helps identify processes accessing sensitive files, detects unauthorized file modifications in progress, and reveals temporary files or sockets used by malware. Cross-referencing with process data provides a complete picture of file-based attacker activities.
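The parsing step under Collection Method and the triage described above can be sketched as follows. This is an added example, not the collector's own code. The page does not name the command or show its output, so the column layout (in the style of ESXi `lsof`), the sample rows, the `EXPECTED_VM_OWNERS` allowlist and the `TEMP_DIRS` list are all assumptions.

```python
import re

# Constructed sample (not from a real host). Assumed layout, in the style of
# ESXi `lsof`: cartel ID, world name, type, fd, description.
SAMPLE = """\
Cartel | World name | Type |   fd | Description
----------------------------------------------------------------------
2098561  vmsyslogd   FILE      3  /scratch/log/vmkernel.log
2101744  vmx         FILE     12  /vmfs/volumes/datastore1/web01/web01-flat.vmdk
2101744  vmx         FILE     13  /vmfs/volumes/datastore1/web01/web01.vmx
2177003  sh          FILE      4  /tmp/.cache/run.sh
2177010  worker      FILE      5  /vmfs/volumes/datastore1/web01/web01-flat.vmdk
"""

# Data rows start with a numeric ID; header and separator lines do not match.
# World names containing spaces would need a stricter, column-aware parser.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")
VM_FILE = re.compile(r"\.(vmdk|vmx|nvram|vmsn)$", re.IGNORECASE)
EXPECTED_VM_OWNERS = {"vmx"}        # assumption: tune per host (backup agents etc.)
TEMP_DIRS = ("/tmp/", "/var/tmp/")  # assumption: directories worth a second look


def parse(text):
    """Turn the listing into one dict per open descriptor."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cartel, world, ftype, fd, path = m.groups()
            rows.append({"cartel": int(cartel), "world": world,
                         "type": ftype, "fd": int(fd), "path": path})
    return rows


def triage(rows):
    """Return (cartel, world, reason, path) for descriptors to review first."""
    findings = []
    for r in rows:
        if VM_FILE.search(r["path"]) and r["world"] not in EXPECTED_VM_OWNERS:
            findings.append((r["cartel"], r["world"], "vm-file-unexpected-owner", r["path"]))
        elif r["path"].startswith(TEMP_DIRS):
            findings.append((r["cartel"], r["world"], "open-file-in-temp-dir", r["path"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE)):
        print(*finding, sep="\t")
```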
