# User Info

## Overview

**Evidence:** User Info\
**Description:** ESXi User Info\
**Category:** System\
**Platform:** esxi\
**Short Name:** userinfo\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

ESXi user session information tracks active and recent user logins, including administrator and service account access. This data is critical for identifying unauthorized access, establishing user activity timelines, and detecting compromised credentials or suspicious login patterns.

## Data Collected

This collector gathers structured data about the user sessions recorded on the ESXi host.

### User Info Data

| Field         | Description                 | Example       |
| ------------- | --------------------------- | ------------- |
| `Name`        | Username of the session     | Example value |
| `Terminal`    | Terminal/session type       | Example value |
| `SessionTime` | Session Time                | Example value |
| `Date`        | Date                        | Example value |
| `IP`          | Source IP address           | Example value |

## Collection Method

This collector parses the user information file (`user_info.txt`), extracting username, terminal/session type, login timestamp with date, and source IP address for each user session recorded on the ESXi host.

## Forensic Value

User login records provide evidence of account access, help establish user activity timelines, and identify suspicious login sources. Analyzing login times, source IPs, and session types helps detect unauthorized access, credential misuse, and potential lateral movement from compromised accounts.
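
The following triage sketch is an added example, not part of the collector or the product. It applies the checks described above to parsed rows and assumes the rows are available as dictionaries keyed by the field names in the table. The value formats (ISO date, `HH:MM` time, terminal labels), the `MGMT_NETWORKS` subnet and the sample rows are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows using the collector's field names; the value
# formats (ISO date, HH:MM time, terminal labels) are assumptions.
SAMPLE_ROWS = [
    {"Name": "root", "Terminal": "ssh", "SessionTime": "09:12", "Date": "2024-05-01", "IP": "10.20.0.15"},
    {"Name": "svc-backup", "Terminal": "ssh", "SessionTime": "02:00", "Date": "2024-05-01", "IP": "10.20.0.40"},
    {"Name": "root", "Terminal": "ssh", "SessionTime": "03:41", "Date": "2024-05-02", "IP": "192.0.2.77"},
    {"Name": "svc-backup", "Terminal": "ssh", "SessionTime": "03:44", "Date": "2024-05-02", "IP": "192.0.2.77"},
    {"Name": "root", "Terminal": "console", "SessionTime": "10:05", "Date": "2024-05-03", "IP": ""},
]

MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin subnet

def triage(rows, mgmt_networks=MGMT_NETWORKS):
    """Return (row, reasons) pairs for sessions that deserve a closer look."""
    seen_ips = defaultdict(set)        # account -> source IPs seen so far
    accounts_by_ip = defaultdict(set)  # source IP -> accounts that used it
    findings = []
    # Process in chronological order so "new source" means new at that time.
    for row in sorted(rows, key=lambda r: (r["Date"], r["SessionTime"])):
        raw_ip = row["IP"].strip()
        if not raw_ip:
            continue  # local console session, no remote source to assess
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            findings.append((row, ["unparseable source IP"]))
            continue
        reasons = []
        if not any(ip in net for net in mgmt_networks):
            reasons.append("source outside management network")
        if seen_ips[row["Name"]] and raw_ip not in seen_ips[row["Name"]]:
            reasons.append("new source IP for this account")
        accounts_by_ip[raw_ip].add(row["Name"])
        if len(accounts_by_ip[raw_ip]) > 1:
            reasons.append("same source used by multiple accounts")
        seen_ips[row["Name"]].add(raw_ip)
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in triage(SAMPLE_ROWS):
        print(row["Date"], row["SessionTime"], row["Name"], row["IP"], "->", "; ".join(reasons))
```

Flagged rows are leads for the timeline, not verdicts: correlate them with the host's authentication and shell logs before drawing conclusions.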
