User Info
Overview
Evidence: User Info
Description: ESXi User Info
Category: System
Platform: esxi
Short Name: userinfo
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
ESXi user session information tracks active and recent user logins, including administrator and service account access. This data is critical for identifying unauthorized access, establishing user activity timelines, and detecting compromised credentials or suspicious login patterns.
Data Collected
This collector gathers structured data about user sessions recorded on the ESXi host.
User Info Data
Field | Description | Example
Name | Name | Example value
Terminal | Terminal | Example value
SessionTime | Session Time | Example value
Date | Date | Example value
IP | IP | Example value
Collection Method
This collector parses the user information file (user_info.txt), extracting username, terminal/session type, login timestamp with date, and source IP address for each user session recorded on the ESXi host.
Forensic Value
User login records provide evidence of account access, help establish user activity timelines, and identify suspicious login sources. Analyzing login times, source IPs, and session types helps detect unauthorized access, credential misuse, and potential lateral movement from compromised accounts.
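The review described above can be sketched as follows. This is an added example, not code from the collector or its vendor. It works on rows that use the collector's column names (SessionTime omitted), and it assumes a management subnet, a working-hours window and a "YYYY-MM-DD HH:MM:SS" Date format, none of which the page specifies.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumptions (not from the collector documentation): the management subnet,
# the working-hours window and the Date format "YYYY-MM-DD HH:MM:SS".
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WORK_HOURS = range(7, 20)  # 07:00-19:59 host local time

# Constructed sample rows keyed by the collector's column names.
COLUMNS = ("Name", "Terminal", "Date", "IP")
SAMPLE = [dict(zip(COLUMNS, r)) for r in [
    ("root", "pts/0", "2024-05-06 09:14:02", "10.20.0.15"),
    ("root", "pts/1", "2024-05-06 14:40:10", "10.20.0.15"),
    ("svc-backup", "pts/2", "2024-05-07 02:31:47", "10.20.0.40"),
    ("root", "pts/0", "2024-05-08 03:05:19", "192.0.2.77"),
    ("root", "tty1", "2024-05-08 10:00:00", ""),  # local console, no IP
]]

def triage(rows, mgmt_nets=MGMT_NETS, work_hours=WORK_HOURS):
    """Return (row, reasons) pairs for sessions that deserve analyst review."""
    seen = defaultdict(set)  # account name -> source IPs seen so far
    findings = []
    for row in sorted(rows, key=lambda r: r["Date"]):
        reasons = []
        when = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M:%S")
        try:
            src = ipaddress.ip_address(row["IP"])
        except ValueError:
            src = None  # empty or unparseable address
        if src is None:
            if not row["Terminal"].startswith("tty"):
                reasons.append("remote terminal without source IP")
        elif not any(src in net for net in mgmt_nets):
            reasons.append("source outside management network")
        if when.hour not in work_hours:
            reasons.append("login outside working hours")
        if src is not None:
            known = seen[row["Name"]]
            if known and row["IP"] not in known:
                reasons.append("new source IP for account")
            known.add(row["IP"])
        if reasons:
            findings.append((row, reasons))
    return findings
```

Each finding is a lead for the analyst rather than a verdict: a backup account logging in at night may be expected, which is why the reasons are returned alongside the row.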

