AIR - ESXi Standalone Collector
Last updated
Last updated
The AIR standalone collector currently provides support for execution on ESXi 6.5+ systems.
VMware ESXi is a type of hypervisor, which is software that creates and runs virtual machines (VMs). It is a part of VMware's vSphere product suite and is used for enterprise-level virtualization. ESXi is popular due to its stability, performance, and extensive feature set for managing and running virtual machines.
Binalyze AIR offers a robust approach for evidence collection from ESXi platforms. DRONE is not currently supported for ESXi systems. This is achieved through a standalone ESXi collector, available for download on the Assets page of your AIR console:
Assets>Add New>Deploy New>Direct connection to AIR Console >ESXi
After running Responder using your chosen method, the collected evidence should be converted into a PPC file. This PPC file can then be imported into the AIR Console. Once imported, the asset will be displayed alongside all other assets in AIR, ensuring seamless integration and visibility within the platform.
For the conversion to PPC, you'll need an off-network Responder binary specific to your operating system on which you want to carry out the conversion.
Here’s an example for Microsoft:
Download the Off-Network Responder Package:
If you are not sure where to get the binary, visit the following link for an explanation: Off-Network Responder Package.
Extract the Package:
Extract the contents of the downloaded Off-Network Responder zip file.
Prepare Your Evidence:
Copy your ESXi evidence file into the same extracted folder.
Run the Command:
Execute the following command, replacing your_ESXi_evidence_name
with the actual name of your ESXi evidence file:
Following these steps will create a new folder containing a Case.ppc
file. Please import this Case.ppc
file into the AIR Console.
This process will ensure that your ESXi evidence is accurately processed and seamlessly integrated into the AIR platform.
After ingestion into AIR the ESXi evidence is parsed and pesented in the Investigation Hub in the normal way:
However, you can if required decompress the tar.gz file to independently access and examine the evidence. Typically, the evidence will include the following: :
System Info: Basic system information about the ESXi machine.
Bash History: Command history executed on the Bash shell.
Collect Bash Files: Gathering files associated with the Bash shell.
Environment Variables: Variables defined in the system environment.
Collect /etc Files: Gather files under the /etc directory.
Log Files: Collecting various log files.
SSH Config: Retrieves the configuration settings related to the SSH (Secure Shell) protocol.
SSH Authorized Keys: Collects information about authorized SSH keys, which are used for secure authentication.
SSH Known Hosts: Gathers details about known hosts in the context of SSH.
File System Enumeration: Involves enumerating and collecting information about the file system on the ESXi machine.
A full list of ESXi collected items is shown here
Having run the binary the progress will be displayed in the user's terminal/shell:
ID
Collector Name
Collected Files
1
History Files
.ash_history, .bash_history, .sh_history, .tsch_history, .psql_history, .sqlite_history, .mysql_history, .vsql_history, .lesshst, .viminfo
2
Files of Interest
.bashrc, .bash_logout, .bash_login, .bash_profile .mkshrc, .pam_environment, .profile, .zshrc, authorized_keys, known_hosts, ssh_config
3
Cronjob Files
/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly, /etc/cron.d
4
Cronjob Related Files
*If any executable file is found in crontabs, it is collected.
5
/etc Collector
All files under /etc is collected
6
Log Files
All files under /var/log and /scratch/log is collected
7
Spool Files
All files under /var/spool is collected
ID
Collector Name
1
Process Snapshot Detailed
2
Process Snapshot Verbose
3
Open Files
4
User Info
5
Disk Usage
6
Disk Usage By User
7
Disk Usage Human Readable
8
System Hostname
9
VMware Version
10
System Info
11
Shell Aliases
12
Environment Variables
13
ESX Advanced Configuration
14
ESX FCoE Configuration
15
ESX FCoE Networking
16
ESX IPSec Configuration
17
ESX IPsec Policy
18
ESX Module List
19
ESX Module Query
20
ESX Multipathing Info
21
ESX NAS Configuration
22
ESX Network Interface Cards
23
ESX Routing Table
24
ESX Network Routes
25
ESX IPv6 Routing Table
26
ESX IPv6 Network Routes
27
ESX SCSI Devices List
28
ESX VMKnic List
29
ESX Volume List
30
ESX VSwitch List
31
ESX Configuration Info
32
List all of the CPUs on this host.
33
List usb devices and their passthrough status.
34
List the boot device order, if available, for this host.
35
Display the current hardware clock time.
36
Get information about memory.
37
List all of the PCI devices on this host.
38
Get information about the platform.
39
Information about the status of trusted boot. (TPM, DRTM status).
40
List active TCP/IP connections.
41
List configured IPv4 routes.
42
List configured IPv6 routes.
43
List ARP table entries.
44
List the VMkernel network interfaces currently known to the system.
45
List configured Security Associations.
46
List configured Security Policys.
47
Print a list of the DNS server currently configured on the system in the order in which they will be used.
48
List the rulesets in firewall.
49
List the Physical NICs currently installed and loaded on the system.
50
List the virtual switches current on the ESXi host.
51
Hostname
52
Get Open Network Files
53
Get Unix Socket Files
54
Get the network configuration.
55
Get the DNS configuration.
56
Get the IP forwarding table.
57
Gets information about virtual NICs.
58
Displays information about virtual switches.
59
Lists the installed VIB packages.
60
Gets the host acceptance level. This controls what VIBs will be allowed on a host.
61
Display the installed image profile.
62
List the VMkernel UserWorld processes currently on the host.
63
Collect the list open files.
64
Report a snapshot of the current processes including used time, verbose, session ID and process group, state and type.
65
List the NAS volumes currently known to the ESX host.
66
List the NFS v4.1 volumes currently known to the ESX host.
67
List the volumes available to the host. This includes VMFS, NAS, VFAT and UFS partitions.
68
Display the mapping of logical volumes with physical disks.
69
List the VMkernel modules that the system knows about.
70
List the enforcement level for each domain.
71
Get FIPS140 mode of ssh.
72
Get FIPS140 mode of rhttpproxy.
73
List the advanced options available from the VMkernel.
74
List VMkernel kernel settings.
75
Display the date and time when this system was first installed. Value will not change on subsequent updates.
76
Show the current global syslog configuration values.
77
Show the currently configured sub-loggers.
78
Display WBEM Agent configuration.
79
List local user accounts.
80
Display the current system clock parameters.
81
List permissions defined on the host.
82
Display the product name, version and build information.
83
List networking information for the VM's that have active ports.
84
List the virtual machines on this system. This command currently will only list running VMs on the system.
85
Get the list of virtual machines on the host.
86
List Summary status from the vm.
87
Configuration object for the vm.
88
Virtual devices for the vm.
89
Datastores for all virtual machines.
90
List of networks for all virtual machines.
91
List registered VMs.
ID
Collector Name
Description
1
File Listing
All files in the system is enumerated with following infos; File Name,File Type,Size (bytes),Access Rights,User ID,User Name,Group ID,Group Name,Number of Hard Links,Mount Point,Inode Number,Birth Time,Last Access Time,Modification Time,Change Time
2
Executable Hashes
All files' MD5 hashes that has executable permission in the system is collected