AIR - ESXi Standalone Collector

The AIR standalone collector currently supports execution on ESXi 6.5 and later.

VMware ESXi is a bare-metal (type 1) hypervisor: software that creates and runs virtual machines (VMs) directly on server hardware. It is part of VMware's vSphere product suite and is used for enterprise-level virtualization. ESXi is popular for its stability, performance, and extensive feature set for managing and running virtual machines.

Binalyze AIR collects evidence from ESXi hosts through a standalone ESXi collector (DRONE is not currently supported on ESXi). The collector is available for download from the Assets page of your AIR console:

Assets > Add New > Deploy New > Direct connection to AIR Console > ESXi

After running the collector (Responder) on the ESXi host, convert the collected evidence into a PPC file and import that PPC file into the AIR Console. Once imported, the ESXi host is displayed as an asset alongside all other assets in AIR, so it can be investigated within the platform like any other asset.

The conversion to PPC requires an off-network Responder binary built for the operating system of the machine on which you carry out the conversion.

Here is an example on Windows:

  1. Download the Off-Network Responder Package.

  2. Extract the Package:

    • Extract the contents of the downloaded Off-Network Responder zip file.

  3. Prepare Your Evidence:

    • Copy your ESXi evidence file (the tar.gz archive produced by the collector) into the same extracted folder.

  4. Run the Command:

    • Execute the following command from the extracted folder, replacing 220240621113447-EsxiDATA.tar.gz with the actual name of your ESXi evidence file:

    offnetwork_windows_amd64 esxi --input 220240621113447-EsxiDATA.tar.gz

Following these steps creates a new folder containing a Case.ppc file. Import this Case.ppc file into the AIR Console.
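The same conversion step, wrapped in a shell script for a Linux or macOS analysis workstation. This is an added example and not Binalyze's tooling: it records the archive's SHA-256 before anything touches it, checks that the archive is an intact tar.gz, runs the same "esxi --input" command through the off-network binary for that platform, and then locates the Case.ppc that the converter writes into its new folder. The non-Windows binary name offnetwork_linux_amd64 in the usage comment is an assumption; the page only shows the Windows binary.

```shell
#!/bin/sh
# Added example, not Binalyze's own tooling: wrap the PPC conversion step with
# the integrity checks a responder wants before and after handing evidence to
# a converter. The converter binary name for non-Windows platforms is an
# ASSUMPTION; this page only shows offnetwork_windows_amd64.
set -eu

# Print the SHA-256 of the evidence archive so it can be compared with the
# hash recorded on the ESXi host before the archive left it.
hash_evidence() {                          # $1 = archive path
    [ -f "$1" ] || return 1
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# The collector's archive name seen on this page ends in -EsxiDATA.tar.gz;
# warn on anything else so the wrong file is not converted by mistake.
check_evidence_name() {                    # $1 = archive path
    case "$(basename "$1")" in
        *-EsxiDATA.tar.gz) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Make sure the archive is an intact gzip tarball before conversion: a
# truncated transfer is the most common reason a conversion fails.
check_archive() {                          # $1 = archive path
    gzip -t "$1" >/dev/null 2>&1 && tar -tzf "$1" >/dev/null 2>&1
}

# Run the off-network Responder conversion (the same "esxi --input" command as
# in the Windows example) once the pre-checks pass. The converter writes its
# output folder into the current directory, as the page describes.
convert_to_ppc() {                         # $1 = converter binary, $2 = archive
    [ -x "$1" ] || { echo "converter not executable: $1" >&2; return 1; }
    check_archive "$2" || { echo "archive is not a valid tar.gz: $2" >&2; return 1; }
    "$1" esxi --input "$2"
}

# Locate the Case.ppc the converter wrote into a new sub-folder of DIR.
find_case_ppc() {                          # $1 = directory to search
    find "$1" -mindepth 2 -maxdepth 2 -type f -name Case.ppc | head -n 1
}

# Usage: sh esxi_to_ppc.sh ./offnetwork_linux_amd64 220240621113447-EsxiDATA.tar.gz
if [ $# -eq 2 ]; then
    echo "evidence sha256: $(hash_evidence "$2")"
    check_evidence_name "$2" || echo "warning: unexpected evidence file name: $2" >&2
    convert_to_ppc "$1" "$2"
    echo "import this file into the AIR Console: $(find_case_ppc .)"
fi
```

Run it from the folder into which you extracted the Off-Network Responder package, exactly as in the Windows steps; the printed hash belongs in the case notes next to the hash taken on the ESXi host.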

After ingestion into AIR, the ESXi evidence is parsed and presented in the Investigation Hub in the normal way.

If required, you can also decompress the tar.gz file to access and examine the evidence independently of AIR. Typically, the evidence includes the following:

  • System Info: basic system information about the ESXi host.

  • Bash History: the history of commands executed in the shell.

  • Collect Bash Files: files associated with the Bash shell.

  • Environment Variables: variables defined in the system environment.

  • Collect /etc Files: files under the /etc directory.

  • Log Files: various log files.

  • SSH Config: configuration settings for the SSH (Secure Shell) service.

  • SSH Authorized Keys: the authorized SSH public keys, which grant key-based authentication to the host.

  • SSH Known Hosts: the SSH known_hosts entries, i.e. hosts previously connected to from this machine.

  • File System Enumeration: an enumeration of the file system on the ESXi host.
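An added example (not Binalyze's code) of examining the decompressed archive without AIR: it refuses archives whose member paths would escape the extraction directory, extracts the evidence, writes a SHA-256 manifest of every file, lists each authorized SSH key with its source file, and greps the collected shell history for commands of interest. The layout inside the real archive is not documented on this page, so the script searches by file name and, when run with no arguments, builds a constructed sample archive (ESXi-style paths, fake key material) to analyse.

```shell
#!/bin/sh
# Added example, not Binalyze's code: examine an ESXi evidence tar.gz directly,
# without converting it to PPC. The layout inside the real archive is not
# documented on this page, so make_sample_archive() builds a CONSTRUCTED
# sample whose paths mirror where ESXi keeps these files; the analysis
# functions do not depend on that layout (they search by file name).
set -eu

sha256_tool() {                            # prefer sha256sum, fall back to shasum
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# Extract ARCHIVE into DEST after refusing members that would escape DEST
# (absolute paths or ".." components): never trust an archive's paths blindly.
extract_evidence() {                       # $1 = archive, $2 = dest dir
    if tar -tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing archive with unsafe member paths: $1" >&2
        return 1
    fi
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Write a SHA-256 manifest of every extracted file to MANIFEST (kept outside
# the extraction dir) and print the number of files hashed.
write_manifest() {                         # $1 = extracted dir, $2 = manifest path
    find "$1" -type f -exec $(sha256_tool) {} + | sort -k2 > "$2"
    wc -l < "$2" | tr -d ' '
}

# Print each authorized SSH public key with its source file, key type and
# comment. On ESXi the root user's keys live under /etc/ssh/keys-root; a key
# nobody recognises there is a persistence mechanism.
list_authorized_keys() {                   # $1 = extracted dir
    find "$1" -type f -name authorized_keys \
        -exec awk '/^(ssh-|ecdsa-|sk-)/ { print FILENAME ": " $1 " " $3 }' {} +
}

# Grep the collected shell history for an extended regex, e.g. commands that
# weaken the host (firewall, SSH or logging changes). Empty output = no hits.
grep_history() {                           # $1 = extracted dir, $2 = extended regex
    find "$1" -type f \( -name '.ash_history' -o -name '.bash_history' \) \
        -exec grep -H -E "$2" {} + || true
}

make_sample_archive() {                    # $1 = output archive path (CONSTRUCTED data)
    src=$(mktemp -d)
    mkdir -p "$src/etc/ssh/keys-root" "$src/var/log"
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyDataForDemoOnly root@admin-jumpbox' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeKeyDataForDemoOnly unknown@attacker' \
        > "$src/etc/ssh/keys-root/authorized_keys"
    printf '%s\n' 'esxcli system version get' \
        'esxcli network firewall set --enabled false' 'vim-cmd vmsvc/getallvms' \
        > "$src/.ash_history"
    printf '%s\n' '2024-06-21T11:34:47Z sshd[12345]: Accepted publickey for root' > "$src/var/log/auth.log"
    tar -czf "$1" -C "$src" . && rm -rf "$src"
}

# Usage: sh esxi_examine.sh <evidence.tar.gz> <dest dir>; with no arguments
# the constructed sample is analysed instead.
if [ $# -eq 2 ]; then archive=$1; dest=$2
else work=$(mktemp -d); archive="$work/sample-EsxiDATA.tar.gz"; dest="$work/extracted"
     make_sample_archive "$archive"
fi
extract_evidence "$archive" "$dest"
echo "files hashed: $(write_manifest "$dest" "$dest.sha256")"
echo "--- authorized SSH keys"; list_authorized_keys "$dest"
echo "--- history hits";       grep_history "$dest" 'firewall|ssh|syslog|esxcli system'
```

Point the two arguments at the real archive and an empty directory to run it against genuine evidence; the manifest gives every item a hash to cite, and the key and history listings are the two places where an attacker's persistence on an ESXi host shows up fastest.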

A full list of ESXi collected items is given below.

Once the collector binary is running on the ESXi host, collection progress is displayed in the user's terminal/shell.

Full list of ESXi collected items

File Collectors:

Triage Collectors:

Other Collectors:
