AIR - ESXi Standalone Collector


Last updated 9 months ago


The AIR standalone collector currently provides support for execution on ESXi 6.5+ systems.

VMware ESXi is a type of hypervisor, which is software that creates and runs virtual machines (VMs). It is a part of VMware's vSphere product suite and is used for enterprise-level virtualization. ESXi is popular due to its stability, performance, and extensive feature set for managing and running virtual machines.

Binalyze AIR offers a robust approach for evidence collection from ESXi platforms. This is achieved through a standalone ESXi collector, available for download on the Assets page of your AIR console (note that DRONE is not currently supported for ESXi systems):

Assets>Add New>Deploy New>Direct connection to AIR Console >ESXi

After running the Responder using your chosen method, the collected evidence should be converted into a PPC file. This PPC file can then be imported into the AIR Console. Once imported, the asset is displayed alongside all other assets in AIR, ensuring seamless integration and visibility within the platform.

For the conversion to PPC, you'll need an off-network Responder binary specific to your operating system on which you want to carry out the conversion.

Here’s an example for Microsoft Windows:

  1. Download the Off-Network Responder Package:

  2. Extract the Package:

    • Extract the contents of the downloaded Off-Network Responder zip file.

  3. Prepare Your Evidence:

    • Copy your ESXi evidence file into the same extracted folder.

  4. Run the Command:

    • Execute the following command, replacing the example file name 220240621113447-EsxiDATA.tar.gz with the actual name of your ESXi evidence file:

    offnetwork_windows_amd64 esxi --input 220240621113447-EsxiDATA.tar.gz
    

Following these steps will create a new folder containing a Case.ppc file. Please import this Case.ppc file into the AIR Console.

This process will ensure that your ESXi evidence is accurately processed and seamlessly integrated into the AIR platform.

After ingestion into AIR, the ESXi evidence is parsed and presented in the Investigation Hub in the normal way:

However, if required, you can decompress the tar.gz file to independently access and examine the evidence. Typically, the evidence will include the following:

  • System Info: Basic system information about the ESXi machine.

  • Bash History: Command history executed on the Bash shell.

  • Collect Bash Files: Gathering files associated with the Bash shell.

  • Environment Variables: Variables defined in the system environment.

  • Collect /etc Files: Gather files under the /etc directory.

  • Log Files: Collecting various log files.

  • SSH Config: Retrieves the configuration settings related to the SSH (Secure Shell) protocol.

  • SSH Authorized Keys: Collects information about authorized SSH keys, which are used for secure authentication.

  • SSH Known Hosts: Gathers details about known hosts in the context of SSH.

  • File System Enumeration: Involves enumerating and collecting information about the file system on the ESXi machine.

Having run the binary, the collection progress is displayed in the user's terminal/shell:

Full list of ESXi collected items

File Collectors:

| ID | Collector Name | Collected Files |
|----|----------------|-----------------|
| 1 | History Files | .ash_history, .bash_history, .sh_history, .tsch_history, .psql_history, .sqlite_history, .mysql_history, .vsql_history, .lesshst, .viminfo |
| 2 | Files of Interest | .bashrc, .bash_logout, .bash_login, .bash_profile, .mkshrc, .pam_environment, .profile, .zshrc, authorized_keys, known_hosts, ssh_config |
| 3 | Cronjob Files | /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly, /etc/cron.d |
| 4 | Cronjob Related Files | If any executable file is referenced in crontabs, it is collected. |
| 5 | /etc Collector | All files under /etc are collected |
| 6 | Log Files | All files under /var/log and /scratch/log are collected |
| 7 | Spool Files | All files under /var/spool are collected |
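The paragraph above notes that the tar.gz can be decompressed and examined independently. The following added example (not Binalyze code) inventories such an archive offline, tagging each member with the File Collector category from the table above and recording a SHA-256 per file as a verification manifest; the archive layout (paths mirroring the ESXi filesystem) and the sample contents are assumptions constructed here.

```python
# Added example (not Binalyze code): inventory an AIR ESXi collection .tar.gz offline. The archive
# layout and sample contents are assumptions; the category rules follow this page's collector table.
import hashlib
import io
import tarfile

HISTORY_FILES = {".ash_history", ".bash_history", ".sh_history", ".tsch_history", ".psql_history",
                 ".sqlite_history", ".mysql_history", ".vsql_history", ".lesshst", ".viminfo"}
FILES_OF_INTEREST = {".bashrc", ".bash_logout", ".bash_login", ".bash_profile", ".mkshrc",
                     ".pam_environment", ".profile", ".zshrc", "authorized_keys", "known_hosts",
                     "ssh_config"}
# Directory prefixes from the Cronjob, Log, Spool and /etc collectors (etc/cron before etc/).
DIR_COLLECTORS = [("cron", "etc/cron"), ("log", "var/log"), ("log", "scratch/log"),
                  ("spool", "var/spool"), ("etc", "etc/")]

def classify(path: str) -> str:
    """Map an archive member path to the collector category that produced it."""
    name = path.rsplit("/", 1)[-1]
    if name in HISTORY_FILES:
        return "history"
    if name in FILES_OF_INTEREST:
        return "interest"
    for category, prefix in DIR_COLLECTORS:
        if path.startswith(prefix):
            return category
    return "other"

def inventory(archive_bytes: bytes) -> dict:
    """Return {member path: (category, sha256)}; the hashes serve as a verification manifest."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                result[member.name] = (classify(member.name), hashlib.sha256(data).hexdigest())
    return result

def build_sample_archive() -> bytes:
    """Constructed stand-in for a collection archive, not a real AIR export."""
    samples = [("root/.ash_history", b"esxcli network firewall get\n"),
               ("etc/ssh/keys-root/authorized_keys", b"ssh-ed25519 AAAA root\n"),
               ("etc/cron.d/backup", b"0 3 * * * /bin/backup.sh\n"),
               ("var/log/auth.log", b"login from 10.0.0.5\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in samples:
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Run `inventory(open("your_collection.tar.gz", "rb").read())` against a real collection and store the returned manifest alongside the archive so the copy can be re-verified later.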

Triage Collectors

| ID | Collector Name |
|----|----------------|
| 1 | Process Snapshot Detailed |
| 2 | Process Snapshot Verbose |
| 3 | Open Files |
| 4 | User Info |
| 5 | Disk Usage |
| 6 | Disk Usage By User |
| 7 | Disk Usage Human Readable |
| 8 | System Hostname |
| 9 | VMware Version |
| 10 | System Info |
| 11 | Shell Aliases |
| 12 | Environment Variables |
| 13 | ESX Advanced Configuration |
| 14 | ESX FCoE Configuration |
| 15 | ESX FCoE Networking |
| 16 | ESX IPSec Configuration |
| 17 | ESX IPsec Policy |
| 18 | ESX Module List |
| 19 | ESX Module Query |
| 20 | ESX Multipathing Info |
| 21 | ESX NAS Configuration |
| 22 | ESX Network Interface Cards |
| 23 | ESX Routing Table |
| 24 | ESX Network Routes |
| 25 | ESX IPv6 Routing Table |
| 26 | ESX IPv6 Network Routes |
| 27 | ESX SCSI Devices List |
| 28 | ESX VMKnic List |
| 29 | ESX Volume List |
| 30 | ESX VSwitch List |
| 31 | ESX Configuration Info |
| 32 | List all of the CPUs on this host. |
| 33 | List USB devices and their passthrough status. |
| 34 | List the boot device order, if available, for this host. |
| 35 | Display the current hardware clock time. |
| 36 | Get information about memory. |
| 37 | List all of the PCI devices on this host. |
| 38 | Get information about the platform. |
| 39 | Information about the status of trusted boot (TPM, DRTM status). |
| 40 | List active TCP/IP connections. |
| 41 | List configured IPv4 routes. |
| 42 | List configured IPv6 routes. |
| 43 | List ARP table entries. |
| 44 | List the VMkernel network interfaces currently known to the system. |
| 45 | List configured Security Associations. |
| 46 | List configured Security Policies. |
| 47 | Print a list of the DNS servers currently configured on the system in the order in which they will be used. |
| 48 | List the rulesets in the firewall. |
| 49 | List the Physical NICs currently installed and loaded on the system. |
| 50 | List the virtual switches currently on the ESXi host. |
| 51 | Hostname |
| 52 | Get Open Network Files |
| 53 | Get Unix Socket Files |
| 54 | Get the network configuration. |
| 55 | Get the DNS configuration. |
| 56 | Get the IP forwarding table. |
| 57 | Gets information about virtual NICs. |
| 58 | Displays information about virtual switches. |
| 59 | Lists the installed VIB packages. |
| 60 | Gets the host acceptance level. This controls what VIBs will be allowed on a host. |
| 61 | Display the installed image profile. |
| 62 | List the VMkernel UserWorld processes currently on the host. |
| 63 | Collect the list of open files. |
| 64 | Report a snapshot of the current processes including used time, verbose, session ID and process group, state and type. |
| 65 | List the NAS volumes currently known to the ESX host. |
| 66 | List the NFS v4.1 volumes currently known to the ESX host. |
| 67 | List the volumes available to the host. This includes VMFS, NAS, VFAT and UFS partitions. |
| 68 | Display the mapping of logical volumes with physical disks. |
| 69 | List the VMkernel modules that the system knows about. |
| 70 | List the enforcement level for each domain. |
| 71 | Get FIPS140 mode of ssh. |
| 72 | Get FIPS140 mode of rhttpproxy. |
| 73 | List the advanced options available from the VMkernel. |
| 74 | List VMkernel kernel settings. |
| 75 | Display the date and time when this system was first installed. The value will not change on subsequent updates. |
| 76 | Show the current global syslog configuration values. |
| 77 | Show the currently configured sub-loggers. |
| 78 | Display WBEM Agent configuration. |
| 79 | List local user accounts. |
| 80 | Display the current system clock parameters. |
| 81 | List permissions defined on the host. |
| 82 | Display the product name, version and build information. |
| 83 | List networking information for the VMs that have active ports. |
| 84 | List the virtual machines on this system. This command currently will only list running VMs on the system. |
| 85 | Get the list of virtual machines on the host. |
| 86 | List summary status for the VM. |
| 87 | Configuration object for the VM. |
| 88 | Virtual devices for the VM. |
| 89 | Datastores for all virtual machines. |
| 90 | List of networks for all virtual machines. |
| 91 | List registered VMs. |

Other Collectors:

| ID | Collector Name | Description |
|----|----------------|-------------|
| 1 | File Listing | All files in the system are enumerated with the following fields: File Name, File Type, Size (bytes), Access Rights, User ID, User Name, Group ID, Group Name, Number of Hard Links, Mount Point, Inode Number, Birth Time, Last Access Time, Modification Time, Change Time |
| 2 | Executable Hashes | MD5 hashes of all files in the system that have executable permission are collected |

If you are not sure where to get the binary, visit the following link for an explanation: .

[Figure: Off-Network Responder Package]
[Figure: A full list of ESXi collected items is shown here]
[Figure: ESXi platform is shown on the AIR Asset page]
[Figure: ESXi evidence in the Investigation Hub]
[Figure: ESXi collection example]