AIR - ESXi Standalone Collector

PreviousAIR Responder - Linux (DEB/RPM) supported systems NextAIR Responder - Chrome supported systems

Last updated 9 months ago

Was this helpful?

AIR - ESXi Standalone Collector

The AIR standalone collector currently provides support for execution on ESXi 6.5+ systems.

VMware ESXi is a type of hypervisor, which is software that creates and runs virtual machines (VMs). It is a part of VMware's vSphere product suite and is used for enterprise-level virtualization. ESXi is popular due to its stability, performance, and extensive feature set for managing and running virtual machines.

Binalyze AIR offers a robust approach for evidence collection from ESXi platforms. DRONE is not currently supported for ESXi systems. This is achieved through a standalone ESXi collector, available for download on the Assets page of your AIR console:

Assets>Add New>Deploy New>Direct connection to AIR Console >ESXi

After running Responder using your chosen method, the collected evidence should be converted into a PPC file. This PPC file can then be imported into the AIR Console. Once imported, the asset will be displayed alongside all other assets in AIR, ensuring seamless integration and visibility within the platform.

For the conversion to PPC, you'll need an off-network Responder binary specific to your operating system on which you want to carry out the conversion.

Here’s an example for Microsoft:

Download the Off-Network Responder Package:
Extract the Package:
- Extract the contents of the downloaded Off-Network Responder zip file.
Prepare Your Evidence:
- Copy your ESXi evidence file into the same extracted folder.
Run the Command:
- Execute the following command, replacing your_ESXi_evidence_name with the actual name of your ESXi evidence file:
```
offnetwork_windows_amd64 esxi --input 220240621113447-EsxiDATA.tar.gz
```

Following these steps will create a new folder containing a Case.ppc file. Please import this Case.ppc file into the AIR Console.

This process will ensure that your ESXi evidence is accurately processed and seamlessly integrated into the AIR platform.

After ingestion into AIR the ESXi evidence is parsed and pesented in the Investigation Hub in the normal way:

However, you can if required decompress the tar.gz file to independently access and examine the evidence. Typically, the evidence will include the following: :

System Info: Basic system information about the ESXi machine.
Bash History: Command history executed on the Bash shell.
Collect Bash Files: Gathering files associated with the Bash shell.
Environment Variables: Variables defined in the system environment.
Collect /etc Files: Gather files under the /etc directory.
Log Files: Collecting various log files.
SSH Config: Retrieves the configuration settings related to the SSH (Secure Shell) protocol.
SSH Authorized Keys: Collects information about authorized SSH keys, which are used for secure authentication.
SSH Known Hosts: Gathers details about known hosts in the context of SSH.
File System Enumeration: Involves enumerating and collecting information about the file system on the ESXi machine.

Having run the binary the progress will be displayed in the user's terminal/shell:

Full list of ESXi collected items

File Collectors:

Collector Name

Collected Files

History Files

.ash_history, .bash_history, .sh_history, .tsch_history, .psql_history, .sqlite_history, .mysql_history, .vsql_history, .lesshst, .viminfo

Files of Interest

.bashrc, .bash_logout, .bash_login, .bash_profile .mkshrc, .pam_environment, .profile, .zshrc, authorized_keys, known_hosts, ssh_config

Cronjob Files

/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly, /etc/cron.d

Cronjob Related Files

*If any executable file is found in crontabs, it is collected.

/etc Collector

All files under /etc is collected

Log Files

All files under /var/log and /scratch/log is collected

Spool Files

All files under /var/spool is collected

Triage Collectors

Collector Name

Process Snapshot Detailed

Process Snapshot Verbose

Open Files

User Info

Disk Usage

Disk Usage By User

Disk Usage Human Readable

System Hostname

VMware Version

System Info

Shell Aliases

Environment Variables

ESX Advanced Configuration

ESX FCoE Configuration

ESX FCoE Networking

ESX IPSec Configuration

ESX IPsec Policy

ESX Module List

ESX Module Query

ESX Multipathing Info

ESX NAS Configuration

ESX Network Interface Cards

ESX Routing Table

ESX Network Routes

ESX IPv6 Routing Table

ESX IPv6 Network Routes

ESX SCSI Devices List

ESX VMKnic List

ESX Volume List

ESX VSwitch List

ESX Configuration Info

List all of the CPUs on this host.

List usb devices and their passthrough status.

List the boot device order, if available, for this host.

Display the current hardware clock time.

Get information about memory.

List all of the PCI devices on this host.

Get information about the platform.

Information about the status of trusted boot. (TPM, DRTM status).

List active TCP/IP connections.

List configured IPv4 routes.

List configured IPv6 routes.

List ARP table entries.

List the VMkernel network interfaces currently known to the system.

List configured Security Associations.

List configured Security Policys.

Print a list of the DNS server currently configured on the system in the order in which they will be used.

List the rulesets in firewall.

List the Physical NICs currently installed and loaded on the system.

List the virtual switches current on the ESXi host.

Hostname

Get Open Network Files

Get Unix Socket Files

Get the network configuration.

Get the DNS configuration.

Get the IP forwarding table.

Gets information about virtual NICs.

Displays information about virtual switches.

Lists the installed VIB packages.

Gets the host acceptance level. This controls what VIBs will be allowed on a host.

Display the installed image profile.

List the VMkernel UserWorld processes currently on the host.

Collect the list open files.

Report a snapshot of the current processes including used time, verbose, session ID and process group, state and type.

List the NAS volumes currently known to the ESX host.

List the NFS v4.1 volumes currently known to the ESX host.

List the volumes available to the host. This includes VMFS, NAS, VFAT and UFS partitions.

Display the mapping of logical volumes with physical disks.

List the VMkernel modules that the system knows about.

List the enforcement level for each domain.

Get FIPS140 mode of ssh.

Get FIPS140 mode of rhttpproxy.

List the advanced options available from the VMkernel.

List VMkernel kernel settings.

Display the date and time when this system was first installed. Value will not change on subsequent updates.

Show the current global syslog configuration values.

Show the currently configured sub-loggers.

Display WBEM Agent configuration.

List local user accounts.

Display the current system clock parameters.

List permissions defined on the host.

Display the product name, version and build information.

List networking information for the VM's that have active ports.

List the virtual machines on this system. This command currently will only list running VMs on the system.

Get the list of virtual machines on the host.

List Summary status from the vm.

Configuration object for the vm.

Virtual devices for the vm.

Datastores for all virtual machines.

List of networks for all virtual machines.

List registered VMs.

Other Collectors:

Collector Name

Description

File Listing

All files in the system is enumerated with following infos; File Name,File Type,Size (bytes),Access Rights,User ID,User Name,Group ID,Group Name,Number of Hard Links,Mount Point,Inode Number,Birth Time,Last Access Time,Modification Time,Change Time

Executable Hashes

All files' MD5 hashes that has executable permission in the system is collected

PreviousAIR Responder - Linux (DEB/RPM) supported systems NextAIR Responder - Chrome supported systems

Last updated 9 months ago

Was this helpful?

The AIR standalone collector currently provides support for execution on ESXi 6.5+ systems.

Assets>Add New>Deploy New>Direct connection to AIR Console >ESXi

For the conversion to PPC, you'll need an off-network Responder binary specific to your operating system on which you want to carry out the conversion.

Here’s an example for Microsoft:

Download the Off-Network Responder Package:
- If you are not sure where to get the binary, visit the following link for an explanation: .
Extract the Package:
- Extract the contents of the downloaded Off-Network Responder zip file.
Prepare Your Evidence:
- Copy your ESXi evidence file into the same extracted folder.
Run the Command:
- Execute the following command, replacing your_ESXi_evidence_name with the actual name of your ESXi evidence file:
```
offnetwork_windows_amd64 esxi --input 220240621113447-EsxiDATA.tar.gz
```

Following these steps will create a new folder containing a Case.ppc file. Please import this Case.ppc file into the AIR Console.

This process will ensure that your ESXi evidence is accurately processed and seamlessly integrated into the AIR platform.

After ingestion into AIR the ESXi evidence is parsed and pesented in the Investigation Hub in the normal way:

However, you can if required decompress the tar.gz file to independently access and examine the evidence. Typically, the evidence will include the following: :

System Info: Basic system information about the ESXi machine.
Bash History: Command history executed on the Bash shell.
Collect Bash Files: Gathering files associated with the Bash shell.
Environment Variables: Variables defined in the system environment.
Collect /etc Files: Gather files under the /etc directory.
Log Files: Collecting various log files.
SSH Config: Retrieves the configuration settings related to the SSH (Secure Shell) protocol.
SSH Authorized Keys: Collects information about authorized SSH keys, which are used for secure authentication.
SSH Known Hosts: Gathers details about known hosts in the context of SSH.
File System Enumeration: Involves enumerating and collecting information about the file system on the ESXi machine.

Having run the binary the progress will be displayed in the user's terminal/shell:

Full list of ESXi collected items

File Collectors:

Collector Name

Collected Files

History Files

.ash_history, .bash_history, .sh_history, .tsch_history, .psql_history, .sqlite_history, .mysql_history, .vsql_history, .lesshst, .viminfo

Files of Interest

.bashrc, .bash_logout, .bash_login, .bash_profile .mkshrc, .pam_environment, .profile, .zshrc, authorized_keys, known_hosts, ssh_config

Cronjob Files

/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly, /etc/cron.d

Cronjob Related Files

*If any executable file is found in crontabs, it is collected.

/etc Collector

All files under /etc is collected

Log Files

All files under /var/log and /scratch/log is collected

Spool Files

All files under /var/spool is collected

Triage Collectors

Collector Name

Process Snapshot Detailed

Process Snapshot Verbose

Open Files

User Info

Disk Usage

Disk Usage By User

Disk Usage Human Readable

System Hostname

VMware Version

System Info

Shell Aliases

Environment Variables

ESX Advanced Configuration

ESX FCoE Configuration

ESX FCoE Networking

ESX IPSec Configuration

ESX IPsec Policy

ESX Module List

ESX Module Query

ESX Multipathing Info

ESX NAS Configuration

ESX Network Interface Cards

ESX Routing Table

ESX Network Routes

ESX IPv6 Routing Table

ESX IPv6 Network Routes

ESX SCSI Devices List

ESX VMKnic List

ESX Volume List

ESX VSwitch List

ESX Configuration Info

List all of the CPUs on this host.

List usb devices and their passthrough status.

List the boot device order, if available, for this host.

Display the current hardware clock time.

Get information about memory.

List all of the PCI devices on this host.

Get information about the platform.

Information about the status of trusted boot. (TPM, DRTM status).

List active TCP/IP connections.

List configured IPv4 routes.

List configured IPv6 routes.

List ARP table entries.

List the VMkernel network interfaces currently known to the system.

List configured Security Associations.

List configured Security Policys.

Print a list of the DNS server currently configured on the system in the order in which they will be used.

List the rulesets in firewall.

List the Physical NICs currently installed and loaded on the system.

List the virtual switches current on the ESXi host.

Hostname

Get Open Network Files

Get Unix Socket Files

Get the network configuration.

Get the DNS configuration.

Get the IP forwarding table.

Gets information about virtual NICs.

Displays information about virtual switches.

Lists the installed VIB packages.

Gets the host acceptance level. This controls what VIBs will be allowed on a host.

Display the installed image profile.

List the VMkernel UserWorld processes currently on the host.

Collect the list open files.

Report a snapshot of the current processes including used time, verbose, session ID and process group, state and type.

List the NAS volumes currently known to the ESX host.

List the NFS v4.1 volumes currently known to the ESX host.

List the volumes available to the host. This includes VMFS, NAS, VFAT and UFS partitions.

Display the mapping of logical volumes with physical disks.

List the VMkernel modules that the system knows about.

List the enforcement level for each domain.

Get FIPS140 mode of ssh.

Get FIPS140 mode of rhttpproxy.

List the advanced options available from the VMkernel.

List VMkernel kernel settings.

Display the date and time when this system was first installed. Value will not change on subsequent updates.

Show the current global syslog configuration values.

Show the currently configured sub-loggers.

Display WBEM Agent configuration.

List local user accounts.

Display the current system clock parameters.

List permissions defined on the host.

Display the product name, version and build information.

List networking information for the VM's that have active ports.

List the virtual machines on this system. This command currently will only list running VMs on the system.

Get the list of virtual machines on the host.

List Summary status from the vm.

Configuration object for the vm.

Virtual devices for the vm.

Datastores for all virtual machines.

List of networks for all virtual machines.

List registered VMs.

Other Collectors:

Collector Name

Description

File Listing

Executable Hashes

All files' MD5 hashes that has executable permission in the system is collected