AIR - ESXi Standalone Collector

The AIR standalone collector currently provides support for execution on ESXi 6.5+ systems.

VMware ESXi is a type of hypervisor, which is software that creates and runs virtual machines (VMs). It is a part of VMware's vSphere product suite and is used for enterprise-level virtualization. ESXi is popular due to its stability, performance, and extensive feature set for managing and running virtual machines.

Binalyze AIR offers a robust approach for evidence collection from ESXi platforms. Because DRONE is not currently supported on ESXi systems, collection is performed by a standalone ESXi collector, available for download on the Assets page of your AIR console:

Assets > Add New > Deploy New > Direct connection to AIR Console > ESXi

After installation on an ESXi host, the collector acquires the evidence types listed below and packages them into a tar.gz archive that can be imported directly into AIR, where the asset is shown alongside all the others.

After ingestion into AIR, the ESXi evidence is parsed and presented in the Investigation Hub in the normal way.

However, if required, you can decompress the tar.gz file to access and examine the evidence independently. Typically, the evidence will include the following:

  • System Info: Basic system information about the ESXi machine.

  • Bash History: Command history executed in the Bash shell.

  • Collect Bash Files: Gathers files associated with the Bash shell.

  • Environment Variables: Variables defined in the system environment.

  • Collect /etc Files: Gathers files under the /etc directory.

  • Log Files: Collects various log files.

  • SSH Config: Retrieves the configuration settings for the SSH (Secure Shell) service.

  • SSH Authorized Keys: Collects the authorized SSH keys used for key-based authentication.

  • SSH Known Hosts: Gathers the SSH known hosts entries.

  • File System Enumeration: Enumerates the file system on the ESXi machine and collects metadata about each file.

A full list of ESXi collected items is shown below.

Once the binary has been run, progress is displayed in the user's terminal/shell.

Full list of ESXi collected items

File Collectors:

| ID | Collector Name | Collected Files |
|----|----------------|-----------------|
| 1 | History Files | .ash_history, .bash_history, .sh_history, .tsch_history, .psql_history, .sqlite_history, .mysql_history, .vsql_history, .lesshst, .viminfo |
| 2 | Files of Interest | .bashrc, .bash_logout, .bash_login, .bash_profile, .mkshrc, .pam_environment, .profile, .zshrc, authorized_keys, known_hosts, ssh_config |
| 3 | Cronjob Files | /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly, /etc/cron.d |
| 4 | Cronjob Related Files | Any executable file referenced in crontabs is collected. |
| 5 | /etc Collector | All files under /etc are collected. |
| 6 | Log Files | All files under /var/log and /scratch/log are collected. |
| 7 | Spool Files | All files under /var/spool are collected. |

Triage Collectors:

| ID | Collector Name |
|----|----------------|
| 1 | Process Snapshot Detailed |
| 2 | Process Snapshot Verbose |
| 3 | Open Files |
| 4 | User Info |
| 5 | Disk Usage |
| 6 | Disk Usage By User |
| 7 | Disk Usage Human Readable |
| 8 | System Hostname |
| 9 | VMware Version |
| 10 | System Info |
| 11 | Shell Aliases |
| 12 | Environment Variables |
| 13 | ESX Advanced Configuration |
| 14 | ESX FCoE Configuration |
| 15 | ESX FCoE Networking |
| 16 | ESX IPSec Configuration |
| 17 | ESX IPsec Policy |
| 18 | ESX Module List |
| 19 | ESX Module Query |
| 20 | ESX Multipathing Info |
| 21 | ESX NAS Configuration |
| 22 | ESX Network Interface Cards |
| 23 | ESX Routing Table |
| 24 | ESX Network Routes |
| 25 | ESX IPv6 Routing Table |
| 26 | ESX IPv6 Network Routes |
| 27 | ESX SCSI Devices List |
| 28 | ESX VMKnic List |
| 29 | ESX Volume List |
| 30 | ESX VSwitch List |
| 31 | ESX Configuration Info |
| 32 | List all of the CPUs on this host. |
| 33 | List USB devices and their passthrough status. |
| 34 | List the boot device order, if available, for this host. |
| 35 | Display the current hardware clock time. |
| 36 | Get information about memory. |
| 37 | List all of the PCI devices on this host. |
| 38 | Get information about the platform. |
| 39 | Information about the status of trusted boot (TPM, DRTM status). |
| 40 | List active TCP/IP connections. |
| 41 | List configured IPv4 routes. |
| 42 | List configured IPv6 routes. |
| 43 | List ARP table entries. |
| 44 | List the VMkernel network interfaces currently known to the system. |
| 45 | List configured Security Associations. |
| 46 | List configured Security Policies. |
| 47 | Print a list of the DNS servers currently configured on the system in the order in which they will be used. |
| 48 | List the rulesets in the firewall. |
| 49 | List the Physical NICs currently installed and loaded on the system. |
| 50 | List the virtual switches currently on the ESXi host. |
| 51 | Hostname |
| 52 | Get Open Network Files |
| 53 | Get Unix Socket Files |
| 54 | Get the network configuration. |
| 55 | Get the DNS configuration. |
| 56 | Get the IP forwarding table. |
| 57 | Get information about virtual NICs. |
| 58 | Display information about virtual switches. |
| 59 | List the installed VIB packages. |
| 60 | Get the host acceptance level. This controls what VIBs will be allowed on a host. |
| 61 | Display the installed image profile. |
| 62 | List the VMkernel UserWorld processes currently on the host. |
| 63 | Collect the list of open files. |
| 64 | Report a snapshot of the current processes including used time, verbose, session ID and process group, state and type. |
| 65 | List the NAS volumes currently known to the ESX host. |
| 66 | List the NFS v4.1 volumes currently known to the ESX host. |
| 67 | List the volumes available to the host. This includes VMFS, NAS, VFAT and UFS partitions. |
| 68 | Display the mapping of logical volumes with physical disks. |
| 69 | List the VMkernel modules that the system knows about. |
| 70 | List the enforcement level for each domain. |
| 71 | Get FIPS140 mode of ssh. |
| 72 | Get FIPS140 mode of rhttpproxy. |
| 73 | List the advanced options available from the VMkernel. |
| 74 | List VMkernel kernel settings. |
| 75 | Display the date and time when this system was first installed. The value will not change on subsequent updates. |
| 76 | Show the current global syslog configuration values. |
| 77 | Show the currently configured sub-loggers. |
| 78 | Display WBEM Agent configuration. |
| 79 | List local user accounts. |
| 80 | Display the current system clock parameters. |
| 81 | List permissions defined on the host. |
| 82 | Display the product name, version and build information. |
| 83 | List networking information for the VMs that have active ports. |
| 84 | List the virtual machines on this system. This command currently lists only running VMs on the system. |
| 85 | Get the list of virtual machines on the host. |
| 86 | List summary status for the VM. |
| 87 | Configuration object for the VM. |
| 88 | Virtual devices for the VM. |
| 89 | Datastores for all virtual machines. |
| 90 | List of networks for all virtual machines. |
| 91 | List registered VMs. |

Other Collectors:

| ID | Collector Name | Description |
|----|----------------|-------------|
| 1 | File Listing | All files in the system are enumerated with the following fields: File Name, File Type, Size (bytes), Access Rights, User ID, User Name, Group ID, Group Name, Number of Hard Links, Mount Point, Inode Number, Birth Time, Last Access Time, Modification Time, Change Time. |
| 2 | Executable Hashes | MD5 hashes of all files in the system that have executable permission are collected. |
