# Triage and Imaging

One of my go-to tools for Linux/Unix triage is UAC (<https://github.com/tclahr/uac>).

I worked with the UAC developer to test new functionality and support for native esxcli commands, and as a result v2.2.0 has enhanced support for ESXi environments. It also correctly detects the VMkernel as ESXi and runs the corresponding artefact profiles, so there is no need to append '-s linux' on the command line (as shown below). I'll keep it here as it is still relevant for versions older than v2.2.0.

**TL;DR** - to run a UAC release older than v2.2.0 on an ESXi host, append '-s linux' to force Linux detection: UAC assigns artefact profiles based on the detected kernel, and the ESXi kernel identifies itself as 'VMkernel' rather than Linux. AVML will fail because the VMkernel does not expose the memory interfaces AVML reads (/dev/crash, /proc/kcore or /dev/mem).

```
./uac -p full -s linux /output-directory
```
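As an added example (not part of the original page and not UAC's own code), the POSIX shell script below encodes the two checks from the TL;DR so they can be run before triage starts: it appends '-s linux' only when the kernel reports itself as VMkernel and the UAC release is older than v2.2.0, and it lists which of the memory interfaces AVML reads (/dev/crash, /proc/kcore, /dev/mem) actually exist, so the operator knows up front whether AVML can work at all. Assumptions: `uname -s` prints 'VMkernel' on ESXi, the UAC version is supplied by the operator in the UAC_VERSION variable (it is not read from uac itself), and the root-prefix parameter of `memory_sources` exists only so the check can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not UAC's own code. Decides whether '-s linux' is needed and
# whether AVML has a memory interface to read, before triage starts.

# Return 0 (true) if dotted version $1 is older than $2 (a leading 'v' is ignored).
# Compared field by field because BusyBox sort has no -V.
version_lt() {
    v1="${1#v}"; v2="${2#v}"
    oldifs="$IFS"; IFS=.
    set -- $v1; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}   # unquoted on purpose: split on '.'
    set -- $v2; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS="$oldifs"
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Print the UAC command line for a host whose `uname -s` output is $1, running
# UAC version $2, writing to output directory $3. Only pre-2.2.0 releases need
# '-s linux' to map the VMkernel onto the Linux artefact profiles.
uac_cmdline() {
    kernel="$1"; uac_version="$2"; outdir="$3"
    cmd="./uac -p full"
    if [ "$kernel" = "VMkernel" ] && version_lt "$uac_version" "2.2.0"; then
        cmd="$cmd -s linux"
    fi
    echo "$cmd $outdir"
}

# Print which of the memory interfaces AVML reads exist below root prefix $1
# (empty for the live host; a directory prefix lets this run against a test
# tree). Returns 1 when none exist, which is the ESXi case: AVML will fail.
memory_sources() {
    root="$1"; found=""
    for src in /dev/crash /proc/kcore /dev/mem; do
        [ -e "$root$src" ] && found="$found $src"
    done
    found="${found# }"
    [ -n "$found" ] && echo "$found"
    [ -n "$found" ]
}

# Live usage on the host being triaged. UAC_VERSION is an assumption: set it to
# the release you unpacked (e.g. from its README); it is not read from uac.
UAC_VERSION="${UAC_VERSION:-2.1.0}"
echo "Run: $(uac_cmdline "$(uname -s)" "$UAC_VERSION" /output-directory)"
if srcs=$(memory_sources ""); then
    echo "AVML can try: $srcs"
else
    echo "No /dev/crash, /proc/kcore or /dev/mem here: AVML will fail on this host"
fi
```

On an ESXi host with a pre-2.2.0 UAC this prints the `-s linux` command line from the TL;DR and reports that none of the three memory interfaces exist; on a Linux host it drops the flag and typically finds at least /proc/kcore.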

UAC is platform agnostic and runs on the following operating systems:

```
AIX
Android
FreeBSD
Linux
macOS
NetBSD
NetScaler
OpenBSD
Solaris
```

The ESXi kernel (VMkernel) is a customised kernel with several open source applications bundled on top of it; the shell itself is based on BusyBox. It is not Linux, but in places it resembles a Linux system (folder structure, process initiation, driver support, etc.).

This presents a number of challenges for those who are used to platform-specific commands, such as those found on Debian-based systems.
