Triage and Imaging

One of my go-to tools for Linux/Unix triaging is UAC (https://github.com/tclahr/uac). I worked with the UAC dev to test some new functionality and support for native esxcli commands, and as a result v2.2.0 has enhanced support for ESXi environments. It also correctly detects the VMkernel as ESXi and runs the corresponding artefact profiles, so there's no need to append '-s linux' on the command line (as listed below). I'll keep it here as it's relevant for versions older than v2.2.0.

TL;DR - to run UAC on an ESXi host, you need to append '-s linux' to force Linux detection, as UAC assigns artefact profiles based on the detected kernel and the ESXi kernel appears as 'vmkernel'. AVML will fail because of how memory is allocated in ESXi (i.e. not /proc/core or /proc/mem).

./uac -p full -s linux /output-directory
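As an added example (not part of the original post and not UAC's own code), the wrapper below builds the UAC command line from the kernel name the way the TL;DR describes: on VMkernel it forces the Linux profile for pre-2.2.0 UAC and skips the memory-acquisition step that AVML cannot perform there. It assumes that uname -s reports "VMkernel" on ESXi, that the UAC binary sits in the current directory as ./uac, that UAC writes its collection as a .tar.gz in the output directory, and that sha256sum is available on the host; none of those details come from the page.

```shell
#!/bin/sh
# Added example (not UAC's own code): choose UAC arguments for the running kernel.
# Assumptions (not from the page): uname -s prints "VMkernel" on ESXi, ./uac is the
# UAC launcher, UAC writes a .tar.gz into the output directory, sha256sum exists.

# Print the argument list UAC should be given for a kernel name.
# UAC picks its artefact profile from the detected kernel; ESXi reports
# "VMkernel", which UAC older than 2.2.0 does not map, so force Linux there.
uac_args() {
    kernel=$1      # output of uname -s
    profile=$2     # UAC profile, e.g. full
    outdir=$3      # destination directory for the collection
    case "$kernel" in
        VMkernel) echo "-p $profile -s linux $outdir" ;;
        *)        echo "-p $profile $outdir" ;;
    esac
}

# Return 0 if an AVML-style memory acquisition can be attempted, 1 otherwise.
# ESXi does not expose memory through the devices AVML reads, so skip it there.
memory_capture_supported() {
    case "$1" in
        VMkernel) return 1 ;;
        *)        return 0 ;;
    esac
}

# Run the collection with the right arguments and record a hash of the
# resulting archive so the evidence can be verified later.
run_triage() {
    profile=${1:-full}
    outdir=${2:-/tmp/uac-out}
    kernel=$(uname -s)
    mkdir -p "$outdir"
    args=$(uac_args "$kernel" "$profile" "$outdir")
    # word splitting of $args is intended: it is a list of separate arguments
    ./uac $args || return 1
    if memory_capture_supported "$kernel"; then
        echo "memory acquisition possible on $kernel; run AVML separately"
    else
        echo "skipping memory acquisition: not supported on $kernel"
    fi
    for f in "$outdir"/*.tar.gz; do
        if [ -f "$f" ]; then
            sha256sum "$f"
        fi
    done
}

# Only collect when invoked with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    run_triage "$2" "$3"
fi
```

Invoke it on the host as `sh triage.sh --run full /output-directory`; on a 2.2.0 or newer UAC the forced `-s linux` is harmless, since the page notes those versions detect ESXi on their own.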

UAC runs on the following operating systems and is platform agnostic:

AIX
Android
FreeBSD
Linux
macOS
NetBSD
NetScaler
OpenBSD
Solaris

The ESXi kernel (VMkernel) is a customised kernel with several open source applications bundled on top of it. The shell itself is based on BusyBox. It is not based on Linux itself, but in some parts it resembles a Linux kernel (folder structure, process initiation, driver support, etc).

This presents a number of challenges for those who are comfortable with platform-specific commands, such as those found on Debian-based systems.
