Digital Forensics & Incident Response
Partitions / Volumes

This hypervisor has 1 x 250GB NVMe SSD (Kingston A2000) and 1 x 2TB Samsung 870 QVO SATA SSD.

To identify the disks and their partitions, start by listing the device nodes under /vmfs/devices/disks:

[root@localhost:~] ls -l /vmfs/devices/disks/
total 4395419064
-rw-------    1 root     root     2000398934016 Apr 29 04:54 t10.ATA_____Samsung_SSD_870_QVO_2TB_________________S5SUNF0R913749K_____
-rw-------    1 root     root     2000396747264 Apr 29 04:54 t10.ATA_____Samsung_SSD_870_QVO_2TB_________________S5SUNF0R913749K_____:2
-rw-------    1 root     root     250059350016 Apr 29 04:54 t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600
-rw-------    1 root     root     104857600 Apr 29 04:54 t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:1
-rw-------    1 root     root     4293918720 Apr 29 04:54 t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:5
-rw-------    1 root     root     4293918720 Apr 29 04:54 t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:6
-rw-------    1 root     root     128742064128 Apr 29 04:54 t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:7
-rw-------    1 root     root     112619331072 Apr 29 04:54 t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:8
lrwxrwxrwx    1 root     root            68 Apr 29 04:54 vml.0100000000433535395f334435315f363842375f32363030004b494e475354 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.0100000000433535395f334435315f363842375f32363030004b494e475354:1 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:1
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.0100000000433535395f334435315f363842375f32363030004b494e475354:5 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:5
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.0100000000433535395f334435315f363842375f32363030004b494e475354:6 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:6
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.0100000000433535395f334435315f363842375f32363030004b494e475354:7 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:7
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.0100000000433535395f334435315f363842375f32363030004b494e475354:8 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:8
lrwxrwxrwx    1 root     root            72 Apr 29 04:54 vml.0100000000533553554e4630523931333734394b202020202053616d73756e -> t10.ATA_____Samsung_SSD_870_QVO_2TB_________________S5SUNF0R913749K_____
lrwxrwxrwx    1 root     root            74 Apr 29 04:54 vml.0100000000533553554e4630523931333734394b202020202053616d73756e:2 -> t10.ATA_____Samsung_SSD_870_QVO_2TB_________________S5SUNF0R913749K_____:2
lrwxrwxrwx    1 root     root            68 Apr 29 04:54 vml.052b2c3dd7d64c86be0724a2e781d8178a37266e63476cfc9276f4517b9d400370 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.052b2c3dd7d64c86be0724a2e781d8178a37266e63476cfc9276f4517b9d400370:1 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:1
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.052b2c3dd7d64c86be0724a2e781d8178a37266e63476cfc9276f4517b9d400370:5 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:5
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.052b2c3dd7d64c86be0724a2e781d8178a37266e63476cfc9276f4517b9d400370:6 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:6
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.052b2c3dd7d64c86be0724a2e781d8178a37266e63476cfc9276f4517b9d400370:7 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:7
lrwxrwxrwx    1 root     root            70 Apr 29 04:54 vml.052b2c3dd7d64c86be0724a2e781d8178a37266e63476cfc9276f4517b9d400370:8 -> t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600:8

Each t10.* entry without a suffix is a whole disk, the entries with a :N suffix are that disk's partitions, and the vml.* entries are symlinks that expose the same devices under ESXi's alternate identifiers, so nothing is listed that is not already covered by the t10.* nodes. We can then run partedUtil getptbl on a whole-disk device to read its partition table. The A2000 has ESXi installed.

[root@localhost:~] partedUtil getptbl "/vmfs/devices/disks/t10.NVMe____KINGSTON_SA2000M8250G___________________C5593D5168B72600"
gpt
30401 255 63 488397168
1 64 204863 C12A7328F81F11D2BA4B00A0C93EC93B systemPartition 128
5 208896 8595455 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0
6 8597504 16984063 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0
7 16986112 268435455 4EB2EA3978554790A79EFAE495E21F8D vmfsl 0
8 268437504 488397134 AA31E02A400F11DB9590000C2911D1B8 vmfs 0

The second line of the output is the disk geometry (cylinders, heads, sectors per track) followed by the total sector count; each partition line gives the partition number, start sector, end sector (inclusive), GPT type GUID, partedUtil's type name and the attribute flags. This is the ESXi 7.0-and-later system storage layout: partition 1 is the EFI system partition holding the bootloader, partitions 5 and 6 (labelled linuxNative because partedUtil prints that name for the basic-data GUID) are the two boot banks, 7 is ESX-OSData on VMFS-L, and 8 is the local VMFS datastore. The QVO is configured as a single VMFS datastore:

[root@localhost:~] partedUtil getptbl "/vmfs/devices/disks/t10.ATA_____Samsung_SSD_870_QVO_2TB_________________S5SUNF0R913749K_____"
gpt
243201 255 63 3907029168
2 2048 3907026944 AA31E02A400F11DB9590000C2911D1B8 vmfs 0
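The table above gives sectors, while ls -l gave bytes, and when you image the disk you need byte offsets to carve or loop-mount a partition. The following POSIX shell script is an added example (not code from the original page) that parses a partedUtil getptbl table into byte offsets and sizes, labels the GPT type GUIDs, and builds the dd command for carving one partition out of a raw full-disk image. It assumes partedUtil's 512-byte logical sectors, embeds the A2000 table from above as constructed input so it runs offline, and the image names nvme.raw and vmfs_datastore.raw are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: convert a partedUtil getptbl table
# into byte offsets/sizes, label the GPT type GUIDs, and emit the dd command
# that carves a partition from a raw full-disk image.
# SAMPLE_PTBL is the A2000 table from above, embedded as constructed input so the
# script runs offline. On a live host use the real output instead:
#   PTBL=$(partedUtil getptbl /vmfs/devices/disks/<device>)

SAMPLE_PTBL='gpt
30401 255 63 488397168
1 64 204863 C12A7328F81F11D2BA4B00A0C93EC93B systemPartition 128
5 208896 8595455 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0
6 8597504 16984063 EBD0A0A2B9E5443387C068B6B72699C7 linuxNative 0
7 16986112 268435455 4EB2EA3978554790A79EFAE495E21F8D vmfsl 0
8 268437504 488397134 AA31E02A400F11DB9590000C2911D1B8 vmfs 0'

SECTOR=512   # partedUtil reports 512-byte logical sectors

# guid_label GUID: map a GPT type GUID (upper-case, no dashes) to a readable name
guid_label() {
  case "$1" in
    C12A7328F81F11D2BA4B00A0C93EC93B) echo "EFI system partition (ESXi bootloader)" ;;
    EBD0A0A2B9E5443387C068B6B72699C7) echo "basic data (ESXi boot bank)" ;;
    4EB2EA3978554790A79EFAE495E21F8D) echo "VMFS-L (ESX-OSData)" ;;
    AA31E02A400F11DB9590000C2911D1B8) echo "VMFS datastore" ;;
    *) echo "unknown type GUID $1" ;;
  esac
}

# disk_bytes TABLE: whole-disk size from the geometry line (total sectors * 512).
# awk printf "%.0f" is used throughout so values above 2^31 print as integers.
disk_bytes() {
  printf '%s\n' "$1" | awk -v s="$SECTOR" 'NR==2 { printf "%.0f\n", $4 * s }'
}

# part_start TABLE N: start sector of partition N
part_start() {
  printf '%s\n' "$1" | awk -v n="$2" 'NR>2 && $1==n { print $2 }'
}

# part_sectors TABLE N: length in sectors; partedUtil's end sector is inclusive
part_sectors() {
  printf '%s\n' "$1" | awk -v n="$2" 'NR>2 && $1==n { printf "%.0f\n", $3 - $2 + 1 }'
}

# part_offset TABLE N: byte offset of partition N inside the disk image
part_offset() {
  printf '%s\n' "$1" | awk -v n="$2" -v s="$SECTOR" 'NR>2 && $1==n { printf "%.0f\n", $2 * s }'
}

# part_size TABLE N: size of partition N in bytes
part_size() {
  printf '%s\n' "$1" | awk -v n="$2" -v s="$SECTOR" 'NR>2 && $1==n { printf "%.0f\n", ($3 - $2 + 1) * s }'
}

# carve_cmd TABLE N IMAGE OUT: dd command extracting partition N from a raw
# full-disk image; skip/count stay in sectors so the shell never multiplies.
carve_cmd() {
  echo "dd if=$3 of=$4 bs=$SECTOR skip=$(part_start "$1" "$2") count=$(part_sectors "$1" "$2")"
}

# list_parts TABLE: one summary line per partition
list_parts() {
  printf '%s\n' "$1" | awk 'NR>2 { print $1, $4 }' | while read -r n guid; do
    printf '%s  offset=%s  size=%s  %s\n' "$n" "$(part_offset "$1" "$n")" \
      "$(part_size "$1" "$n")" "$(guid_label "$guid")"
  done
}

list_parts "$SAMPLE_PTBL"
echo "disk: $(disk_bytes "$SAMPLE_PTBL") bytes"
carve_cmd "$SAMPLE_PTBL" 8 nvme.raw vmfs_datastore.raw
```

The sizes it derives for partitions 1, 5, 7 and 8 (104857600, 4293918720, 128742064128 and 112619331072 bytes) are exactly the byte sizes ls -l printed for the :1, :5, :7 and :8 device nodes, and the whole-disk figure matches the 250059350016 bytes of the NVMe node; that agreement is the check worth doing before trusting an offset for carving or for a loop-mount of the VMFS partition.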

Last updated 3 years ago
