Datastores

Overview

Evidence: Datastores
Description: ESXi Datastores for all Virtual Machines
Category: DiskFilesystem
Platform: esxi
Short Name: dstr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

ESXi datastores are storage containers where virtual machine files, ISOs, and templates are stored. Understanding datastore configuration is essential for tracking VM artifacts, identifying unauthorized data access, and investigating storage-based attacks or data exfiltration.

Data Collected

This collector gathers structured data about datastores.

Datastores Data

Field	Description	Example
`AccessTime`	Access Time	2023-10-15 14:30:25+03:00
`AccessCount`	Access Count	123
`URL`	URL	Example value
`Browser`	Browser	Example value
`Title`	Title	Example value
`VisitDuration`	Visit Duration	Example value
`Referrer`	Referrer	Example value
`TypedCount`	Typed Count	123
`IsHidden`	Is Hidden	true
`TransitionType`	Transition Type	Example value
`VisitID`	Visit ID	123
`TransitionQualifiers`	Transition Qualifiers	Example value
`User`	User	Example value
`Profile`	Profile	Example value
`HistoryFilePath`	History File Path	Example value

Collection Method

This collector parses the datastore information file obtained via vim-cmd vmsvc/get.datastores command. It extracts datastore name, URL, capacity, free space, accessibility status, type (VMFS, NFS, etc.), and multi-host access configuration for each datastore attached to virtual machines.

Forensic Value

Datastore metadata provides visibility into storage capacity, accessibility, and sharing configuration. This information helps investigators identify suspicious storage mounts, trace VM file locations, detect capacity anomalies that may indicate data staging, and validate storage security policies.