Disk Usage

Overview

Evidence: Disk Usage
Description: ESXi Disk Usage
Category: DiskFilesystem
Platform: esxi
Short Name: diskusg
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

ESXi disk usage statistics track storage consumption across filesystems, partitions, and volumes on the hypervisor. Monitoring disk usage helps identify suspicious storage patterns, detect data staging for exfiltration, and reveal space exhaustion attacks or log file tampering.

Data Collected

This collector gathers structured data about disk usage.

Disk Usage Data

Field	Description	Example
`AccessTime`	Access Time	2023-10-15 14:30:25+03:00
`AccessCount`	Access Count	123
`URL`	URL	Example value
`Browser`	Browser	Example value
`Title`	Title	Example value
`VisitDuration`	Visit Duration	Example value
`Referrer`	Referrer	Example value
`TypedCount`	Typed Count	123
`IsHidden`	Is Hidden	true
`TransitionType`	Transition Type	Example value
`VisitID`	Visit ID	123
`TransitionQualifiers`	Transition Qualifiers	Example value
`User`	User	Example value
`Profile`	Profile	Example value
`HistoryFilePath`	History File Path	Example value

Collection Method

This collector parses disk usage reports, extracting filesystem mount points, total capacity, used space, available space, usage percentages, and mount status for each storage volume accessible to the ESXi host.

Forensic Value

Disk usage patterns reveal anomalous storage consumption that may indicate malware staging areas, log file manipulation to hide evidence, or denial-of-service attempts via disk exhaustion. Comparing usage trends helps identify rapid changes consistent with data exfiltration or malicious file placement.