Open Files

Overview

Evidence: Open Files
Description: List Open Files
Category: System
Platform: esxi
Short Name: ofiles
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Open file descriptors on ESXi reveal active file access by processes, including VM disk files, configuration files, log files, and system resources. This snapshot captures what files were being accessed at collection time, providing evidence of process behavior and file manipulation.

Data Collected

This collector gathers structured data about open files.

Open Files Data

Field	Description	Example
`AccessTime`	Access Time	2023-10-15 14:30:25+03:00
`AccessCount`	Access Count	123
`URL`	URL	Example value
`Browser`	Browser	Example value
`Title`	Title	Example value
`VisitDuration`	Visit Duration	Example value
`Referrer`	Referrer	Example value
`TypedCount`	Typed Count	123
`IsHidden`	Is Hidden	true
`TransitionType`	Transition Type	Example value
`VisitID`	Visit ID	123
`TransitionQualifiers`	Transition Qualifiers	Example value
`User`	User	Example value
`Profile`	Profile	Example value
`HistoryFilePath`	History File Path	Example value

Collection Method

This collector parses the output of system commands listing open file descriptors, extracting process IDs, file paths, file types, access modes, and file descriptor numbers for each open file on the ESXi host.

Forensic Value

Open file data exposes active process file access patterns, helps identify processes accessing sensitive files, detects unauthorized file modifications in progress, and reveals temporary files or sockets used by malware. Cross-referencing with process data provides complete picture of file-based attacker activities.