License Type
Tool Type
Small Tool
VM analysis

The DFIR4vSphere PowerShell module collects logs and forensics artefacts on both ESXi hosts and the vCenter console.

The module has two main functions:

  • Start-VC_Investigation: This function will collect all vSphere API calls registered on the vCenter, these logs are called VI events. You can also collect only events considered of interest. ESXi inventory, vCenter permissions and users report is also generated by the function. Optionally, a support bundle for the vCenter appliance can be generated.
  • Start-ESXi_Investigation: Collects forensics data on a single or multiple ESXi hosts. Optionally, a support bundle for each hypervisor targeted can be generated.

DFIR4vSphere was first presented at the CoRI&IN 2022 (Conférence sur la réponse aux incidents et l’investigation numérique). Slides of the presentation, in french language, are available here.