ESXi Child Collection not Working

[qmadev]

If I run acquire 3.21 against an ESXi VM (A test VM that has ESXi 7 installed), it does not work, but when I try it with acquire 3.18 it does. I did not try all version between 18 and 21. I just jumped to 18.

Acquire 3.18

user:ESXi7.vmwarevm/ $ pipx install 'acquire[full]==3.18'                                                                              [2:31:52]
  installed package acquire 3.18, installed using Python 3.11.14
  These apps are now globally available
    - acquire
    - acquire-decrypt
done! ✨ 🌟 ✨
user:ESXi7.vmwarevm/ $ acquire -o asdf --children --compress -o asdf --skip-parent ESXi7.vmx                                           [2:32:06]
Traceback (most recent call last):
  File "/Users/user/.local/bin/acquire", line 3, in <module>
    from acquire.acquire import main
  File "/Users/user/.local/pipx/venvs/acquire/lib/python3.11/site-packages/acquire/acquire.py", line 28, in <module>
    from dissect.target.tools.utils import args_to_uri
ImportError: cannot import name 'args_to_uri' from 'dissect.target.tools.utils' (/Users/user/.local/pipx/venvs/acquire/lib/python3.11/site-packages/dissect/target/tools/utils/__init__.py)
user:ESXi7.vmwarevm/ $ pipx inject acquire dissect.target==3.23 --force                                                                [2:32:11]
  injected package dissect-target into venv acquire
done! ✨ 🌟 ✨
user:ESXi7.vmwarevm/ $ acquire -o asdf --children --compress -o asdf --skip-parent ESXi7.vmx                                           [2:32:23]
                       _
  __ _  ___ __ _ _   _(_)_ __ ___
 / _` |/ __/ _` | | | | | '__/ _ \
| (_| | (_| (_| | |_| | | | |  __/
 \__,_|\___\__, |\__,_|_|_|  \___|
  by Fox-IT   |_|             v3.18
  part of NCC Group

User: user | Admin: False
Arguments: -o asdf --children --compress -o asdf --skip-parent ESXi7.vmx
Default Arguments:

Loading target localhost
<Target ESXi7.vmx>


Loading child target /vmfs/volumes/67fe6901-e1c446a7-5335-000c2930caff/debbie/debbie.vmx
<Target ESXi7.vmx>

// Disks
<Container type=vmdk size=8589934592 vs=disk>
- <Volume name='part_00100000' size=7564427264 fs='ext'>
- <Volume name='part_1c3000000' size=1022361600 fs=None>

// Volumes
<Volume name='part_00100000' size=7564427264 fs='ext'>
<Volume name='part_1c3000000' size=1022361600 fs=None>

Target name: debbie
Hostname: debbie
OS: Debian GNU/Linux 12 (bookworm)

========================================== WARNING ==========================================

The support for operating system 'linux' is experimental. Some artifacts may not yet be included and some
features may not work as expected. Please notify upstream for any missing artifacts or features.

========================================== WARNING ==========================================
Using default collection profile

Modules selected: Boot, Etc, Home, SSH, Var
Logging to file /Users/user/Virtual Machines.localized/ESXi/ESXi7.vmwarevm/asdf/debbie_20260116013237.log
Writing output to /Users/user/Virtual Machines.localized/ESXi/ESXi7.vmwarevm/asdf/debbie_20260116013237.tar.gz

*** Acquiring etc
- Collecting file /etc/fstab to: fs/$rootfs$/etc/fstab
- Collecting file /etc/fstab succeeded
- Collecting file /etc/locale.alias to: fs/$rootfs$/etc/locale.alias
- Collecting file /etc/locale.alias succeeded

Acquire 3.21

user:ESXi7.vmwarevm/ $ pipx install 'acquire[full]==3.21'                                                                                             [2:36:58]
  installed package acquire 3.21, installed using Python 3.11.14
  These apps are now globally available
    - acquire
    - acquire-decrypt
done! ✨ 🌟 ✨
user:ESXi7.vmwarevm/ $ acquire -o asdf --children --compress -o asdf --skip-parent ESXi7.vmx                                                          [2:37:13]
                       _
  __ _  ___ __ _ _   _(_)_ __ ___
 / _` |/ __/ _` | | | | | '__/ _ \
| (_| | (_| (_| | |_| | | | |  __/
 \__,_|\___\__, |\__,_|_|_|  \___|
  by Fox-IT   |_|             v3.21
  part of NCC Group

User: user | Admin: False
Arguments: -o asdf --children --compress -o asdf --skip-parent ESXi7.vmx
Default Arguments:

Loading target localhost
<Target ESXi7.vmx>

Acquiring artifacts succeeded
Acquire finished successful
Arguments: -o asdf --children --compress -o asdf --skip-parent ESXi7.vmx
Default Arguments:
Exiting with status code 0 (SUCCESS)
Log written to file /Users/user/Virtual Machines.localized/ESXi/ESXi7.vmwarevm/asdf/Unknown_20260116013724.log

# Content of Unknown_20260116013724.log

[2026-01-16 02:37:24,912] [DEBUG] ESXi7.vmx: Attempting to use loader: <lazyattr dissect.target.loaders.vmx.VmxLoader loaded=True failed=False>
[2026-01-16 02:37:25,034] [DEBUG] <Target ESXi7.vmx>: Opened volume system: <VolumeSystem type=disk serial=None> on <Container type=vmdk size=152471339008 vs=disk>
[2026-01-16 02:37:25,531] [DEBUG] <Target ESXi7.vmx>: LVM volumes found: [<Volume name='OSDATA' size=128742063616 fs=None>, <Volume name='datastore1' size=15031319552 fs=None>]
[2026-01-16 02:37:25,531] [DEBUG] <Target ESXi7.vmx>: Encrypted volumes found: []
[2026-01-16 02:37:25,532] [DEBUG] <Target ESXi7.vmx>: Opened LVM: <VolumeSystem type=vmfs serial=None>
[2026-01-16 02:37:25,532] [DEBUG] <Target ESXi7.vmx>: Opened LVM: <VolumeSystem type=vmfs serial=None>
[2026-01-16 02:37:25,534] [DEBUG] <Target ESXi7.vmx>: LVM volumes found: []
[2026-01-16 02:37:25,534] [DEBUG] <Target ESXi7.vmx>: Encrypted volumes found: []
[2026-01-16 02:37:25,725] [DEBUG] <Target ESXi7.vmx>: Opened filesystem: <Filesystem type=fat> on <Volume name='BOOT' size=104857088 fs='fat'>
[2026-01-16 02:37:25,726] [DEBUG] <Target ESXi7.vmx>: Opened filesystem: <Filesystem type=fat> on <Volume name='BOOTBANK1' size=4293918208 fs='fat'>
[2026-01-16 02:37:25,726] [DEBUG] <Target ESXi7.vmx>: Opened filesystem: <Filesystem type=fat> on <Volume name='BOOTBANK2' size=4293918208 fs='fat'>
[2026-01-16 02:37:25,733] [DEBUG] <Target ESXi7.vmx>: Opened filesystem: <Filesystem type=vmfs> on <Volume name='67fe6901-cd9537f1-e10e-000c2930caff' size=128580583424 fs='vmfs'>
[2026-01-16 02:37:25,739] [DEBUG] <Target ESXi7.vmx>: Opened filesystem: <Filesystem type=vmfs> on <Volume name='67fe6901-dbe6d291-ef1a-000c2930caff' size=14763950080 fs='vmfs'>
[2026-01-16 02:37:29,136] [INFO ] <Target ESXi7.vmx>: Found compatible OS plugin: ESXiPlugin
[2026-01-16 02:37:29,175] [DEBUG] <Target ESXi7.vmx>: Selected OS plugin: ESXiPlugin
[2026-01-16 02:37:30,600] [WARNING] <Target ESXi7.vmx>: local.tgz is encrypted but static decryption failed and no dynamic decryption available!
[2026-01-16 02:37:30,627] [WARNING] <Target ESXi7.vmx>: Failed to read log_dir from configstore, falling back to /scratch/log
[2026-01-16 02:37:30,627] [INFO ] Loading target localhost
[2026-01-16 02:37:30,627] [INFO ] <Target ESXi7.vmx>

Looks like the local.tgz decryption is failing.

[EinatFox]

Hi @qmadev , thanks for reporting this, we are looking into it.

[Schamper]

fox-it/dissect.target#1499 probably fixes this.

[Schamper]

fox-it/dissect.target#1499 was merged, can you verify if that fixed it?

[qmadev]

Unfortunately not. I still get the same error.

[Schamper]

Unfortunately not. I still get the same error.

Did you check on the latest main branch?

The local.tgz warning could also be due to fox-it/dissect.target#1332

[qmadev]

Yes, I did a git pull and checked if the commit was there with git log.

commit 0041dd4f5d2e9bcaa483f3540890eecf596d1f51 (HEAD -> main, upstream/main)
Author: Computer Network Investigation <121175071+JSCU-CNI@users.noreply.github.com>
Date:   Fri Jan 16 12:21:45 2026 +0100

    Fix ESXi configstore call in OS create method (#1499)

Even tried it in a new venv.

[qmadev]

I see that my configstore does not contain certain keys.

    if version and version[0] == "7":
        import json
        print(json.dumps(target.configstore._configstore["esx"]))
        try:
            log_dir = target.configstore._configstore["esx"]["syslog"]["global_settings"][""]["user_value"]["log_dir"]
        except KeyError:
            target.log.warning("Failed to read log_dir from configstore, falling back to /scratch/log")
            log_dir = "/scratch/log"

If I dump this dict as json and look through it, I can't find global_settings and log_dir anywhere.

I will do some more debugging later.

[qmadev]

@Schamper it seems to me that the entire child acquisition is broken. Just running acquire on my Macbook with VMware VMs is not working either. I was debugging and found this little bug:

Traceback (most recent call last):
  File "/Users/ssvep/Documents/projects/github/acquire/acquire/acquire.py", line 2561, in acquire_children_and_targets
    child_target = load_child(target, child.path)
                                      ^^^^^^^^^^
AttributeError: 'tuple' object has no attribute 'path'

Could you double check?

If I change this in acquire/acquire.py it all works fine:

def acquire_children_and_targets(target: Target, args: argparse.Namespace) -> list[str | Path]:
...
    if args.children:
        # for child in target.list_children():
        for _, child in target.list_children():
            counter += 1
            acquire_gui.shard = int((progress_limit / total_targets) * counter)
            try:
                child_target = load_child(target, child.path)
            except Exception:
                continue
...

which makes sense because: https://github.com/fox-it/dissect.target/blob/a102b3106b692c2315592892694d99d5ab630c45/dissect/target/target.py#L557

[Schamper]

@qmadev that does appear to be a problem 😄 could you make a PR for that?

[qmadev]

Done!