Block Devices

Overview

Evidence: Block Devices
Description: Collect block devices
Category: DiskFilesystem
Platform: linux
Short Name: blkd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Linux exposes block device attributes through sysfs, describing each disk and partition (size, removability, read-only flag). Enumerating these devices reveals attached media and storage topology.

Data Collected

This collector gathers structured data about block devices.

Block Devices Data

| Field | Description | Example |
| --- | --- | --- |
| Name | Name | Example value |
| Major | Major | Example value |
| Minor | Minor | Example value |
| ReadOnly | Read Only | true |
| Removable | Removable | true |
| Size | Size | 123 |
| Parent | Parent | Example value |

Collection Method

This collector walks /sys/block, parses device attributes (dev, size, removable, ro) and builds a hierarchy of parent/child relationships.
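The walk described above can be reproduced with a short script. This is an added example, not the collector's own code: the function names and the sample tree are constructed for illustration, and two choices are assumptions (Size is left in sysfs's 512-byte sectors, and a partition inherits Removable from its disk because partition directories carry no `removable` file).

```python
import tempfile
from pathlib import Path

def read_attr(path, name, default=""):
    """Return a sysfs attribute as stripped text, or default if it is absent."""
    try:
        return (path / name).read_text().strip()
    except OSError:
        return default

def describe(path, parent=None):
    """Build one record using the field names from the table above."""
    major, _, minor = read_attr(path, "dev").partition(":")
    return {
        "Name": path.name, "Major": major, "Minor": minor,
        "ReadOnly": read_attr(path, "ro") == "1",
        # Assumption: partitions inherit the disk's removable flag.
        "Removable": parent["Removable"] if parent else read_attr(path, "removable") == "1",
        "Size": int(read_attr(path, "size") or 0),  # sysfs counts 512-byte sectors
        "Parent": parent["Name"] if parent else "",
    }

def collect(sys_block="/sys/block"):
    """Walk sys_block; each disk is followed by its partitions.

    A child directory is a partition only if it has a "partition" attribute,
    which skips entries such as queue/ and holders/.
    """
    records = []
    for disk_path in sorted(Path(sys_block).iterdir()):
        disk_rec = describe(disk_path)
        records.append(disk_rec)
        for child in sorted(disk_path.iterdir()):
            if (child / "partition").is_file():
                records.append(describe(child, disk_rec))
    return records

def build_sample_tree(root):
    """Constructed sysfs-like tree: removable disk sdb with one read-only partition."""
    sample = {
        "sdb": {"dev": "8:16", "size": "61440", "removable": "1", "ro": "0"},
        "sdb/sdb1": {"dev": "8:17", "size": "59392", "ro": "1", "partition": "1"},
        "sdb/queue": {"rotational": "0"},  # not a partition, must be skipped
    }
    for rel, attrs in sample.items():
        Path(root, rel).mkdir(parents=True, exist_ok=True)
        for attr, value in attrs.items():
            Path(root, rel, attr).write_text(value + "\n")
    return root

if __name__ == "__main__":
    print(*collect(build_sample_tree(tempfile.mkdtemp())), sep="\n")
```

Calling `collect()` with no argument reads the live `/sys/block` on a Linux host, which makes it easy to compare against the collector's parsed output during triage.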

Forensic Value

Block device inventory assists with identifying removable media use, hidden partitions, and potential data staging volumes. It supports triage of storage relevant to an incident.
