Block Devices
Overview
Evidence: Block Devices
Description: Collect Block Devices
Category: System
Platform: Linux
Short Name: blockdev
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Linux block device information provides details about storage devices, partitions, and disk configurations. This data is essential for understanding storage infrastructure and detecting unauthorized storage modifications.
Data Collected
This collector gathers structured data about block devices.
Block Devices Data

| Field | Description | Example |
|---|---|---|
| ID | Primary key (auto-increment) | 1 |
| Name | Block device name | sda |
| Major | Major device number | 8 |
| Minor | Minor device number | 0 |
| ReadOnly | Whether device is read-only | false |
| Removable | Whether device is removable | false |
| Size | Device size in bytes | 500107862016 |
| Parent | Parent device name | |
Collection Method
This collector parses the necessary data from the block_devices table.
This collector collects files from the following locations:
/proc/partitions
/sys/block/
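As an added illustration (not the collector's own code), the following Python joins the rows of /proc/partitions with the per-device attributes under /sys/block/ to produce the same fields the table above lists; the sample /proc/partitions text and the temporary sysfs tree it builds are constructed, not captured from a real host. Records produced this way can be compared against a known-good baseline to spot unexpected devices or partitions.

```python
import os
import tempfile

def parse_proc_partitions(text):
    """Yield (major, minor, name) for each data row of /proc/partitions."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():  # skips the header and blank lines
            yield int(parts[0]), int(parts[1]), parts[3]

def _attr(path, default="0"):
    """Read one sysfs attribute; a missing attribute (e.g. 'removable' on a partition) defaults to '0'."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default

def collect_block_devices(proc_partitions, sys_block):
    """Join /proc/partitions rows with sysfs attributes into one record per device."""
    disks = sorted(os.listdir(sys_block))  # top-level /sys/block entries are whole disks
    devices = []
    for major, minor, name in parse_proc_partitions(proc_partitions):
        # a partition appears as a subdirectory of its parent disk, e.g. /sys/block/sda/sda1
        parent = None if name in disks else next(
            (d for d in disks if os.path.isdir(os.path.join(sys_block, d, name))), None)
        if name not in disks and parent is None:
            continue  # listed in /proc/partitions but absent from sysfs
        dev_dir = os.path.join(sys_block, parent or "", name)
        devices.append({
            "Name": name, "Major": major, "Minor": minor, "Parent": parent,
            "ReadOnly": _attr(os.path.join(dev_dir, "ro")) == "1",
            # 'removable' exists only on the whole disk; partitions inherit it
            "Removable": _attr(os.path.join(sys_block, parent or name, "removable")) == "1",
            "Size": int(_attr(os.path.join(dev_dir, "size"))) * 512,  # sysfs size is in 512-byte sectors
        })
    return devices

# Constructed sample input (not a real capture): a 500 GB disk with one read-only partition.
SAMPLE_PROC_PARTITIONS = "major minor  #blocks  name\n\n   8        0  488378646 sda\n   8        1  488377600 sda1\n"
def build_sample_sysfs():
    """Create a minimal fake /sys/block tree in a temp dir that matches the sample above."""
    root = tempfile.mkdtemp()
    for rel, attrs in {"sda": {"ro": "0", "removable": "0", "size": "976773168"},
                       "sda/sda1": {"ro": "1", "size": "976755200"}}.items():
        os.makedirs(os.path.join(root, rel))
        for attr, value in attrs.items():
            with open(os.path.join(root, rel, attr), "w") as fh:
                fh.write(value)
    return root
```

On a live system, pass the contents of /proc/partitions and the path "/sys/block" instead of the constructed sample.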
Usage
This evidence is crucial for forensic investigations as it provides storage device information. It helps investigators understand storage infrastructure, detect unauthorized storage modifications, and investigate storage-based attacks. The data can reveal storage devices, partition configurations, and potential storage vulnerabilities. Analysts can use this information to identify storage compromises, trace storage activities, and assess storage security posture.
Notes
This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.