Block Devices

Overview

Evidence: Block Devices
Description: Collect Block Devices
Category: DiskFilesystem
Platform: macos
Short Name: blkd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Block devices represent storage devices attached to the system, including internal disks, external drives, USB devices, and virtual disks. Understanding block device inventory is essential for identifying unauthorized storage access, data exfiltration vectors, and storage-based persistence mechanisms.

Data Collected

This collector gathers structured data about block devices.

Block Devices Data

| Field     | Description | Example       |
|-----------|-------------|---------------|
| Name      | Name        | Example value |
| Parent    | Parent      | Example value |
| Vendor    | Vendor      | Example value |
| Model     | Model       | Example value |
| Size      | Size        | 123           |
| BlockSize | Block Size  | 123           |
| UUID      | UUID        | Example value |
| Type      | Type        | Example value |
| Label     | Label       | Example value |

Collection Method

This collector queries the block_devices table via osquery to retrieve information about all attached block devices, including their names, vendors, models, sizes, UUIDs, and parent-child relationships.

Forensic Value

Block device information reveals storage infrastructure and potential data transfer paths. Unexpected devices may indicate unauthorized USB storage use, external drive connections for data exfiltration, or attacker-controlled storage devices. This evidence helps identify data theft vectors, unauthorized access points, and storage-based command and control mechanisms.
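The collection method and forensic value above are illustrated by this added example (not part of the collector's own code): it post-processes the JSON that `osqueryi --json "SELECT * FROM block_devices"` emits, converts the block-count size into bytes, rebuilds the disk/partition tree from the Parent field, and flags whole disks whose vendor/model is not on a hypothetical fleet baseline. The sample rows, UUIDs and the baseline are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of `osqueryi --json "SELECT * FROM block_devices"` on macOS.
# Values and UUIDs are illustrative placeholders, not from a real host.
SAMPLE_OSQUERY_JSON = json.dumps([
    {"name": "/dev/disk0", "parent": "", "vendor": "APPLE", "model": "APPLE SSD",
     "size": "976773168", "block_size": "512", "uuid": "", "type": "Internal", "label": ""},
    {"name": "/dev/disk0s1", "parent": "/dev/disk0", "vendor": "APPLE", "model": "APPLE SSD",
     "size": "1024000", "block_size": "512", "uuid": "UUID-PLACEHOLDER-1", "type": "Internal", "label": "EFI"},
    {"name": "/dev/disk4", "parent": "", "vendor": "SanDisk", "model": "Cruzer Blade",
     "size": "30031250", "block_size": "512", "uuid": "", "type": "USB", "label": ""},
    {"name": "/dev/disk4s1", "parent": "/dev/disk4", "vendor": "SanDisk", "model": "Cruzer Blade",
     "size": "30029202", "block_size": "512", "uuid": "UUID-PLACEHOLDER-2", "type": "USB", "label": "TRANSFER"},
])

# Hypothetical baseline of (vendor, model) pairs approved for this fleet.
BASELINE = {("APPLE", "APPLE SSD")}

def parse_block_devices(json_text):
    """osquery emits every column as a string; convert the numeric ones."""
    rows = json.loads(json_text)
    for row in rows:
        row["size"] = int(row["size"] or 0)              # size is a block count
        row["block_size"] = int(row["block_size"] or 0)  # bytes per block
    return rows

def capacity_bytes(dev):
    """Size is reported in blocks, so capacity is blocks * bytes per block."""
    return dev["size"] * dev["block_size"]

def build_tree(devs):
    """Map each whole-disk device to its partitions via the Parent field."""
    tree = defaultdict(list)
    for dev in devs:
        if dev["parent"]:
            tree[dev["parent"]].append(dev["name"])
    return dict(tree)

def unexpected_devices(devs, baseline=BASELINE):
    """Whole disks (no parent) whose vendor/model is not in the baseline."""
    return sorted(d["name"] for d in devs
                  if not d["parent"] and (d["vendor"], d["model"]) not in baseline)

if __name__ == "__main__":
    devs = parse_block_devices(SAMPLE_OSQUERY_JSON)
    for name in unexpected_devices(devs):
        dev = next(d for d in devs if d["name"] == name)
        print(f"unexpected {name}: {dev['vendor']} {dev['model']}, "
              f"{capacity_bytes(dev) / 1e9:.1f} GB, partitions {build_tree(devs).get(name, [])}")
```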
