Disk Encryption

Overview

Evidence: Disk Encryption
Description: Collect Disk Encryption status
Category: DiskFilesystem
Platform: macos
Short Name: diskenc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Disk encryption is a fundamental security control that protects data at rest. On macOS, FileVault provides full-disk encryption using XTS-AES-128. Knowing the encryption status of each volume is essential for compliance verification, security policy enforcement, and detecting potential data protection gaps.

Data Collected

This collector gathers structured data about disk encryption.

Disk Encryption Data

| Field | Description | Example |
| --- | --- | --- |
| Name | Name | Example value |
| UUID | UUID | Example value |
| Encrypted | Encrypted | 123 |
| Type | Type | Example value |
| EncryptionStatus | Encryption Status | Example value |
| UID | UID | Example value |
| UserUID | User UID | Example value |
| FileVaultStatus | File Vault Status | Example value |

Collection Method

This collector queries the disk_encryption table via osquery to retrieve encryption status for all volumes, including FileVault status, encryption types, and associated user credentials.

Forensic Value

Disk encryption status reveals security posture and potential data exposure risks. Unencrypted volumes may indicate policy violations, attacker attempts to bypass security controls, or system misconfigurations. This evidence helps assess data protection compliance and identify unauthorized disk access.
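
One way to triage the collected rows is sketched below. This is an added example, not the collector's own code. It assumes the rows are in the JSON shape that `osqueryi --json` emits for the disk_encryption table (osquery's lowercase column names, every value a string), and that encryption_status and filevault_status carry the values "encrypted" / "not encrypted" / "undefined" and "on" / "off" / "unknown". The sample rows are constructed.

```python
import json

# Constructed sample rows, shaped like `osqueryi --json` output for
# SELECT * FROM disk_encryption; (osquery emits every value as a string).
SAMPLE = """[
 {"name": "/dev/disk3s1", "uuid": "AAAAAAAA-0000-0000-0000-000000000001",
  "encrypted": "1", "type": "APFS Encryption",
  "encryption_status": "encrypted", "uid": "501",
  "user_uuid": "BBBBBBBB-0000-0000-0000-000000000001",
  "filevault_status": "on"},
 {"name": "/dev/disk4s1", "uuid": "AAAAAAAA-0000-0000-0000-000000000002",
  "encrypted": "0", "type": "", "encryption_status": "not encrypted",
  "uid": "", "user_uuid": "", "filevault_status": "off"},
 {"name": "/dev/disk5s1", "uuid": "AAAAAAAA-0000-0000-0000-000000000003",
  "encrypted": "1", "type": "APFS Encryption",
  "encryption_status": "encrypted", "uid": "", "user_uuid": "",
  "filevault_status": "off"}
]"""


def classify(row):
    """Return 'ok', 'unencrypted' or 'review' for one disk_encryption row."""
    enc = row.get("encrypted", "").strip()
    status = row.get("encryption_status", "").strip().lower()
    filevault = row.get("filevault_status", "").strip().lower()
    # Any explicit signal that the volume is not encrypted wins,
    # even if another field disagrees.
    if enc == "0" or status == "not encrypted":
        return "unencrypted"
    # Missing, undefined or conflicting fields need a human look.
    if enc != "1" or status != "encrypted" or filevault != "on":
        return "review"
    return "ok"


def triage(raw_json):
    """Return (volume name, verdict) for every row that is not 'ok'."""
    findings = []
    for row in json.loads(raw_json):
        verdict = classify(row)
        if verdict != "ok":
            findings.append((row.get("name", "?"), verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE):
        print(f"{name}: {verdict}")
```

The "review" verdict covers rows where the fields disagree or are missing, which is where a policy check that looks only at the Encrypted column would report a false pass.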
