Block Devices
Overview
Evidence: Block Devices
Description: Collect block devices
Category: DiskFilesystem
Platform: linux
Short Name: blkd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Linux exposes block device attributes via sysfs, detailing disks and partitions (size, removability, RO flag). Enumerating these devices reveals attached media and storage topology.
Data Collected
This collector gathers structured data about block devices.
Block Devices Data
| Field | Description | Example |
|---|---|---|
| Name | Name | Example value |
| Major | Major | Example value |
| Minor | Minor | Example value |
| ReadOnly | Read Only | true |
| Removable | Removable | true |
| Size | Size | 123 |
| Parent | Parent | Example value |
Collection Method
This collector walks /sys/block, parses device attributes (dev, size, removable, ro) and builds a hierarchy of parent/child relationships.
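The walk described above, as an added Python example that emits the fields from the table; it is not the collector's own code. Assumptions: Size is reported in bytes, a top-level disk gets an empty Parent, a partition inherits its parent disk's Removable flag, and the sample tree in `build_sample` is constructed.

```python
import tempfile
from pathlib import Path

SECTOR = 512  # sysfs "size" counts 512-byte sectors, whatever the device block size

def attr(path, name, default):
    try:
        return (path / name).read_text().strip()
    except OSError:  # attribute absent on this node
        return default

def record(path, parent=None):
    major, _, minor = attr(path, "dev", "0:0").partition(":")
    return {
        "Name": path.name,
        "Major": int(major), "Minor": int(minor),
        "ReadOnly": attr(path, "ro", "0") == "1",
        # partitions have no "removable" file, so inherit the parent disk's flag
        "Removable": parent["Removable"] if parent else attr(path, "removable", "0") == "1",
        "Size": int(attr(path, "size", "0")) * SECTOR,  # bytes (assumed unit)
        "Parent": parent["Name"] if parent else "",
    }

def collect(root="/sys/block"):
    rows = []
    for dpath in sorted(Path(root).iterdir()):
        parent = record(dpath)
        rows.append(parent)
        for cpath in sorted(dpath.iterdir()):
            if (cpath / "partition").is_file():  # only partitions have this attribute
                rows.append(record(cpath, parent))
    return rows

def build_sample(root):
    """Constructed sysfs-like tree: fixed disk sda, removable read-only sdb."""
    tree = {"sda": {"dev": "8:0", "size": "2048", "removable": "0", "ro": "0"},
            "sda/sda1": {"dev": "8:1", "size": "1024", "ro": "0", "partition": "1"},
            "sda/queue": {"rotational": "0"},
            "sdb": {"dev": "8:16", "size": "4096", "removable": "1", "ro": "1"},
            "sdb/sdb1": {"dev": "8:17", "size": "4000", "ro": "1", "partition": "1"}}
    for rel, files in tree.items():
        Path(root, rel).mkdir(parents=True, exist_ok=True)
        for name, value in files.items():
            Path(root, rel, name).write_text(value + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*collect(tmp), sep="\n")
```

Calling `collect()` with no argument reads the live /sys/block on a Linux host; the `queue` directory in the sample shows that non-partition subdirectories are skipped.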
Forensic Value
Block device inventory assists with identifying removable media use, hidden partitions, and potential data staging volumes. It supports triage of storage relevant to an incident.