Block Devices
Overview
Evidence: Block Devices
Description: Collect Block Devices
Category: DiskFilesystem
Platform: macos
Short Name: blkd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Block devices represent storage devices attached to the system, including internal disks, external drives, USB devices, and virtual disks. Understanding the block device inventory is essential for identifying unauthorized storage access, data exfiltration vectors, and storage-based persistence mechanisms.
Data Collected
This collector gathers structured data about block devices.
Block Devices Data
| Field | Description | Example |
|---|---|---|
| Name | Name | Example value |
| Parent | Parent | Example value |
| Vendor | Vendor | Example value |
| Model | Model | Example value |
| Size | Size | 123 |
| BlockSize | Block Size | 123 |
| UUID | UUID | Example value |
| Type | Type | Example value |
| Label | Label | Example value |
Collection Method
This collector queries the block_devices table via osquery to retrieve information about all attached block devices, including their names, vendors, models, sizes, UUIDs, and parent-child relationships.
Forensic Value
Block device information reveals storage infrastructure and potential data transfer paths. Unexpected devices may indicate unauthorized USB storage use, external drive connections for data exfiltration, or attacker-controlled storage devices. This evidence helps identify data theft vectors, unauthorized access points, and storage-based command and control mechanisms.
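As an added example (not the collector's own code), the Python below takes the JSON that osquery returns for `SELECT * FROM block_devices`, walks the parent-child relationships described under Collection Method, and applies the triage described under Forensic Value: whole devices whose vendor/model is not on a host baseline are reported together with the labels and UUIDs of their partitions. The sample rows, the `KNOWN_DEVICES` baseline and the `type` values are constructed assumptions, not real collector output.

```python
import json

# Constructed sample shaped like `osqueryi --json "SELECT * FROM block_devices"`
# output; column names follow the osquery schema, all values are made up.
SAMPLE_OSQUERY_JSON = """[
 {"name": "/dev/disk0", "parent": "", "vendor": "Apple", "model": "APPLE SSD AP0512Q",
  "size": "500277790720", "block_size": "4096", "uuid": "", "type": "Internal", "label": ""},
 {"name": "/dev/disk0s2", "parent": "/dev/disk0", "vendor": "Apple", "model": "APPLE SSD AP0512Q",
  "size": "499963174912", "block_size": "4096", "uuid": "A1B2C3D4-0000-0000-0000-000000000001",
  "type": "Apple_APFS", "label": "Container disk1"},
 {"name": "/dev/disk4", "parent": "", "vendor": "SanDisk", "model": "Cruzer Glide",
  "size": "30752636928", "block_size": "512", "uuid": "", "type": "External", "label": ""},
 {"name": "/dev/disk4s1", "parent": "/dev/disk4", "vendor": "SanDisk", "model": "Cruzer Glide",
  "size": "30750539776", "block_size": "512", "uuid": "A1B2C3D4-0000-0000-0000-000000000002",
  "type": "Microsoft Basic Data", "label": "BACKUP"}
]"""

# Hypothetical baseline of (vendor, model) pairs expected on this host.
KNOWN_DEVICES = {("Apple", "APPLE SSD AP0512Q")}


def load_block_devices(json_text):
    """Parse osquery's JSON result set into a list of row dicts."""
    return json.loads(json_text)


def children_of(rows, parent_name):
    """Partitions/slices whose 'parent' column points at the given device."""
    return [r for r in rows if r["parent"] == parent_name]


def unexpected_devices(rows, known=KNOWN_DEVICES):
    """Whole devices (empty 'parent') whose vendor/model is not in the baseline,
    each listed with the name, label and UUID of its partitions for triage."""
    findings = []
    for r in rows:
        if r["parent"]:                      # judge the physical device, not its slices
            continue
        if (r["vendor"], r["model"]) in known:
            continue
        findings.append({
            "name": r["name"], "vendor": r["vendor"], "model": r["model"], "type": r["type"],
            "partitions": [(c["name"], c["label"], c["uuid"])
                           for c in children_of(rows, r["name"])],
        })
    return findings


if __name__ == "__main__":
    for f in unexpected_devices(load_block_devices(SAMPLE_OSQUERY_JSON)):
        print(f"{f['name']}: {f['vendor']} {f['model']} ({f['type']})")
        for name, label, uuid in f["partitions"]:
            print(f"  {name} label={label!r} uuid={uuid}")
```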