Disk Encryption
Overview
Evidence: Disk Encryption
Description: Collect Disk Encryption status
Category: DiskFilesystem
Platform: macos
Short Name: diskenc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Disk encryption is a fundamental security control that protects data at rest. FileVault on macOS provides full-disk encryption using XTS-AES-128. Understanding encryption status is essential for compliance verification, security policy enforcement, and detecting potential data protection gaps.
Data Collected
This collector gathers structured data about disk encryption.
Disk Encryption Data
| Field | Description | Example |
|---|---|---|
| Name | Name | Example value |
| UUID | UUID | Example value |
| Encrypted | Encrypted | 123 |
| Type | Type | Example value |
| EncryptionStatus | Encryption Status | Example value |
| UID | UID | Example value |
| UserUID | User UID | Example value |
| FileVaultStatus | File Vault Status | Example value |
Collection Method
This collector queries the disk_encryption table via osquery to retrieve encryption status for all volumes, including FileVault status, encryption types, and associated user credentials.
Forensic Value
Disk encryption status reveals security posture and potential data exposure risks. Unencrypted volumes may indicate policy violations, attacker attempts to bypass security controls, or system misconfigurations. This evidence helps assess data protection compliance and identify unauthorized disk access.
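One way to triage this evidence is shown below as an added example; it is not the collector's own code. It assumes rows shaped like osquery's JSON output for the disk_encryption table, with snake_case column names and status strings ("encrypted", "on", "off", and so on) that are assumptions, and the sample rows are constructed.

```python
import json

# Constructed sample rows, shaped like the output of
#   osqueryi --json "SELECT * FROM disk_encryption"
# osquery emits every JSON value as a string. The column names and the
# status strings used here are assumptions, not taken from the page.
SAMPLE = """[
  {"name": "/dev/disk3s1", "uuid": "AAAAAAAA-0000-0000-0000-000000000001",
   "encrypted": "1", "type": "APFS Encryption", "encryption_status": "encrypted",
   "uid": "501", "user_uuid": "BBBBBBBB-0000-0000-0000-000000000001",
   "filevault_status": "on"},
  {"name": "/dev/disk3s5", "uuid": "AAAAAAAA-0000-0000-0000-000000000002",
   "encrypted": "0", "type": "", "encryption_status": "not encrypted",
   "uid": "", "user_uuid": "", "filevault_status": "off"},
  {"name": "/dev/disk4s1", "uuid": "AAAAAAAA-0000-0000-0000-000000000003",
   "encrypted": "1", "type": "APFS Encryption", "encryption_status": "undefined",
   "uid": "", "user_uuid": "", "filevault_status": "unknown"}
]"""


def triage(rows):
    """Return {volume name: [findings]} for volumes that need analyst review."""
    findings = {}
    for row in rows:
        notes = []
        encrypted = row.get("encrypted", "").strip() == "1"
        status = row.get("encryption_status", "").strip().lower()
        filevault = row.get("filevault_status", "").strip().lower()

        if not encrypted:
            notes.append("volume reported as not encrypted")
        # A set flag with a contradicting status string deserves a second look.
        if encrypted and status and status != "encrypted":
            notes.append(f"encrypted flag set but encryption_status is {status!r}")
        if filevault and filevault != "on":
            notes.append(f"FileVault status is {filevault!r}")

        if notes:
            findings[row.get("name", "<unnamed>")] = notes
    return findings


if __name__ == "__main__":
    for volume, notes in triage(json.loads(SAMPLE)).items():
        print(volume)
        for note in notes:
            print("  -", note)
```

Volumes that are encrypted, report a matching status, and have FileVault on produce no entry, so the output is limited to rows worth reviewing.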