
Insider Threat Matrix™

  • ID: PV025
  • Created: 09th July 2024
  • Updated: 22nd July 2024
  • Platforms: Windows, Linux, macOS
  • Contributor: The ITM Team

Full Disk Encryption

Full Disk Encryption (FDE) involves encrypting all data on a device's hard disk or solid-state drive (SSD), including the Operating System (OS), third-party applications and user data. This helps to ensure that data on the disk remains inaccessible if the device is lost or stolen, as the data cannot be read without the correct decryption key.

Typically, a user unlocks an FDE disk during the boot process. The user is prompted to enter a password or provide a hardware token to unlock the encryption key. Only after successful authentication can the disk be decrypted, the Operating System loaded, and the data accessed.

Sections

ID | Name | Description
IF015 | Theft | A subject steals an item or items belonging to an organization, such as a corporate laptop or corporate mobile phone.
PR011 | Boot Order Manipulation | A subject accesses BIOS or UEFI to manipulate the boot order of a target computer to boot from an external device in order to access the target computer's file system without needing to interact or authenticate with the Operating System of the target computer.
IF002.007 | Exfiltration via Target Disk Mode | When a Mac is booted into Target Disk Mode (by powering the computer on whilst holding the ‘T’ key), it acts as an external storage device, accessible from another computer via Thunderbolt, USB, or FireWire connections. A subject with physical access to the computer, and the ability to control boot options, can copy any data present on the target disk, bypassing the need to authenticate to the target computer.
ME016.001 | Target Disk Mode Access | A subject has the ability to put the target system into “Target Disk Mode” (macOS).