Finder Mounted Volume
Overview
Evidence: Finder Mounted Volume
Description: Collects the list of mounted volumes in Finder.
Category: DiskFilesystem
Platform: macos
Short Name: fmvlm
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Finder preferences track mounted volumes shown on the desktop. This data is essential for identifying external drives and volumes accessed by users.
Data Collected
This collector gathers structured data about Finder mounted volumes.
Finder Mounted Volume Data
| Field | Description | Example |
|---|---|---|
| ID | ID | 123 |
| Username | Username | Example value |
| VolumeName | Volume Name | Example value |
Collection Method
This collector reads each user’s com.apple.finder.plist and extracts FXDesktopVolumePositions into finder_mounted_volumes.
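The extraction described above can be reproduced by hand when validating collector output. The following is an added example, not the collector's own code: the function name, the extra RawKey and VolumeCreated columns, and the sample plist are constructed for illustration. It assumes that keys under FXDesktopVolumePositions take the form `<VolumeName>_<hex float>` and that the hex float is a volume creation time in seconds since 2001-01-01 UTC.

```python
import plistlib
import re
from datetime import datetime, timedelta, timezone

# Assumption: keys look like "<VolumeName>_<hex float>", e.g. "BACKUP_USB_0x1.4p+29".
KEY_RE = re.compile(r"^(?P<name>.+)_(?P<stamp>-?0x[0-9a-fA-F.]+p[+-]?\d+)$")
# Assumption: the hex float counts seconds from the Cocoa epoch.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def parse_finder_volumes(plist_bytes, username):
    """Return rows shaped like the table above (ID, Username, VolumeName)."""
    try:
        prefs = plistlib.loads(plist_bytes)  # handles binary and XML plists
    except Exception:
        return []  # truncated or corrupt preferences file
    positions = prefs.get("FXDesktopVolumePositions") if isinstance(prefs, dict) else None
    if not isinstance(positions, dict):
        return []  # key absent: no volumes were ever placed on this desktop
    rows = []
    for key in sorted(positions):
        match = KEY_RE.match(key)
        name, created = key, None
        if match:
            # Greedy match keeps underscores that belong to the volume name.
            name = match.group("name")
            seconds = float.fromhex(match.group("stamp"))
            created = COCOA_EPOCH + timedelta(seconds=seconds)
        rows.append({
            "ID": len(rows) + 1,
            "Username": username,
            "VolumeName": name,
            "RawKey": key,             # keep the untouched key for the report
            "VolumeCreated": created,  # None when the key has no suffix
        })
    return rows

# Constructed sample standing in for a user's com.apple.finder.plist.
SAMPLE = plistlib.dumps({
    "FXDesktopVolumePositions": {
        "BACKUP_USB_0x1.4p+29": {"xRelative": -65.0, "yRelative": 72.0},
        "Macintosh HD": {"xRelative": -65.0, "yRelative": 180.0},
    },
    "ShowHardDrivesOnDesktop": True,
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for row in parse_finder_volumes(SAMPLE, "alice"):
        print(row["ID"], row["Username"], row["VolumeName"], row["VolumeCreated"])
```

Keeping RawKey alongside the cleaned name lets an analyst tell apart two volumes that share a name but carry different suffixes.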
Forensic Value
This evidence is crucial for forensic investigations as it indicates removable media usage and mounted volume names relevant to data movement.