Mount
Overview
Evidence: Mount
Description: Collects the list of mounted filesystems.
Category: DiskFilesystem
Platform: macos
Short Name: mnt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers mount information from the macOS system. This data is essential for understanding storage configuration, detecting unauthorized mounts, and investigating storage-related incidents.
Data Collected
This collector gathers structured data about mounted filesystems.
Mount Data
| Field | Description | Example |
|---|---|---|
| ID | ID | 123 |
| Device | Device | Example value |
| MountPoint | Mount Point | Example value |
| FileSystem | File System | Example value |
| Options | Options | Example value |
Collection Method
This collector invokes the mount command and parses its output to record entries in the mount table.
Forensic Value
This evidence is crucial for forensic investigations as it provides visibility into mounted devices, file systems, and options that may reveal persistence or data exfiltration paths.
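The parsing described under Collection Method and the review described under Forensic Value can be sketched as follows. This is an added example, not the collector's own code: the sample `mount` output is constructed, and the sequential ID numbering, the `NETWORK_FS` set and the review heuristics are assumptions made for illustration.

```python
import re

# Constructed sample of macOS `mount` output (not captured from a real host).
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
/dev/disk5s1 on /Volumes/USB DRIVE (msdos, local, nodev, nosuid, noowners)
//analyst@fileserver.example/share on /Volumes/share (smbfs, nodev, nosuid, mounted by analyst)
"""

# "<device> on <mount point> (<fstype>, <option>, ...)"; device and mount
# point may both contain spaces, so anchor on the trailing parenthesised list.
LINE_RE = re.compile(r"^(?P<device>.+?) on (?P<mountpoint>.+) \((?P<flags>[^()]*)\)$")

# Assumption for this example: which filesystem types count as network mounts.
NETWORK_FS = {"smbfs", "nfs", "afpfs", "webdav"}


def parse_mount(output):
    """Return one record per mount-table line, using the page's field names."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines rather than guessing
        flags = [f.strip() for f in m.group("flags").split(",") if f.strip()]
        records.append({
            "ID": len(records) + 1,  # assumption: IDs are assigned sequentially
            "Device": m.group("device"),
            "MountPoint": m.group("mountpoint"),
            "FileSystem": flags[0] if flags else "",
            "Options": flags[1:],
        })
    return records


def review_candidates(records):
    """Flag network mounts and local volumes under /Volumes for analyst review."""
    hits = []
    for r in records:
        if r["FileSystem"] in NETWORK_FS:
            hits.append((r["MountPoint"], "network filesystem"))
        elif r["MountPoint"].startswith("/Volumes/") and "local" in r["Options"]:
            hits.append((r["MountPoint"], "local volume under /Volumes"))
    return hits


if __name__ == "__main__":
    for mount_point, reason in review_candidates(parse_mount(SAMPLE_MOUNT_OUTPUT)):
        print(f"{mount_point}: {reason}")
```

A flagged entry is a lead to compare against the host's expected storage layout, not a finding on its own.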