Volumes Information
Overview
Evidence: Volumes Information
Description: Collect information about volumes
Category: DiskFilesystem
Platform: windows
Short Name: voli
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows organizes storage into logical volumes (drive letters). Each volume has properties including file system type, capacity, free space, volume label, and serial number.
Volume serial numbers are particularly important for forensic analysis as they appear in various artifacts (prefetch, LNK files, shellbags) and can be used to correlate evidence from removable drives.
Data Collected
This collector gathers structured data about the logical volumes present on the host.
Volumes Information Data
| Field | Description | Example |
|---|---|---|
| Letter | Drive letter | C |
| Type | Volume type | Fixed |
| Label | Volume label | System |
| FileSystem | File system type | NTFS |
| FSFlags | File system flags | 0x700FF |
| TotalSize | Total volume size in bytes | 500000000000 |
| FreeSpace | Available free space in bytes | 250000000000 |
| Serial | Volume serial number | 0x12345678 |
Collection Method
This collector:
- Enumerates all logical drives using `GetLogicalDrives`
- For each drive letter (A-Z):
  - Gets drive type via `GetDriveType`
  - Retrieves volume information if mounted
  - Records volume properties even if not mounted
Volume types: Fixed, Removable, Remote, CDRom, RamDisk, NotMounted, Unknown.
Forensic Value
Volume information is essential for understanding storage configuration and correlating artifacts. Investigators use this data to identify all storage devices, track volume serial numbers for correlation, detect encrypted or unmounted volumes, understand disk capacity and usage, correlate with USB device history, and identify network or removable drives.
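The following Python script is an added example, not part of this page or the collector's own code. It covers both the collection method above (decoding the `GetLogicalDrives` bitmask, mapping `GetDriveType` codes to the type names in this document, expanding an FSFlags value such as the table's 0x700FF) and the forensic use of the Serial field (matching serials recovered from LNK or prefetch artifacts back to a drive letter). The page names only `GetLogicalDrives` and `GetDriveType`; `GetVolumeInformationW` and `GetDiskFreeSpaceExW` are my assumed choice of calls for the "retrieves volume information" step. The live enumeration only runs on Windows; the sample volumes and artifact serials are constructed so the decoding and correlation logic can be exercised anywhere.

```python
import ctypes
import sys
from dataclasses import dataclass

# GetDriveType return codes (winbase.h): 0 DRIVE_UNKNOWN, 1 DRIVE_NO_ROOT_DIR (a letter with
# nothing mounted), 2 DRIVE_REMOVABLE, 3 DRIVE_FIXED, 4 DRIVE_REMOTE, 5 DRIVE_CDROM, 6 DRIVE_RAMDISK,
# mapped to the type names this collector reports.
DRIVE_TYPES = {0: "Unknown", 1: "NotMounted", 2: "Removable", 3: "Fixed",
               4: "Remote", 5: "CDRom", 6: "RamDisk"}

# Subset of the FILE_* flags (winnt.h) that GetVolumeInformation returns in lpFileSystemFlags.
FS_FLAGS = {
    0x00000001: "FILE_CASE_SENSITIVE_SEARCH",
    0x00000002: "FILE_CASE_PRESERVED_NAMES",
    0x00000004: "FILE_UNICODE_ON_DISK",
    0x00000008: "FILE_PERSISTENT_ACLS",
    0x00000010: "FILE_FILE_COMPRESSION",
    0x00000020: "FILE_VOLUME_QUOTAS",
    0x00000040: "FILE_SUPPORTS_SPARSE_FILES",
    0x00000080: "FILE_SUPPORTS_REPARSE_POINTS",
    0x00008000: "FILE_VOLUME_IS_COMPRESSED",
    0x00010000: "FILE_SUPPORTS_OBJECT_IDS",
    0x00020000: "FILE_SUPPORTS_ENCRYPTION",
    0x00040000: "FILE_NAMED_STREAMS",
    0x00080000: "FILE_READ_ONLY_VOLUME",
    0x02000000: "FILE_SUPPORTS_USN_JOURNAL",
}


@dataclass
class Volume:
    """One row of the collector's output (fields follow the table above)."""
    letter: str
    drive_type: str
    label: str
    filesystem: str
    fsflags: int
    total_size: int
    free_space: int
    serial: int


def letters_from_bitmask(mask):
    """Decode the GetLogicalDrives bitmask: bit 0 is A:, bit 1 is B:, ... bit 25 is Z:."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]


def decode_fs_flags(flags):
    """Expand an FSFlags value such as 0x700FF into the FILE_* names that are set."""
    return [name for bit, name in sorted(FS_FLAGS.items()) if flags & bit]


def format_serial(serial):
    """Render a DWORD serial as it appears in LNK/prefetch tooling: 0x plus 8 hex digits."""
    return f"0x{serial & 0xFFFFFFFF:08X}"


def correlate_serials(volumes, artifact_serials):
    """Map (artifact, serial) pairs from other evidence to the drive letter owning that serial.
    Unmatched serials come back as None, typically a removable drive that is no longer attached."""
    by_serial = {v.serial & 0xFFFFFFFF: v.letter for v in volumes}
    return {artifact: by_serial.get(serial & 0xFFFFFFFF) for artifact, serial in artifact_serials}


def collect_live():
    """Enumerate volumes through the Win32 API as the collector does; returns [] off Windows."""
    if sys.platform != "win32":
        return []
    k32 = ctypes.windll.kernel32
    volumes = []
    for letter in letters_from_bitmask(k32.GetLogicalDrives()):
        root = f"{letter}:\\"
        drive_type = DRIVE_TYPES.get(k32.GetDriveTypeW(root), "Unknown")
        label, fsname = ctypes.create_unicode_buffer(261), ctypes.create_unicode_buffer(261)
        serial, maxlen, flags = ctypes.c_uint32(), ctypes.c_uint32(), ctypes.c_uint32()
        free, total, total_free = ctypes.c_uint64(), ctypes.c_uint64(), ctypes.c_uint64()
        # Assumed calls for the "retrieves volume information" step. Both fail for NotMounted
        # letters; the row is still recorded, with zeroed properties, as the collector does.
        mounted = bool(k32.GetVolumeInformationW(root, label, 261, ctypes.byref(serial),
                                                 ctypes.byref(maxlen), ctypes.byref(flags),
                                                 fsname, 261))
        k32.GetDiskFreeSpaceExW(root, ctypes.byref(free), ctypes.byref(total),
                                ctypes.byref(total_free))
        volumes.append(Volume(letter, drive_type, label.value if mounted else "",
                              fsname.value if mounted else "", flags.value if mounted else 0,
                              total.value, free.value, serial.value if mounted else 0))
    return volumes


# Constructed sample data: a system volume using the page's example values, plus a USB stick.
SAMPLE_VOLUMES = [
    Volume("C", "Fixed", "System", "NTFS", 0x700FF, 500_000_000_000, 250_000_000_000, 0x12345678),
    Volume("E", "Removable", "USB_EVIDENCE", "FAT32", 0x6, 32_000_000_000, 1_000_000_000, 0x9ABC1234),
]
# Constructed serials as they would be parsed out of other artifacts on the same host.
SAMPLE_ARTIFACT_SERIALS = [
    ("LNK: Desktop\\report.docx.lnk", 0x12345678),
    ("LNK: Recent\\photos.lnk", 0x9ABC1234),
    ("Prefetch: TOOL.EXE-1A2B3C4D.pf", 0x55667788),  # constructed: drive no longer attached
]

if __name__ == "__main__":
    for v in collect_live() or SAMPLE_VOLUMES:
        print(v.letter, v.drive_type, v.filesystem, format_serial(v.serial), decode_fs_flags(v.fsflags))
    print(correlate_serials(SAMPLE_VOLUMES, SAMPLE_ARTIFACT_SERIALS))
```

On a Windows host the script prints the live enumeration; elsewhere it falls back to the constructed rows. The `None` result for the prefetch serial is the interesting case in practice: a serial that appears in an artifact but matches no collected volume points to a drive that was attached when the artifact was created and should be cross-referenced with USB device history.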