Finder Mounted Volume

Overview

Evidence: Finder Mounted Volume Description: Collects the list of mounted volumes in Finder. Category: DiskFilesystem Platform: macos Short Name: fmvlm Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Finder preferences track mounted volumes shown on the desktop. This data is essential for identifying external drives and volumes accessed by users.

Data Collected

This collector gathers structured data about finder mounted volume.

Finder Mounted Volume Data

Collection Method

This collector reads each user's com.apple.finder.plist and extracts FXDesktopVolumePositions into finder_mounted_volumes.

Forensic Value

This evidence is crucial for forensic investigations as it indicates removable media usage and mounted volume names relevant to data movement.