# Mount

## Overview

**Evidence:** Mount\
**Description:** Collects the list of mounted filesystems.\
**Category:** DiskFilesystem\
**Platform:** macos\
**Short Name:** mnt\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

This collector gathers mount information from the macOS system. This data is essential for understanding storage configuration, detecting unauthorized mounts, and investigating storage-related incidents.

## Data Collected

This collector gathers structured data about mount.

### Mount Data

| Field        | Description | Example       |
| ------------ | ----------- | ------------- |
| `ID`         | ID          | 123           |
| `Device`     | Device      | Example value |
| `MountPoint` | Mount Point | Example value |
| `FileSystem` | File System | Example value |
| `Options`    | Options     | Example value |

## Collection Method

This collector invokes the `mount` command and parses its output to record entries in the `mount` table.

## Forensic Value

This evidence is crucial for forensic investigations as it provides visibility into mounted devices, file systems, and options that may reveal persistence or data exfiltration paths.