Volume Information

Overview

Evidence: Volumes Information
Description: Collect Information About Volumes
Category: Disk
Platform: Windows
Short Name: voli
Is Parsed: Yes - Volume information parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows organizes storage into logical volumes (drive letters). Each volume has properties including file system type, capacity, free space, volume label, and serial number.

Volume serial numbers are particularly important for forensic analysis as they appear in various artifacts (prefetch, LNK files, shellbags) and can be used to correlate evidence from removable drives.

Data Collected

Field        Description                     Example
Letter       Drive letter                    C
Type         Volume type                     Fixed
Label        Volume label                    System
FileSystem   File system type                NTFS
FSFlags      File system flags               0x700FF
TotalSize    Total volume size in bytes      500000000000
FreeSpace    Available free space in bytes   250000000000
Serial       Volume serial number            0x12345678

Collection Method

This collector:

  • Enumerates all logical drives using GetLogicalDrives

  • For each drive letter (A-Z):

    • Gets drive type via GetDriveType

    • Retrieves volume information if mounted

    • Records volume properties even if not mounted

Volume types: Fixed, Removable, Remote, CDRom, RamDisk, NotMounted, Unknown.
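The enumeration described above, written out as an added example (not the collector's own code): it walks the GetLogicalDrives bitmask, asks GetDriveType for each letter, and reads label, file system, flags and serial with GetVolumeInformation, recording letter and type even when the volume is not mounted. The Win32 calls only work on Windows, so the decoding helpers (bitmask to letters, drive-type codes to the page's type names, FSFlags bits to names) are kept separate and platform-independent. Mapping DRIVE_NO_ROOT_DIR to "NotMounted" is an assumption about the collector's vocabulary; the numeric DRIVE_* and FILE_* constants are the documented winbase.h/winnt.h values.

```python
import ctypes
import sys

# GetDriveType return codes (DRIVE_* in winbase.h) mapped to the type names the
# page lists. Treating DRIVE_NO_ROOT_DIR as "NotMounted" is an assumption.
DRIVE_TYPE_NAMES = {
    0: "Unknown",      # DRIVE_UNKNOWN
    1: "NotMounted",   # DRIVE_NO_ROOT_DIR
    2: "Removable",    # DRIVE_REMOVABLE
    3: "Fixed",        # DRIVE_FIXED
    4: "Remote",       # DRIVE_REMOTE
    5: "CDRom",        # DRIVE_CDROM
    6: "RamDisk",      # DRIVE_RAMDISK
}

# File system flag bits reported by GetVolumeInformation (FILE_* in winnt.h);
# enough to decode the page's example value 0x700FF.
FS_FLAG_BITS = {
    0x00000001: "FILE_CASE_SENSITIVE_SEARCH",
    0x00000002: "FILE_CASE_PRESERVED_NAMES",
    0x00000004: "FILE_UNICODE_ON_DISK",
    0x00000008: "FILE_PERSISTENT_ACLS",
    0x00000010: "FILE_FILE_COMPRESSION",
    0x00000020: "FILE_VOLUME_QUOTAS",
    0x00000040: "FILE_SUPPORTS_SPARSE_FILES",
    0x00000080: "FILE_SUPPORTS_REPARSE_POINTS",
    0x00000100: "FILE_SUPPORTS_REMOTE_STORAGE",
    0x00008000: "FILE_VOLUME_IS_COMPRESSED",
    0x00010000: "FILE_SUPPORTS_OBJECT_IDS",
    0x00020000: "FILE_SUPPORTS_ENCRYPTION",
    0x00040000: "FILE_NAMED_STREAMS",
    0x00080000: "FILE_READ_ONLY_VOLUME",
    0x00200000: "FILE_SUPPORTS_TRANSACTIONS",
    0x00400000: "FILE_SUPPORTS_HARD_LINKS",
    0x02000000: "FILE_SUPPORTS_USN_JOURNAL",
}


def drives_from_bitmask(mask):
    """Decode the GetLogicalDrives bitmask: bit 0 is A:, bit 1 is B:, ..., bit 25 is Z:."""
    return [chr(ord("A") + i) for i in range(26) if mask & (1 << i)]


def drive_type_name(code):
    """Map a GetDriveType result to the page's volume type vocabulary."""
    return DRIVE_TYPE_NAMES.get(code, "Unknown")


def decode_fs_flags(flags):
    """Names of the FSFlags bits that are set; bits not in the table are kept as hex."""
    names = [name for bit, name in sorted(FS_FLAG_BITS.items()) if flags & bit]
    leftover = flags & ~sum(FS_FLAG_BITS)  # keys are disjoint bits, so sum == OR
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def collect_volumes():
    """Enumerate volumes the way the collector does. Windows only (uses kernel32)."""
    if sys.platform != "win32":
        raise RuntimeError("Win32 volume enumeration requires Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    records = []
    for letter in drives_from_bitmask(k32.GetLogicalDrives()):
        root = f"{letter}:\\"
        rec = {"Letter": letter, "Type": drive_type_name(k32.GetDriveTypeW(root))}
        label = ctypes.create_unicode_buffer(261)
        fsname = ctypes.create_unicode_buffer(261)
        serial, maxlen, fsflags = ctypes.c_ulong(), ctypes.c_ulong(), ctypes.c_ulong()
        ok = k32.GetVolumeInformationW(root, label, 261, ctypes.byref(serial),
                                       ctypes.byref(maxlen), ctypes.byref(fsflags),
                                       fsname, 261)
        if ok:
            rec.update(Label=label.value, FileSystem=fsname.value,
                       FSFlags=f"0x{fsflags.value:X}", Serial=f"0x{serial.value:08X}")
            free, total = ctypes.c_ulonglong(), ctypes.c_ulonglong()
            if k32.GetDiskFreeSpaceExW(root, ctypes.byref(free), ctypes.byref(total), None):
                rec.update(TotalSize=total.value, FreeSpace=free.value)
        else:
            # No media or not mounted: keep letter and type, as the collector does,
            # and note the Win32 error so the gap is explainable later.
            rec["Error"] = ctypes.get_last_error()
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in collect_volumes():
        print(rec, decode_fs_flags(int(rec.get("FSFlags", "0x0"), 16)))
```

Running this on a Windows host prints one record per drive letter in the same shape as the Data Collected table; a removable drive with no media inserted shows up with only Letter, Type and Error, which is exactly the "Unmounted volumes have limited information" case listed under Known Limitations.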

Usage

Volume information is essential for understanding storage configuration and correlating artifacts. Investigators use this data to identify all storage devices, track volume serial numbers for correlation, detect encrypted or unmounted volumes, understand disk capacity and usage, correlate with USB device history, and identify network or removable drives.

Known Limitations

  • Only captures current state

  • Unmounted volumes have limited information

  • Network drives may not provide full details

  • Volume properties can change over time

Notes

Volume serial numbers are critical for correlating evidence. A volume serial found in a prefetch file or LNK file can be matched to this data to identify which drive a file was accessed from.
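A worked example of that correlation, added here and not part of the original page: volume serials turn up in different renderings depending on which tool produced them (the "1234-5678" form that dir prints, "0x12345678" from an LNK or prefetch parser, or a plain decimal DWORD), so the first step is to normalise every serial to one canonical form before matching. The volume records and artifact hits below are constructed sample data shaped like the Data Collected table; treating a bare 8-character hex-looking string as hex rather than decimal is an assumption noted in the code.

```python
import re

SERIAL_DASHED = re.compile(r"^[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}$")
SERIAL_0X = re.compile(r"^0[xX][0-9A-Fa-f]{1,8}$")
SERIAL_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def normalize_serial(value):
    """Return a volume serial as 8 uppercase hex digits, or None if unparseable.

    Accepts an int, "1234-5678", "0x12345678", "12345678" or a decimal string.
    Assumption: a bare 8-character string that parses as hex is treated as hex,
    since that is how most parsers render the DWORD serial.
    """
    if isinstance(value, int):
        n = value
    else:
        s = str(value).strip()
        if SERIAL_DASHED.match(s):
            n = int(s.replace("-", ""), 16)
        elif SERIAL_0X.match(s) or SERIAL_HEX8.match(s):
            n = int(s, 16)
        elif s.isdigit():
            n = int(s)
        else:
            return None
    if not 0 <= n <= 0xFFFFFFFF:  # serial is a 32-bit value
        return None
    return f"{n:08X}"


def correlate(volumes, artifacts):
    """Match artifact serials (LNK, prefetch, shellbags) to collected volumes.

    Returns (matched, unmatched); unmatched hits usually mean the drive is no
    longer connected, which this collector cannot see (it only captures current state).
    """
    by_serial = {normalize_serial(v["Serial"]): v for v in volumes}
    matched, unmatched = [], []
    for art in artifacts:
        key = normalize_serial(art["serial"])
        vol = by_serial.get(key)
        if vol is not None:
            matched.append({**art, "serial": key, "Letter": vol["Letter"], "Type": vol["Type"]})
        else:
            unmatched.append({**art, "serial": key})
    return matched, unmatched


# Constructed sample: what the voli collector might return on one host.
SAMPLE_VOLUMES = [
    {"Letter": "C", "Type": "Fixed", "Label": "System", "Serial": "0x12345678"},
    {"Letter": "E", "Type": "Removable", "Label": "USB", "Serial": "0xDEADBEEF"},
]

# Constructed sample: serials pulled from other artifacts by their own parsers.
SAMPLE_ARTIFACTS = [
    {"source": "lnk", "path": "report.docx.lnk", "serial": "1234-5678"},
    {"source": "prefetch", "path": "NOTEPAD.EXE-ABCDEF12.pf", "serial": "0xdeadbeef"},
    {"source": "lnk", "path": "old_backup.lnk", "serial": "0xCAFEBABE"},
]


def sample_correlation():
    return correlate(SAMPLE_VOLUMES, SAMPLE_ARTIFACTS)


if __name__ == "__main__":
    matched, unmatched = sample_correlation()
    for m in matched:
        print(f"{m['source']:9} {m['path']:28} -> {m['Letter']}: ({m['Type']})")
    for u in unmatched:
        print(f"{u['source']:9} {u['path']:28} -> serial {u['serial']} not currently attached")
```

The unmatched "0xCAFEBABE" hit is the interesting output: the artifact proves a drive with that serial was once present, while its absence from the current volume list is the cue to pivot to USB device history rather than to discard the lead.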
