Volumes Information

Overview

Evidence: Volumes Information Description: Collect information about volumes Category: DiskFilesystem Platform: windows Short Name: voli Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Windows organizes storage into logical volumes (drive letters). Each volume has properties including file system type, capacity, free space, volume label, and serial number.

Volume serial numbers are particularly important for forensic analysis as they appear in various artifacts (prefetch, LNK files, shellbags) and can be used to correlate evidence from removable drives.

Data Collected

This collector gathers structured data about volumes information.

Volumes Information Data

Field

Description

Example

Letter

Drive letter

Type

Volume type

Fixed

Label

Volume label

System

FileSystem

File system type

NTFS

FSFlags

File system flags

0x700FF

TotalSize

Total volume size in bytes

500000000000

FreeSpace

Available free space in bytes

250000000000

Serial

Volume serial number

0x12345678

Collection Method

This collector:

Enumerates all logical drives using GetLogicalDrives
For each drive letter (A-Z):
- Gets drive type via GetDriveType
- Retrieves volume information if mounted
- Records volume properties even if not mounted

Volume types: Fixed, Removable, Remote, CDRom, RamDisk, NotMounted, Unknown.

Forensic Value

Volume information is essential for understanding storage configuration and correlating artifacts. Investigators use this data to identify all storage devices, track volume serial numbers for correlation, detect encrypted or unmounted volumes, understand disk capacity and usage, correlate with USB device history, and identify network or removable drives.

PreviousVMware Logs NextWBEM

Last updated 3 days ago

Was this helpful?