DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

Mapping VolumeID from NTFSInfo and USNInfo report with drive letter #51

Closed nahotjan closed 2 years ago

nahotjan commented 2 years ago

Hello,

Both reports from NTFSInfo and USNInfo are using a VolumeID to identify the disk, which is not easily mapped to a drive letter. Having this information (drive letter for a VolumeID) displayed either in the volstats.csv file from NTFSInfo or in the DFIR_ORC JSON report could make sense.

Currently the information is visible in the log files but not well formatted. This can help during automated ingestion of Orc results for hosts having multiple drives.

fabienfl-orc commented 2 years ago

Hello, this information should be available in the upcoming version from the volstats.csv file. Thank you

nahotjan commented 2 years ago

Good to know 👍 Thank you