Get-ForensicVolumeInformation
SYNOPSIS
Gets information about the specified volume.
SYNTAX
ByVolume
Get-ForensicVolumeInformation [[-VolumeName] <String>]
ByPath
Get-ForensicVolumeInformation -Path <String>
DESCRIPTION
The Get-ForensicVolumeInformation cmdlet parses the $Volume file's $VOLUME_INFORMATION attribute to return the metadata about the specified volume.
By default, the cmdlet parses the $Volume file on the C:\ drive. To specify an alternate target drive, use the -VolumeName parameter. To specify an exported $Volume file, use the -Path parameter.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
EXAMPLES
Example 1
[ADMIN]: PS C:\> Get-ForensicVolumeInformation
Name : VOLUME_INFORMATION
Version : 3.1
Flags : 0
This command gets the metadata about the C:\ logical volume.
Example 2
[ADMIN]: PS C:\> Get-ForensicVolumeInformation -Path 'C:\evidence\$Volume'
This command gets metadata about an exported volume file, C:\evidence\$Volume.
PARAMETERS
-Path
Path to file to be parsed.
Type: String
Parameter Sets: ByPath
Aliases: FullName
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-VolumeName
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \.\C:, C:, or C.
Type: String
Parameter Sets: ByVolume
Aliases:
Required: False
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False