# Investigating storage, disks, and volumes

### Disk <a href="#investigatingstorage-disksandvolumes-disk" id="investigatingstorage-disksandvolumes-disk"></a>

The term disk refers to the physical storage device of a computer. However, it can also represent a logical storage device that spans one or more physical disks. For example, a Redundant Array of Independent Disks (RAID) configuration combines multiple physical disks to form a single logical disk, providing increased performance, redundancy, or both.

**Windows**

In the **Disk Management** application, the system calls physical drives **disks** and labels them as `Disk 0`, `Disk 1`, ... Under **This PC**, the system assigns these storage devices drive letters (`C:`, `D:`, ...).

These devices can vary in type, including local disks, USB drives or virtual disks.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-640afe4e544bc38d2b79da9a12d032008a6e04f8%2Fscreenshot-2023-03-30-at-14-07-24.png?alt=media" alt="" width="544"><figcaption></figcaption></figure>

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-f8504b282debf81baa5f7db93c0b65a4e37bccfd%2Fscreenshot-2023-03-30-at-14-08-45.png?alt=media" alt="" width="340"><figcaption></figcaption></figure>

**macOS**

In the **Disk Utility** application, the system calls physical drives **media** and they appear as top-level entries. The system classifies them as internal or external and labels them as `disk0`, `disk1`, ...

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-fef041e38bebd81f4de58043e71b3a3d493214aa%2Fnxcheseaux-20230419-171420-2x-20230419-151421.png?alt=media" alt="" width="544"><figcaption></figcaption></figure>

Using the `diskutil list` command, you can display all devices as `/dev/disk0`, `/dev/disk1`, ...

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-bfcda09acaea0c1ee6f9bbc78a29aaad9e992960%2Fscreenshot-2023-03-30-at-14-11-19.png?alt=media" alt=""><figcaption></figcaption></figure>

### Volume <a href="#investigatingstorage-disksandvolumes-volume" id="investigatingstorage-disksandvolumes-volume"></a>

Volume refers to a storage unit within a disk that organizes and manages data. It functions as a logical partition and can be formatted with a file system, allowing users to store and access files. Although a single disk can contain multiple volumes, each volume operates independently, providing additional flexibility and organization to the storage system.

**Windows**

In the **Disk Management** application, the system lists volumes under **Volume**.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-3cfffcc7a12b1fedb8956ac75ecc4b99b007c626%2Fnxcheseaux-20230419-170847-2x-20230419-150922.png?alt=media" alt=""><figcaption></figcaption></figure>

**macOS**

In the **Disk Utility** application, the system displays volumes under the media they belong to.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-1266062905c11f450121f7e5a98d5128b159deae%2Fnxcheseaux-20230419-171303-2x-20230419-151304.png?alt=media" alt="" width="544"><figcaption></figcaption></figure>

In macOS, the `diskutil list` command shows volumes beneath their respective disk drives, with identifiers like `/dev/disk0s1`, `/dev/disk0s2`, ...

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-bfcda09acaea0c1ee6f9bbc78a29aaad9e992960%2Fscreenshot-2023-03-30-at-14-11-19.png?alt=media" alt=""><figcaption></figcaption></figure>

### NQL examples <a href="#investigatingstorage-disksandvolumes-nqlexamples" id="investigatingstorage-disksandvolumes-nqlexamples"></a>

<details>

<summary>List the system drive (volume/partition) free space on devices.</summary>

{% code overflow="wrap" lineNumbers="true" %}

```
devices during past 7d
| include volumes 
| where system == true 
| compute system_drive_free_space = capacity.sum() * (1 - usage.sum()) 
| list device.name, system_drive_free_space
```

{% endcode %}

</details>

<details>

<summary>List the system drive usage on devices.</summary>

{% code overflow="wrap" lineNumbers="true" %}

```
devices during past 7d 
| include device_performance.events during past 7d 
| compute system_drive_used = event.system_drive_usage.avg() 
| list device.name, system_drive_used 
| sort system_drive_used desc
```

{% endcode %}

</details>

<details>

<summary>List devices with less than 5 GB available on the system drive.</summary>

{% code overflow="wrap" lineNumbers="true" %}

```
devices during past 7d
| include volumes 
| where system == true 
| compute system_drive_free_space = capacity.sum() * (1 - usage.sum()) 
| where system_drive_free_space < 5000000000 
| list device.name, system_drive_free_space
```

{% endcode %}

</details>

<details>

<summary>List a summary of the disks and volumes of devices.</summary>

{% code overflow="wrap" lineNumbers="true" %}

```
devices during past 7d 
| list device.name, disks, volumes 
```

{% endcode %}

</details>

<details>

<summary>List all disks from all devices with their size, bootable status and type (SSD or HDD).</summary>

{% code overflow="wrap" lineNumbers="true" %}

```
disks
| list device.name, name, is_bootable, capacity, type
```

{% endcode %}

</details>
