Thread: c:\$logfile & $mft & $bitmap

  #1
    phishphreek
    Join Date
    Jan 2002

    c:\$logfile & $mft & $bitmap

    I fired up filemon to see what was going on behind the scenes and I saw some interesting stuff... I tried to locate these files but can't find them. It will also not let me create them.

    The files found as depicted in the image I've attached are:


    I've never seen file names start with $. I know that some rootkits use this technique.. but they normally start with a _. Example: _hiddenfile.ext in a directory with _hiddendirectory

    These are in c:\

    Does anyone know what or why these files are being accessed, but I can't find them?
    They are running under system:4 privileges.

    I've been searching for a bit now, and can't find anything on it.

    I have up2date virus protection, a firewall, and regularly capture traffic just to make sure that I don't have stuff accessing the web that shouldn't. I haven't noticed anything weird lately... by that I mean, unexpected traffic, connections or logs going off. I have also run trojan cleaners and adware cleaners.

    <edit> My OS is XPpro with SP1 and all available updates and service patches </edit>

    Ok, I tried to see if it was happening on a 2k box. It is not. I have nothing in the filemon logs for win2k referencing those... and I don't have another XPpro box on hand to check out.

  #2
    The Iceman Cometh
    Join Date
    Aug 2001
    The files in question are meta-data files relating to the NTFS file system. If I remember right there are more as well ($MFTMirr, $Volume, $AttrDef, $Boot, $BadClus, $Quota and $UpCase).

    Actually, I just found a link I had with some information. Here is some information about them:
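
    An added example to go with the reply above (my code, not something either poster wrote): it maps the reserved MFT record numbers to the metadata file names mentioned in this thread, checks whether a path logged by filemon (like c:\$logfile) is one of those root-level system files rather than an ordinary file, and parses an NTFS boot sector to work out where $MFT physically sits on the volume. The boot sector bytes are constructed here so the script runs offline; the record-number table and the boot sector layout are taken from the public NTFS on-disk format, and the record-offset helper assumes the first MFT extent is contiguous, which is the normal case for the low-numbered records.

```python
import struct

# Reserved NTFS metadata files by MFT record number (records 0-15 are reserved;
# these are the documented names). Record 9 is $Secure on NTFS 3.x and $Quota
# on older NTFS 1.2 volumes.
NTFS_METADATA_FILES = {
    0: "$MFT",
    1: "$MFTMirr",
    2: "$LogFile",
    3: "$Volume",
    4: "$AttrDef",
    5: ".",          # root directory index
    6: "$Bitmap",
    7: "$Boot",
    8: "$BadClus",
    9: "$Secure",
    10: "$UpCase",
    11: "$Extend",
}


def metadata_name_for_record(record_number):
    """Return the metadata file name for a reserved MFT record, or None."""
    return NTFS_METADATA_FILES.get(record_number)


def is_ntfs_metadata_path(path):
    """True if path names a reserved NTFS metadata file directly under the volume root.

    NTFS names are case-insensitive, so c:\\$logfile and C:\\$LogFile both match.
    A $-prefixed name in a subdirectory is NOT a system file and is left for
    further investigation.
    """
    p = path.replace("/", "\\")
    if len(p) >= 2 and p[1] == ":":   # drop a drive letter such as "c:"
        p = p[2:]
    p = p.lstrip("\\")
    if "\\" in p:                      # not directly under the root
        return False
    names = {n.lower() for n in NTFS_METADATA_FILES.values() if n != "."}
    return p.lower() in names


def parse_ntfs_boot_sector(sector):
    """Parse the BPB of an NTFS boot sector and locate $MFT and $MFTMirr."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    clusters_per_record = struct.unpack_from("<b", sector, 0x40)[0]
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value n means the record size is 2**(-n) bytes, not n clusters.
    if clusters_per_record < 0:
        record_size = 1 << (-clusters_per_record)
    else:
        record_size = clusters_per_record * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "record_size": record_size,
        "mft_offset": mft_lcn * cluster_size,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
    }


def mft_record_offset(info, record_number):
    """Byte offset of an MFT record, assuming the first MFT extent is contiguous."""
    return info["mft_offset"] + record_number * info["record_size"]


def build_sample_boot_sector():
    """Constructed NTFS boot sector (not from a real disk) with typical values."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"                       # jump instruction
    sec[3:11] = b"NTFS    "                          # OEM ID
    struct.pack_into("<HB", sec, 0x0B, 512, 8)       # 512 B/sector, 8 sectors/cluster
    sec[0x15] = 0xF8                                 # media descriptor (fixed disk)
    struct.pack_into("<HH", sec, 0x18, 63, 255)      # sectors per track, heads
    struct.pack_into("<I", sec, 0x1C, 2048)          # hidden sectors
    struct.pack_into("<I", sec, 0x24, 0x80008000)    # NTFS signature field
    struct.pack_into("<QQQ", sec, 0x28, 20971519, 786432, 2)  # total sectors, $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", sec, 0x40, -10)           # file record size = 2**10 = 1024 bytes
    struct.pack_into("<b", sec, 0x44, 1)             # index buffer = 1 cluster
    struct.pack_into("<Q", sec, 0x48, 0x1234567890ABCDEF)  # volume serial (constructed)
    sec[510:512] = b"\x55\xAA"                       # boot signature
    return bytes(sec)


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample_boot_sector())
    print("cluster size %d, record size %d, $MFT at byte offset %d"
          % (info["cluster_size"], info["record_size"], info["mft_offset"]))
    for logged in (r"c:\$logfile", r"c:\$mft", r"c:\$bitmap", r"c:\_hiddenfile.ext"):
        print("%-22s NTFS metadata file: %s" % (logged, is_ntfs_metadata_path(logged)))
    print("record 2 is %s at offset %d" % (metadata_name_for_record(2), mft_record_offset(info, 2)))
```

    Running it on the constructed boot sector reports a 4096-byte cluster, 1024-byte file records and $MFT at byte offset 3221225472; the three paths from the first post come back as metadata files, the _hiddenfile.ext style name does not. On a real box the same parser can be fed the first 512 bytes read from \\.\C: (administrator rights needed) to confirm the volume geometry before any forensic MFT reading.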


  #3
    phishphreek
    Join Date
    Jan 2002
    Sweet! Thanks. I couldn't find anything on it.

    I wonder why my 2kpro box doesn't have that showing.. it's NTFS...

    oh well... off to do some reading!

    Thanx again. I had never seen that before.

