large MFT change

Discussion in 'other software & services' started by Rainwalker, Feb 12, 2007.

Thread Status:
Not open for further replies.
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    My MFT sector has appeared to be about the same size for some time....i would expect this to be the case. ..the other day i turned on the box and saw that it was very very small......maybe 12 clusters, there abouts.....today it appears to be about the size i would expect it to be....what might cause the seemingly shrinking ?....i understand the MFT allotment is not supposed to "shrink".
     
  2. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Nobody has any ideas o_O I was wondering if it would be possible for a Trojan to steal this info...thus explaining the few clusters...i have very good Trojan protection running in real time.
     
  3. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    http://www.ntfs.com/ntfs-mft.htm

    changes with what your storing\employing

    sometimes it's the index to the data,
    sometimes its the data itself

     
  4. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    OK .....thanks for responding ......but the allocated MFT space has always been the same...until, as i wrote, it suddenly "shrunk" to a very small size for a few days before returning to "normal".....i have not done anything that would account for that.........so i was wondering if a Trojan might grab the MFT .......what do you think and what other ideas might someone have ?
    I lot of people have looked at this thread o_O
     
  5. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    its a little hard to say what might have accounted for the shrinkage, not all the displayed MFT is normally employed. Most of it is "reserved" based on what the filesystem thinks is going to happen, based on what has previously happened. Maybe the day it "shrunk" you saw its actual shape and size inbetween its next "reserve" move.

    I wouldnt think a Tojan \ Keylogger would mess with an MFT, first they want to go undetected, second if malware is gleaning the filesystem its more probable to look at virtual memory (pagefile) than the MFT for CC numbers, passwords, logons ect.

    As mentioned the Master File Table is dynamic and your observation wouldnt raise much concern IMO. ;)
     
  6. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    OK...Thanks Ice_Czar :)
     
Loading...
Thread Status:
Not open for further replies.