Forensics: What is the $BadClus?

What is the $BadClus?

The $BadClus is one of the 16 key NTFS metadata files. Its role is to track sectors that a damaged/unable to be used on the drive. The Bad Clus  has a MFT record number of 8 and, in the MFT, it comes just below $BitMap and $Boot.

The file $BadClus, as the name implied, is to store a reference of the bad clusters on the hard drive.  Its the same concept as the $BitMap, which stores a list of available and not available sectors across the parition. However the $BadClus keeps track of sectors which is believes are bad/faulty and should not be written to.  If data exists on a sector it will remain there even if the $BadClus marks the sector as bad. Remeber it does not mean that the sector is bad, only that the NTFS file system thinks it is.

If a drive is formatted “Quickly” the $BadClus, will be empty as it does not know what is and is not a bad cluster. If a drive is formatted via the longer method then every cluster will be checked and the $BadClus will be fully updated.