Forensics: What is the $BitMap?

The $BitMap is a special file within the NTFS file system. This file keeps track of all of the used and unused clusters on an NTFS volume.  When a file takes up space on the NTFS volume the location is uses is marked out in the $BitMap.

The method of keeping track of cluster allocation is relevatively simple.  Each bit in the Bitmap represents 1 cluster, if that bit is “1” then the cluster is in use. For example if a byte in the BitMap is “F”, this means that 4 clusters are in use as F (hex)  = 1111 in binary.

Therefore if two bytes of the $BitMap are “FF”  this means that the 8 clusters are in use, as FF  = 11111111.

When a file is deleted the cluster becomes unallocated or unused (allowing new data to overwrite it) and the bits go back to zero.  If 8 consqecutive clusters were in use by files, FF, and then one file was deleted taking which took up just 1 cluster from those 8, the  $BitMap entry would change from FF to 7F, as 7F = 1111111. The screen shot below shows the $BitMap (through EnCase) after the drive has been freshly formatted. While there are no user created files, the $BitMap still has clusters allocated because the of the NTFS system files on the partition. The hex values being shown are: FF FF FF FF FF FF FF FF 07 00 00 00 00 00 , this means that 67 clusters are in use.

BitMap on NTFS Volume just formatted

The screen shot below shows the same volume after a single file has been copied onto the drive. This file was 1,091,631 bytes in size. The hex values being shown in the BitMap are now : FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00.

This is 334 clusters

Bitmap from an NTFS volume with a single 1 MB file added Bitmap from an NTFS volume with a single 1 MB file added

This maths can be verified as 1,091,631 will take up 267 clusters (including slack). 67 (clusters in use on the freshly formatted drive, in this example)+267 (file size added) = 334 (total clusters in use)

Note:  There is one $BitMap per NTFS volume (not per disk). The $BitMap is the 7th entry (MFT record number  6) in the MFT.

Advertisements

3 Responses to “Forensics: What is the $BitMap?”

  1. Forensics: NTFS Deleted Entry « Data – Where is it? Says:

    […] Forensics: NTFS Deleted Entry Posted on April 28, 2009 by 585 When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that file. The clusters that were allocated to the fille are now marked as free, within the $BitMap […]

  2. Stu Says:

    Since the number of clusters is known at the time the filesystem is created it would make sense that windows would create the $BitMap image as one contiguous data run, is that known to always be the case or is it possible (maybe by changing the volume size) that the $BitMap might be fragmented?

  3. Bitmap File System What | Bolakovic1 Says:

    […] Forensics: What is the $BitMap? | Where is Your Data? – Jun 01, 2009  · The $BitMap is a special file within the NTFS file system. This file keeps track of all of the used and unused clusters on an NTFS volume. When a file … […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: