The method of keeping track of cluster allocation is relevatively simple. Each bit in the Bitmap represents 1 cluster, if that bit is “1” then the cluster is in use. For example if a byte in the BitMap is “F”, this means that 4 clusters are in use as F (hex) = 1111 in binary.
Therefore if two bytes of the $BitMap are “FF” this means that the 8 clusters are in use, as FF = 11111111.
When a file is deleted the cluster becomes unallocated or unused (allowing new data to overwrite it) and the bits go back to zero. If 8 consqecutive clusters were in use by files, FF, and then one file was deleted taking which took up just 1 cluster from those 8, the $BitMap entry would change from FF to 7F, as 7F = 1111111. The screen shot below shows the $BitMap (through EnCase) after the drive has been freshly formatted. While there are no user created files, the $BitMap still has clusters allocated because the of the NTFS system files on the partition. The hex values being shown are: FF FF FF FF FF FF FF FF 07 00 00 00 00 00 , this means that 67 clusters are in use.
The screen shot below shows the same volume after a single file has been copied onto the drive. This file was 1,091,631 bytes in size. The hex values being shown in the BitMap are now : FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00.
This is 334 clusters
Bitmap from an NTFS volume with a single 1 MB file addedThis maths can be verified as 1,091,631 will take up 267 clusters (including slack). 67 (clusters in use on the freshly formatted drive, in this example)+267 (file size added) = 334 (total clusters in use)
Note: There is one $BitMap per NTFS volume (not per disk). The $BitMap is the 7th entry (MFT record number 6) in the MFT.
Where is Your Data? 
June 1, 2009 at 1:38 pm
[…] Forensics: NTFS Deleted Entry Posted on April 28, 2009 by 585 When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that file. The clusters that were allocated to the fille are now marked as free, within the $BitMap […]
September 21, 2015 at 9:16 pm
Since the number of clusters is known at the time the filesystem is created it would make sense that windows would create the $BitMap image as one contiguous data run, is that known to always be the case or is it possible (maybe by changing the volume size) that the $BitMap might be fragmented?
July 17, 2016 at 6:44 pm
[…] Forensics: What is the $BitMap? | Where is Your Data? – Jun 01, 2009 · The $BitMap is a special file within the NTFS file system. This file keeps track of all of the used and unused clusters on an NTFS volume. When a file … […]