The NTFS $Bitmap file

By | September 28, 2016
The $Bitmap file is a collection of ones and zeros

The $Bitmap file is a collection of ones and zeros

The NTFS file system uses the $Bitmap file to track vacant vs. in use clusters. As a cluster is either in use or not, it is represented by a zero or a one. A single bit per cluster is enough to store this information. It is literally nothing more than a collection of ones and zeros or a ‘bit array’. Although invisible to the end user, NTFS treats the $Bitmap as ‘just another’ file.

What the $Bitmap is about.

Although the $Bitmap is primarily meant for internal use by the Windows file system driver, it is also very useful for utility software.

The $Bitmap and Undelete Software

File undelete software can use the file to determine if clusters that were allocated to a deleted file are free or in use. If they are free then there is a good chance that a deleted file can be recovered intact. Since at this point in time, the clusters are not allocated to another file.

The Status column displays the percentage of clusters that are not currently in use

The Status column displays the percentage of clusters that are not currently in use, so not claimed by any other file.

If one or more clusters are flagged as ‘in use’, then the recovered file will probably be corrupt as it contains some data from another file. Theoretically it is of course possible that the clusters allocated to our deleted file were overwritten by a file that itself was then also deleted. As a result the clusters will be flagged ‘free’ and yet the recovered file will be corrupt. The clusters will contain data from the second deleted file. So the method is not waterproof.

The $Bitmap and defragmentation Software

Defrag and disk optimization software also relies on the $Bitmap. The $Bitmap is a convenient source to draw a disk cluster map. A cluster map is used to display versus in use clusters. But more importantly, it helps the software to find a block of unused clusters large enough to contain the (fragmented) file to be moved in to.

Defrag software uses the $BitMap to paint a disk map

DiskTuna – darkgreen: free clusters vs lighter green in use clusters

For each file the defrag software needs to move, the $Bitmap is examined. A set of APIs that is referred to as the ‘Windows Defrag API’ offers a  ‘call’ to get the $Bitmap (FSCTL_GET_VOLUME_BITMAP). The software now processes the Bitmap to determine where the file can be moved to in one ‘chunk’. It is possible that the situation on the disk has already changed when the software actually tries to move the file. In this case the move fails. The software then either skips to the next block of contiguous free clusters, or it gets the updated $Bitmap.

The Bitmap itself is treated by NTFS as just a file, although be it a meta file. Meta files are preceded by the ‘$’ character are normally not visible to the user.

2 thoughts on “The NTFS $Bitmap file

  1. Jared Palmer

    Hey DiskTuna, I think we’ve chatted on some other data recovery forums.

    I’m just curious, have you ever done any work to deconstruct how the windows $Bitmap actually keeps track of full/empty clusters? I know when it’s at 00 the cluster block is empty and at FF it’s full, but I’ve never quite figured out what it means when it’s another value like 7F or F0. Is it strictly using the binary 1 for full and 0 for empty? The size of the $Bitmap file leads me to believe that one byte is used to track 8 clusters.

    I was thinking of making a python scripted tool for analyzing these files when looking for things like lost encrypted disk images that may be found only from analyzing the empty space.

    Reply
    1. Joep Post author

      Hi Jared aka Mr Data Medics,

      So far I have only used the API call for use with my defragger and undeleter. Yes one bit per cluster, so my understanding is that 7F would translate to one free and 7 in use clusters. Weird how deep that sinks over time and when you simply use the same code over and over.

      I guess when you’d look at the actual on disk data it’s a sparse file. And again, too long ago that I actually wrote code to ‘decode’ a sparse file ..

      Using (FSCTL_GET_VOLUME_BITMAP) would be easiest I guess.

      Totally unfamiliar with python myself .. Guess it can be done: https://www.python-forum.de/viewtopic.php?t=15080&start=15 ???

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *