NTFS $Bitmap -Clust...
 
Notifications
Clear all

NTFS $Bitmap -Clusters in use calculation

3 Posts
3 Users
0 Likes
1,599 Views
(@swastibhushan)
Posts: 8
Active Member
Topic starter
 

Ihave an NTFS $Bitmap as follows
8F 07 B0 00 00 00 00 00

How do we calculate which clusters are in use?What is the logic behind such calcuation?Any detailed answers are most welcome

 
Posted : 10/07/2019 2:28 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Maybe you could give some context, what you posted does not seem (part of ) a $BitMap (file) nor a $BitMap (attribute). ?

Anyway
http//sabercomlogica.com/en/ebook/ntfs-resident-and-no-named-attributes/
http//sabercomlogica.com/en/ebook/ntfs-non-resident-and-no-named-attributes/

jaclaz

 
Posted : 10/07/2019 3:37 pm
jvw-dfsee
(@jvw-dfsee)
Posts: 1
New Member
 

As jaclaz said, your question does not make much sense with the info provided.

$BitMap can either refer to the systemfile by that name, in which case there is an entire (1 Kib) MFT record for it at MFT record index 6, which usually will be an unfragmented file, so has a single extent runlist (8 bytes).

Or it can refer to an attribute in an MFT record (like for the $MFT itself) in which case it is usually an NONRESIDENT attribute with a smallish runlist, the attribute typically taking up 48 bytes in the MFT record.

You supply 8 bytes out of context, which can not be a runlist for some ($BitMap attribute) allocation since the startbyte is inconsistent with that (sum of the first two nibbles must be 6 or less for an 8 byte runlist)

So please supply some more context …

 
Posted : 10/07/2019 5:07 pm
Share: