NTFS Data Structures ($AttrDef File, $Bitmap File)

$AttrDef File

The $AttrDef file system metadata file is MFT entry number 4 and defines the file system attribute names and identifiers. The $DATA attribute for this file contains a list of entries, each of which has the fields shown in the following table.

Data structure for the $AttrDef entries

Byte Range    Description          Essential
0-127         Name of attribute    Yes
128-131       Type identifier      Yes
132-135       Display rule         No
136-139       Collation rule       No
140-143       Flags                Yes
144-151       Minimum size         No
152-159       Maximum size         No

If the attribute does not have any size limits, the minimum size will be 0, and the maximum size will be 0xffffffffffffffff. The flag field can have the values shown in the following table.

Flag values for the $AttrDef entry flag field

Value    Description
0x02     Attribute can be used in an index
0x04     Attribute is always resident
0x08     Attribute can be non-resident


$Bitmap File

The $Bitmap file, which is located in MFT entry 6, has a $DATA attribute that is used to manage the allocation status of clusters. The bitmap data are organized into 1-byte values. Within each byte, the bits are read from least significant to most significant, and the least significant bit of each byte corresponds to the cluster that follows the one represented by the most significant bit of the previous byte.

For example, consider two bytes with the binary values 00000001 and 00000011. The first byte has a 1 in the least significant bit, which corresponds to cluster 0. The next seven bits in the byte (going backwards from right to left) are all 0, so we know that clusters 1 to 7 are not allocated. The second byte has the two least significant bits set to 1, which corresponds to clusters 8 and 9. As you can see, you read this by looking at the least significant bit, moving backwards from right to left, and then going to the next byte to the right.

To determine the allocation status of a given cluster, we need to determine in which byte of the bitmap it is located. This is done by dividing the cluster address by 8 and ignoring the remainder. For example, cluster 5 would be in byte 0 of the bitmap, and cluster 18 would be in byte 2 of the bitmap. To find the bit in the byte that corresponds to the cluster, we examine the remainder. For example, when we divided 5 by 8, we had a remainder of 5, and when we divided 18 by 8 we had a remainder of 2.
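The two structures described on this page, as an added Python example (not code from the original page): it parses $AttrDef entries using the byte ranges in the table and looks up a cluster in $Bitmap with the divide-by-8 rule. Assumptions not stated on the page: integers are little-endian, names are NUL-padded UTF-16LE, and a zero type identifier ends the list; the function names and sample entries are constructed for illustration.

```python
import struct

# Entry layout from the table above: 128-byte name, four 4-byte fields
# (type id, display rule, collation rule, flags), two 8-byte sizes.
# Assumptions: integers are little-endian, the name is NUL-padded UTF-16LE.
ATTRDEF_ENTRY = struct.Struct("<128sIIIIQQ")  # 160 bytes per entry
FLAGS = {0x02: "indexable", 0x04: "always resident", 0x08: "can be non-resident"}
NO_LIMIT = 0xFFFFFFFFFFFFFFFF

def parse_attrdef(data):
    """Parse $AttrDef $DATA content into a list of dicts, one per entry."""
    entries = []
    for off in range(0, len(data) - ATTRDEF_ENTRY.size + 1, ATTRDEF_ENTRY.size):
        raw, type_id, _disp, _coll, flags, lo, hi = ATTRDEF_ENTRY.unpack_from(data, off)
        if type_id == 0:  # assumption: zero-filled padding ends the list
            break
        name = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        entries.append({
            "name": name,
            "type_id": type_id,
            "flags": [label for bit, label in FLAGS.items() if flags & bit],
            "min_size": lo,
            "max_size": None if hi == NO_LIMIT else hi,  # None = no size limit
        })
    return entries

def cluster_allocated(bitmap, cluster):
    """Return True if the cluster's bit is set in the $Bitmap $DATA content."""
    byte_index, bit_index = divmod(cluster, 8)  # quotient = byte, remainder = bit
    if cluster < 0 or byte_index >= len(bitmap):
        raise IndexError(f"cluster {cluster} is outside the bitmap")
    return bool((bitmap[byte_index] >> bit_index) & 1)  # bit 0 = least significant

def allocated_clusters(bitmap):
    """List every allocated cluster address covered by the bitmap."""
    return [c for c in range(len(bitmap) * 8) if cluster_allocated(bitmap, c)]

def _entry(name, type_id, flags, lo, hi):
    """Build one constructed 160-byte entry for the sample below."""
    return ATTRDEF_ENTRY.pack(name.encode("utf-16-le"), type_id, 0, 0, flags, lo, hi)

# Constructed sample input (not from a real volume): two entries plus padding.
SAMPLE_ATTRDEF = (_entry("$EXAMPLE_A", 0x10, 0x04, 48, 72)
                  + _entry("$EXAMPLE_B", 0x80, 0x02 | 0x08, 0, NO_LIMIT)
                  + bytes(ATTRDEF_ENTRY.size))
SAMPLE_BITMAP = bytes([0b00000001, 0b00000011])  # the two bytes from the text

if __name__ == "__main__":
    print(parse_attrdef(SAMPLE_ATTRDEF), allocated_clusters(SAMPLE_BITMAP))
```

The bounds check in `cluster_allocated` matters when a bitmap extracted from an image is truncated: a lookup past its end raises an error instead of reporting the cluster as free.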