#3
15/07/2008, 00:59
wyxchari
Structure of $BadClus in NTFS

Let's analyze it. Many entries seem to have no use.
If you ever got to understand FAT and found it tedious, NTFS will make you downright dizzy. XDDD

MFT Record header:
00000000 46 49 4C 45 30 00 03 00 6A 10 20 00 00 00 00 00 FILE0...j. .....
00000010 08 00 01 00 38 00 01 00 80 01 00 00 00 04 00 00 ....8...€.......
00000020 00 00 00 00 00 00 00 00 05 00 00 00 08 00 00 00 ................
00000030 02 00 00 00 00 00 00 00
0x00-0x03: Magic Number: "FILE": 46 49 4C 45 <=================
This tells us it is an MFT entry.
0x04-0x05: Offset to the update sequence: 30 00
0x06-0x07: Number of entries in fixup array: 03 00
0x08-0x0f: $LogFile Sequence Number (LSN): 6A 10 20 00 00 00 00 00
0x10-0x11: Sequence number: 08 00
0x12-0x13: Hard link count: 01 00
0x14-0x15: Offset to first attribute: 38 00 <========================
This one matters to us because it indicates where the MFT record header ends and the attributes begin.
0x16-0x17: Flags: 0x01: record in use, 0x02 directory: 01 00
0x18-0x1b: Used size of MFT entry: 80 01 00 00 <====================
Indicates where the MFT record ends, 180h.
0x1c-0x1f: Allocated size of MFT entry: 00 04 00 00 <==================
Indicates the space on disk the MFT record uses. 400h, 1 KB or 2 sectors.
0x20-0x27: File reference to the base FILE record: 00 00 00 00 00 00 00 00
0x28-0x29: Next attribute ID: 05 00
0x2a-0x2b: (XP) Align to 4B boundary: 00 00
0x2c-0x2f: (XP) Number of this MFT record: 08 00 00 00 <================
This tells us it is a reserved MFT record, the BadClus.
0x30-0x100: Attributes and fixup value: 02 00 00 00 00 00 00 00

Resident attribute header, STANDARD:
00000030 XX XX XX XX XX XX XX XX 10 00 00 00 60 00 00 00 ............`...
00000040 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 ........H.......
0x00 Attribute Type Identifier: 10 00 00 00
The 10 indicates it is the STANDARD attribute.
0x04 Length of Attribute: 60 00 00 00 <===========
Indicates the length of this attribute and where the next one begins.
0x08 non-resident flag: 00 <=============
Indicates that the information is stored inside the MFT and not in external clusters. Files smaller than 900 bytes are stored here.
If it is 01, it indicates it is not resident and other clusters are used to store the information.
0x09 length of name: 00
0x0a offset to name: 18 00 <============
Indicates the start of the attribute's data.
0x0c flags: 00 00
0x0e Attribute Identifier: 00 00
0x10 Size of content: 48 00 00 00
0x14 Offset to content: 18 00
0x16 Indexed flag: 00
0x17 Padding: 00

STANDARD attribute:
00000050 20 04 0F 95 42 E6 C8 01 20 04 0F 95 42 E6 C8 01 ..•BæÈ. ..•BæÈ.
00000060 20 04 0F 95 42 E6 C8 01 20 04 0F 95 42 E6 C8 01 ..•BæÈ. ..•BæÈ.
00000070 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00
0x00 File Creation Time: 20 04 0F 95 42 E6 C8 01
0x08 File Alteration Time: 20 04 0F 95 42 E6 C8 01
0x10 MFT Change: 20 04 0F 95 42 E6 C8 01
0x18 File Read Time: 20 04 0F 95 42 E6 C8 01
0x20 DOS File Permissions: 06 00 00 00
0x24 Maximum number of versions: 00 00 00 00
0x28 Version number: 00 00 00 00
0x2C Class ID: 00 00 00 00
0x30 Owner Id 2K: 00 00 00 00
0x34 Security Id 2K: 00 01 00 00
0x38 Quota Charged 2K: 00 00 00 00 00 00 00 00
0x40 Update Sequence Number (USN) 2K: 00 00 00 00 00 00 00 00
0x48

Resident attribute header, FILE_NAME:
00000090 XX XX XX XX XX XX XX XX 30 00 00 00 70 00 00 00 ........0...p...
000000A0 00 00 18 00 00 00 03 00 52 00 00 00 18 00 01 00 ........R.......
0x00 Attribute Type Identifier: 30 00 00 00
Indicates that the attribute is FILE_NAME.
0x04 Length of Attribute: 70 00 00 00 <============
Indicates the length and where the next attribute begins.
0x08 non-resident flag: 00
0x09 length of name: 00
0x0a offset to name: 18 00 <==========
Indicates where the data begins.
0x0c flags: 00 00
0x0e Attribute Identifier: 03 00
0x10 Size of content: 52 00 00 00
0x14 Offset to content: 18 00
0x16 Indexed flag: 01
0x17 Padding: 00

FILE_NAME attribute:
000000B0 05 00 00 00 00 00 05 00 20 04 0F 95 42 E6 C8 01 ........ ..•BæÈ.
000000C0 20 04 0F 95 42 E6 C8 01 20 04 0F 95 42 E6 C8 01 ..•BæÈ. ..•BæÈ.
000000D0 20 04 0F 95 42 E6 C8 01 00 00 00 00 00 00 00 00 ..•BæÈ.........
000000E0 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 ................
000000F0 08 03 24 00 42 00 61 00 64 00 43 00 6C 00 75 00 ..$.B.a.d.C.l.u.
00000100 73 00 00 00 00 00 00 00 XX XX XX XX XX XX XX XX s.......€.......
0x00 File reference to parent directory: 05 00 00 00 00 00 05 00
0x08 File creation time: 20 04 0F 95 42 E6 C8 01
0x10 File modification time: 20 04 0F 95 42 E6 C8 01
0x18 MFT modification time: 20 04 0F 95 42 E6 C8 01
0x20 File access time: 20 04 0F 95 42 E6 C8 01
0x28 Allocated size of file: 00 00 00 00 00 00 00 00
0x30 Real size of file: 00 00 00 00 00 00 00 00
0x38 Flags: 06 00 00 00
0x3c Used by EAs and Reparse: 00 00 00 00
0x40 Filename length in unicode characters: 08
0x41 Filename namespace: 03
0x42 File name in unicode: 24 00 42 00 61 00 64 00 43 00 6C 00 75 00 73 00 00 00 00 00 00 00

Resident attribute header, 1st DATA:
00000100 XX XX XX XX XX XX XX XX 80 00 00 00 18 00 00 00 s.......€.......
00000110 00 00 18 00 00 00 02 00 00 00 00 00 18 00 00 00 ................
0x00 Attribute Type Identifier: 80 00 00 00
Indicates that the attribute is DATA.
0x04 Length of Attribute: 18 00 00 00 <============
Indicates the length and where the next attribute begins.
0x08 non-resident flag: 00
0x09 length of name: 00
0x0a offset to name: 18 00 <==========
Indicates where the data begins.
0x0c flags: 00 00
0x0e Attribute Identifier: 02 00
0x10 Size of content: 00 00 00 00
0x14 Offset to content: 18 00
0x16 Indexed flag: 00
0x17 Padding: 00

DATA contents: empty

Non-resident attribute header, 2nd DATA:
00000120 80 00 00 00 58 00 00 00 01 04 40 00 00 00 01 00 €...X.....@.....
00000130 00 00 00 00 00 00 00 00 FE D4 03 00 00 00 00 00 ........þÔ......
00000140 48 00 00 00 00 00 00 00 00 F0 4F 3D 00 00 00 00 H........ðO=....
00000150 00 F0 4F 3D 00 00 00 00 00 00 00 00 00 00 00 00 .ðO=............
0x00 Attribute Type Identifier: 80 00 00 00
Indicates that the attribute is DATA.
0x04 Length of Attribute: 58 00 00 00 <============
Indicates the length and where the next attribute begins.
0x08 non-resident flag: 01 <===================================
Indicates that the data will not be inside the MFT but in a file.
0x09 length of name: 04
0x0a offset to name: 40 00 <=============
Name of the file.
Indicates where the data begins.
0x0c flags: 00 00
0x0e Attribute Identifier: 01 00
0x10 Starting Virtual Cluster Number of the runlist: 00 00 00 00 00 00 00 00
0x18 Ending Virtual Cluster Number of the runlist: FE D4 03 00 00 00 00 00
0x20 Offset to the runlist: 48 00 <========
Runlist table.
0x22 Compression unit size: 00 00
0x24 Unused: 00 00 00 00
0x28 Allocated size of the attribute content: 00 F0 4F 3D 00 00 00 00
0x30 Actual size of attribute content: 00 F0 4F 3D 00 00 00 00
0x38 Initialized size of the attribute content: 00 00 00 00 00 00 00 00
0x40

2nd DATA contents:
00000160 24 00 42 00 61 00 64 00 02 9A 00 21 04 9A 00 03 $.B.a.d..š.!.š..
00000170 61 D4 03 00 00 00 00 00
Name: 24 00 42 00 61 00 64 00 $Bad
Runlist: 02 9A 00 21 04 9A 00 03 61 D4 03 00 00 00 00 00

Runlist structure:
Size of the Offset field
Size of the Length field
Length of the run
Offset to the starting LCN of the previous element

Decoding the runlist: there are 3 blocks over the whole volume:
Initial block: 02 9A 00:
02: 0 indicates the size of the offset (0 bytes). 2 indicates the size of the length (2 bytes).
009Ah (154) clusters from cluster 0 to cluster 009Ah (154).
Middle block: 21 04 9A 00:
21: 2 indicates the size of the offset (2 bytes). 1 indicates the size of the length (1 byte).
4 clusters from 009Ah (154) to 009Dh (158).
Final block: 03 61 D4 03:
03: 0 indicates the size of the offset (0 bytes). 3 indicates the size of the length (3 bytes).
03D461h clusters from cluster 009D (158) to the end of the volume, 03D4FEh.

00000170 XX XX XX XX XX XX XX XX FF FF FF FF XX XX XX XX aÔ......ÿÿÿÿ....
The FF FF FF FF mark the end of the BadClus entry.

Last edited by wyxchari; 15/07/2008 at 09:50
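As an added worked example (not code from the post), here is a Python decoder for the runlist bytes shown above. It goes a little beyond the post's case: it also handles the signed relative offsets and sparse runs the general runlist format allows, and checks the decoded run count against the Ending VCN (03D4FEh) from the attribute header, which is the consistency check a forensic analyst would run before trusting a runlist.

```python
# Added example: decodes an NTFS runlist (data runs) as described in the post.
# The runlist bytes are copied from the $BadClus $DATA attribute shown above,
# with the 0x00 terminator appended; the Ending VCN comes from its header.
BADCLUS_RUNLIST = bytes.fromhex("02 9A 00 21 04 9A 00 03 61 D4 03 00")
BADCLUS_ENDING_VCN = 0x03D4FE  # field 0x18 of the non-resident header


def decode_runlist(data):
    """Return a list of (vcn, length, lcn) runs; lcn is None for a sparse run."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(data):
        header = data[pos]
        pos += 1
        if header == 0:               # a 0x00 header byte ends the runlist
            break
        len_size = header & 0x0F      # low nibble: bytes in the Length field
        off_size = header >> 4        # high nibble: bytes in the Offset field
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError("malformed runlist at byte %d" % (pos - 1))
        length = int.from_bytes(data[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            # No Offset field: a sparse run with no clusters allocated on disk
            # (the $Bad stream spans the volume this way without occupying it).
            runs.append((vcn, length, None))
        else:
            # The Offset is a signed little-endian delta from the previous LCN.
            delta = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta
            runs.append((vcn, length, lcn))
        vcn += length
    return runs


def last_vcn(runs):
    """Highest VCN covered by the runs (total clusters minus one)."""
    return sum(length for _, length, _ in runs) - 1


def runlist_matches_header(data, ending_vcn):
    """The decoded run lengths must end exactly at the header's Ending VCN;
    a mismatch points at a corrupt or truncated runlist."""
    return last_vcn(decode_runlist(data)) == ending_vcn


if __name__ == "__main__":
    for vcn, length, lcn in decode_runlist(BADCLUS_RUNLIST):
        kind = "sparse" if lcn is None else "LCN %#x" % lcn
        print("VCN %#x: %d clusters, %s" % (vcn, length, kind))
    print("matches header:", runlist_matches_header(BADCLUS_RUNLIST, BADCLUS_ENDING_VCN))
```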