Which of the following metafiles used by the Windows NTFS file system is known to be utilized by hackers to hide data?


The metafile known to be used by hackers to hide data in the Windows NTFS file system is $BadClus. This metafile keeps track of the bad clusters on a volume, marking those areas as faulty or unusable. Attackers can abuse this feature by writing data to clusters that have been marked bad, which conceals that data from normal file system operations and from ordinary user scrutiny.

By hiding data in clusters marked bad, malicious actors can evade detection, because standard file recovery and scanning tools may skip these areas on the assumption that they are unusable. The tactic can also frustrate forensic analysis, since investigators often focus on the standard data allocation areas of the file system; an examiner who wants to rule it out must inspect the clusters allocated to $BadClus and confirm whether they actually contain readable content rather than genuinely unreadable sectors.

In contrast, the other metafiles serve different functions within the NTFS structure. $DATA holds the actual content of files, $MFT is the Master File Table that contains a record for every file and directory, and $Bitmap tracks which clusters on the volume are allocated and which are free. None of these inherently provides the same means of hiding data that $BadClus does.
