drop mft csv · detect files with NTFS compression applied anomalously · identify compressed executables and unusual compressed file populations · surface compression used to obscure file sizes and evade detection · runs locally
mft csv
drop mft csv (multi-file)
mftecmd export with FileAttributes · LogicalSize · PhysicalSize
parses FILE_ATTRIBUTE_COMPRESSED (0x800) · whitelists WinSxS/help paths
drop mft csv with FileAttributes column (multi-file)