drop mft csv · detect sparse files used to hide data or create dummy large files · identify sparse file patterns inconsistent with legitimate use · surface anti-forensic use of ntfs sparse file feature · runs locally
mft csv
drop mft csv (multi-file)
or click
FILE_ATTRIBUTE_SPARSE_FILE · logical vs allocated size · VHD/SQL whitelist
drop mft csv with file attributes (multi-file)