
analyzing-mft-for-deleted-file-recovery

Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.

46

Quality: 48% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed. No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-mft-for-deleted-file-recovery/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, highly specific description for a niche digital forensics skill. It excels at naming concrete actions, specific NTFS artifacts, and forensic tools, making it very distinctive. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about NTFS forensics, MFT analysis, recovering deleted files from NTFS volumes, or mentions $MFT, $LogFile, or $UsnJrnl.'

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: analyze MFT, recover metadata and content of deleted files, examine MFT record entries, $LogFile, $UsnJrnl, and MFT slack space. Also names specific tools: MFTECmd, analyzeMFT, and X-Ways Forensics. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered (analyze MFT, recover deleted file metadata/content using specific tools and artifacts). However, there is no explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric guidelines. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a forensics user would say: 'NTFS', 'Master File Table', '$MFT', 'deleted files', '$LogFile', '$UsnJrnl', 'MFT slack space', 'MFTECmd', 'analyzeMFT', 'X-Ways Forensics'. These are precisely the terms someone working in digital forensics would use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche: NTFS MFT forensic analysis with specific artifacts ($LogFile, $UsnJrnl) and named tools. This is unlikely to conflict with any other skill due to its very specialized domain. | 3 / 3 |
| Total | | 11 / 12 |

Passed

Implementation

14%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a forensics textbook chapter than an actionable skill for Claude. It is heavily padded with reference material Claude already knows (NTFS internals, attribute types), lacks a coherent end-to-end workflow with validation checkpoints, and dumps everything into a single monolithic file. The actionable content (tool commands, Python script) is decent but buried in verbose context.

Suggestions

Add a clear numbered end-to-end workflow (e.g., 1. Mount image → 2. Extract $MFT → 3. Parse with MFTECmd → 4. Validate output → 5. Correlate with USN/LogFile → 6. Report findings) with explicit validation checkpoints after each step.

Move the MFT record header table, attribute type table, and example output into separate reference files (e.g., MFT_REFERENCE.md, EXAMPLE_OUTPUT.md) and link to them from the main skill.

Remove explanatory content about what NTFS and MFT are — Claude knows this. Start directly with the extraction and analysis procedures.

Replace incomplete instructions like 'Extract $MFT from forensic image using KAPE or FTK Imager' with actual executable commands for at least one tool.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is excessively verbose. It explains NTFS fundamentals Claude already knows (what MFT is, what attributes are, byte-level record layouts), includes a lengthy 'When to Use' section with generic boilerplate, and the example output section alone is ~40 lines of fabricated tool output. The MFT record header table and key attributes table are reference material Claude doesn't need inline. | 1 / 3 |
| Actionability | The skill provides some concrete commands (MFTECmd, RBCmd, LogFileParser) and a working Python script for slack space analysis. However, several steps are incomplete — e.g., extracting $MFT from a forensic image is hand-waved ('Extract $MFT from forensic image using KAPE or FTK Imager'), and the volume shadow copy section gives no actual extraction commands. The filtering step in MFTECmd output relies on a GUI tool (Timeline Explorer) without command-line alternatives. | 2 / 3 |
| Workflow Clarity | There is no clear end-to-end workflow with sequenced steps and validation checkpoints. The techniques are presented as isolated sections without a coherent process flow. For a forensic recovery operation (which is destructive-adjacent and error-prone), there are no validation steps, no verification that extracted artifacts are intact, and no feedback loops for error recovery. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic wall of text with no bundle files to offload reference material. The MFT record layout tables, attribute type tables, and the massive example output block should be in separate reference files. There are no internal cross-references or navigation aids, and the References section links to external URLs rather than structured companion files. | 1 / 3 |
| Total | | 5 / 12 |

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 |

Passed

Repository: mukul975/Anthropic-Cybersecurity-Skills
Reviewed
