CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-mft-for-deleted-file-recovery

Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with real commands and code, but it is padded with duplicate reference tables and a large fabricated example output, and it neither signals nor links its own bundle files. Tightening the inline reference material and routing it to references/ would raise conciseness and progressive disclosure.

Suggestions

Move the MFT record header and attribute tables into references/api-reference.md and replace them in SKILL.md with a one-line 'See references/api-reference.md' pointer.

Add explicit validation/verification checkpoints to each workflow (e.g., verify image hash before and after extraction, confirm InUse flag interpretation) to satisfy the feedback-loop requirement.

Trim or relocate the large 'Example Output' block to a bundled file and link it, so the body stays a lean overview.

DimensionReasoningScore

Conciseness

Mostly actionable but padded with an explanatory Overview of NTFS basics, full duplicate MFT record/attribute tables that mirror references/api-reference.md, and an oversized ~40-line fabricated 'Example Output' block; not at level 3 because several tokens do not earn their place, and not at level 1 because real commands dominate rather than concept explanation.

2 / 3

Actionability

Provides fully executable MFTECmd/RBCmd/LogFileParser/vssadmin commands with real flags and a complete, runnable Python parser with real struct unpacking — copy-paste ready rather than pseudocode.

3 / 3

Workflow Clarity

Techniques and the references/workflows.md flows are sequenced, but there are no validation/verification checkpoints (e.g., image hash verification, integrity checks) for destructive/batch forensic operations, so per the rubric workflow clarity is capped at 2.

2 / 3

Progressive Disclosure

A bundle exists (references/, scripts/, assets/) but SKILL.md never signals or links those files, and the inline MFT header/attribute tables duplicate references/api-reference.md — content that should be separate is inline, matching the level-2 anchor rather than the well-navigated level-3 anchor.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and distinctive, naming concrete recovery actions and tools, but is missing an explicit 'Use when...' trigger clause, which caps its completeness. Adding a one-line trigger phrase would lift it to full marks.

Suggestions

Append an explicit trigger clause such as 'Use when investigating deleted files on NTFS volumes, recovering file-system evidence, or hunting timestomping indicators.'

Add common natural variations of user phrasing (e.g., 'file recovery', 'MFT analysis', 'recover deleted files') alongside the artifact names.

DimensionReasoningScore

Specificity

Lists multiple concrete actions ('recover metadata and content of deleted files', 'examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space') plus specific tools (MFTECmd, analyzeMFT, X-Ways), matching the anchor for multiple specific concrete actions rather than the partial level-2 anchor.

3 / 3

Completeness

Clearly answers 'what' but lacks any 'Use when...' clause or equivalent explicit trigger guidance, so per the judging guideline completeness is capped at 2 even though the 'what' is strong.

2 / 3

Trigger Term Quality

Includes natural terms a forensics user would actually say — 'deleted files', 'recover', 'NTFS', 'MFT' — alongside the canonical artifact names; not reduced to 2 because the core terms map directly to user phrasing rather than being generic jargon.

3 / 3

Distinctiveness Conflict Risk

A clear niche (NTFS MFT deleted-file recovery) with distinct triggers ($MFT, $UsnJrnl, MFTECmd) that are unlikely to fire for unrelated skills; more specific than the overlapping level-2 anchor.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.