Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
63
55%
Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Passed (no known issues)
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-mft-for-deleted-file-recovery/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description for a niche digital forensics skill. It excels at naming concrete actions, specific NTFS artifacts, and forensic tools, making it very distinctive. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about NTFS forensics, MFT analysis, recovering deleted files from NTFS volumes, or mentions $MFT, $LogFile, or $UsnJrnl.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyze MFT, recover metadata and content of deleted files, examine MFT record entries, $LogFile, $UsnJrnl, and MFT slack space. Also names specific tools: MFTECmd, analyzeMFT, and X-Ways Forensics. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered (analyze MFT, recover deleted file metadata/content using specific tools and artifacts). However, there is no explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric guidelines. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a forensics user would say: 'NTFS', 'Master File Table', '$MFT', 'deleted files', '$LogFile', '$UsnJrnl', 'MFT slack space', 'MFTECmd', 'analyzeMFT', 'X-Ways Forensics'. These are precisely the terms someone working in digital forensics would use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche: NTFS MFT forensic analysis with specific artifacts ($LogFile, $UsnJrnl) and named tools. This is unlikely to conflict with any other skill due to its very specialized domain. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
27%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill covers MFT forensic analysis comprehensively but suffers from significant verbosity, including reference tables and explanations of NTFS internals that Claude already knows. The workflow lacks clear sequencing and validation checkpoints critical for forensic operations. The content would benefit greatly from being restructured into a concise overview with references to detailed sub-documents.
Suggestions
Remove or move the MFT record header layout table and attribute type table to a separate REFERENCE.md file—Claude already understands NTFS internals and these consume significant tokens without adding actionable guidance.
Create a clear numbered workflow that sequences the techniques (extract → parse MFT → analyze USN Journal → check $LogFile → examine slack → correlate with Recycle Bin/VSS) with explicit validation steps after each phase.
Trim the example output to ~10 lines showing the most forensically relevant fields, or move the full example to an EXAMPLES.md file.
Remove the generic 'When to Use' section and the overview paragraph explaining what NTFS MFT is—replace with a 1-line purpose statement.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is excessively verbose with content Claude already knows—detailed MFT record header layouts, attribute type tables, and explanations of what NTFS structures are. The overview paragraph explains basic NTFS concepts unnecessarily. The 'When to Use' section is generic boilerplate. The example output section alone is ~40 lines of fabricated tool output that adds little instructional value. | 1 / 3 |
| Actionability | The skill provides some concrete commands (MFTECmd, RBCmd, LogFileParser) and a Python script for slack space analysis, but many steps are incomplete—e.g., extracting $MFT from a forensic image is hand-waved with a comment, mounting shadow copies lacks actual commands, and the Python script lacks imports for output writing or a complete workflow. Several commands mix evidence paths inconsistently. | 2 / 3 |
| Workflow Clarity | The techniques are presented as separate sections rather than a coherent sequenced workflow. There are no explicit validation checkpoints—no steps to verify that $MFT extraction was successful, no error handling guidance, and no feedback loops for when parsing fails or records are corrupted. The correlation section lists tools but doesn't sequence them into the overall investigation flow. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with no references to external files for detailed content. The MFT record header table, attribute table, full Python script, and extensive example output are all inline when they could be split into reference files. There's no layered structure—everything is dumped at the same level with no navigation aids or content hierarchy. | 1 / 3 |
| Total | 6 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
888bbe4