Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
61
52%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-mft-for-deleted-file-recovery/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that excels in naming concrete actions, tools, and domain-specific artifacts relevant to NTFS forensic analysis. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The technical specificity makes it very distinctive and unlikely to conflict with other skills.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user needs to perform NTFS forensic analysis, recover deleted files from an MFT dump, or investigate file system artifacts like $LogFile or $UsnJrnl.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyze MFT, recover metadata and content of deleted files, examine MFT record entries, $LogFile, $UsnJrnl, and MFT slack space. Also names specific tools: MFTECmd, analyzeMFT, and X-Ways Forensics. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (analyze MFT to recover deleted file metadata/content using specific tools and artifacts), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a forensics user would say: NTFS, Master File Table, $MFT, deleted files, MFT record entries, $LogFile, $UsnJrnl, MFT slack space, MFTECmd, analyzeMFT, X-Ways Forensics. These are highly specific domain terms that users in digital forensics would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Extremely niche and specific to NTFS MFT forensic analysis with named artifacts and tools. Very unlikely to conflict with other skills given the highly specialized domain terminology. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
22%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill contains useful forensic techniques and tool references but suffers from excessive verbosity, explaining NTFS fundamentals Claude already knows. It lacks a coherent end-to-end workflow with validation checkpoints critical for forensic analysis, and the monolithic structure would benefit from splitting reference material into separate files. The actionable content is present but incomplete in key areas like evidence extraction steps.
Suggestions
Remove the MFT record header table, attribute table, and NTFS overview paragraph—Claude knows NTFS internals. Focus only on forensic-specific knowledge like timestomping detection thresholds and recovery heuristics.
Add a clear numbered end-to-end workflow: image mounting → $MFT extraction (with actual commands) → parsing → analysis → correlation → reporting, with explicit validation checkpoints (e.g., verify hash before/after extraction, validate CSV row counts).
Move reference tables and the lengthy example output to separate files (e.g., MFT_REFERENCE.md, EXAMPLE_OUTPUT.md) and link to them from the main skill.
Complete the evidence extraction step with actual commands (e.g., FTK Imager CLI or icat from Sleuth Kit) instead of comments saying 'extract $MFT from forensic image.'
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is excessively verbose with information Claude already knows—detailed MFT record header layouts, attribute type tables, and explanations of what NTFS is. The 'When to Use' section is generic boilerplate. The overview paragraph explains basic NTFS concepts that are unnecessary for an AI assistant. The example output section alone is ~40 lines of fabricated tool output that adds little instructional value. | 1 / 3 |
| Actionability | The skill provides some concrete commands (MFTECmd, RBCmd, LogFileParser) and a Python script for slack space analysis, but many steps are incomplete—e.g., extracting $MFT from a forensic image is hand-waved with a comment rather than shown. The Python script is functional but lacks error handling and output writing. Several commands assume files are already extracted without showing how. | 2 / 3 |
| Workflow Clarity | There is no clear end-to-end workflow with sequenced steps and validation checkpoints. The techniques are presented as isolated sections without a coherent process flow. For a forensic analysis involving destructive/batch operations on evidence, there are no verification steps (e.g., hash verification of evidence, validating parsed output integrity). Missing feedback loops cap this at 1. | 1 / 3 |
| Progressive Disclosure | The content has some structural organization with headers and sections, but it's monolithic—all reference tables, techniques, correlation steps, and example output are inline in a single file. The MFT record header table and attribute table could be in separate reference files. External references are listed but there's no clear navigation structure pointing to supplementary materials. | 2 / 3 |
| Total | 6 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
c15f73d