analyzing-mft-for-deleted-file-recovery
Community
Reconstructs deleted NTFS data from MFT metadata.
Author: Axxxxxxaaann
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
Forensic analysts can extract and interpret deleted NTFS Master File Table (MFT) records to recover file metadata, reconstruct storage timelines, and detect timestomping across NTFS artifacts.
Core Features & Use Cases
- MFT Deleted Record Detection: identifies InUse = FALSE entries, captures filenames, paths, sizes, and timestamps for deleted files.
- Cross-Artifact Correlation: correlates MFT data with USN Journal, $LogFile, and MFT slack space to strengthen evidence and sequencing.
- Reporting & Timelines: generates structured reports and supports timeline reconstruction for incident response and formal investigations.
Quick Start
Run the MFT Deleted File Recovery agent against an extracted $MFT file to generate a comprehensive JSON report.
Dependency Matrix
Required Modules
None required
Components
scripts, references, assets
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill:
Name: analyzing-mft-for-deleted-file-recovery
Download link: https://github.com/Axxxxxxaaann/KAIRI-Skills/archive/main.zip#analyzing-mft-for-deleted-file-recovery
Please download this .zip file, extract it, and install it in the .claude/skills/ directory.