Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine regardless of file system damage.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionrecovering-deleted-files-with-photorecExecute the skills CLI command in your project's root directory to begin installation:
Fetches recovering-deleted-files-with-photorec from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate recovering-deleted-files-with-photorec. Access via /recovering-deleted-files-with-photorec in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | recovering-deleted-files-with-photorec |
| description | Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine regardless of file system damage. |
| domain | cybersecurity |
| subdomain | digital-forensics |
| tags | - forensics - file-recovery - photorec - file-carving - data-recovery - evidence-recovery |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_ai_rmf | - MEASURE-2.7 - MAP-5.1 - MANAGE-2.4 |
| atlas_techniques | - AML.T0070 - AML.T0066 - AML.T0082 |
| nist_csf | - RS.AN-01 - RS.AN-03 - DE.AE-02 - RS.MA-01 |
# Install TestDisk (includes PhotoRec) on Debian/Ubuntu
sudo apt-get install testdisk
# On RHEL/CentOS
sudo yum install testdisk
# On macOS
brew install testdisk
# Verify installation
photorec --version
# Create output directory structure
mkdir -p /cases/case-2024-001/recovered/{all,documents,images,databases}
# Verify the forensic image
file /cases/case-2024-001/images/evidence.dd
ls -lh /cases/case-2024-001/images/evidence.dd
# Launch PhotoRec against a forensic image
photorec /cases/case-2024-001/images/evidence.dd
# Interactive menu steps:
# 1. Select the disk image: evidence.dd
# 2. Select partition table type: [Intel] for MBR, [EFI GPT] for GPT
# 3. Select partition to scan (or "No partition" for whole disk)
# 4. Select filesystem type: [ext2/ext3/ext4] or [Other] for NTFS/FAT
# 5. Choose scan scope: [Free] (unallocated only) or [Whole] (entire partition)
# 6. Select output directory: /cases/case-2024-001/recovered/all/
# 7. Press C to confirm and begin recovery
# For direct device scanning (with write-blocker)
sudo photorec /dev/sdb
# Non-interactive mode with specific file types
photorec /d /cases/case-2024-001/recovered/documents/ \
/cmd /cases/case-2024-001/images/evidence.dd \
partition_table,options,mode,fileopt,search
# Recover only specific file types using photorec command mode
photorec /d /cases/case-2024-001/recovered/documents/ \
/cmd /cases/case-2024-001/images/evidence.dd \
options,keep_corrupted_file,enable \
fileopt,everything,disable \
fileopt,doc,enable \
fileopt,docx,enable \
fileopt,pdf,enable \
fileopt,xlsx,enable \
search
# Recover only image files
photorec /d /cases/case-2024-001/recovered/images/ \
/cmd /cases/case-2024-001/images/evidence.dd \
fileopt,everything,disable \
fileopt,jpg,enable \
fileopt,png,enable \
fileopt,gif,enable \
fileopt,bmp,enable \
fileopt,tif,enable \
search
# Recover database files
photorec /d /cases/case-2024-001/recovered/databases/ \
/cmd /cases/case-2024-001/images/evidence.dd \
fileopt,everything,disable \
fileopt,sqlite,enable \
fileopt,dbf,enable \
search
# PhotoRec outputs files into recup_dir.1, recup_dir.2, etc.
ls /cases/case-2024-001/recovered/all/
# Count recovered files by type
find /cases/case-2024-001/recovered/all/ -type f | \
sed 's/.*\.//' | sort | uniq -c | sort -rn > /cases/case-2024-001/recovered/file_type_summary.txt
# Sort recovered files into directories by extension
cd /cases/case-2024-001/recovered/all/
for ext in jpg png pdf docx xlsx pptx zip sqlite; do
mkdir -p /cases/case-2024-001/recovered/sorted/$ext
find . -name "*.$ext" -exec cp {} /cases/case-2024-001/recovered/sorted/$ext/ \;
done
# Generate SHA-256 hashes for all recovered files
find /cases/case-2024-001/recovered/all/ -type f -exec sha256sum {} \; \
> /cases/case-2024-001/recovered/recovered_hashes.txt
# Generate file listing with metadata
find /cases/case-2024-001/recovered/all/ -type f \
-printf "%f\t%s\t%T+\t%p\n" | sort > /cases/case-2024-001/recovered/file_listing.txt
# Verify file integrity using file signatures
find /cases/case-2024-001/recovered/all/ -type f -exec file {} \; \
> /cases/case-2024-001/recovered/file_signatures.txt
# Find files with mismatched extension/signature
while IFS= read -r line; do
filepath=$(echo "$line" | cut -d: -f1)
filetype=$(echo "$line" | cut -d: -f2-)
ext="${filepath##*.}"
if [[ "$ext" == "jpg" ]] && ! echo "$filetype" | grep -qi "JPEG"; then
echo "MISMATCH: $filepath -> $filetype"
fi
done < /cases/case-2024-001/recovered/file_signatures.txt > /cases/case-2024-001/recovered/mismatches.txt
# Filter out known-good files using NSRL hash comparison
hashdeep -r -c sha256 /cases/case-2024-001/recovered/all/ | \
grep -vFf /opt/nsrl/nsrl_sha256.txt > /cases/case-2024-001/recovered/unknown_files.txt
# Remove zero-byte and corrupted files
find /cases/case-2024-001/recovered/all/ -type f -empty -delete
find /cases/case-2024-001/recovered/all/ -name "*.jpg" -exec jpeginfo -c {} \; 2>&1 | \
grep "ERROR" > /cases/case-2024-001/recovered/corrupted_images.txt
| Concept | Description |
|---|---|
| File carving | Recovering files from raw data using file header/footer signatures |
| File signatures | Magic bytes at the start of files identifying their type (e.g., FF D8 FF for JPEG) |
| Unallocated space | Disk sectors not assigned to any active file; may contain deleted data |
| Fragmented files | Files stored in non-contiguous sectors; harder to carve completely |
| Cluster/Block size | Minimum allocation unit on a file system; affects carving granularity |
| File footer | Byte sequence marking the end of a file (not all formats have footers) |
| Data remanence | Residual data remaining after deletion until sectors are overwritten |
| False positives | Carved artifacts that match signatures but contain corrupted or partial data |
| Tool | Purpose |
|---|---|
| PhotoRec | Open-source file carving tool supporting 300+ file formats |
| TestDisk | Companion tool for partition recovery and repair |
| Foremost | Alternative file carver originally developed by US Air Force OSI |
| Scalpel | High-performance file carver based on Foremost |
| hashdeep | Recursive hash computation and audit tool |
| jpeginfo | JPEG file integrity verification |
| file | Unix utility identifying file types by magic bytes |
| exiftool | Extract metadata from recovered image and document files |
Scenario 1: Recovering Deleted Evidence from a Suspect's USB Drive Image the USB drive with dcfldd, run PhotoRec targeting document and image formats, organize by file type, hash all recovered files, compare against known-bad hash sets, extract metadata from images for GPS and timestamp information.
Scenario 2: Formatted Hard Drive Recovery Run PhotoRec in "Whole" mode against the entire formatted partition, recover all file types, expect higher false positive rate due to file fragmentation, validate recovered files with signature checking, catalog and hash for evidence chain.
Scenario 3: Memory Card from a Surveillance Camera Recover deleted video files (AVI, MP4, MOV) from the memory card image, use targeted file type selection to speed recovery, verify video files are playable, extract frame timestamps, document recovery in case notes.
Scenario 4: Corrupted File System on Evidence Drive When file system metadata is destroyed, PhotoRec bypasses the file system entirely and carves from raw sectors, recover maximum possible data, accept that file names and directory structure will be lost, rename files based on content during review.
PhotoRec Recovery Summary:
Source Image: evidence.dd (500 GB)
Partition: NTFS (Partition 2)
Scan Mode: Free space only
Files Recovered: 4,523
Documents: 234 (doc: 45, docx: 89, pdf: 67, xlsx: 33)
Images: 2,145 (jpg: 1,890, png: 198, gif: 57)
Videos: 34 (mp4: 22, avi: 12)
Archives: 67 (zip: 45, rar: 22)
Databases: 12 (sqlite: 8, dbf: 4)
Other: 2,031
Data Recovered: 12.4 GB
Corrupted Files: 312 (flagged for review)
Output Directory: /cases/case-2024-001/recovered/all/
Hash Manifest: /cases/case-2024-001/recovered/recovered_hashes.txt
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
We added recovering-deleted-files-with-photorec from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
I recommend recovering-deleted-files-with-photorec for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Useful defaults in recovering-deleted-files-with-photorec — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: recovering-deleted-files-with-photorec is focused, and the summary matches what you get after install.
Keeps context tight: recovering-deleted-files-with-photorec is the kind of skill you can hand to a new teammate without a long onboarding doc.
recovering-deleted-files-with-photorec has been reliable in day-to-day use. Documentation quality is above average for community skills.
We added recovering-deleted-files-with-photorec from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
recovering-deleted-files-with-photorec fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: recovering-deleted-files-with-photorec is the kind of skill you can hand to a new teammate without a long onboarding doc.
Registry listing for recovering-deleted-files-with-photorec matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 63