recovering-deleted-files-with-photorec
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine regardless of file system damage.
| name | recovering-deleted-files-with-photorec |
| description | Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine regardless of file system damage. |
| domain | cybersecurity |
| subdomain | digital-forensics |
| tags | forensics, file-recovery, photorec, file-carving, data-recovery, evidence-recovery |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_ai_rmf | MEASURE-2.7, MAP-5.1, MANAGE-2.4 |
| atlas_techniques | AML.T0070, AML.T0066, AML.T0082 |
| nist_csf | RS.AN-01, RS.AN-03, DE.AE-02, RS.MA-01 |
Recovering Deleted Files with PhotoRec
When to Use
- When recovering deleted files from a forensic disk image or storage device
- When the file system is corrupted, formatted, or overwritten
- During investigations requiring recovery of documents, images, videos, or databases
- When file system metadata is unavailable but raw data sectors remain intact
- For recovering files from memory cards, USB drives, and hard drives
Prerequisites
- PhotoRec installed (part of TestDisk suite)
- Forensic disk image or direct device access (read-only)
- Sufficient output storage space (potentially larger than source)
- Write-blocker if working with original media
- Root/sudo privileges for device access
- Knowledge of target file types for focused recovery
Workflow
Step 1: Install PhotoRec and Prepare the Environment
```bash
# Install TestDisk (includes PhotoRec) on Debian/Ubuntu
sudo apt-get install testdisk

# On RHEL/CentOS
sudo yum install testdisk

# On macOS
brew install testdisk

# Verify installation
photorec --version

# Create output directory structure
mkdir -p /cases/case-2024-001/recovered/{all,documents,images,databases}

# Verify the forensic image
file /cases/case-2024-001/images/evidence.dd
ls -lh /cases/case-2024-001/images/evidence.dd
```
Step 2: Run PhotoRec in Interactive Mode
```bash
# Launch PhotoRec against a forensic image
photorec /cases/case-2024-001/images/evidence.dd

# Interactive menu steps:
# 1. Select the disk image: evidence.dd
# 2. Select partition table type: [Intel] for MBR, [EFI GPT] for GPT
# 3. Select partition to scan (or "No partition" for whole disk)
# 4. Select filesystem type: [ext2/ext3/ext4] or [Other] for NTFS/FAT
# 5. Choose scan scope: [Free] (unallocated only) or [Whole] (entire partition)
# 6. Select output directory: /cases/case-2024-001/recovered/all/
# 7. Press C to confirm and begin recovery

# For direct device scanning (with write-blocker)
sudo photorec /dev/sdb
```
Step 3: Run PhotoRec with Command-Line Options for Targeted Recovery
```bash
# Non-interactive mode: general form (placeholders, not literal values).
# Everything after the image path is ONE comma-separated argument; PhotoRec
# does not read additional space-separated arguments as part of the command list.
photorec /d /cases/case-2024-001/recovered/documents/ \
  /cmd /cases/case-2024-001/images/evidence.dd \
  partition_table,options,mode,fileopt,search

# Recover only document types, keeping corrupted files.
# File families are named as in PhotoRec's [File Opt] menu: "doc" covers the
# legacy OLE Office formats, while docx and xlsx are ZIP containers carved by
# the "zip" family.
photorec /d /cases/case-2024-001/recovered/documents/ \
  /cmd /cases/case-2024-001/images/evidence.dd \
  options,keep_corrupted_file,fileopt,everything,disable,doc,enable,zip,enable,pdf,enable,search

# Recover only image files
photorec /d /cases/case-2024-001/recovered/images/ \
  /cmd /cases/case-2024-001/images/evidence.dd \
  fileopt,everything,disable,jpg,enable,png,enable,gif,enable,bmp,enable,tif,enable,search

# Recover database files
photorec /d /cases/case-2024-001/recovered/databases/ \
  /cmd /cases/case-2024-001/images/evidence.dd \
  fileopt,everything,disable,sqlite,enable,dbf,enable,search
```
Step 4: Organize and Catalog Recovered Files
```bash
# PhotoRec outputs files into recup_dir.1, recup_dir.2, etc.
ls /cases/case-2024-001/recovered/all/

# Count recovered files by type
find /cases/case-2024-001/recovered/all/ -type f | \
  sed 's/.*\.//' | sort | uniq -c | sort -rn > /cases/case-2024-001/recovered/file_type_summary.txt

# Sort recovered files into directories by extension
cd /cases/case-2024-001/recovered/all/
for ext in jpg png pdf docx xlsx pptx zip sqlite; do
  mkdir -p "/cases/case-2024-001/recovered/sorted/$ext"
  find . -type f -name "*.$ext" -exec cp {} "/cases/case-2024-001/recovered/sorted/$ext/" \;
done

# Generate SHA-256 hashes for all recovered files
find /cases/case-2024-001/recovered/all/ -type f -exec sha256sum {} \; \
  > /cases/case-2024-001/recovered/recovered_hashes.txt

# Generate file listing with metadata
find /cases/case-2024-001/recovered/all/ -type f \
  -printf "%f\t%s\t%T+\t%p\n" | sort > /cases/case-2024-001/recovered/file_listing.txt
```
Step 5: Validate and Filter Recovered Files
```bash
# Verify file integrity using file signatures
find /cases/case-2024-001/recovered/all/ -type f -exec file {} \; \
  > /cases/case-2024-001/recovered/file_signatures.txt

# Find files with mismatched extension/signature
while IFS= read -r line; do
  filepath=$(echo "$line" | cut -d: -f1)
  filetype=$(echo "$line" | cut -d: -f2-)
  ext="${filepath##*.}"
  if [[ "$ext" == "jpg" ]] && ! echo "$filetype" | grep -qi "JPEG"; then
    echo "MISMATCH: $filepath -> $filetype"
  fi
done < /cases/case-2024-001/recovered/file_signatures.txt > /cases/case-2024-001/recovered/mismatches.txt

# Filter out known-good files using NSRL hash comparison
# (-i: hashdeep prints lowercase hex, so match the hash list case-insensitively)
hashdeep -r -c sha256 /cases/case-2024-001/recovered/all/ | \
  grep -viFf /opt/nsrl/nsrl_sha256.txt > /cases/case-2024-001/recovered/unknown_files.txt

# Remove zero-byte files (regenerate the Step 4 hash manifest afterwards so it
# still matches the directory contents)
find /cases/case-2024-001/recovered/all/ -type f -empty -delete

# List corrupted JPEGs for review (they are flagged, not deleted)
find /cases/case-2024-001/recovered/all/ -name "*.jpg" -exec jpeginfo -c {} \; 2>&1 | \
  grep "ERROR" > /cases/case-2024-001/recovered/corrupted_images.txt
```
Key Concepts
| Concept | Description |
|---|---|
| File carving | Recovering files from raw data using file header/footer signatures |
| File signatures | Magic bytes at the start of files identifying their type (e.g., FF D8 FF for JPEG) |
| Unallocated space | Disk sectors not assigned to any active file; may contain deleted data |
| Fragmented files | Files stored in non-contiguous sectors; harder to carve completely |
| Cluster/Block size | Minimum allocation unit on a file system; affects carving granularity |
| File footer | Byte sequence marking the end of a file (not all formats have footers) |
| Data remanence | Residual data remaining after deletion until sectors are overwritten |
| False positives | Carved artifacts that match signatures but contain corrupted or partial data |
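
The concepts in the table above, shown as an added Python illustration (not PhotoRec's code and not part of the original skill): a toy header/footer carver run over a constructed in-memory image at block-aligned offsets. The signature table, the `carve` and `build_sample` functions, and the sample bytes are all assumptions made for this example.

```python
"""Toy header/footer carver: illustrates the concepts only, not PhotoRec's engine."""

# extension -> (header magic, footer); both formats here end with a fixed footer
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(data, block_size=512, max_size=1 << 20):
    """Return (offset, ext, length, complete) for every block-aligned header.

    complete is False when no footer is found before the next header or
    max_size, the usual sign of an overwritten or fragmented file."""
    # Files start on allocation-unit boundaries, so only aligned offsets are tested.
    headers = [(off, ext)
               for off in range(0, len(data), block_size)
               for ext, (magic, _) in SIGNATURES.items()
               if data.startswith(magic, off)]
    results = []
    for i, (off, ext) in enumerate(headers):
        magic, footer = SIGNATURES[ext]
        # Simplification: stop at the next carved header (real files can embed others).
        nxt = headers[i + 1][0] if i + 1 < len(headers) else len(data)
        limit = min(nxt, off + max_size)
        end = data.find(footer, off + len(magic), limit)
        if end == -1:
            results.append((off, ext, limit - off, False))   # candidate false positive
        else:
            results.append((off, ext, end + len(footer) - off, True))
    return results


def build_sample(block=512):
    """Constructed 6-block image: one whole JPEG, one PNG whose tail is gone,
    and JPEG magic sitting at an unaligned offset inside other data."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"      # 706 bytes, blocks 1-2
    png_cut = b"\x89PNG\r\n\x1a\n" + b"P" * 300               # header, footer lost
    stray = b"\x00" * 100 + b"\xff\xd8\xff" + b"\x00" * 50    # magic at block 4 + 100
    img = bytearray(block * 6)
    img[block:block + len(jpg)] = jpg
    img[3 * block:3 * block + len(png_cut)] = png_cut
    img[4 * block:4 * block + len(stray)] = stray
    return bytes(img)


if __name__ == "__main__":
    for off, ext, length, complete in carve(build_sample()):
        print(f"{off:6d} {ext} {length:5d} bytes {'ok' if complete else 'TRUNCATED'}")
```

Calling `carve` with a smaller `block_size` than the real allocation unit makes the stray magic bytes show up as a third, truncated hit, which is how a wrong block size inflates false positives.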
Tools & Systems
| Tool | Purpose |
|---|---|
| PhotoRec | Open-source file carving tool supporting 300+ file formats |
| TestDisk | Companion tool for partition recovery and repair |
| Foremost | Alternative file carver originally developed by US Air Force OSI |
| Scalpel | High-performance file carver based on Foremost |
| hashdeep | Recursive hash computation and audit tool |
| jpeginfo | JPEG file integrity verification |
| file | Unix utility identifying file types by magic bytes |
| exiftool | Extract metadata from recovered image and document files |
Common Scenarios
Scenario 1: Recovering Deleted Evidence from a Suspect's USB Drive
Image the USB drive with dcfldd, run PhotoRec targeting document and image formats, organize by file type, hash all recovered files, compare against known-bad hash sets, and extract metadata from images for GPS and timestamp information.

Scenario 2: Formatted Hard Drive Recovery
Run PhotoRec in "Whole" mode against the entire formatted partition and recover all file types. Expect a higher false positive rate due to file fragmentation, validate recovered files with signature checking, then catalog and hash them for the evidence chain.

Scenario 3: Memory Card from a Surveillance Camera
Recover deleted video files (AVI, MP4, MOV) from the memory card image, using targeted file type selection to speed recovery. Verify that the video files are playable, extract frame timestamps, and document the recovery in case notes.

Scenario 4: Corrupted File System on Evidence Drive
When file system metadata is destroyed, PhotoRec bypasses the file system entirely and carves from raw sectors. Recover the maximum possible data, accept that file names and directory structure will be lost, and rename files based on content during review.
Output Format
PhotoRec Recovery Summary:
Source Image: evidence.dd (500 GB)
Partition: NTFS (Partition 2)
Scan Mode: Free space only
Files Recovered: 4,523
Documents: 234 (doc: 45, docx: 89, pdf: 67, xlsx: 33)
Images: 2,145 (jpg: 1,890, png: 198, gif: 57)
Videos: 34 (mp4: 22, avi: 12)
Archives: 67 (zip: 45, rar: 22)
Databases: 12 (sqlite: 8, dbf: 4)
Other: 2,031
Data Recovered: 12.4 GB
Corrupted Files: 312 (flagged for review)
Output Directory: /cases/case-2024-001/recovered/all/
Hash Manifest: /cases/case-2024-001/recovered/recovered_hashes.txt
How to use recovering-deleted-files-with-photorec on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- Cursor installed and configured on your development machine
- Node.js version 16.0+ with npm package manager (verify with `node --version`)
- Active project directory or workspace where you want to add recovering-deleted-files-with-photorec
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches recovering-deleted-files-with-photorec from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate recovering-deleted-files-with-photorec. Access the skill through slash commands (e.g., /recovering-deleted-files-with-photorec) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
Ratings
4.6★★★★★ 63 reviews
- ★★★★★Mei Shah· Dec 16, 2024
We added recovering-deleted-files-with-photorec from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Dhruvi Jain· Dec 12, 2024
I recommend recovering-deleted-files-with-photorec for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Mei Sethi· Dec 12, 2024
Useful defaults in recovering-deleted-files-with-photorec — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Chen Agarwal· Dec 8, 2024
Solid pick for teams standardizing on skills: recovering-deleted-files-with-photorec is focused, and the summary matches what you get after install.
- ★★★★★Aanya Perez· Dec 4, 2024
Keeps context tight: recovering-deleted-files-with-photorec is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Aanya Okafor· Nov 27, 2024
recovering-deleted-files-with-photorec has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Chen Sethi· Nov 23, 2024
We added recovering-deleted-files-with-photorec from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Mei Khanna· Nov 11, 2024
recovering-deleted-files-with-photorec fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Chen Torres· Nov 7, 2024
Keeps context tight: recovering-deleted-files-with-photorec is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Xiao Agarwal· Nov 7, 2024
Registry listing for recovering-deleted-files-with-photorec matched our evaluation — installs cleanly and behaves as described in the markdown.