Claude Code Plugins

Community-maintained marketplace

Feedback

password-recovery

@majiayu000/claude-skill-registry
4
0

Digital forensic skill for recovering passwords and sensitive data from disk images, deleted files, and binary data. This skill should be used when tasks involve extracting passwords from disk images, recovering deleted file contents, analyzing binary files for fragments, or forensic data recovery scenarios. Applies to tasks mentioning disk images, deleted files, password fragments, or data recovery.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name password-recovery
description Digital forensic skill for recovering passwords and sensitive data from disk images, deleted files, and binary data. This skill should be used when tasks involve extracting passwords from disk images, recovering deleted file contents, analyzing binary files for fragments, or forensic data recovery scenarios. Applies to tasks mentioning disk images, deleted files, password fragments, or data recovery.

Password Recovery

Overview

This skill provides guidance for digital forensic recovery tasks involving the extraction of passwords or sensitive data from disk images, deleted files, and binary data. It covers systematic approaches to environment assessment, file identification, pattern searching, fragment reconstruction, and result validation.

Environment Assessment (Critical First Step)

Before attempting any recovery operations, assess the working environment:

  1. Identify available tools: Run which strings hexdump xxd file binwalk to determine available forensic utilities
  2. Understand access boundaries: In containerized environments, host filesystems and block devices are typically inaccessible
  3. Map the working directory: Execute find /app -type f 2>/dev/null or equivalent to discover all available files
  4. Avoid premature exploration: Do not attempt to access /proc/kcore, raw block devices, or Docker overlay directories before confirming access permissions

File Discovery and Identification

Systematic File Location

To locate potential data sources:

  1. List all files recursively in the working directory first
  2. Identify binary files: Use file * on discovered files to determine types
  3. Look for obvious locations: Directory names like disks/, images/, backup/ often contain relevant data
  4. Check common extensions: .dat, .img, .bin, .raw, .dd files are primary candidates

File Type Analysis

Always run file type identification on unknown binary files:

file <filename>

Common indicators:

  • "data" - Generic binary, requires further analysis
  • "Zip archive" - May contain recoverable data, attempt extraction
  • "disk image" - Direct forensic target
  • Presence of "PK" bytes (hex: 50 4B) suggests ZIP archive structure

Pattern Searching Strategies

Initial Broad Search

Start with inclusive patterns to identify potential matches:

strings <file> | grep -E '[A-Z0-9]{8,}'

Refined Pattern Search

When password format is known, construct specific regex patterns:

# For alphanumeric passwords of specific length
strings <file> | grep -E '^[A-Z0-9]{23}$'

# For partial fragments
strings <file> | grep -E '[A-Z0-9]{10,15}'

Binary-Level Search

For data not extractable via strings:

# If xxd is available
xxd <file> | grep -i '<pattern>'

# Python fallback for hex analysis
python3 -c "
import sys
with open('<file>', 'rb') as f:
    data = f.read()
    # Search for patterns in raw bytes
    for i in range(len(data) - 10):
        chunk = data[i:i+20]
        if chunk.isalnum() or b'<pattern>' in chunk:
            print(f'Offset {i}: {chunk}')
"

Fragment Reconstruction

Identifying Fragments

Fragments may occur due to:

  • File system allocation boundaries
  • Compression artifacts
  • Partial file deletion
  • Archive structure overhead

Fragment Combination Strategy

When multiple potential fragments are found:

  1. Document all candidates with their byte offsets
  2. Check length requirements: If target length is known, verify fragment combinations sum correctly
  3. Test all orderings: Fragments may appear out of order in storage
  4. Validate each combination against known criteria before concluding

Combination Validation Checklist

Before accepting a combined result:

  • Total length matches expected value
  • Character set matches requirements (alphanumeric, special chars, etc.)
  • No duplicate characters if uniqueness required
  • Passes any provided validation criteria

Verification Strategies

Multi-Criteria Validation

When multiple conditions must be met, verify each explicitly:

password = "CANDIDATE_PASSWORD"
checks = {
    "length": len(password) == 23,
    "alphanumeric": password.isalnum(),
    "uppercase_letters": password.isupper(),
    # Add task-specific criteria
}
print(f"All checks passed: {all(checks.values())}")
for check, result in checks.items():
    print(f"  {check}: {result}")

Exhaustive Search Confirmation

After finding a candidate, verify no other matches exist:

# Confirm uniqueness of the pattern in the source
grep -c '<pattern>' <file>

Common Pitfalls to Avoid

Environment-Related Mistakes

  1. Assuming host access: Container environments restrict access to host filesystems
  2. Using unavailable tools: Verify tool availability before attempting complex commands
  3. Broad filesystem searches: Start with the working directory, not root-level exploration

Analysis Mistakes

  1. Ignoring file type identification: Always run file on unknown binaries
  2. Missing archive structures: Check for ZIP/archive signatures (PK headers) in binary data
  3. Single-pass searching: Use multiple search strategies; strings may miss embedded data

Reconstruction Mistakes

  1. Assuming fragment order: Storage order may not match original data order
  2. Incomplete validation: Verify all criteria, not just length or format
  3. Premature conclusion: Search for alternative fragment combinations before finalizing

Workflow Summary

  1. Environment Assessment: Identify tools, boundaries, and available data
  2. File Discovery: Map all files, identify types, prioritize candidates
  3. Initial Analysis: Run file, strings, and broad pattern searches
  4. Deep Analysis: Binary-level examination if initial search insufficient
  5. Fragment Collection: Document all potential fragments with offsets
  6. Reconstruction: Combine fragments, test orderings
  7. Validation: Verify against all known criteria
  8. Confirmation: Ensure no alternative matches exist