Description
If you can find the flag on this disk image, we can close the case for good! Download the disk image here.
π§ Step-by-Step Breakdown:
π₯ 1. Download and Extract the Disk Image
wget https://artifacts.picoctf.net/c_titan/63/disk.flag.img.gz
gunzip disk.flag.img.gz
π΅οΈ 2. Open with Autopsy (Forensic Tool)
-
Autopsy is a digital forensics platform that lets you:
-
Mount and explore disk images
-
Recover deleted files
-
View metadata, file content, etc.
π 3. Explore the Root Directory
Once loaded into Autopsy, the disk image showed 3 files in the root directory:
force-wait.sh
innocuous-file.txt
its-all-in-the-name
At first, these look ordinary β especially innocuous-file.txt.
𧩠4. Key Clue: “its-all-in-the-name”
This filename is a hint:
The name of the file matters.
So even if innocuous-file.txt seems unimportant, it’s probably significant because of its name.
π 5. open the disk.flag.img in vs code and also download hex editor extension
- search for innocuous
- and you find 14 file the the bits give you the flag in part
𧡠6. Reconstructing the Flag
By piecing together the ASCII fragments found in different instances of innocuous-file.txt, you assembled the full flag:
picoCTF{1_533_n4m35_80d24b30} (You might have seen the full flag in your actual run β this is just the partial given in your write-up.)
π What You Learned From This CTF
Skill/Concept What You Gained π§ Disk Forensics How to inspect and analyze raw disk images. 𧱠File Fragmentation Some files are split across disk sectors and can appear multiple times. 𧩠Pattern Recognition You practiced identifying and assembling partial data into a coherent result. π Clue Interpretation The filename its-all-in-the-name gave you a useful nudge β CTFs often hide clues this way. π οΈ Autopsy Usage You got hands-on with a real forensic analysis tool used by professionals.
π Final Takeaway: Even the most βinnocentβ looking files (like innocuous-file.txt) may hide secrets β especially when forensic clues are scattered and fragmented across a disk.z