Pitter, Patter, Platters

Published: April 2, 2026

Description

There's 'Suspicious' written all over this disk image. Find what's hidden in the slack space.

Download suspicious.dd.sda1 from the challenge page.

Install Autopsy (https://www.autopsy.com) or use the strings command for a quick look.

strings suspicious.dd.sda1 | grep -i pico

Solution

  1. Step 1: Load the disk image in Autopsy
    Open Autopsy and create a new case. Add suspicious.dd.sda1 as a disk image data source. Let the ingest modules complete their analysis.

    Autopsy is an open-source digital forensics platform built on top of The Sleuth Kit (TSK). It parses disk images in raw (.dd), E01, and other formats, reconstructing the file system structure and running automated analysis modules. The .sda1 extension indicates this is a raw image of a single partition (the first partition of the first SCSI/SATA disk).

    A disk image is a sector-for-sector copy of storage media. Because it captures every bit -- including deleted files, unallocated clusters, and slack space -- it preserves evidence that the operating system would normally hide or not show in a directory listing. Raw dd images are the forensic standard because they make no assumptions about the file system format and capture every byte exactly.

    In professional digital forensics, analysts always work from forensic images rather than the original media. This preserves the chain of custody and ensures that examination does not modify evidence. Autopsy's ingest modules run keyword searches, hash lookups, EXIF extraction, and file type identification automatically in the background.

  2. Step 2: Enable slack file display
    In Autopsy navigate to Tools > Options and uncheck 'Hide slack files'. Slack files are the unused space at the end of a file's last allocated cluster -- they are hidden by default because they are not normally part of any file.

    File system slack space (also called file slack) arises from how file systems allocate storage. Files are stored in fixed-size clusters (or blocks) -- typically 4 KB on modern FAT and NTFS volumes. When a file's size is not a perfect multiple of the cluster size, the remainder of the last cluster is unused. That unused space is called slack, and it retains whatever data was previously written there.

    There are two layers of slack: RAM slack is the space between the end of the file and the end of the sector (filled with zeros or old RAM contents by the OS), and drive slack is the remaining sectors in the cluster after that. Data hidden in slack is invisible to the operating system -- a directory listing shows only the file's declared size -- but it is fully preserved on disk and visible to forensic tools that read raw sector data.

    Anti-forensic tools deliberately use slack space to hide data from investigators. Forensic examiners must always check slack space when looking for hidden data. File slack is also a common source of accidental data leakage -- sensitive contents from one file can survive in the slack space of a file that was written later to the same cluster.

  3. Step 3: Locate the slack file
    In the file tree, find the file named suspicious-file.txt-slack. Its contents are the flag string but written in reverse order.

    Autopsy appends -slack to the name of the file whose last cluster contains the slack data, making it easy to correlate slack content with the file responsible for the cluster allocation. Without Autopsy, you would need The Sleuth Kit's command-line tools instead: icat -s dumps a file's slack together with its contents, and blkcat dumps raw cluster contents so you can identify the slack region manually.

    Storing the flag in reverse is a simple obfuscation: the data was written backwards so that a casual strings scan is less likely to match recognizable patterns such as picoCTF{. It is a reminder that data found in forensic analysis is not always immediately readable -- encoding, compression, or deliberate obfuscation may require an extra processing step.

  4. Step 4: Reverse the string
    Copy the reversed flag text and reverse it with the rev command to get the correct flag.
    echo '<reversed_flag_text>' | rev

    The Unix rev command reverses each line of its input character by character. It is a one-liner solution to the final step because the flag was stored as a complete reversed string. Equivalent Python would be print(s[::-1]) using Python's slice notation with a step of -1.
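    As an added worked example (not from the challenge page, Autopsy, or The Sleuth Kit), the script below ties Steps 2 through 4 together: it computes where RAM slack and drive slack fall for a file of a given size, carves those bytes out of a raw partition image, runs a minimal strings-style scan over them, and reverses the hit the way rev does. It works on a constructed toy image with a 4 KB cluster size and a file placed at a known cluster; the real suspicious.dd.sda1 has its own cluster size and file placement, which this script does not know and would have to be read from the file system metadata (as Autopsy does).

```python
"""Added example: carve file slack from a raw partition image and recover a
reversed string hidden there. The image layout is constructed here for
illustration and is not the layout of suspicious.dd.sda1."""

SECTOR_SIZE = 512
CLUSTER_SIZE = 4096  # 8 sectors per cluster, common on FAT and NTFS volumes


def slack_layout(file_size, cluster_size=CLUSTER_SIZE, sector_size=SECTOR_SIZE):
    """Return (file_end, ram_slack_end, cluster_end), all offsets relative to
    the start of the file's first cluster. RAM slack is file_end..ram_slack_end
    (rest of the last sector); drive slack is ram_slack_end..cluster_end
    (remaining whole sectors of the last cluster)."""
    if file_size == 0:
        return 0, 0, 0
    clusters = -(-file_size // cluster_size)   # ceiling division
    sectors = -(-file_size // sector_size)
    return file_size, sectors * sector_size, clusters * cluster_size


def carve_slack(image, start_cluster, file_size,
                cluster_size=CLUSTER_SIZE, sector_size=SECTOR_SIZE):
    """Return (ram_slack, drive_slack) for a file stored in contiguous clusters
    beginning at start_cluster. A fragmented file would need its cluster chain
    from the file system instead of this contiguous assumption."""
    base = start_cluster * cluster_size
    file_end, ram_end, cl_end = slack_layout(file_size, cluster_size, sector_size)
    return image[base + file_end:base + ram_end], image[base + ram_end:base + cl_end]


def printable_runs(data, min_len=4):
    """Minimal strings(1): runs of printable ASCII at least min_len long."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def recover_reversed_flag(image, start_cluster, file_size, prefix="picoCTF{"):
    """Scan the file's slack for a printable run that, once reversed (as rev
    would do), contains prefix...}. Returns the flag or None."""
    ram_slack, drive_slack = carve_slack(image, start_cluster, file_size)
    for run in printable_runs(ram_slack + drive_slack):
        rev = run[::-1]
        if prefix in rev:
            start = rev.index(prefix)
            end = rev.find("}", start)
            if end != -1:
                return rev[start:end + 1]
    return None


def build_sample_image(flag="picoCTF{constructed_sample_flag}", num_clusters=8):
    """Construct a toy image: a 20-byte text file at cluster 2 whose declared
    size hides the reversed flag sitting 100 bytes into its drive slack."""
    image = bytearray(num_clusters * CLUSTER_SIZE)
    content = b"nothing to see here\n"
    start_cluster, file_size = 2, len(content)
    base = start_cluster * CLUSTER_SIZE
    image[base:base + file_size] = content
    _, ram_end, _ = slack_layout(file_size)
    hidden = flag[::-1].encode("ascii")     # stored backwards, as in the challenge
    image[base + ram_end + 100:base + ram_end + 100 + len(hidden)] = hidden
    return bytes(image), start_cluster, file_size


if __name__ == "__main__":
    img, cluster, size = build_sample_image()
    ram, drive = carve_slack(img, cluster, size)
    print(f"file size {size}: RAM slack {len(ram)} bytes, drive slack {len(drive)} bytes")
    print("recovered:", recover_reversed_flag(img, cluster, size))
```

    Note that a plain directory listing of this toy image would report the file as 20 bytes and never expose the 3,584 bytes of drive slack that follow it; only reading the raw cluster, as Autopsy's slack view or blkcat does, reveals the hidden string.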

    This challenge demonstrates the forensic investigation workflow at a small scale: acquire the image, load it into analysis software, enable all visibility options, find the anomaly, and then process what you find. In real investigations, the same steps apply to multi-terabyte drives with thousands of files -- automation and triage become essential because manually examining every cluster is not feasible.

    Key forensic tools to know beyond Autopsy include FTK (Forensic Toolkit), Volatility (memory forensics), Wireshark (network forensics), and binwalk (firmware/embedded forensics). Each targets a different evidence type with a similar "look at everything, including what the OS hides" philosophy.

Flag

picoCTF{...}

File system slack space is the unused space between a file's actual end and the end of its last cluster -- data hidden there is invisible to normal file browsing but fully preserved on disk.
