Disk, disk, sleuth! picoCTF 2021 Solution

Published: April 2, 2026

Description

Use Sleuth Kit to find the flag in the disk image dds1-alpine.flag.img.gz.

Download and decompress the disk image.

```bash
wget <url>/dds1-alpine.flag.img.gz
gunzip dds1-alpine.flag.img.gz
```

Solution

    Step 1: Search for the flag string in the raw disk image
    Observation
    I noticed the challenge provided a raw disk image and named The Sleuth Kit as the intended toolkit, which suggested using srch_strings (or the equivalent strings command) to scan every byte of the image for the picoCTF{ prefix without needing to mount or parse the filesystem.
    Use strings to extract all printable strings from the raw image, then grep for the picoCTF prefix. The 8-byte prefix picoCTF{ is specific enough that false positives are rare.
    ```bash
    strings dds1-alpine.flag.img | grep 'picoCTF'

    # Alternatively with Sleuth Kit's srch_strings:
    srch_strings dds1-alpine.flag.img | grep -F 'picoCTF{' | sort -u
    ```

    Expected output

    picoCTF{f0r3ns1c4t0r_n30phyt3_...}
    What didn't work first

    Tried: Mount the disk image with 'sudo mount -o loop dds1-alpine.flag.img /mnt' and then search for files manually with find or ls.

    Mounting works but adds unnecessary steps - you need to know the filesystem offset (use mmls or fdisk -l to find the start sector), supply '-o offset=X' to mount, and then unmount afterward. Running strings or srch_strings directly on the raw .img file bypasses all of that and finds the flag in the same scan, making mounting the slow path for this specific task.

    Tried: Run 'file dds1-alpine.flag.img' or 'xxd dds1-alpine.flag.img | grep picoCTF' to find the flag without using strings.

    xxd prints every byte as hex and ASCII side-by-side, but grep on its output matches only within each 16-byte line, so a flag string that crosses a line boundary will not match. 'file' only identifies the image type and gives no string content. The strings command specifically collects consecutive printable bytes across arbitrary offsets, which is why it (not xxd grep) reliably extracts the flag.

    Learn more

    The Sleuth Kit (TSK) is an open-source digital forensics toolkit. srch_strings is TSK's equivalent of the Unix strings command, designed specifically for disk images. Unlike strings, it understands filesystem structures and can report which file system partition each string came from.

    Searching the raw image with strings/srch_strings finds text in files, deleted file remnants, and filesystem metadata - all without mounting the image or parsing the filesystem. This makes it effective for quick triage when you know what pattern you are looking for.

    The disk image is an Alpine Linux installation. The flag was placed somewhere in the filesystem as a text file, and its contents are directly recoverable as a printable string from the raw image bytes.

    How disk forensics works at a low level: A disk image is a sector-by-sector copy of the original storage device. Each sector is typically 512 bytes. The filesystem (ext4, FAT32, NTFS, etc.) organizes these sectors into blocks, inodes, directory entries, and file data. When you run srch_strings on the raw image, it ignores all filesystem structure and simply scans every byte for sequences of printable ASCII characters - typically four or more consecutive printable bytes count as a "string."

    This raw-string approach is powerful because it finds text even in deleted files, filesystem slack space (unused bytes at the end of the last block allocated to a file), and unallocated clusters (disk space not currently assigned to any file). Traditional file system browsing would miss all of these locations. In real digital forensics investigations, this technique is used to recover deleted documents, chat logs, and credential files even after a user has attempted to erase them.
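    To make the two points above concrete (the raw byte scan that ignores filesystem structure, and the reason `xxd | grep` can miss a match that straddles a 16-byte line), here is an added Python illustration. It is not code from The Sleuth Kit or from the challenge; it builds a small constructed image in memory (the offsets, the `flag.txt` remnant and the `picoCTF{s4mpl3_fl4g}` value are all made up for the demo) and runs a minimal `strings`-style scanner over it, reporting the byte offset and 512-byte sector of each hit.

```python
"""Minimal raw-image string scan (added illustration; not TSK's own code).

Scans a constructed disk image byte-for-byte for runs of printable ASCII,
the way `strings` / `srch_strings` do, and contrasts that with grepping an
xxd-style hex dump line by line, which misses a match that straddles a
16-byte line boundary.
"""
import re

SECTOR = 512   # typical sector size; used only to report which sector a hit lies in
MIN_LEN = 4    # default minimum run length used by `strings`


def extract_strings(image: bytes, min_len: int = MIN_LEN):
    """Yield (byte_offset, text) for every run of >= min_len printable bytes.
    No filesystem structure is consulted: every byte of the image is examined."""
    run_start = None
    for i, b in enumerate(image):
        if 0x20 <= b <= 0x7E or b == 0x09:   # printable ASCII or tab
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= min_len:
                yield run_start, image[run_start:i].decode("ascii")
            run_start = None
    if run_start is not None and len(image) - run_start >= min_len:
        yield run_start, image[run_start:].decode("ascii")


def find_flags(image: bytes, prefix: str = "picoCTF{"):
    """Equivalent of `strings img | grep -F 'picoCTF{'`.
    Returns a list of (byte_offset, sector_index, flag_text)."""
    pat = re.compile(re.escape(prefix) + r"[^}]*\}")
    hits = []
    for off, text in extract_strings(image):
        for m in pat.finditer(text):
            flag_off = off + m.start()
            hits.append((flag_off, flag_off // SECTOR, m.group(0)))
    return hits


def xxd_lines(image: bytes, width: int = 16):
    """Render an xxd-style dump: one line per `width` bytes plus an ASCII sidebar."""
    lines = []
    for off in range(0, len(image), width):
        chunk = image[off:off + width]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<40} {asc}")
    return lines


def grep_xxd(image: bytes, needle: str = "picoCTF"):
    """Equivalent of `xxd img | grep picoCTF`: a match must sit within one line."""
    return [ln for ln in xxd_lines(image) if needle in ln]


def build_sample_image() -> bytes:
    """Constructed 4-sector image (sample data, not the challenge file).
    The flag starts at offset 1034, so the bytes "picoCT" end one xxd line
    and "F{..." begins the next: a per-line grep for 'picoCTF' cannot see it."""
    img = bytearray(4 * SECTOR)
    img[512 + 12: 512 + 21] = b"flag.txt\x00"                  # directory-entry remnant
    flag = b"picoCTF{s4mpl3_fl4g}\n"
    img[1034: 1034 + len(flag)] = flag                          # file content in sector 2
    note = b"old note in unallocated space\x00"
    img[3 * SECTOR + 100: 3 * SECTOR + 100 + len(note)] = note  # "deleted" remnant
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("raw scan hits :", find_flags(img))   # finds the flag at offset 1034, sector 2
    print("xxd|grep hits :", grep_xxd(img))     # empty: the match crosses a line boundary
```

Run it as a script to see the contrast; the raw scan reports the flag with its byte offset and sector, while the line-oriented grep over the hex dump returns nothing. The offset is what you would carry into the filesystem-aware TSK tools if you needed to attribute the hit to a file.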

    The Sleuth Kit also provides higher-level forensic tools: fls lists all files including deleted ones, icat extracts a file by inode number, fsstat prints filesystem statistics, and mmls reads partition tables from disk images. For this challenge, the raw-string search is the fastest path - but in a more complex investigation you might need to reconstruct deleted files using icat on orphaned inodes found with ifind.

    If srch_strings is not available on your system, the standard Unix strings command works similarly: strings dds1-alpine.flag.img | grep -F 'picoCTF{' | sort -u. The key difference is that srch_strings can report file system context (which partition, which inode), making it more useful for attribution in a full investigation. For more on the Linux command-line forensics toolbox, see Linux CLI for CTF.


Flag

picoCTF{f0r3ns1c4t0r_n30phyt3_...}

srch_strings from The Sleuth Kit extracts printable strings from raw disk images - the disk-forensics equivalent of strings.

Key takeaway

Raw disk images are sector-by-sector copies that preserve every byte written to storage, including the content of deleted files, filesystem slack space, and unallocated regions that the operating system no longer tracks. Scanning the raw image with strings or srch_strings bypasses all filesystem parsing and finds text anywhere on the physical media, which is why this triage step comes first in real forensic investigations before mounting or structural analysis. The same principle applies to memory dumps and firmware images: pattern-searching the raw bytes surfaces artifacts that file-system-aware tools would never enumerate.
