Disk, disk, sleuth!

Published: April 2, 2026

Description

Use Sleuth Kit to find the flag in the disk image dds1-alpine.flag.img.gz.

Download and decompress the disk image.

wget <url>/dds1-alpine.flag.img.gz
gunzip dds1-alpine.flag.img.gz

Solution

  1. Step 1: Search for the flag string in the raw disk image
    Use srch_strings from The Sleuth Kit to extract all printable strings from the raw disk image, then filter for the picoCTF flag pattern. This scans the entire disk -- file contents, file system metadata, unallocated space and slack space -- for readable text, without mounting anything. Add -t d if you also want the decimal byte offset of each string: the pipeline below prints the flag's contents but not where on disk it lives.
    srch_strings dds1-alpine.flag.img | grep picoCTF
    Learn more

    The Sleuth Kit (TSK) is an open-source digital forensics toolkit. srch_strings is TSK's bundled build of the GNU binutils strings program, shipped so that the byte-offset option (-t d) is available on every platform; it does not parse filesystem structures itself. Those offsets are what connect a raw string hit to a file: divide the offset (minus the partition start from mmls, if the image is partitioned) by the block size that fsstat reports to get the data unit, then ifind -d tells you which inode, if any, owns that block and icat extracts the file.

    Searching the raw image with strings/srch_strings finds text in allocated files, deleted file remnants, and filesystem metadata -- all without mounting the image or parsing the filesystem. This makes it effective for quick triage when you know the pattern you are looking for. The trade-off is that a bare hit carries no context: a string in unallocated space looks exactly like one in a live file, so keep the offset whenever you need to attribute a hit to a file.

    The disk image is an Alpine Linux installation. The flag was placed in the filesystem as a small plain-text file, so its bytes sit uncompressed and unencoded in a data block and are recoverable directly from the raw image; a string scan would not have found it had the file been compressed or encrypted on disk.
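    The triage step above, together with the offset-to-block mapping that TSK's filesystem-layer tools need, as an added Python example (it is not part of the original write-up and not TSK's own code): it scans a constructed stand-in image for printable runs the way srch_strings -t d does, filters for the flag pattern while keeping the byte offset, and converts that offset to a data-unit number. BLOCK_SIZE, the image layout and the placeholder flag are assumptions for the demo; on the real image the block size comes from fsstat and any partition start from mmls.

```python
import re

# Assumed geometry for the constructed image. On a real image take the block size
# from `fsstat` and the filesystem's byte offset (if partitioned) from `mmls`.
BLOCK_SIZE = 4096
MIN_STRING_LEN = 4  # default minimum run length for strings/srch_strings

# Constructed stand-in for a raw disk image: six zeroed blocks, two short printable
# runs, and a placeholder flag planted at an unaligned offset inside block 3.
# This is NOT the contents of dds1-alpine.flag.img.
SAMPLE_FLAG = b"picoCTF{constructed_sample_flag}"
FLAG_OFFSET = BLOCK_SIZE * 3 + 100


def build_sample_image():
    img = bytearray(BLOCK_SIZE * 6)
    img[0:14] = b"\xeb\x63\x90ALPINE_BOOT"        # 3 opaque bytes, then 11 printable ones
    img[BLOCK_SIZE:BLOCK_SIZE + 9] = b"/etc/motd"   # a path string at the start of block 1
    img[FLAG_OFFSET:FLAG_OFFSET + len(SAMPLE_FLAG) + 1] = SAMPLE_FLAG + b"\n"
    return bytes(img)


def extract_strings(data, min_len=MIN_STRING_LEN):
    """(byte_offset, text) for every run of >= min_len printable ASCII bytes.

    This is the information `srch_strings -t d` prints; the offset is exactly
    what the plain `srch_strings | grep` pipeline discards.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group(0).decode("ascii")) for m in pattern.finditer(data)]


def find_flags(data, flag_re=rb"picoCTF\{[^}]*\}"):
    """The grep step, kept offset-aware: (offset, flag) for each match in the raw image."""
    return [(m.start(), m.group(0).decode("ascii")) for m in re.finditer(flag_re, data)]


def offset_to_block(offset, block_size=BLOCK_SIZE, fs_start=0):
    """Map a byte offset in the image to the filesystem data unit that holds it.

    fs_start is the byte offset where the filesystem begins (0 for a bare
    filesystem image; otherwise the mmls start sector times the sector size).
    The result is the number to hand to `ifind -d <block> <image>`, which reports
    the owning inode (if any) that `icat <image> <inode>` can then extract.
    """
    if offset < fs_start:
        raise ValueError("offset lies before the filesystem start")
    return (offset - fs_start) // block_size


def locate_flag(data, block_size=BLOCK_SIZE, fs_start=0):
    """Full triage: scan, filter, and map every hit to its data unit."""
    return [
        {"offset": off, "block": offset_to_block(off, block_size, fs_start), "flag": flag}
        for off, flag in find_flags(data)
    ]


if __name__ == "__main__":
    image = build_sample_image()
    for off, text in extract_strings(image):      # what `srch_strings -t d` would show
        print(f"{off:8d} {text}")
    for hit in locate_flag(image):
        print(f"flag at byte {hit['offset']} -> block {hit['block']}: {hit['flag']}")
        print(f"next: ifind -d {hit['block']} <image>   # then icat <image> <inode>")
```

    An unallocated block gives the same string hit as a live file; the block number is what lets ifind distinguish the two, so keep the offset rather than only the grep output.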

Flag

picoCTF{...}

srch_strings from The Sleuth Kit extracts printable strings from raw disk images -- the disk-forensics equivalent of strings.
