Description
Use Sleuth Kit to find the flag in the disk image dds1-alpine.flag.img.gz.
Setup
Download and decompress the disk image.
wget <url>/dds1-alpine.flag.img.gzgunzip dds1-alpine.flag.img.gzSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Search for the flag string in the raw disk imageObservationI noticed the challenge provided a raw disk image and named The Sleuth Kit as the intended toolkit, which suggested using srch_strings (or the equivalent strings command) to scan every byte of the image for the picoCTF{ prefix without needing to mount or parse the filesystem.Use strings to extract all printable strings from the raw image, then grep for the picoCTF prefix. The 8-byte prefix picoCTF{ is specific enough that false positives are rare.bashstrings dds1-alpine.flag.img | grep 'picoCTF'bash# Alternatively with Sleuth Kit's srch_strings:bashsrch_strings dds1-alpine.flag.img | grep -F 'picoCTF{' | sort -uExpected output
picoCTF{f0r3ns1c4t0r_n30phyt3_...}What didn't work first
Tried: Mount the disk image with 'sudo mount -o loop dds1-alpine.flag.img /mnt' and then search for files manually with find or ls.
Mounting works but adds unnecessary steps - you need to know the filesystem offset (use mmls or fdisk -l to find the start sector), supply '-o offset=X' to mount, and then unmount afterward. Running strings or srch_strings directly on the raw .img file bypasses all of that and finds the flag in the same scan, making mounting the slow path for this specific task.
Tried: Run 'file dds1-alpine.flag.img' or 'xxd dds1-alpine.flag.img | grep picoCTF' to find the flag without using strings.
xxd prints every byte as hex and ASCII side-by-side, but grep on its output matches only within each 16-byte line, so a flag string that crosses a line boundary will not match. 'file' only identifies the image type and gives no string content. The strings command specifically collects consecutive printable bytes across arbitrary offsets, which is why it (not xxd grep) reliably extracts the flag.
Learn more
The Sleuth Kit (TSK) is an open-source digital forensics toolkit.
srch_stringsis TSK's equivalent of the Unixstringscommand, designed specifically for disk images. Unlikestrings, it understands filesystem structures and can report which file system partition each string came from.Searching the raw image with
strings/srch_stringsfinds text in files, deleted file remnants, and filesystem metadata - all without mounting the image or parsing the filesystem. This makes it effective for quick triage when you know what pattern you are looking for.The disk image is an Alpine Linux installation. The flag was placed somewhere in the filesystem as a text file, and its contents are directly recoverable as a printable string from the raw image bytes.
How disk forensics works at a low level: A disk image is a sector-by-sector copy of the original storage device. Each sector is typically 512 bytes. The filesystem (ext4, FAT32, NTFS, etc.) organizes these sectors into blocks, inodes, directory entries, and file data. When you run
srch_stringson the raw image, it ignores all filesystem structure and simply scans every byte for sequences of printable ASCII characters - typically four or more consecutive printable bytes count as a "string."This raw-string approach is powerful because it finds text even in deleted files, filesystem slack space (unused bytes at the end of the last block allocated to a file), and unallocated clusters (disk space not currently assigned to any file). Traditional file system browsing would miss all of these locations. In real digital forensics investigations, this technique is used to recover deleted documents, chat logs, and credential files even after a user has attempted to erase them.
The Sleuth Kit also provides higher-level forensic tools:
flslists all files including deleted ones,icatextracts a file by inode number,fsstatprints filesystem statistics, andmmlsreads partition tables from disk images. For this challenge, the raw-string search is the fastest path - but in a more complex investigation you might need to reconstruct deleted files usingicaton orphaned inodes found withifind.If
srch_stringsis not available on your system, the standard Unixstringscommand works similarly:strings dds1-alpine.flag.img | grep -F 'picoCTF{' | sort -u. The key difference is thatsrch_stringscan report file system context (which partition, which inode), making it more useful for attribution in a full investigation. For more on the Linux command-line forensics toolbox, see Linux CLI for CTF.
Interactive tools
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
Reveal flag
picoCTF{f0r3ns1c4t0r_n30phyt3_...}
srch_strings from The Sleuth Kit extracts printable strings from raw disk images - the disk-forensics equivalent of strings.