Description
Use Sleuth Kit to find the flag in the disk image dds1-alpine.flag.img.gz.
Setup
Download and decompress the disk image.
```bash
wget <url>/dds1-alpine.flag.img.gz
gunzip dds1-alpine.flag.img.gz
```
Solution
Step 1: Search for the flag string in the raw disk image
Use srch_strings to extract all printable strings from the raw image, filter for the picoCTF prefix, and de-duplicate. The 8-byte prefix picoCTF{ is specific enough that false positives are rare; sort -u handles the case where the flag string appears in multiple sectors (file plus slack copy).
```bash
srch_strings dds1-alpine.flag.img | grep -F 'picoCTF{' | sort -u
```
Learn more
The Sleuth Kit (TSK) is an open-source digital forensics toolkit.
srch_strings is TSK's equivalent of the Unix strings command, designed specifically for disk images. Unlike strings, it understands filesystem structures and can report which file system partition each string came from. Searching the raw image with strings/srch_strings finds text in files, deleted file remnants, and filesystem metadata - all without mounting the image or parsing the filesystem. This makes it effective for quick triage when you know what pattern you are looking for.
The disk image is an Alpine Linux installation. The flag was placed somewhere in the filesystem as a text file, and its contents are directly recoverable as a printable string from the raw image bytes.
How disk forensics works at a low level: A disk image is a sector-by-sector copy of the original storage device. Each sector is typically 512 bytes. The filesystem (ext4, FAT32, NTFS, etc.) organizes these sectors into blocks, inodes, directory entries, and file data. When you run srch_strings on the raw image, it ignores all filesystem structure and simply scans every byte for sequences of printable ASCII characters - typically four or more consecutive printable bytes count as a "string."
This raw-string approach is powerful because it finds text even in deleted files, filesystem slack space (unused bytes at the end of the last block allocated to a file), and unallocated clusters (disk space not currently assigned to any file). Traditional file system browsing would miss all of these locations. In real digital forensics investigations, this technique is used to recover deleted documents, chat logs, and credential files even after a user has attempted to erase them.
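To make the low-level behaviour concrete, here is an added Python example (not from the challenge or from The Sleuth Kit) that reimplements the printable-run scan strings/srch_strings perform, runs it over a constructed 8-sector stand-in for the image, and reports the sector and byte offset of every flag hit, including a second copy left as a deleted-file remnant. The sample image, its contents and the flag value are all made up for the demonstration.

```python
import re
from typing import Iterator, List, Tuple

SECTOR_SIZE = 512   # sector size assumed throughout, as in the write-up
MIN_LEN = 4         # default minimum run length used by strings/srch_strings

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str]]:
    """Yield (byte offset, text) for every run of at least min_len printable ASCII
    bytes, ignoring filesystem structure exactly as strings/srch_strings do."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")

def find_flags(data: bytes, prefix: str = "picoCTF{") -> List[Tuple[str, List[Tuple[int, int]]]]:
    """Return each distinct flag with every (sector, byte offset) it was seen at.
    Same result set as srch_strings img | grep -F 'picoCTF{' | sort -u, but the
    locations are kept so a second hit in slack or unallocated space stays visible."""
    flag_re = re.compile(re.escape(prefix) + r"[^}]*\}")
    hits = {}
    for off, text in extract_strings(data):
        for m in flag_re.finditer(text):        # the flag may sit inside a longer run
            absolute = off + m.start()
            hits.setdefault(m.group(), []).append((absolute // SECTOR_SIZE, absolute))
    return sorted(hits.items())

def build_sample_image() -> bytes:
    """Constructed 8-sector stand-in for the challenge image (not the real file):
    sector 0 holds binary-looking metadata, sector 2 a text file containing the flag,
    sector 5 a deleted-file remnant of the same flag surrounded by non-printable bytes."""
    img = bytearray(8 * SECTOR_SIZE)
    img[0:8] = b"\x53\xef\x01\x02\x00\x00\x13\x37"          # fake superblock magic
    file_data = b"Welcome to Alpine!\nflag: picoCTF{example_flag_value}\n"
    img[2 * SECTOR_SIZE : 2 * SECTOR_SIZE + len(file_data)] = file_data
    remnant = b"\xff\xfe picoCTF{example_flag_value} \x00\x00old copy"
    base = 5 * SECTOR_SIZE + 100
    img[base : base + len(remnant)] = remnant
    return bytes(img)

if __name__ == "__main__":
    for flag, where in find_flags(build_sample_image()):
        for sector, offset in where:
            print(f"{flag}  sector={sector} offset={offset}")
```

Run against the real image, replace build_sample_image() with open('dds1-alpine.flag.img', 'rb').read(); the offset column is what lets you go back with mmls/fsstat and work out which partition and block the hit lives in.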
The Sleuth Kit also provides higher-level forensic tools: fls lists all files including deleted ones, icat extracts a file by inode number, fsstat prints filesystem statistics, and mmls reads partition tables from disk images. For this challenge, the raw-string search is the fastest path - but in a more complex investigation you might need to reconstruct deleted files using icat on orphaned inodes found with ifind.
If srch_strings is not available on your system, the standard Unix strings command works similarly: `strings dds1-alpine.flag.img | grep -F 'picoCTF{' | sort -u`. The key difference is that srch_strings can report file system context (which partition, which inode), making it more useful for attribution in a full investigation. For more on the Linux command-line forensics toolbox, see Linux CLI for CTF.
Flag
picoCTF{...}
srch_strings from The Sleuth Kit extracts printable strings from raw disk images - the disk-forensics equivalent of strings.