Disk, disk, sleuth! II

Published: April 2, 2026

Description

All we know is the file is called 'down-at-the-bottom.txt'. Use Sleuth Kit inode tools on dds2-alpine.flag.img.gz to find and read it.

Download and decompress the disk image.

wget <url>/dds2-alpine.flag.img.gz
gunzip dds2-alpine.flag.img.gz

Solution

  1. Find the file's inode number with fls
    Use fls to list filesystem entries in the image. The -r flag recurses into all directories, -p prints the full path, and -o 2048 specifies the partition offset in sectors. Pipe to grep to find down-at-the-bottom.txt and note its inode number.
    fls -r -p -o 2048 dds2-alpine.flag.img | grep down-at-the-bottom

    Inodes are the data structures in Unix filesystems (ext2/3/4, UFS) that store file metadata: permissions, timestamps, owner, and pointers to the data blocks. Every file and directory has an inode number. The filename is stored in the directory entry, which maps names to inode numbers.

    fls (file listing) from The Sleuth Kit lists directory entries directly from the raw disk image without mounting it. The partition offset -o 2048 tells TSK where the filesystem starts within the disk image (in 512-byte sectors). You can find this offset with mmls dds2-alpine.flag.img.

  2. Extract the file contents with icat
    Use icat with the inode number found in the previous step to extract and print the file contents. icat reads file data blocks directly from the raw image given just the inode number.
    icat -o 2048 dds2-alpine.flag.img <inode_number>

    icat (inode cat) extracts the content of a file given its inode number, reading directly from the raw disk image. This works even for deleted files (whose directory entries have been removed but whose inode and data blocks have not yet been overwritten). It is a key tool in deleted file recovery.

    The workflow of fls (find inode) followed by icat (extract content) is the standard TSK pattern for targeted file recovery from disk images -- equivalent to find + cat on a live filesystem, but operating on the raw image.
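The fls-then-icat procedure above as one script, added here as an example and not part of the original write-up. It goes slightly further than the steps: it reads the partition offset from mmls instead of hard-coding 2048 and matches the exact file name rather than a substring. The function names and the sample tool output are constructed for illustration.

```shell
#!/bin/sh
# Added example: chain mmls -> fls -> icat. Function names are hypothetical.

# Start sector of every partition that mmls describes as "Linux (0x83)".
linux_offsets() {
    awk '/Linux \(0x83\)/ { sub(/^0+/, "", $3); print ($3 == "" ? 0 : $3) }'
}

# Inode of every `fls -p` row whose basename is exactly $1.
# Rows are "<type> [*] <inode>:<TAB><path>"; "*" marks a deleted entry.
inodes_for() {
    awk -F '\t' -v name="$1" '{
        n = split($2, path, "/")
        if (path[n] != name) next        # exact name, not a substring match
        m = split($1, meta, " ")
        inode = meta[m]                  # last token before the tab, e.g. "102:"
        sub(/:$/, "", inode)
        sub(/\(realloc\)$/, "", inode)   # fls tags reused inodes this way
        print inode
    }'
}

# Search each Linux partition of image $1 for file name $2 and print its data.
recover() {
    mmls "$1" | linux_offsets | while read -r off; do
        fls -r -p -o "$off" "$1" | inodes_for "$2" | while read -r ino; do
            echo "== offset $off, inode $ino ==" >&2
            icat -o "$off" "$1" "$ino"
        done
    done
}

# Constructed sample tool output (not taken from the challenge image).
SAMPLE_MMLS='      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000262143   0000260096   Linux (0x83)'
SAMPLE_FLS=$(printf '%s\t%s\n' \
    'd/d 100:' 'root' \
    'r/r 101:' 'root/not-down-at-the-bottom.txt' \
    'r/r * 102:' 'root/old/down-at-the-bottom.txt' \
    'r/r 103:' 'root/my_folder/down-at-the-bottom.txt')

if [ "$#" -eq 2 ]; then
    recover "$1" "$2"                    # e.g. dds2-alpine.flag.img down-at-the-bottom.txt
else
    printf '%s\n' "$SAMPLE_MMLS" | linux_offsets
    printf '%s\n' "$SAMPLE_FLS" | inodes_for down-at-the-bottom.txt
fi
```

Run with an image path and a file name to use the real tools; with no arguments it only parses the constructed samples.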

Flag

picoCTF{...}

fls lists filesystem entries (including deleted files) by inode; icat extracts a file's content given its inode number -- critical for deleted file recovery.
