Disk, disk, sleuth! II picoCTF 2021 Solution

Published: April 2, 2026

Description

All we know is the file is called 'down-at-the-bottom.txt'. Use Sleuth Kit inode tools on dds2-alpine.flag.img.gz to find and read it.

Download and decompress the disk image:

    wget <url>/dds2-alpine.flag.img.gz
    gunzip dds2-alpine.flag.img.gz
  1. Step 1: Find the partition offset with mmls
    Run mmls to print the partition table. The Linux partition's starting sector is what you'll feed to -o on the next commands.
    mmls dds2-alpine.flag.img

    Sample mmls output on this image:

    DOS Partition Table
    Offset Sector: 0
    Units are in 512-byte sectors
    
          Slot      Start        End          Length       Description
    000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
    001:  -------   0000000000   0000002047   0000002048   Unallocated
    002:  000:000   0000002048   0000262143   0000260096   Linux (0x83)

    The Linux partition starts at sector 2048, so every subsequent TSK command needs -o 2048.

  2. Step 2: Find the file's inode number with fls
    Use fls to list filesystem entries in the image. The -r flag recurses, -p prints full paths, -o 2048 is the partition offset from mmls. Grep for the filename and read the inode column.
    fls -r -p -o 2048 dds2-alpine.flag.img | grep down-at-the-bottom

    Reading fls output. A typical line looks like this; the inode number is the second column:

    r/r 18582:	root/down-at-the-bottom.txt
    ^   ^         ^
    |   |         path (full because of -p)
    |   inode (this is what you pass to icat)
    type (regular file / regular file)

    Inodes are the data structures in Unix filesystems (ext2/3/4, UFS) that store file metadata: permissions, timestamps, owner, and pointers to the data blocks. Every file and directory has an inode number. The filename is stored in the directory entry, which maps names to inode numbers.

    fls (file listing) from The Sleuth Kit lists directory entries directly from the raw disk image without mounting it. The partition offset -o 2048 tells TSK where the filesystem starts within the disk image (in 512-byte sectors), exactly the value mmls reported.

  3. Step 3: Extract the file contents with icat
    Use icat with the inode number found in the previous step to extract and print the file contents. icat reads file data blocks directly from the raw image given just the inode number.
    icat -o 2048 dds2-alpine.flag.img <inode_number>

    icat (inode cat) extracts the content of a file given its inode number, reading directly from the raw disk image. This works even for deleted files (whose directory entries have been removed but whose inode and data blocks have not yet been overwritten). It is a key tool in deleted file recovery.

    The workflow of fls (find inode) followed by icat (extract content) is the standard TSK pattern for targeted file recovery from disk images, equivalent to find plus cat on a live filesystem but operating on the raw image. For memory-side forensics with a similar inspect-without-mounting workflow, see Volatility 3 for memory forensics.
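    The three steps above copy numbers by hand from one tool to the next. The POSIX shell helpers below are an added example, not part of the original writeup or of The Sleuth Kit, that parse mmls and fls output in the formats shown above so the chain can be scripted. The sample outputs are constructed to match those formats (including an fls entry marked deleted with "*", which the parser must still handle); the image and file names are the ones from the task, and the end-to-end function only runs when the TSK binaries and the image are present.

```shell
#!/bin/sh
# Added example (not the writeup's own code): helpers that parse mmls and fls
# output so the mmls -> fls -> icat chain can be scripted. The SAMPLE_* texts
# below are constructed in the same shape as the writeup's sample output.

# Print the start sector of the first Linux (0x83) partition in mmls output.
# Usage: mmls_linux_offset "$(mmls image.img)"
mmls_linux_offset() {
    printf '%s\n' "$1" | awk '
        /Linux/ && $3 ~ /^[0-9]+$/ { print $3 + 0; exit }'
}

# Print the inode number of the fls entry whose path contains the given name.
# fls marks deleted entries with "*" and may suffix the inode with "(realloc)",
# so the inode is located by shape (digits followed by ":"), not by column.
# Usage: fls_inode "$(fls -r -p -o 2048 image.img)" down-at-the-bottom.txt
fls_inode() {
    printf '%s\n' "$1" | awk -v name="$2" '
        index($0, name) == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+(\(realloc\))?:$/) {
                    sub(/[(:].*$/, "", $i)
                    print $i
                    exit
                }
            }
        }'
}

# Compose the icat command line for a given offset, image and inode.
icat_cmd() {
    printf 'icat -o %s %s %s' "$1" "$2" "$3"
}

# End to end: locate a file by name and print it from the raw image.
# Requires mmls, fls and icat from The Sleuth Kit on PATH.
recover_file() {
    image="$1"; name="$2"
    off=$(mmls_linux_offset "$(mmls "$image")")
    ino=$(fls_inode "$(fls -r -p -o "$off" "$image")" "$name")
    [ -n "$off" ] && [ -n "$ino" ] || return 1
    icat -o "$off" "$image" "$ino"
}

# Constructed sample outputs (same layout as the writeup's examples).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000262143   0000260096   Linux (0x83)'

SAMPLE_FLS='d/d 11:	lost+found
r/r 18582:	root/down-at-the-bottom.txt
r/r * 18583:	root/scratch.txt'

if command -v mmls >/dev/null 2>&1 && [ -f dds2-alpine.flag.img ]; then
    recover_file dds2-alpine.flag.img down-at-the-bottom.txt
else
    # Offline: show the command the parsed sample values would produce.
    icat_cmd "$(mmls_linux_offset "$SAMPLE_MMLS")" dds2-alpine.flag.img \
             "$(fls_inode "$SAMPLE_FLS" down-at-the-bottom.txt)"
    echo
fi
```

    The inode is matched by its shape rather than by field position because the "*" that fls prints for deleted entries shifts the columns; that is exactly the case where this workflow matters, since icat can still read such a file as long as its inode and data blocks have not been reused.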

Flag

picoCTF{...}

fls lists filesystem entries (including deleted files) by inode; icat extracts a file's content given its inode number - critical for deleted file recovery.
