Sleuthkit Apprentice

Published: July 20, 2023

Description

A full disk image hides the flag in `/root/my_folder/flag.uni.txt`. Load the image in Autopsy (or another forensic suite), locate the file, and read its contents.

Decompress the image and add it to Autopsy (New Case → Add Host → Add Image File).

Navigate to `/root/my_folder/flag.uni.txt` via File Analysis.

Export or view the file; the flag appears at the bottom of the Unicode text.

gunzip disk.flag.img.gz
sudo autopsy & # load disk.flag.img via the web UI

Solution

  1. Step 1: Index the image
    Autopsy (or The Sleuth Kit on its own) lets you explore the entire filesystem. Expanding the root directory reveals a suspicious `my_folder` containing `flag.uni.txt`.

    Autopsy is an open-source digital forensics platform built on top of The Sleuth Kit (TSK). It provides a graphical interface for analyzing disk images, recovering deleted files, examining file metadata, and searching content. It's widely used in law enforcement, incident response, and forensic competitions.

    A disk image (like .img) is a sector-by-sector copy of a storage device. It captures not just the visible files but also the filesystem metadata, slack space, deleted file remnants, and unallocated clusters. Working with an image rather than the live device is important: it preserves evidence integrity (hash the image before and after analysis to prove it) and allows repeated analysis without altering the source. Mounting it read-only keeps that guarantee intact.

    The workflow in the Linux web-based Autopsy (2.x, the version started with `sudo autopsy`): create a case, add a host, add the image, then browse the directory tree in File Analysis mode, which works for any filesystem TSK supports (ext2/3/4, NTFS, FAT, and others). The Java-based Autopsy 4 differs slightly: the image is added as a data source, ingest modules (keyword search, file type identification, hash calculation) run in the background, and you browse the tree or use the search interface once they finish. For CTF challenges, either tree view gets you to the full directory structure quickly.

  2. Step 2: Read the Unicode file
    Open or export `flag.uni.txt`; despite the extension, it's plain text with the picoCTF flag embedded near the end.

    The .uni.txt extension hints at a Unicode encoding, most often UTF-16, which stores most characters in 2 bytes (4 for characters outside the Basic Multilingual Plane) versus UTF-8's 1-4 bytes. Many Windows text files use UTF-16 with a Byte Order Mark (BOM) at the start: FF FE for little-endian, FE FF for big-endian. Tools that assume UTF-8 may show the text interleaved with NUL bytes, but the content is still readable with the right encoding setting; check the first bytes (or the output of `file`) rather than trusting the extension.

    In Autopsy, files can be viewed in their raw hex form or as decoded text. The "Text" view handles common encodings automatically. Alternatively, exporting the file and opening it with a hex editor (like wxHexEditor or 010 Editor) lets you inspect the raw bytes and choose the right encoding manually.

    Even without Autopsy, you can mount the disk image on Linux: sudo mount -o loop,ro disk.flag.img /mnt/image. If the image carries a partition table rather than a bare filesystem, run mmls on it first: it prints each partition's start in 512-byte sectors, and you add offset=<start*512> to the mount options. Then navigate the filesystem normally with ls and cat, or use strings to quickly scan for readable content (for UTF-16 text, strings needs -e l to find 16-bit little-endian strings).
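The two manual steps above, computing the mount offset from the partition table and decoding the text file by its BOM, as an added Python example (not part of the original writeup or of Autopsy/TSK). It parses a classic MBR the way mmls would report it and turns the start sector into the byte offset for the mount command, then sniffs the BOM of a text file before searching it for a flag. The MBR, the sample text and the flag value are constructed here for illustration; a GPT-partitioned image would need a different parser (mmls handles both), and the noexec mount option is an extra hardening choice beyond the command shown on the page.

```python
import re
import struct

SECTOR = 512  # mmls and mount both reckon partition starts in 512-byte sectors


def parse_mbr_partitions(mbr: bytes):
    """Parse the four primary entries of a classic MBR partition table.

    Returns, per non-empty slot, the fields mmls prints (slot, type byte,
    start sector, length in sectors) plus the byte offset mount needs.
    GPT images are not handled here; mmls does handle them.
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at bytes 510-511")
    parts = []
    for slot in range(4):
        entry = mbr[446 + 16 * slot:446 + 16 * (slot + 1)]
        ptype = entry[4]                                    # type byte (0x83 = Linux)
        start, length = struct.unpack("<II", entry[8:16])  # LBA start, sector count
        if ptype == 0 or length == 0:
            continue                                        # empty slot
        parts.append({"slot": slot, "type": ptype, "start": start,
                      "length": length, "offset": start * SECTOR})
    return parts


def mount_command(image: str, part: dict, mountpoint: str = "/mnt/image") -> str:
    """Build the read-only loop mount for one partition (offset in bytes)."""
    return (f"sudo mount -o loop,ro,noexec,offset={part['offset']} "
            f"{image} {mountpoint}")


def decode_text(raw: bytes) -> str:
    """Decode a text file by sniffing its BOM; fall back to UTF-8, then Latin-1."""
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8")
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # never fails; keeps strings-style scanning possible


FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def find_flags(text: str):
    """Return every picoCTF{...} token in the decoded text."""
    return FLAG_RE.findall(text)


# --- constructed sample data (hypothetical; not from the challenge image) ---
def build_sample_mbr() -> bytes:
    """A 512-byte MBR with one Linux partition starting at sector 2048."""
    mbr = bytearray(SECTOR)
    entry = struct.pack("<BBBBBBBBII",
                        0x80, 0, 0, 0,   # bootable flag, CHS start (ignored)
                        0x83, 0, 0, 0,   # type 0x83 Linux, CHS end (ignored)
                        2048, 204800)    # LBA start, length in sectors
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


SAMPLE_TEXT = "filler text that precedes the flag\nflag: picoCTF{constructed_example}\n"
SAMPLE_UTF16 = ("\ufeff" + SAMPLE_TEXT).encode("utf-16-le")  # FF FE + UTF-16LE body
SAMPLE_UTF8_BOM = b"\xef\xbb\xbf" + SAMPLE_TEXT.encode("utf-8")

if __name__ == "__main__":
    for p in parse_mbr_partitions(build_sample_mbr()):
        print(f"slot {p['slot']} type 0x{p['type']:02x} start {p['start']} "
              f"len {p['length']} -> {mount_command('disk.flag.img', p)}")
    print(find_flags(decode_text(SAMPLE_UTF16)))
```

On a real image, read the first 512 bytes of disk.flag.img into parse_mbr_partitions and the exported flag.uni.txt into decode_text; the Latin-1 fallback exists so that a file with no BOM and invalid UTF-8 still yields something you can grep rather than an exception.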

Flag

picoCTF{by73_5urf3r_3497...}

Even without Autopsy, you could mount the image read-only and inspect the same path via standard Linux utilities.

Want more picoCTF 2022 writeups?
