Sleuthkit Intro

Published: July 20, 2023

Description

Given a disk image, run `mmls` to determine the Linux partition size. Provide that number to the checker service to receive the flag.

Unzip the image and run `mmls disk.img` to display the partition table.

Note the size (in sectors) of the Linux partition.

Connect to the checker (`nc saturn.picoctf.net 52472`) and submit the size when prompted.

```
gunzip disk.img.gz
mmls disk.img
nc saturn.picoctf.net 52472
```

Solution

  1. Step 1: Use Sleuth Kit's `mmls`
    `mmls` prints a partition map showing the start/length of each slice. The challenge specifically asks for the Linux partition length.

    The Sleuth Kit (TSK) is a collection of open-source command-line tools for forensic analysis of disk images and filesystems. The name prefix `mm` stands for "media management": these tools operate at the partition layer, below the filesystem. `mmls` reads the partition table and lists each partition with its start sector, end sector, and length.

    A partition table (MBR or GPT) lives at the very start of a disk and describes how storage is divided. Each partition entry records the starting sector, size in sectors, and partition type. Common Linux partition types: 0x83 (Linux filesystem), 0x82 (Linux swap), 0x8e (Linux LVM). Sectors are typically 512 bytes each on traditional drives.

    Understanding partition layout is foundational for disk forensics: to mount a specific partition from an image, you need its byte offset (`start_sector × 512`). For example: `sudo mount -o loop,offset=1048576 disk.img /mnt/part`. The `mmls` output provides exactly the information needed to calculate this offset.

  2. Step 2: Report the size
    Connect to the provided netcat service and enter the numeric length; if it is correct, the service returns the flag.

    This challenge pattern - where you must submit a forensic finding to a remote verification service - simulates the evidence-gathering workflow in real investigations. You analyze an artifact (disk image), extract a specific piece of information (partition size), and report it accurately.

    Partition sizes are measured in sectors (logical blocks, typically 512 bytes). The total size in bytes is length_sectors × sector_size. Modern drives use 4096-byte physical sectors (4K sectors or "Advanced Format"), but still present 512-byte logical sectors for compatibility - this distinction is important for alignment calculations in forensic mounting.

    The Sleuth Kit tool family includes: `mmls` (partition listing), `fsstat` (filesystem statistics), `fls` (file listing including deleted files), `icat` (extract file by inode number), and `blkcat` (read raw blocks). Together they provide complete filesystem analysis without needing to mount the image, which is important when preserving evidence integrity.
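As an added example (not part of the original writeup, and not Sleuth Kit's own code), here is a small Python parser for `mmls` output that carries out the arithmetic from both steps above: it reads the sector size from the "Units are in" header, computes each partition's byte offset (`start_sector × sector_size`) and byte length (`length_sectors × sector_size`), checks that the inclusive End column agrees with Length, tests 4K alignment of the start offset, and builds the loop-mount command from Step 1. The `mmls` text below is a constructed sample with made-up sector numbers, not the challenge image's real partition table; the `ro` mount option is my addition for read-only evidence handling, not something the page's command used.

```python
import re
from dataclasses import dataclass

# Constructed sample of `mmls` output for a DOS (MBR) partition table.
# The sector numbers are invented for this example; they are not the
# values from the challenge image.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0000411647   0000204800   Linux Swap / Solaris x86 (0x82)
004:  000:002   0000411648   0000819199   0000407552   Linux (0x83)
"""

UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
# index:  slot  start  end  length  description
ROW_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


@dataclass(frozen=True)
class Partition:
    index: int
    slot: str
    start: int        # first sector
    end: int          # last sector (inclusive, as mmls prints it)
    length: int       # size in sectors
    description: str
    sector_size: int  # bytes per logical sector, taken from the mmls header

    @property
    def byte_offset(self) -> int:
        """Value to pass to mount -o offset=... (start_sector * sector_size)."""
        return self.start * self.sector_size

    @property
    def byte_length(self) -> int:
        """Partition size in bytes (length_sectors * sector_size)."""
        return self.length * self.sector_size

    @property
    def consistent(self) -> bool:
        """End is inclusive, so End - Start + 1 must equal Length."""
        return self.end - self.start + 1 == self.length

    def aligned(self, boundary_bytes: int = 4096) -> bool:
        """True if the start offset sits on a boundary (default: 4K physical sector)."""
        return self.byte_offset % boundary_bytes == 0


def parse_mmls(text: str) -> list[Partition]:
    """Parse mmls text into Partition rows, honouring the header's sector size."""
    sector_size = 512  # mmls default; overridden by the "Units are in" line
    parts = []
    for line in text.splitlines():
        m = UNITS_RE.search(line)
        if m:
            sector_size = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            idx, slot, start, end, length, desc = m.groups()
            parts.append(Partition(int(idx), slot, int(start), int(end),
                                   int(length), desc, sector_size))
    return parts


def linux_filesystem_partitions(parts: list[Partition]) -> list[Partition]:
    """Rows mmls labels as a Linux filesystem (type 0x83 on MBR), skipping the
    partition-table metadata row, unallocated gaps, swap and LVM."""
    return [p for p in parts
            if p.slot not in ("Meta", "-------")
            and p.description.startswith("Linux")
            and "Swap" not in p.description
            and "LVM" not in p.description]


def mount_command(p: Partition, image: str = "disk.img",
                  mountpoint: str = "/mnt/part") -> str:
    """Read-only loop mount of one partition at its computed byte offset."""
    return f"sudo mount -o ro,loop,offset={p.byte_offset} {image} {mountpoint}"


if __name__ == "__main__":
    for p in linux_filesystem_partitions(parse_mmls(SAMPLE_MMLS)):
        print(f"slot {p.slot}: {p.length} sectors = {p.byte_length} bytes, "
              f"offset {p.byte_offset}, aligned={p.aligned()}, ok={p.consistent}")
        print("  " + mount_command(p))
```

On the sample table the first Linux row starts at sector 2048, which gives the 1048576-byte offset used in the Step 1 mount command; the `aligned()` check is the 4K-sector concern from Step 2, since a start offset that is not a multiple of 4096 would straddle physical sectors on an Advanced Format drive.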

Flag

picoCTF{mm15_f...}

Getting comfortable with Sleuth Kit tools is foundational for disk forensics challenges.
