Description
If you can find the flag on this disk image, we can close the case for good! Download the disk image here.
Setup
Download and decompress the disk image, then ingest it into Autopsy (or another tool that can search across the file system).
Start by surveying the root directory; note the hints left in files like its-all-in-the-name.
wget https://artifacts.picoctf.net/c_titan/63/disk.flag.img.gz && \
gunzip -d disk.flag.img.gz
Solution
- Step 1: Index the evidence
In Autopsy, add disk.flag.img as a data source. The root directory contains force-wait.sh, innocuous-file.txt, and a file literally named its-all-in-the-name. Take the hint.
Learn more
Autopsy is an open-source digital forensics platform built on top of The Sleuth Kit (TSK). It ingests disk images and provides a GUI for browsing file systems, running keyword searches, viewing deleted files, and analyzing file metadata - all without modifying the evidence.
A disk image (.img) is a sector-by-sector copy of a storage device. The .gz extension means it's gzip-compressed to save space; gunzip decompresses it before analysis. Disk images preserve everything: file contents, metadata, slack space, deleted file remnants, and even data in unallocated sectors - making them richer evidence than a simple file copy.
The hint file named its-all-in-the-name is a common CTF technique: the solution method is encoded in the file name itself. Paying attention to file and directory names is always part of a thorough forensic survey. In real investigations, unusual file names (especially ones that look like system names) are flagged for further examination.
Autopsy's data source ingest runs automated modules: hash calculation, EXIF extraction, keyword indexing, and more. Waiting for ingest to complete before diving in ensures all the data is available for searching. In time-sensitive investigations, analysts sometimes start examination while ingest runs in the background.
- Step 2: Search for innocuous-file
Use Autopsy's keyword search for "innocuous-file.txt". You'll find ~14 hits scattered across the image. Each hit shows ASCII data with small chunks of the flag.
Learn more
Keyword search in forensics tools scans every byte of the disk image - including file contents, file names, metadata fields, and unallocated space - for matching strings. This is why forensics software can find data even from deleted files: the bytes remain on disk until overwritten, and keyword search finds them regardless of whether the file system still references them.
Finding 14 hits for a single filename across a disk image is a classic slack space and inode reuse pattern. When a file is deleted, its directory entry and inode may be reused for new files, but the old data blocks often remain. The multiple hits represent different generations of the file that were created, deleted, and partially overwritten over time.
The ASCII "chunks of the flag" appear because the flag was written incrementally or was split across multiple writes. This is a realistic forensics scenario: investigators often find sensitive data fragmented across a disk, requiring manual or automated reassembly to recover the complete artifact.
In real digital forensics, keyword search hits must be carefully contextualized. The same string appearing 14 times might indicate file copies, backup snapshots, swap file entries, or journal entries from a journaling file system. Each hit's surrounding context (sector offset, file system path, timestamps) helps determine which is the authoritative copy.
- Step 3: Reassemble the fragments
Copy the text from each occurrence in order (the fourth hit starts with "pic", the fifth with "oCT", etc.). Concatenate the fragments to form the complete picoCTF flag.
Learn more
Data carving is the technique of extracting files or data from a disk image based on content patterns rather than file system metadata. Here, you're manually carving by identifying flag fragments and reassembling them - a process that automated carvers like foremost, scalpel, and PhotoRec perform for known file types.
The fragment ordering (hit 4 starts with "pic", hit 5 with "oCT") means the fragments are interleaved with other data in the correct logical order. This pattern suggests the flag was written to a file that was repeatedly updated, with each update creating a new on-disk fragment while the previous one remained in unallocated space.
Manual fragment reassembly is a realistic forensics skill. In real cases, deleted chat messages, document revisions, or database records are recovered by finding their fragments scattered across a disk and stitching them together using known delimiters or format headers. Tools like EnCase and FTK Imager provide visual hex viewers that make this process easier.
This challenge also illustrates why secure deletion matters. Simply deleting a file leaves its data on disk. Secure deletion tools overwrite the data blocks with zeros or random data, preventing recovery. On SSDs, wear leveling and TRIM commands complicate both secure deletion and data recovery, making flash storage forensics a specialized field.
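
The keyword search and reassembly from Steps 2 and 3, scripted against a raw image, as an added example that is not part of the original writeup. The sample image, its record layout (file name, four NUL bytes, then a fragment) and the DEMO{...} string are constructed for illustration; joining fragments in on-disk order follows the walkthrough and is an assumption for any other image.

```python
import io
import re

KEYWORD = b"innocuous-file.txt"              # file name searched for in Step 2
SECTOR = 512                                 # assumed sector size, used for reporting only
PRINTABLE = re.compile(rb"[\x20-\x7e]{3,}")  # printable ASCII run of 3+ characters

def find_hits(stream, keyword, chunk_size=1 << 20):
    """Yield absolute offsets of keyword; chunks overlap so no hit is lost at a boundary."""
    stream.seek(0)
    base, buf = 0, b""
    while chunk := stream.read(chunk_size):
        buf += chunk
        pos = buf.find(keyword)
        while pos != -1:
            yield base + pos
            pos = buf.find(keyword, pos + 1)
        # Keep a tail shorter than the keyword: enough to complete a split hit,
        # too short to report the same hit twice.
        keep = buf[-(len(keyword) - 1):] if len(keyword) > 1 else b""
        base += len(buf) - len(keep)
        buf = keep

def fragment_after(stream, offset, skip, window=64):
    """First printable run in the bytes that follow a hit, or '' if there is none."""
    stream.seek(offset + skip)
    m = PRINTABLE.search(stream.read(window))
    return m.group().decode("ascii") if m else ""

def recover(stream, keyword=KEYWORD, chunk_size=1 << 20):
    """Return ([(offset, sector, fragment)], fragments joined in on-disk order)."""
    hits = list(find_hits(stream, keyword, chunk_size))  # finish scanning before seeking
    report = [(off, off // SECTOR, fragment_after(stream, off, len(keyword))) for off in hits]
    return report, "".join(frag for _, _, frag in report)

def build_sample_image():
    """Constructed 8 KiB image; the record layout here is an assumption, not the real disk."""
    img = bytearray(8 * 1024)
    records = [(300, b""), (1020, b"DEM"), (2600, b"O{c"), (4090, b"0ns"),
               (5000, b"tru"), (6100, b"ct3"), (7000, b"d!}")]
    for off, frag in records:
        rec = KEYWORD + b"\x00" * 4 + frag
        img[off:off + len(rec)] = rec
    return bytes(img)

if __name__ == "__main__":
    report, text = recover(io.BytesIO(build_sample_image()), chunk_size=1024)
    for off, sector, frag in report:
        print(f"offset {off:>5}  sector {sector:>2}  fragment {frag!r}")
    print("reassembled:", text)
```

Recording the byte offset and sector of every hit, including hits that carry no fragment, keeps the reassembly reproducible and lets each fragment be checked in a hex viewer.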
Flag
picoCTF{1_533_n4m35_80d2...}
Piecing together the innocuous-file fragments spells out the flag.