Description
If you can find the flag on this disk image, we can close the case for good! Download the disk image here.
Setup
Disk forensics
Download and decompress the disk image, then ingest it into Autopsy (or another tool that can search across the file system).
Start by surveying the root directory; note the hints left in files like its-all-in-the-name.
wget https://artifacts.picoctf.net/c_titan/63/disk.flag.img.gz && \
gunzip -d disk.flag.img.gz
Solution
- Step 1: Index the evidence. In Autopsy, add disk.flag.img as a data source. The root directory contains force-wait.sh, innocuous-file.txt, and a file literally named its-all-in-the-name. Take the hint.
- Step 2: Search for innocuous-file. Use Autopsy's keyword search for "innocuous-file.txt". You'll find ~14 hits scattered across the image. Each hit shows ASCII data with small chunks of the flag.
- Step 3: Reassemble the fragments. Copy the text from each occurrence in order (the fourth hit starts with "pic", the fifth with "oCT", etc.). Concatenate the fragments to form the complete picoCTF flag.
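The keyword search and in-order reading from Steps 2 and 3 can also be run directly against the raw image. The script below is an added example, not part of the original writeup: it lists every offset of innocuous-file.txt with the printable strings around it. The 64-byte window, the 3-character minimum and the sample bytes are assumptions constructed for illustration.

```python
import mmap
import re
import sys

KEYWORD = b"innocuous-file.txt"              # file name searched for on the page
WINDOW = 64                                  # assumption: bytes of context kept per hit
PRINTABLE = re.compile(rb"[\x20-\x7e]{3,}")  # assumption: fragments are >= 3 ASCII chars


def find_hits(image, keyword=KEYWORD):
    """Return every byte offset of keyword in the image, in ascending order."""
    return [m.start() for m in re.finditer(re.escape(keyword), image)]


def context_strings(image, offset, keyword=KEYWORD, window=WINDOW):
    """Return printable ASCII runs around one hit, with the keyword itself removed."""
    lo = max(0, offset - window)
    hi = min(len(image), offset + len(keyword) + window)
    runs = []
    for m in PRINTABLE.finditer(image[lo:hi]):
        text = m.group().replace(keyword, b"")
        if text:
            runs.append(text.decode("ascii"))
    return runs


def scan(image, keyword=KEYWORD, window=WINDOW):
    """List (offset, nearby strings) for each hit so fragments can be read in order."""
    return [(off, context_strings(image, off, keyword, window))
            for off in find_hits(image, keyword)]


def build_sample():
    """Constructed test image: four hits, three followed by a made-up fragment."""
    image = b""
    for frag in (b"", b"abc", b"DEF", b"{gh"):
        image += b"\x00" * 100 + KEYWORD + b"\x00\x0c\x01" + frag + b"\x00" * 100
    return image


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. python3 scan.py disk.flag.img
        with open(sys.argv[1], "rb") as fh:
            image = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)
            for off, runs in scan(image):
                print(f"{off:#012x}  {runs}")
    else:
        for off, runs in scan(build_sample()):
            print(f"{off:#012x}  {runs}")
```

Hits that sit closer together than the window will show each other's strings, so read the output by offset and discard repeats before concatenating.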
Flag
picoCTF{1_533_n4m35_80d2...}
Piecing together the innocuous-file fragments spells out the flag.