Bitlocker-2

Published: April 2, 2025
Updated: December 9, 2025

Description

Jacky improved the BitLocker password, but you captured RAM while the drive was unlocked. Sift through the memory dump to recover the plaintext flag without brute-forcing the disk.

Decompress the memory dump and search it for picoCTF strings (or use Volatility/Autopsy to locate flagged artifacts).

gunzip memdump.mem.gz
strings memdump.mem | grep picoCTF

Solution

  1. Scan the memory image
    Because the drive was mounted when the RAM dump was captured, plaintext copies of the flag remain in memory. `strings memdump.mem | grep picoCTF` reveals multiple hits.
  2. Optional: use Volatility
    Volatility 3’s windows.memory.string plugin (or Autopsy’s Volatility integration) can also search the dump for picoCTF, producing the same string.
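
`strings` without an encoding option extracts only 8-bit text, while Windows keeps much of its in-memory text as UTF-16LE, so a plain `strings | grep` pass can miss copies of the flag. The script below is an added example, not part of the original write-up: it scans a dump in chunks for the `picoCTF{...}` pattern in both encodings and reports the file offset of each hit. The function name `scan`, the 100-character limit on the flag body and the chunk size are assumptions of this example.

```python
import re
import sys

# Constructed pattern: flag body is printable ASCII without braces, max 100 chars (assumption).
BODY = rb"[\x21-\x7a\x7c\x7e]"
PATTERNS = {
    # 8-bit text: what plain `strings | grep` also finds.
    "ascii": re.compile(rb"picoCTF\{" + BODY + rb"{1,100}\}"),
    # UTF-16LE: every character followed by a NUL byte.
    "utf-16-le": re.compile(
        re.escape("picoCTF{".encode("utf-16-le")) + rb"(?:" + BODY + rb"\x00){1,100}\}\x00"
    ),
}
OVERLAP = 256  # bytes carried between chunks; exceeds the longest match (218 bytes)


def scan(stream, chunk_size=16 * 1024 * 1024):
    """Return sorted (file_offset, encoding, text) hits from a binary stream."""
    hits = set()   # a set, because a hit inside the overlap is seen twice
    tail = b""
    base = 0       # file offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for enc, rx in PATTERNS.items():
            for m in rx.finditer(window):
                hits.add((base + m.start(), enc, m.group().decode(enc)))
        tail = window[-OVERLAP:]
        base += len(window) - len(tail)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python scan_flag.py memdump.mem
    with open(sys.argv[1], "rb") as fh:
        for off, enc, text in scan(fh):
            print(f"0x{off:010x}  {enc:<9}  {text}")
```

The offsets it prints can be used to inspect the surrounding bytes in a hex viewer and see which buffer held the plaintext.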

Flag

picoCTF{B1tl0ck3r_dr1v3_d3crypt3d_902...}

No password cracking is necessary because the RAM capture already contains the decrypted flag.