picoCTF Solutions
picoCTF 2026ForensicsEasy

DISKO 4

Published: March 20, 2026

Description

Can you find the flag in this disk image? This time I deleted the file! Let's see you get it now!

Setup

Download disko-4.dd.gz

Download and decompress the disk image.

The flag file has been deleted -- use file carving or inode recovery to retrieve it.

gunzip disko-4.dd.gz

Solution

  1. Step 1Decompress the image
    Extract the raw disk image from the gzip archive.
    gunzip disko-4.dd.gz
  2. Step 2List deleted files
    Use fls with the -d flag to list deleted (unallocated) files still present in the filesystem metadata.
    fls -r -d disko-4.dd
  3. Step 3Recover the deleted file
    Use the inode number from fls to extract the deleted file's contents with icat.
    icat disko-4.dd <inode>

Flag

picoCTF{...}

The flag is in the deleted file recovered via inode carving.