picoCTF Solutions
picoCTF 2026ForensicsMedium

DISKO 4 picoCTF 2026 Solution

Published: March 20, 2026

Description

Can you find the flag in this disk image? This time I deleted the file! Let's see you get it now!

Setup

Download disko-4.dd.gz

Download and decompress the disk image.

The flag file has been deleted - use file carving or inode recovery to retrieve it.

bash
gunzip disko-4.dd.gz

Solution

Walk me through it
  1. Step 1Decompress the image
    Extract the raw disk image from the gzip archive.
    bash
    gunzip disko-4.dd.gz
    Learn more

    A .dd file (named after the dd Unix utility) is a raw sector-by-sector copy of a disk or partition. Unlike archive formats, it preserves every byte including deleted data, slack space, and filesystem metadata. This makes it the standard format for digital forensics - it captures the disk's complete state at the moment of acquisition.

    gzip is a lossless compression format. gunzip file.gz decompresses and removes the .gz file, leaving the raw image. The resulting .dd file is often several gigabytes even for small disk images, because raw disk images include all sectors whether or not they contain data. Use ls -lh disko-4.dd to check the decompressed size.

    Tools for working with disk images include The Sleuth Kit (TSK) suite (mmls, fls, icat), Autopsy (a GUI frontend to TSK), and mount -o loop for read-only filesystem access. For CTF forensics, the TSK command-line tools are preferred for their scriptability.

  2. Step 2List deleted files and find the inode
    Use fls -r -d to enumerate deleted files, then grep for the flag filename to map it to its inode number.
    bash
    fls -r -d disko-4.dd | grep -i flag
    bash
    # Validate the inode before carving:
    bash
    istat disko-4.dd <inode>
    Learn more

    fls (file listing) is a TSK tool that lists files and directories from a filesystem image by reading its metadata structures directly - bypassing the OS. The -d flag shows only deleted files (those with a deallocated inode), and -r recurses into subdirectories. The output includes the inode number, which is needed for the next step.

    When a file is deleted in most filesystems (ext2/3/4, FAT, NTFS), the OS marks the inode as free and removes the directory entry, but does not zero out the data blocks. The file's data persists on disk until those blocks are reallocated for a new file. This is why forensic tools can recover deleted files - the data is still physically present, just invisible to the normal filesystem layer.

    The ext4 filesystem specifically marks inodes with a deletion time (dtime) when they are unlinked. fls -d finds inodes where the deletion time is set. On some filesystems (NTFS), the MFT (Master File Table) retains entries for deleted files until the MFT slot is reused, providing additional metadata like original file name and timestamps.

    Run istat disko-4.dd <inode> before carving to validate the recovery is worth attempting. istat shows the deletion timestamp, file size, and the list of direct/indirect block pointers. If the block pointers are zeroed (some kernels clear them on unlink) or pointing to obviously reallocated blocks, icat will return zeros or garbage and you should switch to file carving (foremost, scalpel) instead.

  3. Step 3Recover the deleted file
    Pipe icat into strings or grep for picoCTF. Be aware: ext4 reallocates blocks aggressively, so if anything was written after the delete, the recovery may be truncated or contain another file's bytes.
    bash
    icat disko-4.dd <inode> | strings | grep picoCTF
    bash
    icat disko-4.dd <inode> > recovered.bin && file recovered.bin
    Learn more

    icat (inode concatenate) is a TSK tool that reads the data blocks pointed to by an inode and outputs them to stdout. Even for deleted files where the directory entry is gone, the inode may still contain valid block pointers if the blocks have not been overwritten. Running icat disko-4.dd 42 recovers the data of inode 42 regardless of its deletion status.

    The reliability of recovery depends on what happened after deletion. If the disk was idle after the file was deleted (as in most CTF challenges), all original data blocks are intact. If the system continued to run and create files, some blocks may have been reallocated and overwritten. In that case, partial recovery is possible using file carving tools like foremost or photorec, which scan raw disk data for file format signatures (magic bytes).

    This technique is used in real digital forensics investigations to recover evidence after suspects attempt to delete it. Simply deleting files, even emptying the recycle bin, is insufficient to destroy evidence. Full disk overwriting (multiple passes of random data, as specified by the DoD 5220.22-M standard) or physical destruction is required for secure deletion - and even then, forensic labs sometimes recover data from damaged drives using electron microscopy.

    For more on the surrounding command-line forensic workflow, see the Linux CLI for CTF post.

Flag

picoCTF{...}

The flag is in the deleted file recovered via inode carving.

Want more picoCTF 2026 writeups?

Browse picoCTF 2026Full library

Useful tools for Forensics

Related reading

What to try next