Timeline 0

Published: March 20, 2026

Description

Can you find the flag in this disk image? Wrap what you find in the picoCTF flag format.

Download and decompress the disk image.

Mount or analyze the image to explore the filesystem.

gunzip partition4.img.gz
sudo mount -o loop partition4.img /mnt/disk

Solution

  1. Step 1: Decompress the image
    Extract the raw partition image from the gzip archive.
    gunzip partition4.img.gz

    gzip is a lossless compression format based on the DEFLATE algorithm, commonly used to compress files for distribution. The .gz extension indicates a gzip-compressed file. gunzip decompresses it in place, removing the .gz extension. The resulting .img file is a raw byte-for-byte copy of a disk partition, including all filesystem structures, file data, and unallocated space.

    Disk images (raw, dd-format) capture everything on a storage device - not just the files, but also filesystem metadata (inodes, directory entries, timestamps), deleted files (data still present in unallocated sectors), and filesystem journal entries that record recent changes. This makes raw disk images the gold standard for digital forensics: they preserve all the evidence that a live filesystem might hide or modify during access.

  2. Step 2: Build a filesystem timeline
    Use fls -m to produce a body file with all file metadata (MAC times), then pass it to mactime to generate a human-readable timeline sorted by timestamp.
    fls -m '/' -r partition4.img > body.txt
    mactime -b body.txt -d > timeline.csv

    fls (file listing) is part of The Sleuth Kit (TSK), an open-source digital forensics toolkit. Unlike the standard ls command, which shows the live filesystem state, fls reads the raw disk image and extracts metadata for all files - including deleted files whose directory entries still exist but whose inode has been marked as free. The -m '/' flag selects body file output (pipe-delimited) and prefixes every path with '/' as the mount point, and -r recurses through all directories.

    The body file format records each file's MAC times: Modified (file content last changed), Accessed (file last read), and Changed (inode metadata last changed, also called "ctime"). mactime takes a body file and produces a chronological timeline sorted by these timestamps. This timeline is a core artifact in forensic investigations: it shows the sequence of file system activity, making it possible to reconstruct what happened and when.

    Filesystem timeline analysis is fundamental to digital forensics investigations. In real incidents, analysts build timelines to correlate file creation, modification, and access events with known attack timestamps, log entries, and user activity. The challenge author hid the flag as a filename so it appears directly in the timeline output - in real forensics, analysts look for suspicious file names, unusual timestamps (files modified in the future, or at exactly midnight), and patterns of activity that indicate automated malware behavior.

  3. Step 3: Search the timeline for the flag
    Grep the timeline for 'picoCTF' to find the filename or path that contains the flag. The flag text is embedded in a filename or file path visible in the timeline.
    grep picoCTF timeline.csv
    grep -i flag timeline.csv

    Hiding data in filenames and directory names is a clever forensic challenge technique: the data exists in the filesystem metadata (directory entries) rather than file content, so tools that only extract file contents will miss it. The timeline approach works because fls reads directory entries directly from the disk image structure and outputs the full path of every file, including its name. This is the same reason filesystem timeline analysis can recover evidence even after files are deleted - the filename remains in the directory entry until that space is overwritten.

    In real forensic investigations, unusual filenames are significant indicators. Malware often creates files with names designed to blend in (e.g., svchost32.exe mimicking the legitimate svchost.exe) or to hide in plain sight in system directories. Exfiltration tools sometimes store collected data in files with innocuous names in temp directories. The timeline makes it easy to spot newly created files in unusual locations at suspicious times.

  4. Step 4: Wrap in picoCTF{...} format
    The challenge says to wrap what you find in picoCTF{...} format. Take the string from the timeline output and wrap it.

    The challenge instructs you to "wrap what you find" because the actual flag content appears in the timeline without the picoCTF{} wrapper - the filename or path contains just the inner content. This is a common CTF convention where challenges tell you the flag format explicitly when the discovered string needs wrapping. It prevents ambiguity about which part of the output constitutes the flag.

    This pattern of encoding information in filesystem metadata (filenames, timestamps, extended attributes, or directory structure) rather than file content is a real-world data hiding technique. Alternate Data Streams (ADS) on NTFS filesystems, extended attributes on Linux filesystems, and resource forks on macOS HFS+ are all metadata storage locations that can hide data from casual inspection while being visible to forensic tools. Digital forensics practitioners must know to look beyond file contents into all available metadata channels.
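To make Steps 2 and 3 concrete, here is an added example (not code from this writeup or from The Sleuth Kit) that does in Python what fls -m and mactime -d do between them: it parses the pipe-delimited body file format, expands each entry into per-timestamp events with the familiar "macb" flags, renders them in mactime's CSV column order, then runs the two checks the writeup describes - a grep-style name search and a scan for unusual timestamps (in the future relative to acquisition, or at exactly midnight). The body lines, the inode numbers and the acquisition time are constructed sample data, not taken from the challenge image.

```python
"""Minimal mactime-style timeline builder for TSK body files.

Added example; not code from the writeup or from The Sleuth Kit. It parses the
11-field body format that `fls -m` emits
(MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) and expands each
entry into per-timestamp events with 'macb' flags, then runs the kind of
checks an analyst does on the result. All body lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample body file: two ordinary files, a file whose name carries
# the string we are hunting for, a deleted file (fls appends "(deleted)"),
# and a script whose mtime/atime lie in the future relative to acquisition.
SAMPLE_BODY = """\
0|/etc/hostname|12|r/rrw-r--r--|0|0|8|1700000000|1699990000|1699990000|1699990000
0|/home/user/notes.txt|44|r/rrw-r--r--|1000|1000|120|1700003600|1700003600|1700003600|1700000000
0|/home/user/picoCTF_is_in_the_name|45|r/rrw-r--r--|1000|1000|0|1700007200|1700007200|1700007200|1700007200
0|/tmp/.cache/stage2.bin (deleted)|71|r/rrw-------|1000|1000|4096|1700006400|1700006400|1700006400|1700006400
0|/var/tmp/update.sh|88|r/rrwxr-xr-x|0|0|512|1900000000|1900000000|1700011000|1700011000
"""

ACQUIRED_AT = 1700100000  # assumed acquisition time of the image (epoch seconds)


def parse_body(text):
    """Parse body-format lines into dicts; skips blank and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 11:
            continue
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = parts
        records.append({
            "name": name, "inode": inode, "mode": mode,
            "uid": uid, "gid": gid, "size": int(size),
            "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
            "deleted": "(deleted)" in name,
        })
    return records


def build_timeline(records):
    """Expand records into (epoch, 'macb' flags, record) events, as mactime does.

    Timestamps that coincide for one file are merged into a single event whose
    flag string has a letter in each matching position and '.' elsewhere.
    """
    events = []
    for rec in records:
        by_time = defaultdict(set)
        for flag, ts in rec["times"].items():
            if ts > 0:  # mactime ignores zero (unset) timestamps
                by_time[ts].add(flag)
        for ts, flags in by_time.items():
            flag_str = "".join(f if f in flags else "." for f in "macb")
            events.append((ts, flag_str, rec))
    events.sort(key=lambda e: (e[0], e[2]["name"]))
    return events


def format_event(ts, flags, rec):
    """Render one event in the column order of mactime -d (comma-delimited)."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when},{rec['size']},{flags},{rec['mode']},{rec['uid']},{rec['gid']},{rec['inode']},{rec['name']}"


def search_names(events, needle):
    """Case-insensitive name search: the equivalent of grep -i on timeline.csv."""
    return sorted({rec["name"] for _, _, rec in events if needle.lower() in rec["name"].lower()})


def find_anomalies(events, acquired_at=ACQUIRED_AT):
    """Flag events an analyst looks at first: future timestamps and exact-midnight times."""
    out = []
    for ts, flags, rec in events:
        if ts > acquired_at:
            out.append(("future", rec["name"], flags))
        elif ts % 86400 == 0:
            out.append(("midnight", rec["name"], flags))
    return out


if __name__ == "__main__":
    tl = build_timeline(parse_body(SAMPLE_BODY))
    for ev in tl:
        print(format_event(*ev))
    print("name hits:", search_names(tl, "picoctf"))
    print("anomalies:", find_anomalies(tl))
```

Run as-is to see the eight events the five sample entries expand into; the deleted file keeps its name in the timeline because fls read it from the directory entry, which is the point of Step 3, and the future-dated script shows up as "ma.." while its ctime/birth event stays in the normal range, the kind of split an analyst would not see from file contents alone.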

Flag

picoCTF{...}

The flag is encoded as a filename or path visible in the filesystem timeline. Build it with fls -m + mactime, then grep for picoCTF.
