Timeline 1

Published: March 20, 2026

Description

Can you find the flag in this disk image? Wrap what you find in the picoCTF flag format.

Download and decompress the disk image.

Mount or analyze the image to explore the filesystem and its metadata.

gunzip partition4.img.gz
sudo mount -o loop partition4.img /mnt/disk

Solution

  1. Step 1: Decompress the image
    Extract the raw partition image from the gzip archive.
    gunzip partition4.img.gz

    Raw disk partition images are forensically complete snapshots of a storage partition. Unlike filesystem-level copies (like cp -r), they capture every bit on the partition: live files, deleted files, slack space (unused space within file clusters), unallocated space (sectors not belonging to any file), filesystem journal entries, and all metadata structures. This completeness is essential for forensic analysis where evidence may exist in unexpected locations.

    Timeline-1 is the second part of the timeline challenge series and uses a different disk image than Timeline-0 (note the different URL hash). While both challenges use the same methodology (fls + mactime), the specific filesystem content differs, meaning the flag is in a different location or encoded differently. Treating each disk image as an independent investigation is the correct approach.

  2. Step 2: Build a filesystem timeline
    Use fls -m to produce a body file with MAC timestamps for every inode, then pass it to mactime to produce a sorted timeline CSV.
    fls -m '/' -r partition4.img > body.txt
    mactime -b body.txt -d > timeline.csv

    The Sleuth Kit (TSK) supports multiple filesystem types: ext2/3/4 (Linux), NTFS (Windows), FAT12/16/32 (USB drives, older Windows), HFS+ and APFS (macOS), and more. fls automatically detects the filesystem type from the image headers. The body file format is filesystem-agnostic, so the same mactime command works regardless of the underlying filesystem type, making TSK a universal forensic analysis toolkit.

    Inode-based filesystems (ext4, NTFS) store file metadata (timestamps, permissions, owner) separately from directory entries (name-to-inode mapping). This separation is forensically significant: when a file is deleted, its directory entry is often cleared first, but the inode (with its timestamps) may persist longer. fls -r walks the directory tree recursively and, by default, lists both allocated and deleted entries, so metadata for deleted files is recovered alongside live ones. The -m flag formats this as a body file, one line per entry, carrying that entry's name, inode, mode, owner, size and the four timestamps.

    In a real forensic investigation, the timeline CSV might contain millions of entries for a typical system disk. Analysts use date filters (for example mactime -b body.txt -d -z UTC 2024-01-01..2024-01-02) to focus on specific time windows around known events. For this challenge, the flag is likely to be immediately visible when searching for "picoCTF" in the timeline output.

  3. Step 3: Search the timeline for the flag
    Grep the generated timeline for 'picoCTF'. The flag is embedded as a filename or path visible in the timeline output.
    grep picoCTF timeline.csv
    grep -i flag timeline.csv

    The mactime CSV output includes columns for: date/time of the MAC event, size in bytes, the MAC type (M/A/C/B for Modified/Accessed/Changed/Born), permissions, UID, GID, inode number, and the full file path. Searching for picoCTF in this output will find any filename containing that string, regardless of which column it appears in.

    Filename-based evidence is particularly valuable in forensics because filenames survive in specific scenarios where file content does not. Even if a file is deleted and its blocks overwritten, if the directory entry was not reused, the filename remains recoverable. In its default listing, TSK's fls marks recovered deleted entries with an asterisk (*) before the filename; in the fls -m body file and therefore in the mactime output, the name instead carries a "(deleted)" suffix (or "(deleted-realloc)" when the inode has since been reused). In this challenge, the flag might appear in either an active or deleted file entry.
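    To make Steps 2 and 3 concrete without the tools installed, here is an added example (not code from the writeup and not part of The Sleuth Kit) that parses fls -m body lines, reproduces the part of mactime -d that matters here (one row per entry and timestamp with an m/a/c/b flag string, sorted chronologically), and then runs the case-insensitive name search that grep -i does over the result, flagging deleted entries. The body lines, inode numbers and names below are constructed sample data, not contents of partition4.img.

```python
"""Build a MACB timeline from a Sleuth Kit body file and search it.

Added example for this writeup; it is not TSK code and not the writeup's
own code. It re-implements the part of mactime used here: one row per
(entry, timestamp) with a four-character m/a/c/b flag string, so the
flag-search step can be reasoned about without fls/mactime installed.
"""
import csv
import io
from datetime import datetime, timezone
from typing import List, NamedTuple

# Column order fls -m writes (TSK 3.x body format):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid",
               "size", "atime", "mtime", "ctime", "crtime")

# Constructed sample body lines (not from the challenge image). fls -m
# appends " (deleted)" to names recovered from unallocated entries.
SAMPLE_BODY = """\
0|/etc/hostname|12|r/rrw-r--r--|0|0|6|1710892800|1710892800|1710892800|1710892740
0|/home/user/notes.txt|41|r/rrw-r--r--|1000|1000|120|1710896400|1710893000|1710893000|1710892900
0|/home/user/h1dd3n_n0t3 (deleted)|43|r/rrw-------|1000|1000|0|1710893100|1710893100|1710893200|1710893100
0|/home/user/.cache/picoCTF_sample_str1ng|44|r/rrw-r--r--|1000|1000|33|1710893300|1710893300|1710893300|1710893300
"""


class TimelineRow(NamedTuple):
    when: str      # "YYYY-MM-DD HH:MM:SS" in UTC
    macb: str      # e.g. "m.c." or "macb"
    size: int
    mode: str
    uid: int
    gid: int
    inode: int
    name: str
    deleted: bool  # name carries fls's "(deleted" marker (incl. -realloc)


def parse_body(text: str) -> List[dict]:
    """Split body-file lines into dicts; numeric columns become ints."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split("|")
        if len(parts) != len(BODY_FIELDS):
            raise ValueError(f"malformed body line: {raw!r}")
        e = dict(zip(BODY_FIELDS, parts))
        for k in ("inode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime"):
            e[k] = int(e[k])
        entries.append(e)
    return entries


def build_timeline(entries: List[dict]) -> List[TimelineRow]:
    """One row per (entry, distinct timestamp), flags in m/a/c/b order,
    sorted by time then name, like `mactime -d`. Zero timestamps are skipped."""
    rows = []
    for e in entries:
        per_ts = {}
        for letter, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            ts = e[key]
            if ts:
                per_ts.setdefault(ts, set()).add(letter)
        for ts, letters in per_ts.items():
            flags = "".join(l if l in letters else "." for l in "macb")
            when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            rows.append(TimelineRow(when, flags, e["size"], e["mode"], e["uid"],
                                    e["gid"], e["inode"], e["name"],
                                    " (deleted" in e["name"]))
    return sorted(rows, key=lambda r: (r.when, r.name))


def to_csv(rows: List[TimelineRow]) -> str:
    """Render the timeline in the same column order as mactime -d."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Date", "MACB", "Size", "Mode", "UID", "GID", "Inode", "Name"])
    for r in rows:
        w.writerow([r.when, r.macb, r.size, r.mode, r.uid, r.gid, r.inode, r.name])
    return buf.getvalue()


def search_timeline(rows: List[TimelineRow], needle: str) -> List[TimelineRow]:
    """Case-insensitive substring match on the path column (what grep -i does)."""
    n = needle.lower()
    return [r for r in rows if n in r.name.lower()]


if __name__ == "__main__":
    tl = build_timeline(parse_body(SAMPLE_BODY))
    print(to_csv(tl))
    for r in search_timeline(tl, "picoCTF"):
        print("hit:", r.when, r.macb, r.name, "(deleted)" if r.deleted else "(allocated)")
```

    Running it prints the eight-row timeline and one hit for "picoCTF"; a search for the deleted sample name returns two rows (its m/a/b events and its later c event), both flagged deleted, which is the same information the real mactime output exposes through the "(deleted)" suffix.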

  4. Step 4: Wrap in picoCTF{...} format
    Take the string found in the timeline and wrap it in picoCTF{...} as the challenge instructs.

    The wrapping instruction distinguishes this challenge from challenges where the full flag (including picoCTF{}) is directly embedded. When the challenge says to wrap the found string, it means the filesystem contains an intermediate artifact (a filename, a text string in a file, or a path component) that represents just the inner content of the flag. You must recognize which discovered string is the flag content and manually construct the complete flag.

    This type of challenge builds the important forensic skill of artifact interpretation: not every piece of data found in an investigation is directly useful, and analysts must identify which artifacts are significant and interpret them correctly in context. In real cases, the evidence might be a username in a log file, a timestamp, a file path, or a command argument that needs to be combined with other artifacts to reconstruct the complete picture.

Flag

picoCTF{...}

The flag is encoded as a filename or path in the filesystem timeline. Build with fls -m + mactime, then grep for picoCTF.
