DISKO 1

Published: March 5, 2024. Updated: December 9, 2025

Description

A compressed disk image is hiding something. Decompress it and search for the flag stored as a plain string inside the FAT32 filesystem.

Download `disko-1.dd.gz` from the picoGym challenge page (requires a picoCTF account).

Decompress the image and verify its type.

```
gunzip disko-1.dd.gz
file disko-1.dd
```

Solution

  1. Step 1: Decompress and identify the disk image
    Run `gunzip disko-1.dd.gz` to produce the raw `.dd` image. Running `file disko-1.dd` reports a DOS/MBR boot sector with a FAT32 filesystem - a straightforward layout with no hidden partitions.
    ```
    gunzip disko-1.dd.gz
    file disko-1.dd
    ```

    Disk images are bit-for-bit copies of storage media stored as regular files. The .dd format is a raw binary dump produced by the dd utility (or forensic equivalents like dcfldd). Compressing disk images with gzip is standard practice because raw images often contain large regions of zero bytes that compress dramatically. The gunzip command decompresses in place, replacing the .gz archive with the original file.

    The file command identifies file formats by reading magic bytes - a fixed byte signature at the start of the file that identifies its type, independent of the filename extension. For disk images, file reports the partition table type (MBR or GPT) and the filesystem of the first partition. Knowing the filesystem type (FAT32, ext4, NTFS, etc.) tells you which forensic tools can parse it and what kind of metadata structures to expect.

  2. Step 2: Search for the flag with strings
    Run `strings` on the raw disk image and pipe through `grep -i pico`. The flag is stored as a plain ASCII string directly inside the filesystem and is visible immediately - no mounting or filesystem tools needed.
    ```
    strings disko-1.dd | grep -i pico
    ```

    The strings command scans a binary file for sequences of printable ASCII characters of a minimum length (default 4). It works directly on raw disk images without mounting, making it a fast first-pass tool in forensics. Any file content, filesystem metadata, directory entries, or deleted fragments that contain readable text appear in the output.

    In a real forensic investigation, strings alone is insufficient because it provides no context about which file contained the text or its location on disk. For deeper analysis, The Sleuth Kit tools - fls to list files by inode, icat to extract a file by inode number, and fsstat for filesystem statistics - give complete visibility into the file structure. For DISKO 1, the flag is embedded as a plain string with no obfuscation, so strings | grep is all that is needed.

    The -i flag to grep makes the search case-insensitive. Always use it when searching for pico, because some challenges embed flags in all-caps metadata or filenames (FAT directory entries store short names in upper case) that a case-sensitive search for picoCTF alone would miss.
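To make the two steps above concrete, here is an added example (not part of the original writeup or of any picoCTF tooling) that re-implements in Python what `file` and `strings | grep -i` do on a raw image: it checks the boot-sector magic bytes (the `0x55AA` signature at offset 510 and the `FAT32   ` label at offset 82), then scans for runs of at least four printable ASCII bytes and filters them case-insensitively. The 1 KiB sample image, the flag inside it and the all-caps `PICOFLAG TXT` directory-style name are all constructed for the example; the real DISKO 1 flag is not used.

```python
"""Toy re-implementation of the checks used in this writeup: magic-byte
identification of a FAT32 boot sector (what `file` reports) and a
printable-string scan with a case-insensitive filter (what `strings | grep -i`
does). Added example; the sample image and flag below are constructed."""
import re
import sys

# Constructed placeholder flag; not the real DISKO 1 flag.
SAMPLE_FLAG = b"picoCTF{c0nstructed_3xample_fl4g}"


def build_sample_image() -> bytes:
    """Build a 1 KiB stand-in for the first sectors of a FAT32 image.

    Only the fields that `file` keys on are populated; everything else is zero,
    which is also why real raw images gzip so well."""
    img = bytearray(1024)
    img[0:3] = b"\xeb\x58\x90"                  # x86 jump typical of FAT boot sectors
    img[3:11] = b"MSWIN4.1"                     # OEM name
    img[11:13] = (512).to_bytes(2, "little")    # bytes per sector
    img[82:90] = b"FAT32   "                    # FAT32 filesystem-type label at offset 82
    img[510:512] = b"\x55\xaa"                  # boot-sector signature
    # Plain ASCII flag dropped into an otherwise empty data region.
    img[600:600 + len(SAMPLE_FLAG)] = SAMPLE_FLAG
    # Constructed all-caps 8.3-style name, the kind of thing `grep pico` (no -i) misses.
    img[700:712] = b"PICOFLAG TXT"
    return bytes(img)


def identify_image(img: bytes) -> str:
    """Return a coarse type label from boot-sector magic bytes, like `file`."""
    if len(img) < 512 or img[510:512] != b"\x55\xaa":
        return "unknown"
    if img[82:90] == b"FAT32   ":
        return "DOS/MBR boot sector, FAT32"
    if img[54:62] in (b"FAT12   ", b"FAT16   "):
        return "DOS/MBR boot sector, " + img[54:62].decode("ascii").strip()
    return "DOS/MBR boot sector"


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Like `strings`: runs of at least min_len printable ASCII bytes (0x20-0x7e)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_candidate_flags(data: bytes, needle: str = "pico",
                         ignore_case: bool = True) -> list[str]:
    """Like `grep` (ignore_case=False) or `grep -i` (ignore_case=True)."""
    if ignore_case:
        needle = needle.lower()
        return [s for s in extract_strings(data) if needle in s.lower()]
    return [s for s in extract_strings(data) if needle in s]


if __name__ == "__main__":
    # Pass a real .dd path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print("type:", identify_image(data))
    for s in find_candidate_flags(data):
        print("candidate:", s)
```

Run without arguments to see the constructed sample classified as FAT32 and both the flag and the upper-case name reported; pass `ignore_case=False` (or drop `-i` in the real pipeline) and the upper-case entry disappears, which is the point of Step 2's caveat. The string scanner deliberately reports no file or offset context, mirroring the limitation the writeup notes about `strings` versus The Sleuth Kit.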

Flag

picoCTF{1t5_ju5t_4_5tr1n9...}

The flag lives as a plain string in the FAT32 image. `strings disko-1.dd | grep -i pico` finds it on the first try.
