PicoCTF – Disko-1
DISKO 1
Challenge Author: Darkraicg492
Category: Forensics
Description
Can you find the flag in this disk image? Download the disk image here.
Process
- Download the file from the PicoCTF website, or click the above link which says “here”.
- Inspect the format of the file using the “file” command.

    # Determine the file type
    file disko-1.dd.gz

- From the results it is clear that it is compressed using “gzip”; to uncompress it I used the “gzip” command.

    # Decompress the file using gzip
    gzip -d disko-1.dd.gz

- After decompression, I checked the file format once again to see any changes.
- From the above results I observed the change: the file is now a “raw disk image”. These files can be “opened” either by mounting them as a “virtual drive” or by using “forensic analysis tools” (Autopsy).
- Since this kind of challenge was new to me, I researched common methods for analyzing raw disk images. One suggested approach was to search for readable strings within the file to locate potential flags.
- To carry out this step I used the following command.

    strings disko-1.dd | grep picoCTF{

- The command successfully revealed the flag.

    picoCTF{1t5_ju5t_4_5tr1n9_c63b02ef}

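The same search as an added Python example (not part of the original write-up), generalized a little: it reads the image directly from the `.gz` file without unpacking it, reports the byte offset of each hit, and also catches UTF-16LE strings, which plain `strings` skips unless run with `-e l`. The names `scan_image`, `BODY` and `PATTERNS` and the 100-character limit on the flag body are assumptions made for this example.

```python
import gzip
import re

# Printable ASCII except "}" (0x7d); keeps binary noise out of matches.
BODY = rb"[\x20-\x7c\x7e]"
PATTERNS = [
    ("ascii", re.compile(rb"picoCTF\{" + BODY + rb"{1,100}\}")),
    # UTF-16LE: every character is followed by a NUL byte.
    ("utf-16-le", re.compile(
        b"".join(re.escape(bytes([c])) + rb"\x00" for c in b"picoCTF{")
        + rb"(?:" + BODY + rb"\x00){1,100}\}\x00")),
]


def scan_image(path, chunk_size=1 << 20, overlap=256):
    """Return sorted (offset, codec, flag) hits from a raw or gzip'd image.

    `overlap` must be at least the longest possible match (218 bytes for
    the UTF-16LE pattern above).
    """
    # gzip streams start with the magic bytes 1f 8b; anything else is read raw.
    with open(path, "rb") as probe:
        opener = gzip.open if probe.read(2) == b"\x1f\x8b" else open
    hits = set()
    with opener(path, "rb") as stream:
        base, tail = 0, b""  # base = offset inside the image of buf[0]
        while chunk := stream.read(chunk_size):
            buf = tail + chunk
            for codec, pattern in PATTERNS:
                for m in pattern.finditer(buf):
                    hits.add((base + m.start(), codec, m.group().decode(codec)))
            # Keep the last `overlap` bytes so a flag split across two reads
            # is seen whole next time; the set absorbs repeated matches.
            tail = buf[-overlap:]
            base += len(buf) - len(tail)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for off, codec, flag in scan_image(sys.argv[1]):
        print(f"{off:#x}\t{codec}\t{flag}")
```

The offsets refer to positions in the decompressed image, so a hit can be inspected in a hex viewer or matched to a partition or file afterwards.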
Conclusion
This challenge demonstrated a straightforward yet effective forensic technique for analyzing disk images. By identifying the file type, properly decompressing it, and using basic string extraction, the hidden flag was easily discovered. This approach is especially useful when dealing with simple forensic challenges where the data is not heavily obfuscated.
Thank you for taking the time to read this write-up. I hope it was helpful and informative. Happy hacking and good luck with your future CTF challenges! 🚀




