Pitter, Patter, Platters (picoCTF2020)
The challenge is categorized in Digital Forensics , as said “Suspicious” is written all over this disk image. This might be a big hint according to how the challenge title is and how the description is!
Download the file “suspicious.dd.sda1”
The first thing was to download the file and followed by investigating on the file, coming back to the challenge the hint says “It may help to analyze this image in multiple ways: as a blob, and as an actual mounted disk.” According to the hint given the only tool I could think of would be Autopsy ! know more about Autopsy.
Launch Autopsy & Investigate
Then after creating the case and the host , which is the first steps of setting up a case in autopsy , then you will have to open the case ,After opening the case, I clicked on Analyze then I clicked on File Analysis which allowed me to observe the directories which were in the partition! and at the directory list there is a file written “suspicious-file.txt” and its inode number is 12 , I went to meta data option from the top panel and inserted the inode number, after observing it for a few seconds I saw a Direct block with Fragment number 2049
There is a fascinating ASCII text that appeared after I chose to view on the display block:
ASCII Contents of Fragment 2049 in suspicious.dd.sda1-0-0
Nothing to see here! But you may want to look here -->
}.6.f.a.0.9.2.5.f._.3.<._.|.L.m._.1.1.1.t.5._.3.b.{.F.T.C.o.c.i.p........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................It looks like a flag from the following string “}.6.f.a.0.9.2.5.f._.3.<._.|.L.m._.1.1.1.t.5._.3.b.{.F.T.C.o.c.i.p” but it’s reversed so what is to be done here is basically simple and easy ,as I am pretty sure it is the flag so I am going to reverse it by typing it backward which is an easy simple methodology ……..
Just like that and the flag was captured !
NOTE: The Flag Changes , tho the steps and methodologies used here can also be used to obtain the flag!
