Forensics

This is a forensics challenge from picoCTF (challenge ID 519). The goal is to recover a corrupted image file and extract the flag. The walkthrough includes exact commands, outputs, and common pitfalls encountered during solving. Challenge Setup Platform: picoCTF Practice Category: Forensics Difficulty: Beginner-Intermediate File: Download the provided “file” (no extension) Work in a fresh directory: mkdir picoctf-519 && cd picoctf-519 Initial File Analysis Run the basic file type check: $ file file file: data The “data” result indicates the file command cannot identify the format. Use hexdump for deeper inspection: ...

Challenge: Hidden in Plainsight Short summary: the image contains a Base64-encoded hint in its JPEG comment. That hint decodes to a string which itself is Base64-encoded — the result is the passphrase for steghide. Use steghide to extract flag.txt, then cat the file to read the flag. Fetch the challenge file If you haven’t downloaded the file yet, use curl or wget: # with curl curl -O https://challenge-files.picoctf.net/c_saffron_estate/25925d893c04723f46e8d1412559b15ef58509751801aac366c65441fed3e40e/img.jpg # or with wget wget https://challenge-files.picoctf.net/c_saffron_estate/25925d893c04723f46e8d1412559b15ef58509751801aac366c65441fed3e40e/img.jpg What this does: ...

Challenge: Log Hunt Short version: a plain text server log contained the flag split across repeated log entries. A few simple POSIX utilities (grep, awk, uniq, head, tr) and a tiny bit of shell plumbing reveal the flag. Below is a clean, reproducible walk-through with explicit command explanations so you know not only what to run, but why each step works. Setup and file inspection Download the provided file: https://challenge-files.picoCTF.net/c_saffron_estate/1a0b2a2a67149850cd0e6d34da005c381bbbed4c558e529fec8b3be3f8619046/server.log Open a terminal and inspect the file with some basics: ...

Challenge: Riddle Registry Every digital file has a story to tell — some louder than others. In this picoCTF forensics challenge, our mission was simple on paper (pun intended): find the flag hidden inside a PDF file. Of course, as any seasoned Linux user knows, “simple” often means “prepare for several hours of creative command-line archaeology.” The Setup Challenge: A suspicious-looking PDF file Goal: Find the flag Category: Forensics Opening the file showed nothing but Lorem Ipsum text and some odd blank spaces. That’s usually a hint in CTFs — if you can’t see it, it’s probably hidden somewhere else. ...

PicoCTF Writeup – Forensics Disk Image Challenge: Disk, disk, sleuth! Description: Can you find the flag in this disk image? Download the disk image here. First Thoughts This challenge was tagged forensics, which usually means poking around filesystems, memory dumps, or raw disk images. The goal is to extract hidden information — in this case, the flag. I grabbed the disk image (disko-1.dd) and started experimenting. Initial Attempts My first instinct was to take a look at the raw hex using xxd: ...