
InfoSec CTF – Trace

a silent mark left behind, barely visible yet holding the entire story for those patient enough to follow it.

Trace Forensics Write-up

Category: Forensics
Prompt: a silent mark left behind, barely visible yet holding the entire story for those patient enough to follow it.
Artifact: ⬇️ Trace.zip
Flag format: FlagY{…}


Intro

Small image, small filesystem, one quiet clue. The goal was to look past the empty root and follow the tiny marks left in unallocated space until the picture reveals itself.


Challenge Description

We are given a 50 MB disk image named Trace.img. There are no obvious files in the root. The task is to find what is hidden and recover the flag. The hint suggests a “silent mark,” so signature carving from unallocated space is the likely path.


Steps

1) Integrity and quick triage
• Compute hashes of Trace.img (SHA-256 and MD5) to record an integrity baseline for the chain of custody.
• Note image size ≈ 50,000,000 bytes.

8691f83cd775630323c0a9ef1c4d190e557c91bb6eb3f9007a0cdf5cb4bb078f  Trace.img
9fb6475b562263fd00f7f2272c87e3e5  Trace.img

2) Identify the filesystem
• Use a filesystem stat tool to read the superblock.
• Result: ext filesystem (magic 0xEF53), block size 1024.
• Last mounted path: /home/kali/Desktop/forensic2.
• Last mounted at 2025-09-05 16:43:18 UTC; last written at 2025-09-05 16:47:09 UTC.

3) Check visible contents
• List the root directory.
• Only lost+found exists; nothing useful. Move to carving.

4) Switch to FTK Imager and hunt the “silent mark”
• Add Evidence Item → Image File → select Trace.img.
• In the tree, open the partition and go to Unallocated Clusters.
• Open the Hex view.

5) Find JPEG start
• Search Hex for FF D8 FF (JPEG SOI).
• First correct hit at decimal 8,653,824 (hex 0x00840C00).

6) Find JPEG end
• From there, search Hex for FF D9 (JPEG EOI).
• Match found at decimal 8,673,200 (hex 0x008457B0).

7) Select and carve
• Select from SOI (8,653,824) through EOI (8,673,200), inclusive.
• Save Selection as carved.jpg.
• Length is 19,377 bytes (hex 0x4BB1).

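# Byte offset of the JPEG SOI marker and the inclusive length of the carve
IMG="Trace.img"
SOI=8653824
SIZE=19377
# bs=1 makes skip and count byte-granular
dd if="$IMG" of=carved.jpg bs=1 skip="$SOI" count="$SIZE" status=none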

• Open carved.jpg
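
The SOI/EOI search in steps 5 to 7 can also be scripted. The Python sketch below is an added example, not part of the original write-up: it runs on a constructed byte buffer rather than Trace.img, and the names plausible_soi, carve_jpegs and build_sample are hypothetical. It also filters signature-like hits that are not followed by a JPEG marker, which is one way to separate a "correct" hit from noise.

```python
import hashlib

SOI = b"\xff\xd8\xff"   # JPEG start-of-image plus the next marker's FF prefix
EOI = b"\xff\xd9"       # JPEG end-of-image

def plausible_soi(data, pos):
    # After FF D8 a real JPEG continues with a marker FF xx, xx in C0..FE
    # (APPn, DQT, SOF, ...); this rejects signature-like noise.
    return pos + 3 < len(data) and 0xC0 <= data[pos + 3] <= 0xFE

def carve_jpegs(data, max_size=20 * 1024 * 1024):
    """Return [(start, length, sha256)] for each SOI..EOI span, EOI inclusive.

    Like the manual search, this stops at the first FF D9 after the SOI, so a
    JPEG with an embedded thumbnail would be cut at the thumbnail's EOI.
    """
    found = []
    pos = data.find(SOI)
    while pos != -1:
        nxt = pos + 1
        if plausible_soi(data, pos):
            hit = data.find(EOI, pos + len(SOI))
            if hit == -1:
                break                        # no terminator left in the data
            length = hit + len(EOI) - pos    # last byte - first byte + 1
            if length <= max_size:
                digest = hashlib.sha256(data[pos:pos + length]).hexdigest()
                found.append((pos, length, digest))
                nxt = pos + length
        pos = data.find(SOI, nxt)
    return found

def build_sample():
    """Constructed stand-in for unallocated space (not data from Trace.img)."""
    jpeg = SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + EOI
    noise = b"\xff\xd8\xff\x00"              # looks like SOI, is not a JPEG
    return b"\x00" * 1024 + noise + b"\x00" * 1020 + jpeg + b"\x00" * 512, jpeg

if __name__ == "__main__":
    image, _ = build_sample()
    for start, length, digest in carve_jpegs(image):
        # skip/count are the values a byte-granular dd (bs=1) would take
        print(f"skip={start} (0x{start:08X}) count={length} sha256={digest}")
```

Hashing each carved span at extraction time gives the recovered file its own integrity record alongside the image hashes from step 1.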


Output

FlagY{a0aa6bcae3dd77dc2ff91eea45dbf32e}
This post is licensed under CC BY 4.0 by the author.
