# Forensics

### information \[10 pts]

> **Description**
>
> Files can always be changed in a secret way. Can you find the flag? [cat.jpg](https://mercury.picoctf.net/static/a614a27d4cb251d04c7d2f3f3f76a965/cat.jpg)

**Solution**

I started out by looking at the image and running `cat cat.jpg`, with no results. Then I got something with ExifTool.

![](https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MfZxyiL373egunzbLFC%2F-MfZzJn5l1_KaT4P9BXm%2Fimage.png?alt=media\&token=02f6aca6-10d6-46fb-8e02-8c8b4a85965a)

Putting the License value into CyberChef, I got the flag through some magic.

**Flag: picoCTF{the\_m3tadata\_1s\_modified}**

### Matryoshka doll \[30 pts]

> **Description**
>
> Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image: [this](https://mercury.picoctf.net/static/f6cc2560a70b1ea811c151accba5390f/dolls.jpg)

**Solution**

One inside of another, hmmm. Sounds like binwalk to me. I use the first command of `binwalk -e dolls.jpg` and it returns files, which is a good sign. I go to the basic folder and `binwalk -e` that jpeg (2nd doll). Then the third doll. Then the fourth doll, and inside that one is something different. It is the flag. What a relief.

**Flag: picoCTF{ac0072c423ee13bfc0b166af72e25b61}**
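The repeated `binwalk -e` steps above can be written as a loop. This Python block is an added example, not part of the original writeup: it assumes each layer is a ZIP archive appended to image data with a single file inside, and it runs on a constructed sample whose names (`doll_N.jpg`, `flag.txt`) and contents are hypothetical.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                      # local file header signature
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"  # constructed stand-in image
MAX_MEMBER = 50 * 1024 * 1024                  # refuse oversized members (zip bombs)


def build_doll(depth, secret):
    """Construct a sample: image bytes + appended ZIP, nested `depth` times."""
    name, payload = "flag.txt", secret
    for level in range(depth, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
        # Hypothetical file names; the outermost layer is doll_1.jpg.
        name, payload = f"doll_{level}.jpg", JPEG_STUB + buf.getvalue()
    return payload


def unpack(blob, max_depth=16):
    """Open appended archives layer by layer.

    Returns (layers_opened, innermost_name, innermost_bytes).
    """
    name, layers = "<input>", 0
    while ZIP_MAGIC in blob:
        if layers >= max_depth:
            raise ValueError("nesting deeper than max_depth, stopping")
        try:
            # zipfile finds the archive from its end record, so data
            # prepended to the archive (the image) does not get in the way.
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            break  # signature bytes were a coincidence, not an archive
        with zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            if len(members) != 1 or members[0].file_size > MAX_MEMBER:
                raise ValueError("unexpected layer layout")
            name, blob = members[0].filename, zf.read(members[0])
        layers += 1
    return layers, name, blob


if __name__ == "__main__":
    sample = build_doll(4, b"example{constructed_flag}")  # constructed input
    print(unpack(sample))
```

The depth and size limits matter when the input is untrusted: nested archives are a common way to exhaust disk or memory in automated extraction.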

### tunn3l v1s10n \[40 pts] \[Not Solved]

> **Description**
>
> We found this [file](https://mercury.picoctf.net/static/06a5e4ab22ba52cd66a038d51a6cc07b/tunn3l_v1s10n). Recover the flag.

**Solution**

By looking at the file signature, it seems we are given a BMP file. Knowing most of you are on Linux, you can't default to that image viewer. The one I would use to view the image is ImageMagick. It has a fake flag and it seems there are two parts to this image. One is a negative view of an image and the other one is positive.

**Flag:**

### Wireshark doo dooo do doo \[50 pts] \[Not Solved]

> **Description**
>
> Can you find the flag? [shark1.pcapng](https://mercury.picoctf.net/static/b44842413a0834f4a3619e5f5e629d05/shark1.pcapng).

**Solution**

Opened in Wireshark and went to Statistics -> Conversations -> TCP (It had 17 so best guess). From there I checked all the streams and of them, only 1 was readable (stream 5).

**Flag:**

### MacroHard WeekEdge \[60 pts] \[Not Solved]

> **Description**
>
> I've hidden a flag in this file. Can you find it? [Forensics is fun.pptm](https://mercury.picoctf.net/static/52da699e0f203321c7c90ab56ea912d8/Forensics%20is%20fun.pptm)

**Solution**

a

**Flag:**

### Trivial Flag Transfer Protocol \[90 pts] \[Not Solved]

> **Description**
>
> Figure out how they moved the [flag](https://mercury.picoctf.net/static/b686a99ec088f10b324cfe963bd32dab/tftp.pcapng).

**Solution**

a

**Flag:**

### Wireshark twoo twooo two twoo \[100 pts] \[Not Solved]

> **Description**
>
> Can you find the flag? [shark2.pcapng](https://mercury.picoctf.net/static/0fe13a33318e756f71c35cb490e64c81/shark2.pcapng).

**Solution**

a

**Flag:**

### Disk, disk, sleuth! \[110 pts] \[Not Solved]

> **Description**
>
> Use `srch_strings` from the sleuthkit and some terminal-fu to find a flag in this disk image: [dds1-alpine.flag.img.gz](https://mercury.picoctf.net/static/a734f18939e0aaea9d27bc7a243a0ed0/dds1-alpine.flag.img.gz)

**Solution**

a

**Flag:**

### Milkslap \[120 pts] \[Not Solved]

> **Description**
>
> [🥛](http://mercury.picoctf.net:58537/)

**Solution**

a

**Flag:**

### Disk, disk sleuth! II \[130 pts] \[Not Solved]

> **Description**
>
> All we know is the file with the flag is named `down-at-the-bottom.txt`... Disk image: [dds2-alpine.flag.img.gz](https://mercury.picoctf.net/static/9061ae8456a4ff51098c5183d910a080/dds2-alpine.flag.img.gz)

**Solution**

a

**Flag:**

### Surfing the Waves \[250 pts] \[Not Solved]

> **Description**
>
> While you're going through the FBI's servers, you stumble across their incredible taste in music. One [main.wav](https://mercury.picoctf.net/static/5364e0af6624277dd734d6d77097580c/main.wav) you found is particularly interesting, see if you can find the flag!

**Solution**

a

**Flag:**

### Very very very hidden \[300 pts] \[Not Solved]

> **Description**
>
> Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure. [try\_me.pcap](https://mercury.picoctf.net/static/fc6ef3c00e52d2ea4c812112276f8ab8/try_me.pcap)

**Solution**

a

**Flag:**
