Digital Forensics Report (DFIR)
- Case Title: Secret of the Polyglot (picoCTF)
- Author: syreal
- Date: August 23, 2025
- Investigator: Abdelwahab Shandy
1) Identification
Description:
A suspicious file named `flag2of2-final.pdf` was identified. The file raised concerns because it appeared to contain multiple formats simultaneously (both PDF and PNG).
Indicators of Compromise (IOCs):
- File Name: `flag2of2-final.pdf`
- File Size: 3.3 KB
- Suspicion: The file exhibits dual-format characteristics (polyglot file).
2) Acquisition
- The file was downloaded from the challenge server using:
```bash
wget https://artifacts.picoctf.net/c_titan/99/flag2of2-final.pdf
```
- An exact copy was saved as `SecretofthePolyglot.pdf`.
- An additional version was created as `SecretofthePolyglot.png` to ensure no data was lost during analysis.
3) Preservation
- File permissions and integrity were verified to prevent accidental modification during analysis:
  - Permissions: `rw-rw-r--`
- A working copy was stored in a separate directory, leaving the original untouched.
- Access and modification timestamps were documented:
  - Modify Date: 2024-03-12
  - Access Date: 2025-08-23
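The preservation step above, written out as a small Python routine. This is an added example and not part of the original report: it hashes the original evidence file, copies it into a separate working directory, verifies the copy by re-hashing, marks the original read-only (an extra step beyond what the report lists), and records the permission string and the modify/access dates in the same form the report uses. `demo()` runs it against a constructed file in a temporary directory; the file content, paths and timestamps are all constructed.

```python
# Added example, not from the original report: the preservation step as a
# small routine. demo() exercises it on a constructed evidence file.
import hashlib
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Streamed SHA-256 so large evidence files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(original: str, workdir: str) -> dict:
    """Create a verified working copy of `original` in `workdir` and lock the original."""
    os.makedirs(workdir, exist_ok=True)
    st = os.stat(original)  # capture timestamps before anything touches the file
    digest = sha256_of(original)
    copy_path = os.path.join(workdir, os.path.basename(original))
    shutil.copy2(original, copy_path)  # copy2 preserves mtime as well as content
    if sha256_of(copy_path) != digest:
        raise RuntimeError("working copy does not match the original")
    os.chmod(original, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # r--r--r--
    to_date = lambda ts: datetime.fromtimestamp(ts, timezone.utc).date().isoformat()
    return {
        "sha256": digest,
        "working_copy": copy_path,
        "permissions": stat.filemode(os.stat(original).st_mode)[1:],  # drop file-type column
        "modify_date": to_date(st.st_mtime),
        "access_date": to_date(st.st_atime),
    }


def demo() -> dict:
    """Run preserve() on a constructed file; returns the record plus checks to assert on."""
    root = tempfile.mkdtemp(prefix="dfir-")
    original = os.path.join(root, "evidence.pdf")
    content = b"%PDF-1.4\n% constructed evidence file, not the challenge artifact\n"
    with open(original, "wb") as f:
        f.write(content)
    # Constructed timestamps chosen to match the dates listed in the report.
    mtime = datetime(2024, 3, 12, 12, 0, tzinfo=timezone.utc).timestamp()
    atime = datetime(2025, 8, 23, 12, 0, tzinfo=timezone.utc).timestamp()
    os.utime(original, (atime, mtime))
    record = preserve(original, os.path.join(root, "work"))
    with open(record["working_copy"], "ab") as f:  # analysis may alter the copy ...
        f.write(b"scribble")
    record["original_unchanged"] = sha256_of(original) == record["sha256"]  # ... never the original
    record["expected_sha256"] = hashlib.sha256(content).hexdigest()
    return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing before and after the copy is what turns "a working copy was stored" into a verifiable claim; the recorded digest is the value a second analyst would check the evidence against later.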
4) Analysis
File Type Examination:
- The `file` utility identified the object as a PNG image (50×50).
- However, embedded PDF data was also detected.
Metadata Analysis (ExifTool):
- Created using GIMP.
- Comment field: "Created with GIMP."
- Warning: "Trailer data after PNG IEND chunk" - indicates hidden data appended after the PNG image.
Binwalk Analysis:
Revealed the following structures inside the file:
- PNG image
- PDF document version 1.4
- Zlib compressed data
Data Extraction (`binwalk -e`):
- Extraction produced a folder `_SecretofthePolyglot.png.extracted`.
- Contents included:
  - `47D`: contained ASCII text `1n_pn9_&_pdf_2a6a1ea8}`
  - `47D.zlib`: compressed data requiring further review.
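The three findings above (the PNG dimensions from `file`, the "trailer data after PNG IEND chunk" warning from ExifTool, and the PDF and zlib signatures from binwalk) come from the same structural fact: a PNG ends at its IEND chunk, so anything after it is foreign data. The following script is an added example, not code from the original report or from any of those tools. It walks the PNG chunk table, treats everything after IEND as trailer data, scans the trailer for a `%PDF-` header and for zlib stream headers, and inflates any zlib stream it finds. The input is a constructed 50×50 PNG with a constructed PDF/zlib trailer, not the challenge file.

```python
# Added example, not part of the original report: reproduce what
# file / exiftool / binwalk reported by parsing the PNG and its trailer.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk, i.e. where a trailer would start."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def png_dimensions(data: bytes) -> tuple:
    """Width and height from IHDR, which always directly follows the 8-byte signature."""
    return struct.unpack(">II", data[16:24])


def scan_trailer(trailer: bytes, base: int) -> list:
    """Look for embedded formats in the bytes after IEND.

    Returns (absolute_offset, description, payload) tuples: for a PDF the
    payload is the version header, for a zlib stream it is the inflated data.
    """
    findings = []
    idx = trailer.find(b"%PDF-")
    while idx != -1:
        version = trailer[idx + 5:idx + 8].decode("ascii", "replace")
        findings.append((base + idx, f"PDF document, version {version}", trailer[idx:idx + 8]))
        idx = trailer.find(b"%PDF-", idx + 1)
    for i in range(len(trailer) - 1):
        cmf, flg = trailer[i], trailer[i + 1]
        # zlib header: compression method 8 (deflate) and CMF*256+FLG divisible by 31
        if cmf & 0x0F != 8 or (cmf * 256 + flg) % 31 != 0:
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(trailer[i:])
        except zlib.error:
            continue
        if d.eof and out:  # only report streams that inflate to a complete result
            findings.append((base + i, f"zlib compressed data, {len(out)} bytes inflated", out))
    return findings


def analyse(data: bytes) -> dict:
    """Summarise a PNG the way the tools in the report did."""
    end = png_end_offset(data)
    width, height = png_dimensions(data)
    trailer = data[end:]
    return {
        "dimensions": (width, height),
        "png_end": end,
        "trailer_bytes": len(trailer),
        "findings": scan_trailer(trailer, end),
    }


# --- constructed sample input (not the challenge artifact) ----------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_png(width: int, height: int) -> bytes:
    """Minimal valid 8-bit RGB PNG filled with black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height  # filter byte + pixels per row
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


SAMPLE_TRAILER = (b"%PDF-1.4\n% constructed sample, not a real document\n"
                  + zlib.compress(b"constructed hidden text")
                  + b"\n%%EOF\n")
SAMPLE = make_png(50, 50) + SAMPLE_TRAILER

if __name__ == "__main__":
    report = analyse(SAMPLE)
    print(f"PNG {report['dimensions'][0]}x{report['dimensions'][1]}, "
          f"IEND ends at 0x{report['png_end']:X}, {report['trailer_bytes']} trailer bytes")
    for offset, desc, payload in report["findings"]:
        print(f"  0x{offset:X}  {desc}  {payload[:40]!r}")
```

The `d.eof` check is what keeps the zlib scan honest: a two-byte header check alone fires on roughly one byte pair in 500, so a candidate only counts when it inflates to a complete stream with a valid checksum. Offsets are reported relative to the start of the file, the same convention binwalk uses, so they can be compared directly with its output.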
Results:
- The first part of the flag was found directly in the PNG image: `picoCTF{f1u3n7_`
- The second part of the flag was found in the extracted ASCII text: `1n_pn9_&_pdf_2a6a1ea8}`
5) Reporting
Conclusion:
The suspicious file was a polyglot file containing PNG, PDF, and zlib compressed segments. Using forensic tools (`file`, `exiftool`, and `binwalk`), both embedded and hidden content were successfully extracted.
Final Flag:
`picoCTF{f1u3n7_1n_pn9_&_pdf_2a6a1ea8}`
"Control the code, and you control the world." From wiping metadata to gaining root access, every step is documented and my goal is to deeply understand the system, not just hack!
See You Soon
AS Cyber