picoCTF 2026 - Forensics: Git 2
Challenge Information
Category: Forensics
Points: 400
Author: LT “syreal” Jones
Description
The agents interrupted the perpetrator’s disk deletion routine. Can you recover this git repo?
Hint
We think the deletion was interrupted before any git objects were touched.
Initial Analysis
The hint strongly suggests that the Git repository’s object database was not deleted.
Git stores most of its important information inside:
.git/objects
These objects contain:
- Commits
- Trees
- Blobs (file contents)
Even if the working directory or repository metadata was partially deleted, the repository can often be reconstructed as long as the objects remain intact.
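The object store described above can be checked for integrity without Git itself. The following Python is an added example, not part of the original writeup: it reads each loose object in a recovered objects directory, verifies it against the SHA-1 it is named after, and reports files that were damaged. It assumes SHA-1 object ids and loose objects only (packfiles are not parsed); the function names and the sample store are constructed for illustration.

```python
import hashlib
import os
import tempfile
import zlib

def write_loose(objects_dir, obj_type, body):
    """Write a loose object: zlib of '<type> <size>', a NUL byte, then the body."""
    raw = f"{obj_type} {len(body)}".encode() + b"\0" + body
    oid = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(objects_dir, oid[:2]), exist_ok=True)
    with open(os.path.join(objects_dir, oid[:2], oid[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return oid

def scan_loose_objects(objects_dir):
    """Return ({oid: (type, body)}, [damaged oids]) for a recovered objects dir."""
    intact, damaged = {}, []
    for fan in sorted(os.listdir(objects_dir)):
        if len(fan) != 2:  # pack/ and info/ are not loose-object fan-out dirs
            continue
        for name in sorted(os.listdir(os.path.join(objects_dir, fan))):
            oid = fan + name
            try:
                with open(os.path.join(objects_dir, fan, name), "rb") as f:
                    raw = zlib.decompress(f.read())
                header, body = raw.split(b"\0", 1)
                obj_type, size = header.decode().split(" ")
                # The file name must equal SHA-1(header + body), or the data changed.
                if int(size) != len(body) or hashlib.sha1(raw).hexdigest() != oid:
                    raise ValueError("size or hash mismatch")
                intact[oid] = (obj_type, body)
            except (zlib.error, ValueError):
                damaged.append(oid)
    return intact, damaged

def build_demo_store():
    """Constructed sample store: one blob, one commit-typed object, one truncated file."""
    objects_dir = os.path.join(tempfile.mkdtemp(), ".git", "objects")
    blob = write_loose(objects_dir, "blob", b"Rex: constructed sample chat line\n")
    commit = write_loose(objects_dir, "commit", b"constructed sample commit body\n")
    bad = "ab" + "0" * 38
    os.makedirs(os.path.join(objects_dir, "ab"), exist_ok=True)
    with open(os.path.join(objects_dir, "ab", "0" * 38), "wb") as f:
        f.write(zlib.compress(b"blob 5\0hello")[:-4])  # cut short, as a wipe might
    return objects_dir, blob, commit, bad

if __name__ == "__main__":
    objects_dir, *_ = build_demo_store()
    intact, damaged = scan_loose_objects(objects_dir)
    for oid, (obj_type, body) in intact.items():
        print(oid, obj_type, len(body))
    print("damaged:", damaged)
```

Pointing `scan_loose_objects` at the `.git/objects` directory exported from the image gives a quick inventory of which objects survived before any Git command is run against the evidence copy.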
Step 1 - Open the Disk Image in Autopsy
Create a new case in Autopsy and add the provided disk image as a data source.
After processing completes, navigate through the filesystem and search for Git artifacts.
Useful files and directories include:
.git
.git/objects
.git/refs
.git/logs
.git/HEAD
.git/config
The entire .git directory was recovered from the image.
Step 2 - Rebuild the Repository
Create a new folder and place the recovered .git directory inside it.
Example:
mkdir git2-recovered
Resulting structure:
git2-recovered/
└── .git/
Move into the repository:
cd git2-recovered
Step 3 - Inspect Git History
Since the challenge hint stated that Git objects were untouched, the repository history was expected to remain intact.
Checking the recovered reflog revealed the commit history:
0000000000000000000000000000000000000000 2c0a9b2b15dce92f800393d5030c7454efc278ae commit (initial): Add netcat scripts
2c0a9b2b15dce92f800393d5030c7454efc278ae 26b809e0c41d8421f1126ed3a4eb06ad66e6d90a commit: Add video game chat log
26b809e0c41d8421f1126ed3a4eb06ad66e6d90a 5827632e046a80a1e0d7b4fc5c7800dd539baeaf commit: Add TV show chat log
5827632e046a80a1e0d7b4fc5c7800dd539baeaf e80b38b3322a5ba32ac07076ef5eeb4a59449875 commit: Add secret hideout chat log
e80b38b3322a5ba32ac07076ef5eeb4a59449875 2151ef0ccc15aed1ab88e1afdc7484aaeff211c4 commit: Remove secret hideout log
2151ef0ccc15aed1ab88e1afdc7484aaeff211c4 01533f718556a0e59f1467dae4fa462eed82c2a1 commit: Add random chat log
One commit immediately stood out:
Add secret hideout chat log
followed by:
Remove secret hideout log
This strongly suggested that the flag was hidden inside the deleted chat log.
Step 4 - Inspect the Suspicious Commit
View the commit:
git show e80b38b3322a5ba32ac07076ef5eeb4a59449875
Output:
commit e80b38b3322a5ba32ac07076ef5eeb4a59449875
Author: ctf-player <ctf-player@example.com>
Add secret hideout chat log
diff --git a/logs/3.txt b/logs/3.txt
new file mode 100644
index 0000000..7178644
--- /dev/null
+++ b/logs/3.txt
+Rex: Meet at the old arcade basement for the secret hideout.
+Jay: Ask Rusty at the door and use password picoCTF{g17_r35cu3_16ac6bf3}.
+Rex: Bring the decoder map so we can plan the route.
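Review bot: The second added line of logs/3.txt ("Jay: Ask Rusty at the door and use password ...") commits a credential in plain text. The reflog shows the next commit is "Remove secret hideout log", but deleting the file in a later commit leaves this blob in the object store, so the value stays readable from history. Treat the password as exposed and rotate it, and rewrite history if the blob must not remain in the repository.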
The flag was embedded directly in the recovered file contents.
Flag
picoCTF{g17_r35cu3_16ac6bf3}
Lessons Learned
- Git stores all historical versions of files inside .git/objects.
- Deleted files can often be recovered through Git history.
- Reflogs provide valuable forensic evidence even when files are removed.
- Commit messages can reveal where to focus analysis.
- Recovering the .git directory is often enough to fully reconstruct a repository.
Useful Commands
git log --all --oneline
git show <commit>
git ls-tree -r <commit>
git checkout <commit> -- .
git fsck --full --no-reflogs --unreachable
git cat-file -p <object>