✅ What Is fdisk?
fdisk is a classic Linux command-line utility used to:
- Inspect disk partition tables
- View sector offsets and sizes
- Identify filesystem types
- Detect hidden or corrupted partitions
- Modify or create partitions (rarely used in CTFs)
In CTF forensics, fdisk is most commonly used to:
- Identify partition boundaries
- Extract partitions from a raw disk image
- Find hidden partitions or data
- Help calculate offsets for tools like dd, Sleuth Kit, or binwalk
It works for disk images like:
- disk.img
- drive.dd
- forensics.raw
- memory_card.img
🛠️ Basic fdisk Commands You Need for CTFs
1. View partition layout
The most important command:
fdisk -l disk.img
It shows:
- Partition table type (MBR or GPT)
- Partition number (e.g., /dev/sda1)
- Start sector
- End sector
- Sector size
- Filesystem type
Sample output:
Device     Boot   Start      End  Sectors  Size Id Type
disk.img1          2048   526335   524288  256M 83 Linux
disk.img2        526336 41943039 41416704 19.8G 83 Linux
This output is gold in CTFs.
2. View partitions directly on a device
sudo fdisk -l /dev/sda
(Not typically needed for CTF unless on a real disk.)
3. Enter interactive mode (rare for CTF)
fdisk disk.img
This is mostly for real disk management, not forensic work.
🎯 How fdisk Is Used in CTF Challenges
🔍 Pattern 1 — Extracting a Partition Using dd
Once fdisk -l shows start sector + size, you can extract it like this:
Example:
Start: 2048
Sector size: 512 bytes
Calculate offset:
2048 * 512 = 1048576
Extract partition:
dd if=disk.img of=partition1.img bs=512 skip=2048 count=524288
This is one of the most common CTF forensic tasks.
🔍 Pattern 2 — Finding Hidden or Unexpected Partitions
CTF creators often add:
- Hidden partitions
- Strange filesystem types
- Overlapping sectors
- Partitions marked as “unknown”
Example:
Id: 7f (Unknown)
Start: 409600
This often contains:
- Encrypted containers
- Hidden flags
- Fragmented data
Then you extract and analyze it with:
dd if=disk.img of=hidden.img bs=512 skip=409600 count=<end - start + 1>
(fdisk reports the end sector inclusively, so the sector count is end - start + 1, as in the Pattern 1 example.)
🔍 Pattern 3 — Discovering Unallocated Space
fdisk often reveals gaps between partitions.
Example:
Partition 1: 2048 – 1026047
Partition 2: 1052672 – 2097151
That gap (1026048–1052671) may contain:
- Hidden data
- Deleted files
- A fragmented filesystem
You can extract it:
dd if=disk.img of=gap.bin bs=512 skip=1026048 count=$((1052672-1026048))
Then analyze:
- strings gap.bin
- binwalk gap.bin
- Attach it as a disk in Autopsy
🔍 Pattern 4 — Identifying Filesystem Types
fdisk might show:
Id 83 Linux
Id 82 Swap
Id 07 NTFS
Id ef EFI System
In CTF:
- Swap partitions may contain remnants of flags
- NTFS partitions may hide MFT-based artifacts
- EFI partitions sometimes store staging data
- Linux partitions contain home directories, logs, scripts, SSH keys
🔍 Pattern 5 — Detecting Corrupted Partition Tables
Some challenges break the partition table:
- Wrong sector size
- Partition overlaps
- Missing boot signature
- Zeroed-out partition fields
You might see:
Partition table entries are not in disk order
or
invalid flag 0x0000 in partition table
This hints that:
- A hidden partition exists
- You may need manual extraction
- Sleuth Kit tools like mmls or fsstat will be required
🚀 Recommended CTF Workflow With fdisk
1. Check the disk image:
fdisk -l disk.img
2. Identify:
- Partition start sectors
- Sector sizes
- Gaps
- Unknown partition types
3. Extract partitions:
dd if=disk.img of=partX.img bs=512 skip=<start> count=<length>
4. Mount or analyze:
sudo mount -o loop partX.img /mnt/part
Or use tools:
- Autopsy
- Sleuth Kit (fls, icat, mmls)
- binwalk
- strings
5. Inspect for flags:
- Files
- Logs
- Deleted data
- Hidden metadata
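The offset arithmetic from Pattern 1, the gap detection from Pattern 3, and steps 1 to 3 of the workflow above, as an added shell example that is not part of the original post. SAMPLE_FDISK is a constructed fdisk -l listing (not captured from a real image) that reuses the Pattern 3 sector numbers; the functions parse it instead of running fdisk, so the block runs offline.

```shell
# Added example (not from the original post). SAMPLE_FDISK is a constructed
# `fdisk -l` listing that reuses the sector numbers from Pattern 3 above.
SAMPLE_FDISK='Disk disk.img: 1 GiB, 1073741824 bytes, 2097152 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device     Boot   Start     End Sectors  Size Id Type
disk.img1  *       2048 1026047 1024000  500M 83 Linux
disk.img2       1052672 2097151 1044480  510M  7 HPFS/NTFS/exFAT'
# Logical sector size reported by fdisk (the tips note it is not always 512).
sector_size() {
  printf '%s\n' "$1" | awk '/^Sector size/ { print $4; exit }'
}
# One "name start end sectors" line per partition. Rows follow the "Device"
# header; a "*" boot flag in column 2 shifts the numeric columns right by one.
partitions() {
  printf '%s\n' "$1" | awk '
    $1 == "Device" { in_table = 1; next }
    in_table && NF >= 6 {
      i = 2; if ($2 == "*") i = 3
      print $1, $i, $(i + 1), $(i + 2)
    }'
}
# Byte offset of a sector (what mount -o offset= or losetup -o expect).
byte_offset() {
  echo $(( $1 * $2 ))
}
# dd command for one partition: bs= is the sector size, skip= the start
# sector and count= the inclusive sector span (end - start + 1).
dd_command() {
  # $1 image  $2 output file  $3 start  $4 end  $5 sector size
  echo "dd if=$1 of=$2 bs=$5 skip=$3 count=$(( $4 - $3 + 1 ))"
}
# Unallocated gaps between consecutive partitions as "start end sectors".
gaps() {
  partitions "$1" | sort -k2,2n | awk '
    NR > 1 && $2 > prev_end + 1 { print prev_end + 1, $2 - 1, $2 - prev_end - 1 }
    { prev_end = $3 }'
}

# Usage: print the dd command for every partition, then any gap.
size=$(sector_size "$SAMPLE_FDISK")
partitions "$SAMPLE_FDISK" | while read -r name start end sectors; do
  dd_command disk.img "$name.img" "$start" "$end" "$size"
done
gaps "$SAMPLE_FDISK"
```

Replace SAMPLE_FDISK with `$(fdisk -l disk.img)` to run it against a real image; the gap line is the skip/count pair for the Pattern 3 extraction.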
📌 Tips & Tricks
- Always note the sector size (not always 512 bytes).
- Use mmls (TSK) for more forensic-accurate partition mapping.
- Explore unallocated sectors — flags often hide there.
- Use file part.img after extraction to auto-detect the filesystem.
- Combine with dd, strings, and Autopsy for deeper analysis.