A challenge which is supposed to be solved in 10 minutes, and I took almost 4 hours to solve it 😦 When I recovered all the deleted files in the partition, I got a PDF file, a JPEG image file, and a PNG image file. The flag was in the PNG image and unfortunately I wasted around 4 hours without noticing it 😦. Anyway, the issue was that I didn’t download the partition image properly. After realizing it, I downloaded the image again and then I got the proper flag.
Our goal was to find the name of the exam sheet that was stolen by the student. We were given an image file to analyze. The first step is to identify the type of the image file.
h1dd3ntru7h@shadows:~/Desktop/SUCTF/100$ file examtheft.img
examtheft.img: Linux rev 1.0 ext2 filesystem data (mounted or unclean), UUID=93d1bff8-0373-45e6-90da-e8d0d02e85e1
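The fields that `file` prints come from the ext2 superblock, and the same superblock records how large the partition should be, which is enough to catch an incomplete download like the one described above. The following is an added example, not part of the original write-up: the function names are hypothetical, the ext2/ext3/ext4 distinction is a simplified heuristic, and the sample image is constructed (it reuses the UUID shown above but holds no real filesystem content).

```python
import struct
import uuid

SUPERBLOCK_OFFSET = 1024      # superblock starts 1 KiB into the partition
EXT_MAGIC = 0xEF53            # s_magic, shared by ext2/ext3/ext4

def parse_superblock(image: bytes) -> dict:
    """Decode the ext2 superblock fields needed to sanity-check an image."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 120:
        raise ValueError("image too short to contain a superblock")
    blocks_count, = struct.unpack_from("<I", sb, 4)      # s_blocks_count
    log_block_size, = struct.unpack_from("<I", sb, 24)   # s_log_block_size
    magic, state = struct.unpack_from("<HH", sb, 56)     # s_magic, s_state
    rev_level, = struct.unpack_from("<I", sb, 76)        # s_rev_level
    compat, incompat = struct.unpack_from("<II", sb, 92) # feature flags
    if magic != EXT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}, not an ext filesystem")
    block_size = 1024 << log_block_size
    # Simplified heuristic: extents flag -> ext4, journal flag -> ext3, else ext2
    kind = "ext4" if incompat & 0x40 else "ext3" if compat & 0x4 else "ext2"
    expected = blocks_count * block_size
    return {
        "kind": kind,
        "rev": rev_level,
        "clean": bool(state & 0x1),   # EXT2_VALID_FS; unset = mounted or unclean
        "uuid": str(uuid.UUID(bytes=sb[104:120])),
        "expected_size": expected,
        "truncated": len(image) < expected,  # fewer bytes than the superblock claims
    }

def make_sample_image(total_blocks=64, stored_blocks=64) -> bytes:
    """Constructed test image: a minimal superblock, no real filesystem content."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, total_blocks)
    struct.pack_into("<I", sb, 24, 0)              # 1 KiB blocks
    struct.pack_into("<HH", sb, 56, EXT_MAGIC, 0)  # state 0 = not cleanly unmounted
    struct.pack_into("<I", sb, 76, 1)              # revision 1
    sb[104:120] = uuid.UUID("93d1bff8-0373-45e6-90da-e8d0d02e85e1").bytes
    image = bytearray(total_blocks * 1024)
    image[1024:2048] = sb
    return bytes(image[:stored_blocks * 1024])     # cut short to mimic a bad download

if __name__ == "__main__":
    for name, img in [("complete", make_sample_image()),
                      ("short download", make_sample_image(stored_blocks=40))]:
        print(name, parse_superblock(img))
```

To check a real image, pass the file's bytes to `parse_superblock`; a `truncated` result of `True` means the download is shorter than the filesystem it claims to contain.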
I found a hidden directory named .Trash-3067 after mounting the Ext2 partition in my Autopsy tool. If you are new to Autopsy, check my article to install the tool.
After saving the 000000693.png image file, I got a Chemistry exam paper, in Persian.
And the flag for the challenge is: chemistry


Persian exam sheet not Arabic!
Ooops! Sorry! I changed it 😀