{"id":13612483,"url":"https://github.com/stuxnet999/MemLabs","last_synced_at":"2025-04-13T12:32:01.316Z","repository":{"id":38405730,"uuid":"203713308","full_name":"stuxnet999/MemLabs","owner":"stuxnet999","description":"Educational, CTF-styled labs for individuals interested in Memory Forensics","archived":false,"fork":false,"pushed_at":"2021-03-08T15:54:40.000Z","size":562,"stargazers_count":1512,"open_issues_count":0,"forks_count":196,"subscribers_count":49,"default_branch":"master","last_synced_at":"2024-02-14T05:34:37.782Z","etag":null,"topics":["ctf","ctf-challenges","cybersecurity","dfir","digital-forensics","forensics","memory-forensics","security","windows"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stuxnet999.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-08-22T04:18:14.000Z","updated_at":"2024-02-12T20:47:01.000Z","dependencies_parsed_at":"2022-07-12T17:28:53.827Z","dependency_job_id":null,"html_url":"https://github.com/stuxnet999/MemLabs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuxnet999%2FMemLabs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuxnet999%2FMemLabs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuxnet999%2FMemLabs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stuxnet999%2FMemLabs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stuxnet999","download_url":"https://codeload.github.com/stuxnet999/MemLabs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248714606,"owners_count":21149926,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","ctf-challenges","cybersecurity","dfir","digital-forensics","forensics","memory-forensics","security","windows"],"created_at":"2024-08-01T20:00:30.620Z","updated_at":"2025-04-13T12:32:01.293Z","avatar_url":"https://github.com/stuxnet999.png","language":"Shell","funding_links":[],"categories":["CTFs","Learn Forensics","Learn forensics","Shell (473)","Shell","Datasets","cybersecurity","Forensics"],"sub_categories":["CTFs and Challenges","Challenges","DFRWS EU 2020","Volatility"],"readme":"\u003cimg src=\"./Images/MemLabs.png\" alt=\"MemLabs\" class=\"center\"\u003e\r\n\r\n---\r\n\r\n## **Table of contents**\r\n\r\n1. [About MemLabs](https://github.com/stuxnet999/MemLabs#About-MemLabs-mag)\r\n2. [Motivation](https://github.com/stuxnet999/MemLabs#motivation-dart)\r\n3. [Structure of Repository](https://github.com/stuxnet999/MemLabs#structure-of-repository)\r\n4. [Tools and Frameworks](https://github.com/stuxnet999/MemLabs#tools-and-frameworks-hammer_and_wrench)\r\n5. [Flag Submission](https://github.com/stuxnet999/MemLabs#flag-submission-triangular_flag_on_post)\r\n   - [Email Format](https://github.com/stuxnet999/MemLabs#email-format)\r\n6. [Resources](https://github.com/stuxnet999/MemLabs#resources-rocket)\r\n7. [Feedback \u0026 suggestions](https://github.com/stuxnet999/MemLabs#feedback--suggestions)\r\n8. [Usage](https://github.com/stuxnet999/MemLabs#usage)\r\n9. [Author](https://github.com/stuxnet999/MemLabs#author-bust_in_silhouette)\r\n\r\n## **About MemLabs** :mag:\r\n\r\nMemLabs is an educational, introductory set of CTF-styled challenges aimed at encouraging students, security researchers and CTF players to get started in the field of **Memory Forensics**.\r\n\r\n## **Motivation** :dart:\r\n\r\nThe main goal of creating this repository was to provide a reliable platform where individuals can learn, practice and enhance their skills in the field of memory forensics. As for the CTF style, well, what better \u0026 more interesting way to learn security than by playing CTFs?\r\n\r\nI also believe these labs can be used by anyone to help others become good with the essentials and fundamentals of memory forensics.\r\n\r\n## **Structure of repository**\r\n\r\n| Directory | Challenge Name | Level Of Difficulty |\r\n|:----:|:----:|:----:|\r\n|Lab 0 | [Never Too Late Mister](./Lab%200) | Sample challenge |\r\n|Lab 1 | [Beginner's Luck](./Lab%201) | Easy |\r\n|Lab 2 | [A New World](./Lab%202) | Easy |\r\n|Lab 3 | [The Evil's Den](./Lab%203) | Easy - Medium |\r\n|Lab 4 | [Obsession](./Lab%204) | Medium |\r\n|Lab 5 | [Black Tuesday](./Lab%205) | Medium - Hard |\r\n|Lab 6 | [The Reckoning](./Lab%206) | Hard |\r\n\r\nTo help first-timers understand how to approach CTF challenges \u0026 how to use Volatility, please refer to [Lab 0](https://github.com/stuxnet999/MemLabs/tree/master/Lab%200), which comes with an elaborate walkthrough. I hope it will be a great way to start MemLabs!\r\n\r\nAll the memory dumps are from Windows systems.\r\n\r\n\u003e **Note**: The level of difficulty specified may not be fully accurate as it depends on the individual. I've tried my best to categorize them after receiving feedback from beginners in the field.\r\n\r\n## **Tools and frameworks** :hammer_and_wrench:\r\n\r\nI'd suggest everyone use [**The Volatility Framework**](https://github.com/volatilityfoundation/volatility/) for analysing the memory images.\r\n\r\nPlease execute the [**setup.sh**](./setup.sh) file to install all the required dependencies on your system.\r\n\r\n\u003e **Note**: Windows users can download the executable file from [here](https://www.volatilityfoundation.org/26).\r\n\r\nAs these labs are quite introductory, there is no need to install more tools. However, you can install other forensic tools if you wish.\r\n\r\nThe preferred OS is Linux. However, you can also use Windows (WSL) or macOS.\r\n\r\n## **Flag submission** :triangular_flag_on_post:\r\n\r\nPlease mail the flags of each lab to \u003cmemlabs.submit@gmail.com\u003e\r\n\r\nPlease have a look at the following example to better understand how to submit the solution.\r\n\r\nSuppose you find 3 flags in a particular lab:\r\n\r\n+ flag{stage1_is_n0w_d0n3}\r\n+ flag{stage2_is_n0w_d0n3}\r\n+ flag{stage3_is_n0w_d0n3}\r\n\r\nConcatenate all the flags like this: **flag{stage1_is_n0w_d0n3} flag{stage2_is_n0w_d0n3} flag{stage3_is_n0w_d0n3}**\r\n\r\n**Note**: Place the flags in the right order. The content inside the flags indicates their place. The flags must be space-separated.\r\n\r\nAll the labs will follow the same flag format unless specified otherwise.\r\n\r\n### **Email format**\r\n\r\nPlease follow these guidelines when sending the solution. Below is a sample:\r\n\r\n**Email Subject**: [MemLabs Solution Submission] [Lab-x]\r\n\r\n\u003e **x** indicates the lab number, e.g. 1, 2, 3.\r\n\r\n![Email-Picture](./Images/Submission.png)\r\n\r\nEmail your solution to memlabs.submit@gmail.com\r\n\r\nIf the solution is correct, the participant will receive a confirmation mail.\r\n\r\n## **Feedback \u0026 suggestions**\r\n\r\nI'd love the community's feedback regarding these labs. Any suggestions or improvements are always welcome. Please email them to me or contact me via Twitter: [@_abhiramkumar](https://www.twitter.com/_abhiramkumar).\r\n\r\n## **Resources** :rocket:\r\n\r\nThis section contains resources I've composed myself and others I used when I learnt memory forensics. I hope these resources will help everyone not only in solving these labs but also in exploring more areas of memory forensics.\r\n\r\n+ [**Basics of Memory Forensics**](https://stuxnet999.github.io/volatility/2020/08/18/Basics-of-Memory-Forensics.html)\r\n+ [**Volatility Windows Command Reference**](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference)\r\n+ [**SANS DFIR Memory Forensics cheat sheet**](https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf)\r\n\r\nIf you're interested in playing more CTFs or want to try more challenges:\r\n+ [**AboutDFIR - Challenges \u0026 CTFs**](https://aboutdfir.com/education/challenges-ctfs/)\r\n+ [**CTFtime.org**](https://ctftime.org/)\r\n\r\nIf you are interested in learning how to write plugins for the Volatility framework:\r\n\r\n+ https://stuxnet999.github.io/volatility/2020/07/04/Writing-Plugins-Volatility.html\r\n+ https://stuxnet999.github.io/volatility/2020/08/08/Writing-Plugins-Volatility-Part2.html\r\n\r\n## **Usage**\r\n\r\nMemLabs is completely free for anyone to use. If you wish to use MemLabs in your workshops, classes or anywhere else, it is my humble request that you use the original links to the labs and mention my name as well. For any other queries, please contact me.\r\n\r\n## **Author** :bust_in_silhouette:\r\n\r\nP. Abhiram Kumar\r\n\r\nDigital Forensics, [**Team bi0s**](https://www.twitter.com/teambi0s)\r\n\r\n+ Mail: **abhiram1999@gmail.com**\r\n+ Twitter: [**@_abhiramkumar**](https://www.twitter.com/_abhiramkumar)\r\n+ Personal Blog: [**stuxnet999.github.io**](https://stuxnet999.github.io)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstuxnet999%2FMemLabs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstuxnet999%2FMemLabs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstuxnet999%2FMemLabs/lists"}