MEMLABS
Introduction
The MemoryForensic website aims to be the #1 website on the Internet for anyone who wants to learn and become adept in the memory forensics field. Thus, we must list valuable resources that already exist but that people may not be aware of. One of these resources is MEMLABS.
Credit
This work was done by Abhiram Kumar, and this article is based on his work.
About MemLabs
MemLabs is an educational series of challenges styled after Capture The Flag (CTF), designed to inspire students, security enthusiasts, and CTF players to delve into the realm of Memory Forensics.
Labs’ Structure
Directory | Challenge Name | Level Of Difficulty
Lab 0 | Never Too Late Mister | Sample challenge
Lab 1 | Beginner's Luck | Easy
Lab 2 | A New World | Easy
Lab 3 | The Evil's Den | Easy – Medium
Lab 4 | Obsession | Medium
Lab 5 | Black Tuesday | Medium – Hard
Lab 6 | The Reckoning | Hard
Start with Lab 0 (a sample challenge with its solution) to learn how Volatility is used and to understand the analysis logic, then move on to the other labs.
Note: All the memory dumps are Windows-based.
Tools and frameworks
I’d suggest everyone use The Volatility Framework for analysing the memory images.
Please execute the setup.sh file to install all the required dependencies on your system.
Note: Windows users can download the executable file from here.
As these labs are quite introductory, there is no need to install more tools. However, users who wish to can install many other forensic tools.
The preferred OS would be Linux. However, you can also use Windows (WSL) or macOS.
Flag submission
Please send the flags for each lab to memlabs.submit@gmail.com.
Please refer to the example below to understand how to submit your solution.
Suppose you discover 3 flags in a specific lab:
- flag{stage1_is_n0w_d0n3}
- flag{stage2_is_n0w_d0n3}
- flag{stage3_is_n0w_d0n3}
Concatenate all the flags like this: flag{stage1_is_n0w_d0n3} flag{stage2_is_n0w_d0n3} flag{stage3_is_n0w_d0n3}
Ensure the flags are arranged in the correct order, and separate them with spaces. The content within the flags indicates their position.
Email format & Successful Submission
Please follow these guidelines when sending the solution. Below is a sample:
Email Subject: [MemLabs Solution Submission] [Lab-x]
x indicates the lab number, e.g. 1, 2, 3.
Email your solution to memlabs.submit@gmail.com
If the solution is correct, then the participant will receive a confirmation mail.
Conclusion
MemLabs is a memory forensics learning series presented as CTF-style challenges, where you can learn and enhance your memory analysis skills.
~ Cya till the next one 🙂