This Memory Forensic CTF Challenge is made by 13Cubed.

What is CTF (Capture The Flag)?

If you are not familiar with the term, do not worry. A Capture the Flag (CTF) competition is a popular type of cybersecurity contest that involves participants solving various security-related challenges to earn points. These competitions are designed to test and enhance the participants’ skills in different areas of cybersecurity (such as memory forensics). It has different types such as Jeopardy-Style CTF and Attack-Defense CTF.

The winner (team or individual) is decided by having the highest number of points at the end of the competition. Points are earned by successfully solving challenges and capturing flags.

Common Elements in CTF Competitions:

  • Flags: These are pieces of information (usually a string of text) hidden in the challenges. Finding a flag and submitting it to the competition platform earns points.
  • Time Limit: CTF competitions are usually time-bound, ranging from a few hours to several days.
  • Teams: Participants often compete in teams, though individual competitions also exist (like this one).
  • Tools: Participants use various cybersecurity tools and techniques to solve challenges. These might include programming languages, debuggers, disassemblers, network analyzers, custom scripts, etc.
  • Domains: cryptography, digital forensics (such as memory forensics), reverse engineering, web security, OSINT, hardware, PWN, etc.

Challenge Scenario

There is no exact scenario for this CTF (Capture The Flag) challenge, but just questions to be answered.

Downloading the Memory Dump / Running on the Cloud Lab

You can download the challenge file directly from its official link here.

How It Works

  • There are 4 memory forensic questions you need to answer
  • Each answer in MD5 hash format
  • You can use any memory forensic tool such as Volatility, Rekall, etc.

CTF Challenge Questions

  • Question #1: Find the running rogue (malicious) process. The flag is the MD5 hash of its PID.
  • Question #2: Find the running rogue (malicious) process and dump its memory to disk. You’ll find the 32-character flag within that process’s memory.
  • Question #3: What is the MAC address of this machine’s default gateway? The flag is the MD5 hash of that MAC address in uppercase with dashes (-) as delimiters. Example: 01-00-A4-FB-AF-C2.
  • Question #4: Find the full path of the browser cache created when an analyst visited “” The path will begin with “Users\.” Convert the path to uppercase. The flag is the MD5 hash of that string.

CTF Challenge Video

You can check the related video made by the CTF author here!

Useful Resources Recommended by the Challenge’s Author

A YouTube playlist made by the author contains multiple videos only on memory forensics, check it out here.

A Walk-through from the Challenge’s Author Himself

I do not recommend checking it before trying to solve it yourself, but if you are really stuck, you can download it from here or directly from below:


In this blog, I briefly notified you about an amazing mini memory forensic CTF challenge in the wild to get some practice and get your hands dirty.

~ Cya in the Next One