DFIR LABS is a compilation of challenges that aims to provide practice in simple to advanced concepts in the following topics: Digital Forensics, Incident Response, Malware Analysis and Threat Hunting.
This is aimed at Professionals, Security Researchers, Students, CTF Players as well as DFIR & Malware Analysis Enthusiasts in the field of Cyber Security who want to practice or have an interest in the aforementioned topics.
Though each challenge ultimately ends in a CTF-style flag, most of them are framed in the traditional and effective learning format of answering questions about an incident response scenario.
The first release of DFIR LABS focuses primarily on Windows-based challenges. Upcoming editions will broaden the scope to Linux, macOS, and Android, offering a comprehensive range of DFIR challenges across diverse platforms.
Our vision is to create a comprehensive resource that grows with the community, incorporating modern threats and techniques, and fostering collaboration across diverse cybersecurity domains. Whether you're a beginner or an expert, DFIR LABS offers a unique opportunity to sharpen your skills and stay ahead in this ever-evolving field.
Individuals are strongly advised against executing any executables or binaries provided in the challenge files, as they may contain malicious software. The authors of DFIR LABS hold no responsibility for any consequences resulting from the use of these files, including but not limited to system compromise, data loss, or operational disruption. To mitigate risk, conduct all activities within a secure, isolated environment such as a virtual machine or sandboxed setup, and make sure that environment is configured to contain a live sample (no network path to production systems, snapshots taken before analysis).
Warning
The challenges in DFIR LABS are designed to simulate real-world scenarios and may contain harmful software such as ransomware, trojans, stealers, C2 implants, etc. Always exercise caution and use a secure, isolated environment when working with these challenges.
Challenge Name | Difficulty | Author(s) |
---|---|---|
Gotham Hustle | Easy | Azr43lKn1ght |
Trinity Of Secrets | Easy | rudraagh, kr4z31n, __ m1m1 __ |
2-layer security | Easy | bquanman |
Winserpart | Easy | Azr43lKn1ght, jl_24, gh0stkn1ght, sp3p3x |
Kn1ghtfl4r3 | Medium | kr4z31n, __ m1m1 __, rudraagh |
Verboten | Medium | sp3p3x, jl_24, gh0stkn1ght, hrippi.x_ |
Covid Crime Scenario | Medium | ws1004 |
pf-ing | Medium | k.eii |
The Malware Crusade | Medium | Azr43lKn1ght, sp3p3x, jl_24, gh0stkn1ght, 5h4rrk |
Compromised | Medium | Abdelrhman |
Famous AMOS | Medium | warlocksmurf |
The Saint Bat | Medium | Azr43lKn1ght |
ReAL File System | Hard | 5h4rrk |
Stealth | Hard | bquanman |
Thugs on a boat | Hard | bquanman |
Batman Investigation I | Hard | Azr43lKn1ght |
Master of DFIR - Phishing | Hard | crazyman, F0rest, yuro |
Master of DFIR - Coffee | Hard | crazyman, F0rest |
Hidden Gem Mixtape | Hard | bquanman |
Kn1ghtF4LL | Hard | Azr43lKn1ght, sp3p3x, jl_24, gh0stkn1ght |
Batman Investigation II | Insane | Azr43lKn1ght |
Batman Investigation III | Insane | Azr43lKn1ght |
Kn1ghtw4r3 | Insane | Azr43lKn1ght, gh0stkn1ght, jl_24, sp3p3x, hrippi.x_ |
Kn1ghtm4r3 | Insane | Azr43lKn1ght |
Batman Investigation IV | Insane | Azr43lKn1ght, jl_24, sp3p3x, gh0stkn1ght |
Note
The difficulty level of each challenge is subjective and may vary based on individual experience and skill level. The challenges are designed to be completed in a specific order, with each challenge building upon the previous one. However, participants are free to attempt the challenges in any order they prefer.
To ensure a secure and efficient analysis environment, follow these steps:
- Isolated Virtual Machine: Use a dedicated virtual machine (VM) for DFIR LABS challenges. Recommended platforms include VMware, VirtualBox, or Hyper-V. Ensure the VM is configured with sufficient resources (CPU, memory, and disk space) for smooth operation.
- Operating System: Install a clean version of Windows or any OS you prefer. Apply all security patches and updates.
- Network Configuration: Disable internet access on the VM to prevent unintended data exfiltration or malware communication. Use a host-only or internal network configuration, and verify that no adapter is attached to a bridged/external network before opening any challenge file.
- Forensic Tools: Install industry-standard forensic tools, such as Autopsy, Volatility, or FTK Imager, depending on the nature of the challenge. Ensure all tools are updated to their latest stable versions.
- Snapshot Management: Take an initial snapshot of the VM after setup and before beginning any analysis. This allows for easy rollback in case of system compromise or misconfiguration.
- Secure Storage: Store challenge files and findings in an isolated container, and record file hashes when you receive the evidence so you can later show that what you analysed is unchanged.
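The following PowerShell script is an added example for the setup steps above; it is not part of DFIR LABS and assumes a Hyper-V host with the Hyper-V PowerShell module, run from an elevated prompt. The VM name `DFIR-LAB`, the switch name `DFIR-Internal` and the challenge directory `C:\DFIR\challenges` are placeholders. It creates an internal switch, moves every adapter of the VM onto it, fails loudly if any adapter is still on an External switch, takes a clean baseline checkpoint, and records SHA-256 hashes of the challenge files before they are copied into the VM.

```powershell
# Added example, not DFIR LABS code. Assumes Hyper-V, elevated session,
# and an existing VM. Names and paths below are placeholders.
$VmName       = 'DFIR-LAB'
$SwitchName   = 'DFIR-Internal'
$ChallengeDir = 'C:\DFIR\challenges'

# 1. Internal switch: the VM can reach the host only, never the physical NIC.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# 2. Attach every network adapter of the VM to the internal switch.
Get-VMNetworkAdapter -VMName $VmName | Connect-VMNetworkAdapter -SwitchName $SwitchName

# 3. Verification: refuse to continue if any adapter is still on an External switch,
#    which would give a detonated sample a route to the internet.
$external = Get-VMNetworkAdapter -VMName $VmName | Where-Object {
    $_.SwitchName -and (Get-VMSwitch -Name $_.SwitchName).SwitchType -eq 'External'
}
if ($external) {
    throw "VM '$VmName' still has an adapter on an External switch: $($external.SwitchName -join ', ')"
}

# 4. Clean baseline checkpoint to roll back to after each challenge.
$snap = 'clean-baseline-' + (Get-Date -Format 'yyyyMMdd-HHmm')
Checkpoint-VM -Name $VmName -SnapshotName $snap

# 5. Hash the challenge files on the host before moving them into the VM, so the
#    evidence you analysed can later be shown to match what you were given.
Get-ChildItem -Path $ChallengeDir -File -Recurse |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $ChallengeDir 'hashes.csv') -NoTypeInformation
```

Run it once after the VM is built and before the first challenge; re-run step 3 whenever you change the VM's network settings, since that check is what actually enforces the "no internet" requirement rather than relying on memory. For VMware or VirtualBox the same steps apply with a host-only network and the product's own snapshot command.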
Any and all feedback, suggestions or improvements are welcome! We would appreciate any feedback from the community.
Send your feedback on X: Azr43lKn1ght
If you are interested in contributing to DFIR LABS, please refer to the CONTRIBUTING.md file for more information.
DFIR Labs is absolutely free for anyone to use. If you want to use DFIR Labs in your workshops, sessions or anywhere else, please always use the original links to the labs and credit the author's name and the labs. For any other queries, please contact me via email or Twitter/X: Azr43lKn1ght
We extend our deepest gratitude to everyone who has played a part in the success of DFIR LABS. This project thrives on the passion, expertise, and unwavering dedication of our core contributors and supporters. A special acknowledgment goes to the incredible teams that have supported and enriched this initiative:
We are profoundly grateful for the continued encouragement, insightful feedback, and inspiration from the global DFIR and cybersecurity community. Your support fuels the growth and evolution of DFIR LABS, and we are honored to have you alongside us on this journey!
Here are some of the most used open-source tools that will help you in solving the challenges:
Here are some of the most used resources that will help you in solving the challenges:
- Azr43lKn1ght's Blog
- ws1004's Blog
- crazymaan's Blog
- warlocksmurf's Blog
- Abdelrhman Shaban's Blog
- cyber5w
- Ashemery
- Stuxn3t's Blog
- G4rud4's Blog
- This Week in 4n6
- frsecure
- SANS Blog
- DFIR training
Join our Discord server to connect with the DFIR community, share insights, and collaborate on cybersecurity challenges. The server is open to all cybersecurity enthusiasts, students, professionals, and researchers. We welcome diverse perspectives and encourage active participation in discussions, workshops, and CTF events.
Also join the Digital Forensics Discord server for more discussions and resources on DFIR topics.