DFIR ATT&CK Investigation Labs

DFIR investigation labs in your browser. One question per stage; the ATT&CK technique is revealed after the finding.

Self-contained HTML · No installation · Mobile-friendly · Free / MIT

🎯 Available Labs

The Black Window Case — Memory Forensics
A sister's PC crashed mid-drawing after a black window popped up · Windows 7 SP1 x64
JUNIOR / INTERMEDIATE

A sister's PC crashed mid-session and her family recovered the memory image. Eight stages walking the ATT&CK kill chain — investigate, then map your findings.

TA0007 Discovery · TA0001 Initial Access · TA0002 Execution · TA0005 Stealth · TA0006 Credential Access · TA0009 Collection · TA0010 Exfiltration
8 stages · Investigation-driven · 60–90 min typical playtime
▶ Play Now · 📄 Read the report · 📚 Answer sheet

📱 Playing on Mobile

This site works on iOS Safari and Android Chrome. For the cleanest experience, after opening a lab, use your browser's Add to Home Screen (Safari Share menu / Chrome menu → Install app) — the CTF then runs fullscreen offline like a native app.

๐Ÿ› ๏ธ Want to Build Your Own?

The labs in this pack were generated by a Claude Code skill called ctf-builder that converts forensic artefacts (memory images, disk images, pcap, EVTX corpus) into ATT&CK-organised CTFs with three deliverables — interactive game, DFIR report, and analyst training guide. Grab the skill from the repo.

๐Ÿ™ Attribution

The DFIR challenges referenced here derive from publicly available CTFs created by their original authors. The CTF wrapper, ATT&CK kill-chain methodology, analyst training guides, and ctf-builder skill in this repository are derivative educational content released under MIT.

The Black Window Case — memory image and case scenario from stuxnet999/MemLabs Lab 1 · github.com/stuxnet999/MemLabs/tree/master/Lab%201