Home‎ > ‎CIS 77‎ > ‎

Nelab: Lab 3

In this lab you'll use the NetLab+ system. The link to our NetLab+ system is posted on the class page and below:


In the NetLab+ lab you'll use Linux-based tools to explore Linux and Windows filesystems. The lab will help you understand how hex editors work and make you more familiar with looking at raw binary data. Thats a good skill for finding hidden things. NetLab+ tracks the time you spend in the labs. You must complete the lab for full credit on this assignment. After you do the lab you should be able to complete the following challenges.

Finding a Good Hex Editor 

You will need a hex editor that can write files. WinHEX can only do that if you pay for it. In class I used HXD for Windows. You can download that here: 

On Linux I use bless, which can be installed by apt or yum. I have not tested a good hex editor on MacOS but I would like recommendations if you have one.  

Hiding in Plain Sight

Download this VHD file and load it into a hex editor: 

The VHD contains a secret message hiding in plain sight. The secret message is added to the unused space at the end of an HTML file. There may be other secret messages but only one counts for credit. You can find it if you know what's at the end of every HTML file. Hint: Use your browser's ability to view the source of an HTML page to see what's at the end of this one. Your hex editor's search function will help you find the end of the file. Take a screenshot of the message. 

Missing Bytes

The DOS partition in the VHD was intentionally corrupted. But, you can recover it because you know that DOS partitions should start with the bytes: 

    EB 3C 90 4D 

If you can restore those bytes and save your VHD you will be able to import it into your favorite forensics program (e.g. ProDiscover or OSForensics) and a deleted file. The deleted file has a secret message. Take a screenshot of the contents of the message. 

Turn In

  1. Complete the NetLab+ Lab (there's no need to do anything on Canvas, the time is kept in NetLab)
  2. A screenshot of the hidden message at the end of the HTML file
  3. A screenshot of the hidden message in the deleted file.  
Submit your homework on canvas.


  • 10 points for NetLab+
  • 5 points for each screenshot.
Michael Matera,
Feb 28, 2017, 9:10 PM