Say you have a VMWare disk image (VMDK file) or a CD image (ISO file) on your desktop and would like to look at the files inside. Perhaps there are a couple of files you would like to extract. You could start the virtual machine to access its files (What was the administrator password again?), or install a bunch of utilities to let you mount the image as a filesystem. Or, you could use VMXRay, a pure HTML5 web app which requires no installation at all.
The OS Info function in the explorer gives you a summary of useful information extracted from the VM image. For instance, on Windows it reads the registry and displays the service pack number, registered organization and owner, etc.
You could also look at other filesystem dumps (FAT, ext2, NTFS) in various formats (qcow2, raw). We haven't tested all combinations.
In theory, you can recover deleted photos from raw dumps of your camera's SD card. It might be a little slow, though.
What about the privacy of my data?
No data from your files is ever sent over the network. The privacy of your data is assured for the simple reason that it never leaves your machine. VMXRay does all its magic completely inside your browser.
What browsers are supported?
VMXRay uses bleeding edge HTML5 features like the FileReader API to access local files. Not all browsers support it, and even in those which do, API support is evolving. Currently, we know of the following browsers on which browsing of images and preview of files work:
Google Chrome 13+ (Mac OS X, Ubuntu)
Firefox 7+ (Mac OS X, Ubuntu)
Opera 11+ (Mac OS X)
Downloading of files works properly only on Chrome.
What file formats are supported?
There are two formats to be aware of - the disk image format and the filesystem/volume manager. The unhelpful answer is: whatever disk image format is supported by QEMU and whatever filesystem format is supported by sleuthkit. A partial list of formats known to work is given below.
Disk image formats: Raw, VMWare single and multi-file VMDKs, QEMU/KVM QCOW2 (without encryption/compression), Virtualbox VDI, ISO.
Non-DOS partitions and FreeBSD filesystems are currently not supported. We hope to support many more formats in future.
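The following added example, which is not VMXRay code, identifies the disk image formats listed above from two small byte ranges read locally with the FileReader API, so no file data leaves the machine. The function names and probe offsets are assumptions of this example. It also flags QCOW2 encryption from the header's crypt_method field, since encrypted QCOW2 images are not supported.

```javascript
// Added example, not VMXRay code: classify a disk image from two small local reads.
const ISO_ID_OFFSET = 0x8001; // "CD001" sits one byte into sector 16 (2048-byte sectors)

function ascii(bytes, start, len) {
  return String.fromCharCode(...bytes.subarray(start, start + len));
}

// header: first 512 bytes of the file; isoId: the 5 bytes at ISO_ID_OFFSET (may be empty)
function classifyImage(header, isoId) {
  const view = new DataView(header.buffer, header.byteOffset, header.byteLength);
  if (header.length >= 36 && ascii(header, 0, 3) === "QFI" && header[3] === 0xfb) {
    const crypt = view.getUint32(32, false); // big-endian crypt_method, 0 = none
    return { format: "qcow2", version: view.getUint32(4, false), encrypted: crypt !== 0 };
  }
  if (ascii(header, 0, 4) === "KDMV") return { format: "vmdk-sparse-extent" };
  if (ascii(header, 0, 21) === "# Disk DescriptorFile") return { format: "vmdk-descriptor" };
  if (header.length >= 68 && view.getUint32(0x40, true) === 0xbeda107f) return { format: "vdi" };
  if (isoId && ascii(isoId, 0, 5) === "CD001") return { format: "iso9660" };
  // No known magic: treat as raw and report whether a DOS (MBR) boot signature is present.
  const mbr = header.length >= 512 && header[510] === 0x55 && header[511] === 0xaa;
  return { format: "raw", dosPartitionTable: mbr };
}

// Constructed sample: a 512-byte qcow2 version 3 header with crypt_method = 1 (AES).
function sampleEncryptedQcow2() {
  const h = new Uint8Array(512);
  h.set([0x51, 0x46, 0x49, 0xfb, 0, 0, 0, 3]);
  h[35] = 1;
  return h;
}

// Browser side: read one byte range of a user-selected File; the bytes stay in the page.
function readRange(file, start, length) {
  return new Promise((resolve, reject) => {
    const reader = new FileReader();
    reader.onload = () => resolve(new Uint8Array(reader.result));
    reader.onerror = () => reject(reader.error);
    reader.readAsArrayBuffer(file.slice(start, start + length));
  });
}

async function probeFile(file) {
  const header = await readRange(file, 0, 512);
  const isoId = await readRange(file, ISO_ID_OFFSET, 5);
  return classifyImage(header, isoId);
}
```

In a page, probeFile can be called with a File taken from a file input or a drop event; only 517 bytes of the image are read to make the decision.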
How do I feed it multi-file VMDKs?
Select multiple files in the Select Disk Image dialog (Ctrl-click or Cmd-click). If your image is called WinXP, make sure you pick each and every one of the WinXP-s00n.vmdk files and the WinXP.vmdk file.
VMWare Fusion on the Mac represents the VM as a bundle, so you cannot use Select Disk Image for this purpose. Instead, use the Finder to locate and select your desired machine and use the Action menu (gear icon) to Show Package Contents. This will take you inside the bundle directory, where you can see the individual files (.vmdk, .vmx, .vmem etc.) which constitute the VM. You can now select all the VMDK components using Cmd-click. Now drag and drop them onto the vmxray.com page in your browser, on the welcome message or on the explorer window.
Drag and drop can be used on all platforms for single files as well.
Why is it so slow?
Actually, it is shockingly fast :) Think about it: an x86 emulator in Javascript booting a modern Linux kernel in under 10 seconds! Moore's law and Fabrice Bellard FTW!
But yes, moving data in and out of JSLinux is slow in wallclock terms. jlfs transfers data at around 420 KB/sec. Previewing and saving files are the slowest operations, since they require a roundtrip: image data goes into JSLinux, file data comes out. Speed also depends on the JS engine, browser and platform. Chrome on Mac OS appears to be the fastest.
Sleuthkit's implementation for some formats performs very slowly in a resource-starved environment like ours, though it does perfectly well in a standard x86 environment. Known issues include:
Directory loading time is proportional to number of entries. Regular directories load fast enough, but those with thousands of files (like /WINDOWS/SYSTEM32) can take tens of seconds.
ISO images with a large number of files take very long to read.
We have already made several performance tweaks to Sleuthkit's NTFS specific to our use case, and are working on a few more.
It doesn't make progress beyond "Starting Linux web appliance" / It gets stuck indefinitely at "Opening folder"
It is slow, but if there is no progress for a minute or more, it is likely a bug somewhere, or browser incompatibility. Look at the error console on the browser. Send us a screenshot of the page and the error console, or better still, a fix :)
Is it free?
All open source software modifications made by Coriolis are released under the same license as the original software, and under 2-clause BSD where new components were created.
A Linux virtual machine runs inside your browser. This is Fabrice Bellard's JSLinux, an x86 emulator implemented in Javascript. We use a custom kernel and root filesystem.
We have developed a special filesystem, jlfs, which runs on the Linux virtual machine. Together with its browser-side counterpart (jlfs.js), it enables Linux applications to access files via the HTML5 FileReader API.
A fork of Sleuthkit, a filesystem forensics tool, is run on the Linux virtual machine to provide directory and file data.
A fork of the beautiful elFinder is used to present a folder interface to the file system.
There is no server-side processing; everything happens within the browser.