VMware Drag and Drop Files

Overview

Evidence: VMware Drag and Drop Files
Description: Collect VMware Drag and Drop Files
Category: Applications
Platform: windows
Short Name: vmdd
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

VMware temporarily caches files dragged and dropped between the host and guest virtual machines in the VMwareDnD directory. These files remain cached during the VM session.

Data Collected

This collector gathers structured data about VMware drag-and-drop files.

Collection Method

This collector gathers VMware drag-and-drop cache directories from temporary directories containing files transferred between host and VM.
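
An added example, not the collector's own code: a Python script that inventories VMwareDnD cache directories under a live or mounted Windows volume and records size, modification time and SHA-256 for each cached file. The Temp locations in PATTERNS and all function names are assumptions; the page only states that the cache sits in temporary directories.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed locations (not stated on the page): per-user and system Temp folders.
# Adjust the patterns to the directories your collection actually covers.
PATTERNS = ("Users/*/AppData/Local/Temp/VMwareDnD", "Windows/Temp/VMwareDnD")

def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory_vmware_dnd(root, patterns=PATTERNS):
    """List every regular file below each VMwareDnD directory under root."""
    records = []
    for pattern in patterns:
        for cache_dir in sorted(Path(root).glob(pattern)):
            if not cache_dir.is_dir():
                continue
            for f in sorted(cache_dir.rglob("*")):
                if f.is_symlink() or not f.is_file():
                    continue  # hash file content only, never follow links
                rel = f.relative_to(cache_dir)
                st = f.stat()
                records.append({
                    "user_path": cache_dir.relative_to(root).as_posix(),
                    "subdir": rel.parts[0] if len(rel.parts) > 1 else "",
                    "name": f.name,
                    "size": st.st_size,
                    "modified_utc": datetime.fromtimestamp(
                        st.st_mtime, timezone.utc).isoformat(),
                    "sha256": sha256_file(f),
                })
    return records

def build_sample_tree(base):
    """Constructed sample: two profiles, one with a cached drag-and-drop file."""
    cache = Path(base, "Users/alice/AppData/Local/Temp/VMwareDnD/0a1b2c3d")
    cache.mkdir(parents=True)
    (cache / "report.docx").write_bytes(b"constructed sample content")
    Path(base, "Users/bob/AppData/Local/Temp").mkdir(parents=True)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in inventory_vmware_dnd(build_sample_tree(tmp)):
            print(rec)
```

Path matching is case-sensitive when the volume is mounted on a case-sensitive filesystem, so match the patterns to the on-disk casing in that situation.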

Forensic Value

VMware drag-and-drop files reveal data transfers between host and virtual machines, which can identify malware analysis activities, data staging, or file exfiltration through VMs.
