Evidence: VMware Drag and Drop Files
Description: Collect VMware Drag and Drop Files
Category: Applications
Platform: windows
Short Name: vmdd
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
VMware temporarily caches files dragged and dropped between the host and guest virtual machines in the VMwareDnD directory. These files remain cached during the VM session.
Data Collected
This collector gathers structured data about VMware drag-and-drop files.
Collection Method
This collector gathers the VMware drag-and-drop cache directories (VMwareDnD) found in temporary directories. These directories contain the files transferred between host and VM.
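The kind of inventory an examiner can build from the collected cache, as an added example (not the collector's own code): it records path, size, modification time and SHA-256 for each cached file. The function names, the caller-supplied `temp_roots` list and the one-subdirectory-per-transfer layout are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CACHE_DIR_NAME = "VMwareDnD"  # directory name given in the Background section


def sha256_file(path, chunk_size=65536):
    """Hash in chunks so large transferred files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_dnd_cache(temp_roots):
    """Return one record per file under <temp_root>/VMwareDnD.

    temp_roots is an assumption: the caller lists the temporary
    directories to examine (e.g. each user profile's temp folder).
    """
    records = []
    for root in map(Path, temp_roots):
        cache = root / CACHE_DIR_NAME
        if not cache.is_dir():
            continue  # no drag-and-drop cache under this temp directory
        for dirpath, _dirs, files in os.walk(cache):
            for name in sorted(files):
                path = Path(dirpath) / name
                try:
                    info = path.stat()
                    file_hash = sha256_file(path)
                except OSError as exc:
                    # Locked or vanished files are reported, not dropped.
                    records.append({"path": str(path), "error": str(exc)})
                    continue
                rel = path.relative_to(cache)
                mtime = datetime.fromtimestamp(info.st_mtime, tz=timezone.utc)
                records.append({
                    "path": str(path),
                    # Assumed layout: one subdirectory per transfer.
                    "transfer_dir": rel.parts[0] if len(rel.parts) > 1 else "",
                    "size": info.st_size,
                    "modified_utc": mtime.isoformat(),
                    "sha256": file_hash,
                })
    return records


if __name__ == "__main__":
    for record in inventory_dnd_cache([tempfile.gettempdir()]):
        print(record)
```

Sorting the records by `modified_utc` gives a transfer timeline, and the hashes can be compared against files found on the guest or in other evidence.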
Forensic Value
VMware drag-and-drop files reveal data transfers between host and virtual machines, which can identify malware analysis activities, data staging, or file exfiltration through VMs.