VMware Drag and Drop Files
Overview
Evidence: VMware Drag and Drop Files
Description: Collect VMware Drag and Drop Files
Category: Applications
Platform: windows
Short Name: vmdd
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
VMware temporarily caches files dragged and dropped between the host and guest virtual machines in the VMwareDnD directory. These files remain cached during the VM session.
Data Collected
This collector gathers structured data about VMware drag-and-drop files.
Collection Method
This collector gathers VMware drag-and-drop cache directories from temporary directories containing files transferred between host and VM.
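
A read-only inventory of the cache this collector targets, as an added example (not the collector's own code): it walks the given temp directories for VMwareDnD folders and records size, modification time and SHA-256 for each cached file. The per-user temp path under C:\Users and the reading of the first-level subfolder as one transfer are assumptions not stated on this page.

```python
import hashlib
import json
import os
import sys
from datetime import datetime, timezone
from pathlib import Path

CACHE_DIR_NAME = "vmwarednd"  # VMwareDnD, compared case-insensitively

def find_cache_dirs(temp_roots):
    """Yield each VMwareDnD directory found below the given roots."""
    for root in temp_roots:
        for dirpath, dirnames, _files in os.walk(root):
            hits = [d for d in dirnames if d.lower() == CACHE_DIR_NAME]
            for d in hits:
                dirnames.remove(d)  # inventoried below, no need to descend
                yield Path(dirpath) / d

def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only: never alter the evidence
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(temp_roots):
    """Return one record per cached file, sorted by path."""
    records = []
    for cache in find_cache_dirs(temp_roots):
        for path in sorted(p for p in cache.rglob("*") if p.is_file()):
            rel = path.relative_to(cache)
            st = path.stat()
            rec = {"cache_dir": str(cache), "file": rel.as_posix(),
                   # Assumption: first-level subfolder groups one transfer.
                   "transfer_dir": rel.parts[0] if len(rel.parts) > 1 else "",
                   "size": st.st_size,
                   "modified_utc": datetime.fromtimestamp(
                       st.st_mtime, timezone.utc).isoformat()}
            try:
                rec["sha256"] = sha256_file(path)
            except OSError as exc:  # locked or unreadable file
                rec["error"] = str(exc)
            records.append(rec)
    return records

if __name__ == "__main__":
    # Assumption: per-user temp is <Users>\<name>\AppData\Local\Temp.
    roots = sys.argv[1:] or list(Path(r"C:\Users").glob("*/AppData/Local/Temp"))
    print(json.dumps(inventory(roots), indent=2))
```

Because the cache only persists during the VM session, run the inventory before the VM is shut down or the cache is cleared.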
Forensic Value
VMware drag-and-drop files reveal data transfers between host and virtual machines, which can identify malware analysis activities, data staging, or file exfiltration through VMs.