Monday, November 5, 2012

Artifacts of Host-to-Guest File Copy in the VMWare Environment


In a virtualization environment using VMWare, one method of introducing a file onto a guest virtual machine is to simply copy and paste the file from the host system into the VMWare window. From the user’s perspective, this is a typical copy-and-paste operation, resulting in a new file in the context of the guest system that the user can then manipulate normally from inside the guest system.

Of interest to the forensic examiner, however, is the fact that a host-to-guest copy-and-paste operation in the VMWare Player environment leaves a temporary copy of the source file in %tmp%\VMWareDnD on the guest. This temporary file may be valuable in recovering the prior contents of the copied file after the live file is manipulated by the user. In addition, the temporary file retains the file creation timestamp of the original file on the host machine, potentially providing valuable information for timeline reconstruction. The temporary file persists when the guest is suspended or shut down. It is cleared when the guest is booted up.
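As an added example (my own helper for this post, not VMware's code), the script below inventories the staging folder the post describes, recording each temporary file's creation and modification timestamps and SHA-256, and checks whether a staged copy still matches the live file the user went on to edit; the `VMWareDnD` name comes from the post, while `demo()`, its temporary directory and the sample `report.docx` are constructed assumptions.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Staging directory named in the post; TMP/TEMP resolved as on a Windows guest.
DND_ROOT = Path(os.environ.get("TMP") or os.environ.get("TEMP") or ".") / "VMWareDnD"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect_dnd_artifacts(root=DND_ROOT):
    """One record per staged file: path, size, created/modified (UTC) and SHA-256."""
    root, records = Path(root), []
    if root.is_dir():
        for p in sorted(root.rglob("*")):
            if p.is_file():
                st = p.stat()
                # Creation time: st_birthtime (Python 3.12+ on Windows), else st_ctime; the post says it is kept from the host original.
                created = getattr(st, "st_birthtime", st.st_ctime)
                records.append({
                    "path": str(p), "size": st.st_size, "sha256": sha256_file(p),
                    "created_utc": datetime.fromtimestamp(created, timezone.utc).isoformat(),
                    "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                })
    return records

def compare_with_live(staged, live):
    """True while the live file still matches the temporary copy left by the paste."""
    return sha256_file(staged) == sha256_file(live)

def demo():
    """Constructed scenario: one staged file, then a live copy the user edits in the guest."""
    work = Path(tempfile.mkdtemp())
    staging = work / "VMWareDnD"
    staging.mkdir()
    staged = staging / "report.docx"              # constructed sample, not real data
    staged.write_bytes(b"original contents from the host")
    live = work / "report.docx"
    shutil.copy2(staged, live)                    # the copy the user goes on to work with
    before = compare_with_live(staged, live)
    live.write_bytes(b"edited inside the guest")  # user changes the live file
    after = compare_with_live(staged, live)
    result = {"artifacts": collect_dnd_artifacts(staging), "match_before": before, "match_after": after}
    shutil.rmtree(work)
    return result
```

Since the post notes the folder is cleared when the guest boots, run this against the live or suspended guest (or its mounted disk image) before the guest is restarted.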