How to Recover a FTP'd file using Netwitness

Blog Post created by mike.daly on Sep 11, 2012

Like • Show 0 Likes0
Comment • 0

Recovering a file that was sent via FTP is unique to a file sent over other Ports or Protocols e.g. SMTP/25, SSH/22, HTTP/80 etc, because FTP sends the file over higher ports that create a new and unique Session ID.

Port 21/tcp FTP Command Session

Port 20/tcp FTP Data Session

In the attached document we follow a session between two hosts that use multiple ports and session ID's to recover the PDF document that was transmitted.

Attachments

Recovering-an ftpd-file.pdf1.5 MB

How to Recover a FTP'd file using Netwitness

Recovering a file that was sent via FTP is unique to a file sent over other Ports or Protocols e.g. SMTP/25, SSH/22, HTTP/80 etc, because FTP sends the file over higher ports that create a new and unique Session ID.

Attachments

Outcomes

Related Content

Recommended Content