000026302 - How to recover a file that was sent via FTP using RSA NetWitness

Document created by RSA Customer Support Employee on Jan 10, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000026302
Applies To: RSA NetWitness NextGen, RSA NetWitness Investigator
Issue: How to recover a file that was sent via FTP using RSA NetWitness.
Resolution

Recovering a file that was sent via FTP differs from recovering a file sent over other ports or protocols (e.g. SMTP/25, SSH/22, HTTP/80), because FTP sends the file over higher ports, which creates a new and unique Session ID.

Port 21/tcp FTP Command Session
Port 20/tcp FTP Data Session

In the attached PDF document, Session ID 171651750 negotiates an FTP session (tcp.dstport 21) that will use tcp.srcport 46736 to transmit the file.
This creates a new Session ID, 171653117, using port 46737 to port 27327, as agreed in the first session.
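
To find which port to look for in the second session, an analyst can read the port negotiation out of the reconstructed command session. The following is an added example, not part of the RSA article or product: it parses PORT/PASV lines and, going beyond the case above, the extended EPRT/EPSV forms. The control lines and IP addresses are constructed; only port 27327 comes from the article, and the `pivot_filter` query form is an assumption.

```python
import re

# PORT and "227" (PASV reply) carry h1,h2,h3,h4,p1,p2; port = p1*256 + p2 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# EPRT and "229" (EPSV reply) carry |proto|addr|port|; EPSV leaves proto/addr empty (RFC 2428).
_EXTENDED = re.compile(r"\|(\d*)\|([^|]*)\|(\d{1,5})\|")

# Constructed sample of a reconstructed FTP command session (not from the article's PDF).
SAMPLE = [
    "USER analyst",
    "331 Password required",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,106,191).",
    "RETR report.pdf",
    "150 Opening BINARY mode data connection",
]


def data_endpoints(control_lines, server_ip):
    """Return [(mode, ip, port)] for every data channel agreed on the command session."""
    found = []
    for line in control_lines:
        text = line.strip()
        verb = text.split(" ", 1)[0].upper()
        if verb in ("PORT", "227"):
            m = _HOSTPORT.search(text)
            if not m:
                continue
            nums = [int(g) for g in m.groups()]
            if any(n > 255 for n in nums):
                continue  # malformed octet: do not guess a port
            ip = ".".join(str(n) for n in nums[:4])
            found.append(("active" if verb == "PORT" else "passive", ip, nums[4] * 256 + nums[5]))
        elif verb in ("EPRT", "229"):
            m = _EXTENDED.search(text)
            if not m or not 0 < int(m.group(3)) < 65536:
                continue
            # An EPSV reply omits the address, so the listener is the FTP server itself.
            ip = m.group(2) or server_ip
            found.append(("active" if verb == "EPRT" else "passive", ip, int(m.group(3))))
    return found


def pivot_filter(endpoint):
    """Assumed query form: the advertised port is the listener, so it is the data session's destination port."""
    return f"tcp.dstport = {endpoint[2]}"


if __name__ == "__main__":
    for ep in data_endpoints(SAMPLE, "192.0.2.10"):
        print(ep, "->", pivot_filter(ep))
```

In both active and passive mode the advertised port is the listening side of the data connection, so it appears as the destination port of the new session.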

Legacy Article ID: a59820
