Article Content
Article Number | 000026302 |
Applies To | RSA NetWitness NextGen RSA NetWitness Investigator |
Issue | How to recover a file that was sent via FTP using RSA NetWitness. |
Resolution | Recovering a file that was sent via FTP is unique to a file sent over other Ports or Protocols e.g. SMTP/25, SSH/22, HTTP/80 etc, because FTP sends the file over higher ports that create a new and unique Session ID.
In the attached PDF document, Session ID 171651750 negotiates a FTP session tcp.dstport 21 will use tcp.srcport 46736 to transmit the file. |
Legacy Article ID | a59820 |