|Applies To||RSA NetWitness NextGen|
RSA NetWitness Investigator
|Issue||How to recover a file that was sent via FTP using RSA NetWitness.|
Recovering a file that was sent via FTP is unique to a file sent over other Ports or Protocols e.g. SMTP/25, SSH/22, HTTP/80 etc, because FTP sends the file over higher ports that create a new and unique Session ID.
In the attached PDF document, Session ID 171651750 negotiates a FTP session tcp.dstport 21 will use tcp.srcport 46736 to transmit the file.
|Legacy Article ID||a59820|