Skip to content
  • There are no suggestions because the search field is empty.

How to recover a file that was sent via FTP using RSA NetWitness

Issue

How to recover a file that was sent via FTP using RSA NetWitness.


Resolution

Recovering a file that was sent via FTP is unique to a file sent over other Ports or Protocols e.g. SMTP/25, SSH/22, HTTP/80 etc, because FTP sends the file over higher ports that create a new and unique Session ID.

Port 21/tcp FTP Command Session
Port 20/tcp FTP Data Session

In the attached PDF document, Session ID 171651750 negotiates a FTP session tcp.dstport 21 will use tcp.srcport 46736 to transmit the file.
This creates a New Session ID 171653117 using port 46737 to Port 27327 as agreed in the first session.


Internal Comments

UserName:hawkir
10/2/2012 3:35:30 PM - Recovering an FTP'd file
Solution 645

UserName:shurtj
8/12/2014 7:57:50 PM - Updated Article
Updated article and made changes to abide by Primus best practices.

Salma Sadek -- 4 May 2024
​​​​​​​Requesting archive as version is not longer supported.

Product Details

RSA NetWitness NextGen
RSA NetWitness Investigator

Approval Reviewer Queue

Technical approval queue