Has anyone acquired the contents of an FTP share before?
I have the credentials for an FTP server and want to acquire the data but am loath to simply use an FTP client to download as this will give me new time stamps on the downloaded files.
I was hoping F-Response had some functionality to work here but doesn't appear so.
Any thoughts?
If you, or whoever you're working for, don't own the server, then using something like F-Response is not going to be the answer. F-Response has a great deal of functionality, but it does not deploy via FTP.
Why not access the server and use FTP commands to list the files, and record the time stamps that way?
I would try (on Windows) FTPuse
http//
Once you have the FTP repository mounted as local drive, you can use "normal" copy/replicating tools.
jaclaz
Yes I can access and record the time stamps manually that way and it's certainly something I will be doing anyway, but ultimately I like to have the evidence independently verifiable.
There is always the question lawyers like to ask and if the only evidence I have is my own notes and screen shots of the FTP software in use, well sometimes with certain lawyers and judges this may not be enough. But if I can have my notes, screenshots and the forensic download corroborating that information, then that should be sufficient for the most suspicious legal mind…one would hope :)
Jaclaz, FTPUSE looks promising but thus far I have been unable to get it to connect. I'm not sure if I have the syntax mixed up or if the corporate firewall may be blocking the attempt as I get socket 11004 errors whenever I try to connect.
I will continue playing around in case it's my syntax that's the problem.
Thanks gents.
Edit: yep it was just my syntax :D
Let us know how it goes :)
jaclaz
Yes I can access and record the time stamps manually that way and it's certainly something I will be doing anyway, but ultimately I like to have the evidence independently verifiable.
Well, if you don't control the FTP Server itself, and you have to access it via ftp.exe (or another tool), then how are you going to prevent others from accessing it?
This is similar to the question about acquiring memory as "evidence"…how're you going to be able to allow for independent verification of memory, as memory will change before the acquisition process is even complete?
Do those same lawyers and judges require that the defense go get their own blood and DNA samples, and photographs, from a crime scene?
Yes I can access and record the time stamps manually that way and it's certainly something I will be doing anyway, but ultimately I like to have the evidence independently verifiable.
Well, if you don't control the FTP Server itself, and you have to access it via ftp.exe (or another tool), then how are you going to prevent others from accessing it?
This is similar to the question about acquiring memory as "evidence"…how're you going to be able to allow for independent verification of memory, as memory will change before the acquisition process is even complete?
Yep. :)
Maybe one could call the thingy a "snapshot of a FTP site" (at a given date/time) instead of "acquisition" and call it a day?
I can see the reason to have the contents of a saved snapshot as alike to the "original" as possible, i.e. files and folders with the "right" dates/times (though here there could still be issues with daylight savings and timezones, depending on a number of factors/settings, some of which on the server side and possibly "unknown").
It IMHO simply sounds "better" to say ;)
"I took special care to download/copy the files through this specific method that allows to keep untouched the date/time stamps, however I additionally made a list of the date/time stamps of the remote view."
than :roll:
"I downloaded the files and folders with the first FTP tool I had handy, so all files and folders have date/times reflecting the time I downloaded them, but I have made a list of the date/time stamps of the remote view."
A FTP directory is *anyway* VERY likely to be subject to changes, just think of the FTP access to a "http" site root, there will be log files (logins/users connected/stats/counters etc.) that will be changed by the mere act of accessing it, be it through HTTP or FTP.
jaclaz
Valid points and I agree, the snapshot in a given point of time would be more correct.
FTPUse worked perfectly by the way :D
Good. :)
jaclaz
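An added example, not part of the original thread and not any poster's own method: a scripted version of the "snapshot at a given date/time" approach discussed above. It downloads each file, restores the server-reported modification time on the local copy, and returns a manifest with the remote time stamp, acquisition time and SHA-256. It assumes the server supports the RFC 3659 MLSD command (whose `modify` fact is always UTC); the function names are illustrative.

```python
import calendar, getpass, hashlib, json, os, sys, time
from ftplib import FTP

def mlsd_to_epoch(modify):
    """RFC 3659 'modify' fact (YYYYMMDDHHMMSS[.sss], UTC) -> epoch seconds."""
    return calendar.timegm(time.strptime(modify[:14], "%Y%m%d%H%M%S"))

def save_entry(dest_dir, name, facts, data, acquired_utc):
    """Write one file, restore the server's mtime, return a manifest row.
    The local creation time still reflects the download; only mtime is restored."""
    path = os.path.join(dest_dir, os.path.basename(name))
    with open(path, "wb") as fh:
        fh.write(data)
    mtime = mlsd_to_epoch(facts["modify"])
    os.utime(path, (mtime, mtime))
    return {"name": name, "size": len(data),
            "remote_modify_utc": facts["modify"],
            "acquired_utc": acquired_utc,
            "sha256": hashlib.sha256(data).hexdigest()}

def snapshot(ftp, remote_dir, dest_dir):
    """Snapshot the regular files of one remote directory (non-recursive)."""
    os.makedirs(dest_dir, exist_ok=True)
    base = remote_dir.rstrip("/")
    rows = []
    for name, facts in ftp.mlsd(remote_dir, facts=["type", "modify", "size"]):
        if facts.get("type") != "file":
            continue  # skip directories and the cdir/pdir entries
        chunks = []
        ftp.retrbinary(f"RETR {base}/{name}", chunks.append)
        now = time.strftime("%Y%m%d%H%M%S", time.gmtime())
        rows.append(save_entry(dest_dir, name, facts, b"".join(chunks), now))
    return rows

if __name__ == "__main__":
    # usage: script.py HOST USER REMOTE_DIR DEST_DIR (password is prompted for)
    host, user, remote_dir, dest_dir = sys.argv[1:5]
    with FTP(host) as ftp:
        ftp.login(user, getpass.getpass())
        manifest = snapshot(ftp, remote_dir, dest_dir)
    with open(os.path.join(dest_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
```

Keeping the manifest alongside notes and screenshots gives a third party hashes and UTC time stamps to check the local copies against, independent of the local filesystem's own dates.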