FTP stands for File Transfer Protocol. Its name reveals the purpose for which it was designed: transferring files over the Internet or, more generally, over TCP/IP networks.
Its popularity has declined in recent years because of the success of HTTP, which can also transfer files. It remains in use, however: as one of the oldest protocols it has become a “classic”, and every operating system has a client or server for it. In addition, much of the information gathered over the history of the Internet is available only on FTP servers.
Current HTTP browsers can also use FTP, so it is very easy for the user to benefit from this protocol.
Browsing an FTP server looks like browsing a file system on a local disk. URLs begin with ftp://, and their structure is identical to that of web addresses.
FTP uses two ports (21 and 20) and two connections for communication: one connection for the interactive transmission of commands and one for data transfer.
Access to a server generally requires authentication with a username and a password. Many servers, however, offer anonymous access to their resources without the need for authentication.
The easiest way to gather evidence from an FTP server is to investigate its directory structure and to download the files for which access rights are available.
FTP servers keep logs that record all connections and transfers made. For example, the record of the transfer of a file containing an illegal copy of the movie Casablanca would have the following form:
Feb 19 23:32:42 ftp proftpd: connect from 18.104.22.168
Feb 19 23:32:48 ftp proftpd: ANONYMOUS FTP login as ‘anonymous’ from 22.214.171.124
Feb 19 23:33:10 ftp proftpd: 126.96.36.199 /opt/filme/Casablanca-DvX.avi 687094582b
Feb 20 02:17:22 ftp proftpd: ftp connection to 188.8.131.52 closed
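The following is an added example, not part of the original article: a small Python parser that turns log lines of the form shown above into per-client sessions (connect, login, transfers, close), so an examiner can see who transferred which file and when. The function names, the year parameter (the timestamps carry no year) and the sample lines are assumptions made for illustration; sessions are keyed by client address because the line format shown has no other session identifier.

```python
import re
from datetime import datetime

# Constructed sample in the line format shown above (documentation-range addresses).
SAMPLE_LOG = """\
Feb 19 23:32:42 ftp proftpd: connect from 192.0.2.10
Feb 19 23:32:48 ftp proftpd: ANONYMOUS FTP login as 'anonymous' from 192.0.2.10
Feb 19 23:33:10 ftp proftpd: 192.0.2.10 /opt/filme/Casablanca-DvX.avi 687094582b
Feb 19 23:50:05 ftp proftpd: connect from 198.51.100.7
Feb 19 23:55:00 ftp proftpd: entry in some other format
Feb 20 02:17:22 ftp proftpd: ftp connection to 192.0.2.10 closed
"""
PREFIX = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd: (.*)$")
EVENTS = [  # the four message forms in the excerpt; plain or typographic quotes
    ("connect", re.compile(r"^connect from (?P<ip>\S+)$")),
    ("login", re.compile(r"^ANONYMOUS FTP login as ['‘’](?P<user>.*?)['‘’] from (?P<ip>\S+)$")),
    ("close", re.compile(r"^ftp connection to (?P<ip>\S+) closed$")),
    ("transfer", re.compile(r"^(?P<ip>\S+) (?P<path>/.*) (?P<size>\d+)b$")),
]

def parse_line(line, year):
    """Return an event dict, or None for an unknown form. The caller supplies the year."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    for kind, rx in EVENTS:
        if hit := rx.match(m.group(2)):
            return {"time": when, "kind": kind, **hit.groupdict()}
    return None

def build_sessions(log_text, year):
    """Group events per client address; unmatched lines are returned, not dropped."""
    current, sessions, unparsed = {}, [], []
    for line in filter(str.strip, log_text.splitlines()):
        if (ev := parse_line(line, year)) is None:
            unparsed.append(line)
            continue
        ip, kind = ev["ip"], ev["kind"]
        if kind == "connect" or ip not in current or current[ip]["end"]:
            sessions.append({"ip": ip, "start": ev["time"], "end": None, "user": None, "transfers": []})
            current[ip] = sessions[-1]
        s = current[ip]
        if kind == "login":
            s["user"] = ev["user"]
        elif kind == "transfer":
            s["transfers"].append((ev["time"], ev["path"], int(ev["size"])))
        elif kind == "close":
            s["end"] = ev["time"]
    return sessions, unparsed
```

Lines that match none of the known forms are returned separately so they can be reviewed by hand, and a session whose "end" is still None never logged a close in the examined excerpt.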
On the client side, investigations are difficult because not all client applications keep logs of transfers. You can check the browsing history, the temporary storage and the favorite links on the investigated computer.