06 · FTP

FTP / SFTP

Acquire entire directory trees from a remote server, preserving structure, paths and the fingerprint of every file.

C.E.R.T.O. Desktop “FTP/SFTP Acquisition” screen: connection to the server (FTP/FTPS/SFTP) with host, port and credentials, in read-only access. The rate is flat, independent of the size and number of files.

C.E.R.T.O.'s FTP/SFTP module performs the forensic copy of the contents of a remote server via FTP, FTPS or SFTP: it connects in read-only mode — without modifying, deleting or altering any file — and recursively downloads the filesystem, preserving its tree map and computing the hashes of every file. Everything is sealed as digital evidence with a double RFC 3161 timestamp and an Ed25519 signature. It is the tool for court-appointed and party experts, lawyers and law enforcement who must freeze the contents of a website or a server.

Key features

What this module does.

  • FTP, FTPS and SFTP support with unified recursive walker.
  • Optional snapshot of the server tree (server-snapshot.json).
  • Integrity verification with a hash for each downloaded file.
  • Safety caps on depth, file count, time and size.
  • BagIt 1.0 bundle signed with Ed25519, double RFC 3161 timestamp and CASE/UCO.

Final forensic report: the interactive dashboard of the FTP bundle — summary, server tree, acquired files, hash inventory, connection and protocol, network and system information, chain of custody and integrity check.

Non-invasive

Read-only, recursive copy.

C.E.R.T.O. connects to the server as an observer: it reads and copies, never writing. It reconstructs the entire remote structure and preserves its map, file by file.

Read-only access

The system does not modify, delete or alter any file on the remote server: it only reads and copies them, preserving the original state — an essential requirement for the genuineness of the evidence.

Recursive filesystem copy

Recursive scan and download from the chosen path: you can acquire everything, or select individual folders and files. Each item is downloaded with its own path and timestamps.

Server tree map

The complete server structure (folders, files, sizes, dates) is reconstructed and preserved as a tree: a snapshot of how the remote filesystem was organised at acquisition time.

FTP · FTPS · SFTP

Connection over FTP, FTPS (TLS) or SFTP (SSH). Host, port, protocol, server software, IP and network information are documented in the bundle. Flat rate, independent of size and number of files.

The remote browser: the operator explores the server folders (with sizes and dates), enables the “Recursive” and “Server snapshot” options and selects what to acquire — or leaves it empty to copy everything.

Forensic pipeline

How the module operates.

A repeatable, documented procedure: from the read-only connection to the cryptographic seal, every copied file leaves a verifiable trace inside the bundle.

01 · NTP

Synchronised time

Multi-source NTP sync with documented offset: the acquisition window is anchored.

02 · CONNECT

Read-only connection

FTP/FTPS/SFTP connection in read-only access; host, port, protocol, server software and network information (DNS, WHOIS, traceroute) are recorded.

03 · TREE

Server map

Recursive enumeration of the remote filesystem: folders, files, sizes and dates are collected to build the server tree map.

04 · MIRROR

File copy

Download of the selected files (or everything) preserving the folder structure: a faithful mirror of the remote content, with no writing on the server.

05 · HASH

Fingerprints

MD5/SHA-1/SHA-256/SHA-512 (FIPS 180-4) cryptographic hashes of every copied file, recorded in an inventory: the basis for a file-by-file integrity check.

06 · REPORT

Report & timestamp

Generation of the forensic report (PDF + TXT) with the server map and RFC 3161 timestamp — free cascade, optional qualified eIDAS InfoCert.

07 · SEAL

Signature & double timestamp

manifest.json signed with Ed25519 + double RFC 3161 timestamp, packaging into a BagIt 1.0 bundle with a CASE/UCO description and verify.sh / verify.bat verifiers.

Bundle contents

Everything that gets generated.

Each acquisition produces a coordinated set of artefacts, each with a precise forensic role, organised into clearly-named folders inside data/.

File mirror

The faithful copy of the files downloaded from the server, kept with the original folder structure: it is the authoritative media of the bundle.

evidence/files/

Server tree

The complete map of the remote filesystem (folders, files, sizes, dates), including items not downloaded: a snapshot of the server structure.

reports/server-tree.txt

Hash inventory

The quadruple of cryptographic hashes (MD5/SHA-1/SHA-256/SHA-512) of every copied file: the basis for an integrity check repeatable by anyone.

hashes/file-hashes.json

Connection & network

The connection details (host, port, protocol, server software) and the network information: DNS, WHOIS, traceroute to the server.

network/connection-info.txt · whois.txt

System info & log

The snapshot of the operator environment and the chronological log of every step of the acquisition, for full traceability.

reports/system-info.txt · logs/acquisition-log.txt

Forensic report

The report in PDF and TXT (operator, server, file count, size, forensic statements) with its own RFC 3161 timestamp (report.tsr).

reports/report.pdf · report.txt · report.tsr

Self-validation

A bundle that proves itself.

The bundle does not need C.E.R.T.O. to be validated: anyone, even years from now, can verify its authenticity with standard tools. The BagIt 1.0 structure and the interactive dashboard make it self-explanatory.

  • interactive.html — the navigable offline dashboard: summary, server tree, acquired files, hash inventory, connection/protocol, network and system, and client-side integrity check.
  • manifest.json signed with Ed25519 (RFC 8032), bound to the identity of the device registered at first launch.
  • Double RFC 3161 timestamp: inner anchor on data/tsa.tsr and outer seal on tagmanifest-sha256.txt.tsr. Free cascade Sectigo→DigiCert→GlobalSign; optional qualified eIDAS InfoCert.
  • manifest-sha256.txt and tagmanifest-sha256.txt (RFC 8493): fixity of the payload and of the control files; no file can be added or altered without the check failing.
  • metadata/evidence.case.jsonld: CASE 1.3 / UCO 1.4 description of the evidence, and tsa-ca.pem for verifying the timestamp even offline.
  • verify.sh / verify.bat — standalone verifiers: they recompute the hashes, check the double timestamp and the signature, and declare “VALID BUNDLE”.
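
The fixity check that manifest-sha256.txt and tagmanifest-sha256.txt make possible, as an added Python example (not C.E.R.T.O.'s own verify.sh): it recomputes every listed SHA-256 and reports missing, altered and unlisted files. The sample bag and its data/evidence/files/ layout are constructed assumptions; the Ed25519 signature and RFC 3161 timestamps are separate checks not covered here.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def read_manifest(path):
    """Parse BagIt manifest lines of the form '<hex digest> <relative path>'."""
    entries = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, rel = line.split(maxsplit=1)
            entries[rel.strip()] = digest.lower()
    return entries

def check_bag(bag):
    """Return sorted (problem, path) pairs; an empty list means fixity holds."""
    bag = Path(bag)
    payload = read_manifest(bag / "manifest-sha256.txt")
    tags = read_manifest(bag / "tagmanifest-sha256.txt")
    problems = []
    for rel, digest in {**payload, **tags}.items():
        if not (bag / rel).is_file():
            problems.append(("missing", rel))
        elif sha256_file(bag / rel) != digest:
            problems.append(("altered", rel))
    # A payload file on disk that the manifest does not list was added later.
    for f in (bag / "data").rglob("*"):
        rel = f.relative_to(bag).as_posix()
        if f.is_file() and rel not in payload:
            problems.append(("unlisted", rel))
    return sorted(problems)

def build_sample_bag(root):
    """Constructed sample bag for this example; not a real C.E.R.T.O. bundle."""
    root, rel = Path(root), "data/evidence/files/index.html"  # layout is assumed
    (root / rel).parent.mkdir(parents=True)
    (root / rel).write_bytes(b"<h1>constructed sample</h1>\n")
    (root / "bagit.txt").write_text("BagIt-Version: 1.0\n")
    (root / "manifest-sha256.txt").write_text(f"{sha256_file(root / rel)}  {rel}\n")
    tag = f"{sha256_file(root / 'manifest-sha256.txt')}  manifest-sha256.txt\n"
    (root / "tagmanifest-sha256.txt").write_text(tag)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bag = build_sample_bag(tmp)
        (bag / "data" / "planted.txt").write_text("added after sealing")
        print(check_bag(bag))
```

Rewriting manifest-sha256.txt to hide a changed payload file is caught one level up, because tagmanifest-sha256.txt carries the digest of the manifest itself.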

FAQ

Frequently asked questions

Forensic FTP/SFTP acquisition, read-only access, recursive copy and bundle verification: the most common questions.

What is forensic FTP/SFTP server acquisition?

It is the forensic copy of the contents of a remote server reachable via FTP, FTPS or SFTP: the filesystem is recursively scanned and downloaded, every file is hashed and everything is sealed into a bundle verifiable by third parties, with a tree map of the server structure.

Does the acquisition modify the files on the server?

No. Access is read-only: the system does not modify, delete or alter any file on the remote server. It only reads and copies, preserving the original state — an essential requirement for the genuineness of the evidence.

Can you acquire the whole server or just a part?

Both: you can leave the selection empty to recursively acquire everything from the current folder, or select individual folders and files. The acquisition also records the server tree map and the scanned root path.

How much does it cost? Does it depend on size?

The rate is flat (5 slots, + 2 with a qualified eIDAS InfoCert timestamp), independent of the size and number of files acquired: whether you copy one file or an entire site, the cost does not change.

Is the acquisition valid as evidence in court?

The bundle follows recognised standards (ISO/IEC 27037, BagIt RFC 8493, RFC 3161, CASE/UCO) with an Ed25519 signature and a double timestamp; the authenticity and integrity of every file can be verified by anyone, even offline. The read-only access strengthens the evidentiary value; the final assessment rests with the adjudicating authority.

Which protocols are supported?

FTP, FTPS (FTP over TLS) and SFTP (over SSH). The connection, server, port and — where available — the server software are documented in the report together with the network information.

Collect evidence with the FTP / SFTP module.

Register for free and download C.E.R.T.O. Desktop for Windows and macOS from your client area.