Blog >> FileZilla

Investigating FileZilla

20/10/2022 Thursday

FileZilla was initially released in 2001 and it is very common among IT community. It is a free open-source, cross-platform file transfer protocol (FTP) application. FileZilla has client and server versions. The client version support connections to FTP and FTPS and SFTP servers while the server version establishes FTP server on the installed platform.


Digital Forensics Value of FileZilla


After installing FileZilla, server connection details and user configurations are stored in XML files. By analyzing FileZilla artifacts, we can collect valuable information about how the user used FileZilla, details about client connected servers, and files transferred between client and server.


Location and Structure of FileZilla Artifacts


FileZilla artifacts including username, password and file transfer queue are stored in XML files at the following location:

C:\Users\[UserProfile]\AppData\Roaming\FileZilla


Analyzing Windows FileZilla Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract FileZilla artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select FileZilla artifacts:






Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of FileZilla artifacts in ArtiFast.


FileZilla Client Log Artifact:

FileZilla Server Log Artifact:

FileZilla Server Information Artifact:

FileZilla Client Recent Servers Artifact:

FileZilla Client Trusted Certificates Artifact:

FileZilla Client File Transfer Queue Artifact:



For more information or suggestions please contact: [email protected]