International Research Journal of Engineering and Technology (IRJET) | e-ISSN: 2395-0056 | p-ISSN: 2395-0072 | Volume: 07 Issue: 04 | Apr 2020 | www.irjet.net | © 2020, IRJET | Impact Factor value: 7.34 | ISO 9001:2008 Certified Journal | Page 1390

Digital Forensics Analysis for Network Related Data

Mr. Abhishek Doshi (1), Dr. Priyanka Sharma (2)
1 Student, School of Information Technology & Cyber Security, Raksha Shakti University, Gujarat, India
2 Director, Research & Development, Raksha Shakti University, Gujarat, India

Abstract: With the increase in digital crime and data theft, law enforcement agencies and investigators need efficient tools, scripts and methodologies to collect the required evidence and reproduce the data in an understandable form. The network plays a vital role in communication among digital devices, since it is where data packets and requests are transferred. The main goal of this research is to extract and analyse digital evidence for network artefacts such as IP addresses (version 4 and 6) and system event and network log files, using open source and proprietary tools, software and scripts, so that law enforcement agencies and investigators can carry out their investigations efficiently and extract the desired data. Various open source tools and software are used to analyse and extract evidence; in addition, an EnScript has been modified and redesigned to fetch the relevant data. The results conclude with a network-related data set obtained from various networks.

Keywords: Digital forensics, EnCase, FTK, Networking, Investigation.

1. INTRODUCTION

The word forensics is derived from the Latin forensis ("of the forum") and scientia ("knowledge"). Forensic science refers to the process of applying standard scientific methods and techniques to criminal and civil proceedings.
A forensic scientist or investigator collects, preserves, and analyses evidence during an investigation. Over time, the technical aspects of forensic investigations have evolved into sub-fields relating to the special conditions of the evidence involved, such as digital forensics and hardware analysis, with computer forensics being the branch of forensic science encompassing the examination and investigation of data and information found in digital devices.

Network forensics is the sub-domain of digital forensics concerned with tracking and analysing computer devices and network traffic for the purpose of collecting data and information, recovering required files, or detecting intrusions within a network. Until recently it was enough to treat individual systems as objects containing digital evidence and files: computing was host-centred, and seizing a computer together with its disks and peripherals would ensure that all relevant digital evidence and data had been collected. Today, however, computing and communication have become network-centred and distributed as more people rely on e-mail, cloud services and other network-based platforms. It is no longer adequate to think of a computer as an isolated object, since most are connected to others through a variety of network technologies and topologies.

1.1. CHAIN OF CUSTODY

The chain of custody is the process of documenting and validating the collection, storage, movement and protection of evidence. The investigator must record the characteristics of the evidence so that it can be identified and distinguished from comparable devices. For digital evidence a cryptographic hash value (MD5 and SHA) should be computed and recorded at acquisition and re-checked whenever the evidence changes hands; MD5 is collision-prone, so it should be recorded only alongside a SHA-2 hash such as SHA-256 and never relied on as the sole integrity check. Hardware devices should be properly sealed and packed, and any radio-capable device should be placed in a Faraday bag so that it cannot receive a remote wipe or lock command while in custody. The location, date and time of the seizure should be noted, and every detail of every step from acquisition to the final result presented as evidence should be documented and followed properly.
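As an added example (not code from the paper or from EnCase/FTK), the following Python script shows what "taking a hash value" at acquisition and carrying it through the chain of custody looks like in practice: it hashes an evidence image in fixed-size chunks so that a multi-gigabyte image never has to fit in memory, records the digests together with the location, time and custodian of the seizure, appends a hand-over entry, and later re-verifies the image against the recorded SHA-256. The image bytes, item identifier, examiner names and timestamps are all constructed for the example.

```python
"""Chain-of-custody record for a digital evidence item (added example).

Hashes are computed in fixed-size chunks so that a large image is never
read into memory at once. SHA-256 decides whether the evidence is unchanged;
MD5 and SHA-1 are recorded only because older tools and report templates
still expect them.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20                     # 1 MiB per read
ALGORITHMS = ("md5", "sha1", "sha256")   # all computed in a single pass


def hash_stream(stream, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} over the whole stream, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def new_record(item_id, description, stream, location, custodian, seized_at=None):
    """Create the initial custody entry at the moment of acquisition (UTC times)."""
    seized_at = seized_at or datetime.now(timezone.utc)
    return {
        "item_id": item_id,
        "description": description,
        "location": location,
        "seized_at": seized_at.isoformat(),
        "custodian": custodian,
        "hashes": hash_stream(stream),
        "transfers": [],
    }


def log_transfer(record, from_person, to_person, purpose, when=None):
    """Append one hand-over; the record is only ever extended, never rewritten."""
    when = when or datetime.now(timezone.utc)
    record["transfers"].append({
        "when": when.isoformat(), "from": from_person, "to": to_person, "purpose": purpose,
    })
    return record


def verify(record, stream):
    """Re-hash the item and compare with the acquisition hashes."""
    current = hash_stream(stream)
    return {
        "sha256_match": current["sha256"] == record["hashes"]["sha256"],
        "md5_match": current["md5"] == record["hashes"]["md5"],
    }


# Constructed stand-in for a disk image: just over 1 MiB, so two chunks are read.
SAMPLE_IMAGE = b"CONSTRUCTED-IMAGE-HEADER" + bytes(range(256)) * 4096


def demo():
    """Acquire, hand over, then verify an intact copy and a tampered copy."""
    rec = new_record("ITEM-001", "constructed 1 MiB test image (not real evidence)",
                     io.BytesIO(SAMPLE_IMAGE), "Lab bench 2", "Examiner A",
                     datetime(2020, 4, 1, 10, 30, tzinfo=timezone.utc))
    log_transfer(rec, "Examiner A", "Examiner B", "network artefact analysis",
                 datetime(2020, 4, 2, 9, 0, tzinfo=timezone.utc))
    intact = verify(rec, io.BytesIO(SAMPLE_IMAGE))
    tampered = verify(rec, io.BytesIO(SAMPLE_IMAGE[:-1] + b"\x00"))  # last byte altered
    return rec, intact, tampered


if __name__ == "__main__":
    record, ok, bad = demo()
    print(json.dumps(record, indent=2))
    print("intact copy:", ok)
    print("tampered copy:", bad)
```

A single flipped byte changes every digest, which is exactly why the hash is taken before the image leaves the scene and re-computed after each transfer rather than only at the end of the case.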
1.2. DIGITAL EVIDENCES

The following categories of devices and files were analysed during the research to obtain artefacts and relevant network-based data.

Table-I: Types of Evidences

Category                                       Digital Evidence
Live systems                                   C.P.U. (Windows based), live network, broadband router
Image files of hard disks and memory devices   Image file of a hard disk
Log files                                      Log files of remote desktop connections and web servers
Mobile phones                                  Android based cellular mobile phone
Captured network data                          Network packets and data

2. ACQUISITION & ANALYSIS OF THE EVIDENCE AND DATA

Evidence may be acquired from the crime scene or captured with the various tools and processes discussed below. The integrity and nature of the collected evidence must be maintained as described in the chain of custody: hashes must be calculated at acquisition and re-verified after every transfer, and the preservation procedures for data and hardware during transfer and transport must be strictly followed. Analysis of the acquired evidence and data plays a key role in the investigation, since the outcome of the case depends largely on the findings produced from that analysis. The analysis process should therefore be fast, efficient, easy to use and standardised, complying with international standards and
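The following Python script is an added example (not code from the paper or its EnScript) of extracting the network artefacts the research targets, IPv4 and IPv6 addresses, from the kinds of log files listed in Table-I (web server access log, Windows logon event, SSH, kernel and firewall lines). It tokenises each line, strips ports, brackets, zone identifiers and key=value prefixes, validates every candidate with Python's ipaddress module so that malformed strings such as 999.12.1.1 and timestamps like 10:32:11 are rejected, canonicalises each address so that 2001:0DB8::0001 and 2001:db8::1 are counted as the same host, and tags each hit with its scope. The log lines are constructed. One caveat worth knowing: ipaddress classes the RFC 5737/3849 documentation ranges used in these sample lines (203.0.113.0/24, 2001:db8::/32) as private, not global, so only the 8.8.8.8 line is reported as global.

```python
"""Extract and validate IPv4/IPv6 addresses from mixed log lines (added example)."""
import ipaddress
from collections import Counter

# Constructed log lines, not taken from any real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2020:10:32:11 +0530] "GET /admin HTTP/1.1" 403 512',
    '2001:db8:85a3::8a2e:370:7334 - - [01/Apr/2020:10:32:15 +0530] "POST /login HTTP/1.1" 200 1043',
    'Event 4624 Logon Type 10 Source Network Address: 192.168.1.50 Source Port: 50011',
    'sshd[1187]: Accepted publickey from [2001:db8::1]:2222',
    'kernel: link up on fe80::1%eth0',
    'resolver: forwarding query to 8.8.8.8:53',
    'app: build 999.12.1.1 started at 10:32:11',
    'firewall: DROP SRC=2001:0DB8:0000:0000:0000:0000:0000:0001 DST=192.168.1.50 PROTO=TCP DPT=22',
]

_PUNCT = " \t\"'(),;"


def _normalise(token):
    """Reduce a whitespace-separated token to a bare address candidate."""
    token = token.strip(_PUNCT)
    if "=" in token:                               # key=value style (SRC=..., DST=...)
        token = token.rsplit("=", 1)[1]
    if token.startswith("[") and "]" in token:     # [v6]:port
        token = token[1:token.index("]")]
    elif token.count(":") == 1 and "." in token:   # v4:port
        token = token.split(":", 1)[0]
    return token.split("%", 1)[0]                  # drop IPv6 zone id (fe80::1%eth0)


def _scope(ip):
    """Coarse classification; order matters because fe80::/10 is also 'private'."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "global"
    return "reserved"


def extract_ips(lines):
    """Return one finding per valid address occurrence, with line number and scope."""
    findings = []
    for number, line in enumerate(lines, 1):
        for token in line.split():
            candidate = _normalise(token)
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not an address: words, ports, timestamps, 999.12.1.1
            findings.append({
                "line": number,
                "ip": str(ip),          # canonical form, so duplicates collapse
                "version": ip.version,
                "scope": _scope(ip),
            })
    return findings


def summarise(findings):
    """Occurrence count per canonical address."""
    return Counter(f["ip"] for f in findings)


def by_scope(findings, scope):
    """Subset of findings with the given scope, e.g. 'global' for external peers."""
    return [f for f in findings if f["scope"] == scope]


if __name__ == "__main__":
    hits = extract_ips(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarise(hits).most_common())
    print("external:", [f["ip"] for f in by_scope(hits, "global")])
```

Because the canonical string form is used as the key, the uppercase, zero-padded address in the firewall line and the compressed form in the SSH line are counted as the same host, which is what an investigator correlating RDP, SSH and firewall logs actually needs.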