**4. The framework**

Digital forensic investigation frameworks have typically been developed for specialist areas of investigation by selecting standardized and repeatable process steps. In the former section we have described such phased steps for the generation of an investigation guideline for CI. However, what has yet to be addressed is the unique system and architectures of CI designs. A CI divides into work stations and control rooms. These are the two areas in which evidence must be collected by an investigator. The workstations interface at each of the CI levels described in Section 2 and **Table 1** and carry live data and stored data that can include volatile components such as RAMs and Flash memory. The digital investigator has to strategically plan

for the full range of devices and media types, and to tactically deploy capability to act effectively and efficiently in these environments. The digital investigator is also faced with enormous volumes of data and not just the variability of formats. To cope with volumes our modelling proposes deployment of Hadoop architectures to manage the big data volumes, and the selection of relevant evidences. **Figure 2** is designed to include these features and to deliver sufficient guidance to a digital investigator that they can manage the challenges of a CI environment. The framework provides control of the investigation from the five central phases where each phase appropriately connects to the big data issues on the right, and the workstation and control room issues on the left.
