**1. Introduction**

Forensic Investigators conduct forensic examinations in order to identify evidence and to prevent future compromises of a system. The increasing volume of digital data to be managed and the diversity of media type is a contemporary challenge. The diversity of devices, operating systems, media and services present obstacles that require solution for efficient and effective professional practice. The variety of data sources, formats and styles poses a multimedia problem that requires working solutions for information access and content documentation. The acquired evidence can include different types of forensic data such as pictures, audios, videos, files, directories, and texts [1]. The systems for extraction are either live and functioning or static and stored. In either situation due processes, methods, standards and guidelines must be complied to achieve a repeatable practice for later auditing. In many instances copies are taken of the various media so analysis proceeds on identical images and not the original media. Investigation processes are segregated into phases to assure the best deployment of specialist skills and the preservation of the evidence [2]. Segregation is usually divided into preparation, acquisition, analysis, and reporting phases and sequenced towards a deliverable

that provides corrective actions [3]. In such a situation the system of work and the targeting of the work objectives are critical to the deliverable and the viability of an investigation. In this Chapter we derive a framework for investigation in an intensive multimedia environment and then demonstrate the targeting power of penetration testing techniques.

Critical infrastructures (CI) involve complex systems for the control and protection of assets, and the production and distribution of services to detect suspicious activities [4]. Any unplanned disturbance to these facilities seriously affects the quality of life and economic wellbeing of humans. Modern society depends on digital infrastructures to provide their management of services and the fair and timely distribution. For example, one day of disrupted power supply to a region of users stops work of all kinds and prevents the usual activities that support daily living [5]. Extended power failure causes long-term destruction of economic relationships and negatively affects the necessities for daily life. These systems require protection and one of the ways to do this is to use forensic investigation of events, and to do penetration testing before anything unplanned occurs [6]. In addition to other security provisions, forensic techniques are commonly implemented to document baseline configurations in order to detect abnormal activities, such as unauthorized access into network infrastructure. However, the challenge is to gain a fair estimation of the data provisions in the systems that are chaotically fill of large volumes of static and live data, and a full range of multimedia data types [7].

In this research we designed and tested an investigation framework for multimedia data types to address the challenges of evidence collection in CIs. The volume and complexity issues influence the evidence collection phase but also each environment has unique features from organizational cultures, administration designs, recovery tools, record structures, logging systems, and general usage patterns that all impact the scope and success of an investigation [8]. In addition, there are further challenges such as automation, volatility of data, and data mingling. Automation creates key information resources in order to handle the data and abstract data from its context. Volatility makes the process of collecting data difficult because the data within the collection process is removed, deleted, or overwritten [9]. Furthermore, Data Mingling is a serious problem of data mixing and the types being indistinguishable. Often, the sample of total data investigated in the forensic process comprises of both data related to the incident and data unrelated to the incident [10]. Forensic investigators require help to make sense of the complex multimedia contexts in which they have to work. An investigation framework that is responsive to CI complexities and has targeting features to make workloads manageable is required. The following sections describe how these requirements are designed and become functional in an investigation process.
