**4.1 The five phases of investigation**

The framework design places the five phases of digital investigation between the two challenges of the CI environment: the media complexity and the data volumes. An investigator proceeds through the five phases described in Section 3 to ensure completion and compliance with standardized procedures. This systematic, sequenced approach keeps the focus on the system under investigation and on the professional activities associated with it, while the investigator keeps the deliverable and the budget in mind at all times. Different types of evidence require different treatment and handling, and the data format and media type determine the appropriate access method for imaging. By placing the investigation phases at the center of the framework, the work system is established and the challenges of the environment are managed phase by phase. The complexities of the CI workstation context are specified on the left-hand side, and the strategy for managing large data quantities on the right-hand side. The investigator can therefore branch left and right to acquire evidence effectively while maintaining the phased requirements of due process.

*The Role of Penetration Testing in Forensic Multimedia Retrieval Process*

*DOI: http://dx.doi.org/10.5772/intechopen.94934*

**Figure 2.** *A CI Investigation Framework.*

**4.2 Workstation and control room investigation**

The workstations and control rooms context requires structured and planned entry. The control for the investigation comes from the central digital investigation phases and the management constraints. At any step the acquired evidence can include different types of forensic data such as pictures, audio, video, text, files, directories, and so on. The multi-layered challenge of the environment has to be addressed by strategy and tools of proven effectiveness for data identification, time matching, multi-tenancy acquisition, data ownership differentiation, live forensic acquisition, privacy and privilege compliance, operating system variation, media variation, format variation, and cloud compatibility. Sophisticated tools, such as those that copy processes, examine evidence, and analyze programs, generating checksums to complete verification, may not fit some control system technologies well. Control system technologies are also time-stamped by the history of the system's emergence, so some data formats and operating systems may not be current. Consequently, many digital forensic tools demonstrate limited scope and require careful matching and mapping to the CI contexts to assure compatibility and effectiveness.

Importantly, penetration tests are placed, for the workstations and control rooms, between the 'Search & Data Collection' and the 'Initial Assessment' phases. The penetration tests can confirm and limit the scope of further investigation. They can also provide vulnerability clues that prompt 'Search & Data Collection' to be redeployed for efficient targeting of areas for further investigation. This is a core component of any CI forensic investigation. The major function of each of these core components is to make sure that the environments have correctly disclosed all the media for collection, and to gain assurance that complete analysis may proceed. The overall performance of an investigation will be limited unless the CI environmental and context variations are fully addressed.

**4.3 Big data investigation**

The Hadoop context requires structured and planned entry for execution. The control for the investigation comes from the central digital investigation phases and the management constraints. At any step the acquired evidence can include different types of forensic data, but the strategy is to organize the data into category and class nodes, as well as data nodes. This organization and technical capability structures the data fields to optimize access at each phase of the central investigation plan. Both live and dead nodes are discovered in a Hadoop architecture, and both contribute the information needed to complete the digital forensic investigation on big data volumes. Node information is identified based on the different levels described in **Table 1**, such as node name with port number and IP address, last contact, admin state, and additional information related to data management, storage time, and structure features. The scope includes all the logs created and stored on the cluster, which comprise the log files of the data nodes, name nodes, secondary name nodes, the history server, user logs, the node manager, and the resource manager for all nodes. These files are vital for the examination of hypotheses. To examine the Hadoop cluster, multimedia data acquisition techniques are used for the search and data collection. Data acquisition takes the form of a bit-by-bit copy of the content, such as journal status, storage, log files, images, directories, and logical database objects. The forensic examination is conducted by extracting system and node information using a range of proprietary and open source tools, all selected and customized for the media type and performance. In this way the investigation phases can be executed in the big data context.