that provides corrective actions [3]. In such a situation the system of work and the targeting of the work objectives are critical to the deliverable and the viability of an investigation. In this Chapter we derive a framework for investigation in an intensive multimedia environment and then demonstrate the targeting power of penetration testing techniques.

Critical infrastructures (CI) involve complex systems for the control and protection of assets, and the production and distribution of services to detect suspicious activities [4]. Any unplanned disturbance to these facilities seriously affects the quality of life and economic wellbeing of humans. Modern society depends on digital infrastructures for the management of services and their fair and timely distribution. For example, one day of disrupted power supply to a region of users stops work of all kinds and prevents the usual activities that support daily living [5]. Extended power failure causes long-term destruction of economic relationships and negatively affects the necessities for daily life. These systems require protection, and one of the ways to do this is to use forensic investigation of events and to do penetration testing before anything unplanned occurs [6]. In addition to other security provisions, forensic techniques are commonly implemented to document baseline configurations in order to detect abnormal activities, such as unauthorized access into network infrastructure. However, the challenge is to gain a fair estimation of the data provisions in systems that are chaotically full of large volumes of static and live data, and a full range of multimedia data types [7].

In this research we designed and tested an investigation framework for multimedia data types to address the challenges of evidence collection in CIs. The volume and complexity issues influence the evidence collection phase, but each environment also has unique features, from organizational cultures, administration designs, recovery tools, record structures, logging systems, and general usage patterns, that all impact the scope and success of an investigation [8]. In addition, there are further challenges such as automation, volatility of data, and data mingling. Automation creates key information resources in order to handle the data and abstracts data from its context. Volatility makes the process of collecting data difficult because the data within the collection process is removed, deleted, or overwritten [9]. Furthermore, data mingling is a serious problem of data mixing in which the types become indistinguishable. Often, the sample of total data investigated in the forensic process comprises both data related to the incident and data unrelated to the incident [10]. Forensic investigators require help to make sense of the complex multimedia contexts in which they have to work. An investigation framework that is responsive to CI complexities and has targeting features to make workloads manageable is required. The following sections describe how these requirements are designed and become functional in an investigation process.

**2. Background literature**

Industrial Control Systems in critical infrastructures support monitoring, administering, and controlling essential services. Therefore, by design, the architecture, components, and environments in CI allow forensic capabilities to be implemented and to further mitigate the potential risk of security failure. Industrial Control System architecture is deployed based on Service Oriented Architecture [11]. Hence, three different designs are found according to the architecture of the system. First, Supervisory Control and Data Acquisition (SCADA) systems apply central administration by using a central computer to communicate remotely through a Remote Terminal Unit (RTU). A Human Machine Interface (HMI) is linked to SCADA and facilitates the process of displaying and monitoring processes. The typical uses for SCADA are in natural gas, electricity, and water distribution [12]. Second, Distributed Control Systems (DCS) distribute processes that have been controlled to devices for execution [13]. The typical uses of DCS are in manufacturing, chemical and electric power plants. Third, Non-Centralised System design allows for a number of control systems that do not require centralised administration. Accordingly, Programmable Logic Controllers (PLC) or any other control devices can be implemented and configured as a combination of Control System, Data Historian and Human Machine Interface [13]. This type of configuration is usually designed for manufacturing processes.

The distribution of media type is found spread evenly through the layers of an industrial control system for CI [14]. These layers are often described as starting at layer 0, where the sensors of the system and primitive data are found, through to layer 4, which is the enterprise level where the business applications and rich media reside [15]. In **Table 1** these layers and media types are described and elaborated to identify the data types and the diversity of media type a digital investigator must review in discovery processes. Discovery processes hence require extensive multimedia processing capabilities that can span the scope of data type and format found in a CI environment. This requires critical tool selection and the designing of staged and sequenced tool use for comprehensive discovery. The task is difficult and is challenged by the constant innovation and adoption of new data types and structures that come with new versions of software and new applications. The multimedia processing capability an investigator chooses reflects the design and scope of an investigation, and the professional capacity to adapt and acquire the necessary tools and techniques [16, 17].

| Level | Information System | Media Type |
|---|---|---|
| 0 | Sensor Networks, Internet of Things, and so on | Data, streams of text and digits |
| 1 | Programmable Logic Controller, Picture Archiving and Communication | Structured data, text, frames, objects |
| 2 | Supervisory Control and Data Acquisition | Ladder logics, objects, words, text and digits |
| 3 | Management Expert and Management Information Systems | Images, videos, text, files, directories |
| 4 | Enterprise Resource Planning | Files, directories, all manner of media type |

**Table 1.** *CI Media types at organization levels.*


## **3. Designing a framework**

Primarily an investigator requires a systematized process framework to effectively guide an investigation through the known and unknown media types found in a CI investigation. The design proceeds through a phased approach outlined in **Figure 1**. A digital forensic investigation in engineering workstations or control rooms in CIs includes all electronic devices that are interconnected with each other for sending/receiving messages or two-way communications, such as mobile phones, laptops, computers, tablets, PDAs, programmable logic controllers, human machine interfaces, and supervisory control and data acquisition systems [16]. These systems and devices have their own storage systems, either physical storage systems or virtual technologies such as cloud computing, for logging all activities, incidents, and events [18–21]. Conducting a forensic investigation on engineering workstations and applying physical and remote data acquisition will discover evidence in the different media that can be used for legal, employment, and other purposes [22]. In this type of investigation, physical and remote data acquisition are an advantage, and hence the investigation equipment must have the capacity to manage volumes, data complexities and multimedia types.

**Figure 1.** *The Five Phases.*

Each investigation requires phases that develop the focus for evidence collection and then pass the findings to the next phase for further refinement. Planning and Identification is the starting point for a structured investigation. At this stage, the incident has to be verified in order to collect fact sheets and plan a capability handling strategy for the particular case. The major objective of this phase is to boost the productivity of gathering the necessary information about the incident and to facilitate the process of data acquisition [23]. Critically, the acceptance of multimedia types by the acquisition tools allows credibility to be established and documented against the brief scope. If media types cannot be collected, then the performance and adequacy of the investigation are brought into question. Furthermore, obtaining authorizations and authentications is also compulsory when the case needs authorized access to the system for media acquisition. System settings are one of the most important facts to be obtained by investigators for determining the device's system state when the incident occurred. System settings can include the system specifications of all machines that are under investigation, and the time or date. Moreover, conducting a network reconnaissance is the last step, to obtain the IP addresses of all machines and their MAC addresses and any other information that could lead to personal ownership identification or related activities [23]. At each of the context levels in **Table 1** different evidence is located, and each data and media type must be accommodated in the framework design.

The search and data collection stage employs discovery techniques that allow all information in the multiplicity of media types present to be collected. The investigation process requires detailed information about the daily events for the users in the systems and machines or devices. All information that is collected will be taken into consideration and preserved for relevancy determination. The collected data goes into a complex process to determine whether the data acquired is compliant with evidentiary standards and whether the acquisition process and the deliverable are reproducible by others. If the data is admissible, then it will go to further analysis for case relevancy and positioning in the data log. If not, the data will be stored for a specific period of time and reserved for analysis later when the circumstances may have changed. This stage aims to prepare all potentially credible data to go through a parsing process, which is a more detailed analysis and sieving of the data. All necessary data is then available to construct and to reconstruct a walkthrough of the control room.

A penetration testing phase is useful to target and to identify weaknesses in the system under investigation [24]. It is conducted remotely for acquiring live data on the system, often when the users have not been formally informed that their machines are going through forensic investigation [25]. This step will assist in preserving live data before the digital evidence gets damaged or corrupted. The aim of this step is to combat the anti-forensic tools used by advanced persistent threat (APT) attackers and professional hackers in critical infrastructures [26]. Dead or static acquisition will be confirmed as the second step when relevant evidence is found. At this step, screenshots can be taken as credible evidence of weaknesses and potential vulnerabilities to the work system.

The data examination stage features methodical assessment of all data, fact sheets, system settings, parsed data, data that came from the initial assessment, and media. Further processes of data analysis and examination also assure that each media type is correctly processed and that tools are found to process any irregular types. Timeline analysis and other perspectives allow systematic categorization and documentation of the relevant elements of information for the case [27]. This is a vital and beneficial stage as it comprises evidence history, such as what time the files have been accessed, modified, created and changed, in a clear format that humans can understand. The data is collected using a diversity of applications and is released from the layer of metadata from the file system regardless of the operating system or format, and then analyzed. The timeline is fixed and application data reconstructed if required as a part of the data analysis and examination. Media and artefact analysis is addressed by asking, for example, what applications have been executed, which archives have been opened or downloaded, which documents have been clicked on, which records were checked, which files were deleted, where the user browsed, and many other properties. Another type of analysis, which is necessary for finding indirect paths of information, is at the signature level. This analysis is where forensic investigators implement techniques and practices that will search for byte signatures of known folders, files and regular expressions that lead to the cookies. Link analysis is employed to find the relationships and trusted links to other entities, servers, domains, email, images, audio, people, and other relevant objects that can be traced to identify all possible communications [28].
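As an added illustration of the examination stage (this is example code written for this page, not the chapter's own tooling), the Python script below builds a MAC timeline in a readable form, classifies each artefact by its leading byte signature rather than by its file extension, and records a SHA-256 per file so that the acquisition from the collection stage can be reproduced and checked by another examiner. The directory it examines and the two files in it are constructed by `make_sample_case`; the signature table is a small assumed subset and is not from the chapter.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# Leading-byte signatures ("magic numbers") for a few media types found at the
# upper levels of Table 1 (images, documents, archives); assumed subset, extend per case.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"GIF89a": "gif",
}


@dataclass
class Artefact:
    path: str
    sha256: str            # lets another examiner reproduce the acquisition
    claimed_type: str      # taken from the file extension
    signature_type: str    # taken from the leading bytes, or "unknown"
    modified: datetime
    accessed: datetime
    changed: datetime      # metadata change time (creation time on Windows)

    @property
    def mismatch(self) -> bool:
        """True when a recognised signature disagrees with the extension."""
        return self.signature_type != "unknown" and self.claimed_type != self.signature_type


def identify_by_signature(header: bytes) -> str:
    """Media type implied by the leading bytes, independent of the file name."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return "unknown"


def examine(path: str) -> Artefact:
    """Hash the whole file, classify it by header, and collect its MAC times."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        header = fh.read(16)
        digest.update(header)
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    st = os.stat(path)
    utc = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    ext = os.path.splitext(path)[1].lstrip(".").lower() or "none"
    return Artefact(path, digest.hexdigest(), ext, identify_by_signature(header),
                    utc(st.st_mtime), utc(st.st_atime), utc(st.st_ctime))


def examine_tree(root: str) -> list:
    """Examine every file below an acquired directory tree."""
    return [examine(os.path.join(d, n)) for d, _, names in os.walk(root) for n in names]


def build_timeline(root: str) -> list:
    """(time, event, path) rows for every artefact, oldest first: the case timeline."""
    rows = []
    for a in examine_tree(root):
        rows += [(a.modified, "modified", a.path), (a.accessed, "accessed", a.path),
                 (a.changed, "changed", a.path)]
    return sorted(rows)


def mismatched_artefacts(root: str) -> list:
    """Paths whose extension disagrees with their byte signature (a renamed file)."""
    return [a.path for a in examine_tree(root) if a.mismatch]


def make_sample_case() -> str:
    """Construct a tiny evidence tree: a PNG renamed to .txt and a genuine PDF."""
    root = tempfile.mkdtemp(prefix="ci_case_")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)          # constructed sample
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n%constructed sample\n")          # constructed sample
    return root
```

Calling `build_timeline(make_sample_case())` returns the six timestamped rows for the two constructed files, and `mismatched_artefacts` on the same tree flags only `notes.txt`, whose header says PNG while its name says text.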

Finally, reporting and presentation is the stage that comprises reporting the results of the analysis and then presenting them to the requested recipients. This step includes stating potential risks, clarifying the actions taken, and specifying what other arrangements are required for completion; it also includes suggestions for enhancing procedures, guidelines, policies, applications, and other aspects of the forensic investigation process required in the target infrastructure [29]. This step is essential as it is important for the stakeholders in determining what strategies they must consider for future preparation. It includes a capability statement with respect to the investigation's ability to process all multimedia formats or otherwise. The report has to be formulated in a form that is acceptable to the court or for any legal, employment or administrative purpose.

**4. The framework**

Digital forensic investigation frameworks have typically been developed for specialist areas of investigation by selecting standardized and repeatable process steps. In the previous section we described such phased steps for the generation of an investigation guideline for CI. However, what has yet to be addressed is the unique systems and architectures of CI designs. A CI divides into workstations and control rooms. These are the two areas in which evidence must be collected by an investigator. The workstations interface at each of the CI levels described in Section 2 and **Table 1** and carry live data and stored data that can include volatile components such as RAM and flash memory. The digital investigator has to strategically plan

