*Multimedia Information Retrieval*

for the full range of devices and media types, and to tactically deploy capability to act effectively and efficiently in these environments. The digital investigator is also faced with enormous volumes of data and not just the variability of formats. To cope with the volumes, our modelling proposes deployment of Hadoop architectures to manage the big data volumes and the selection of relevant evidence. **Figure 2** is designed to include these features and to deliver sufficient guidance to a digital investigator that they can manage the challenges of a CI environment. The framework provides control of the investigation from the five central phases, where each phase appropriately connects to the big data issues on the right, and the workstation and control room issues on the left.

**4.1 The five phases of investigation**

The framework design centers the five phases of digital investigation between the two challenges in the CI environment – the media complexity and the data volumes. An investigator proceeds through the five phases described in Section 3 to assure completion and compliance with standardized procedures. The systematic and sequenced approach allows concentration on the system in focus and the completion of the associated professional activities. The investigator has the deliverable and the budget in mind at all times. Different types of evidence require different treatment and handling, while data format and media type determine adequate access for imaging. By staging the investigation phases in the center of the framework, the work system is established and the challenges of the environment are managed, phase by phase. The complexities of the CI workstation context are specified on the left-hand side, and the strategy for managing large data quantities on the right-hand side. The investigator can hence branch left and right to effectively acquire evidence, while maintaining the phased requirements for due processes.

**Figure 2.**

*A CI Investigation Framework.*

**4.2 Workstation and control room investigation**

The workstation and control room context requires structured and planned entry. The control for investigation comes from the central digital investigation phases and the management constraints. At any step, acquired evidence can include different types of forensic data such as pictures, audio, videos, text, files, directories, and so on. The multi-layered challenge of the environment has to be addressed by strategy and tools that have proven effectiveness for data identification, time matching, multi-tenancy acquisition, data ownership differentiation, live forensic acquisition, privacy and privilege compliance, operating system variation, media variation, format variation, and cloud compatibility. Sophisticated tools, such as those that copy processes, examine evidence, and analyze programs for generating checksums in order to complete the verification, may not fit perfectly with some control system technologies. Control system technologies are also time-stamped by the history of the system's emergence, and some data formats and operating systems may not be current. Consequently, many digital forensic tools demonstrate limited scope and require careful matching and mapping to the CI contexts to assure compatibility and effectiveness.

Importantly, penetration tests are featured for the workstations and control rooms between the 'Search & Data Collection' and the 'Initial Assessment' phases. The penetration tests can confirm and limit the scope of further investigation. They can also provide vulnerability clues so that the 'Search & Data Collection' phase is redeployed for efficient targeting of areas for further investigation. This is a core component of any CI forensic investigation. The major function of each one of these core components is to make sure that environments have correctly disclosed all the media for collection, and that assurance is gained that complete analysis may proceed. The overall performance of an investigation will be limited unless the CI environmental and context variations are fully addressed.
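The gate between 'Search & Data Collection' and 'Initial Assessment' described above can be sketched as a check that every discovered medium was collected and that each working copy still matches its acquisition checksum. This is an added example, not code from the chapter; the names `EvidenceItem` and `collection_gate`, the media identifiers, and the sample bytes are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class EvidenceItem:
    media_id: str         # hypothetical identifier for a device or volume
    media_type: str       # e.g. "text", "video", "disk-image"
    acquired_sha256: str  # digest recorded at acquisition time

def sha256_stream(chunks):
    """Hash evidence chunk by chunk so large images never sit fully in memory."""
    digest = hashlib.sha256()
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()

def collection_gate(discovered, manifest, working_copies):
    """Decide whether analysis may proceed or collection must be redeployed.

    discovered:     media ids known from disclosure plus the penetration test
    manifest:       EvidenceItem records from 'Search & Data Collection'
    working_copies: media_id -> iterable of byte chunks of the working copy
    """
    collected = {item.media_id: item for item in manifest}
    # Media that exist in the environment but were never acquired.
    missing = sorted(set(discovered) - set(collected))
    # Collected media whose working copy is absent or no longer verifies.
    altered = sorted(
        mid for mid, item in collected.items()
        if mid not in working_copies
        or sha256_stream(working_copies[mid]) != item.acquired_sha256
    )
    return {"proceed": not missing and not altered,
            "missing": missing, "altered": altered}

def demo():
    # Constructed sample evidence: an HMI log and a control room video clip.
    hmi_log = [b"2019-03-01T10:00:00Z operator login\n",
               b"2019-03-01T10:05:12Z setpoint change\n"]
    cctv = [b"\x00\x01constructed-video-bytes"]
    manifest = [EvidenceItem("hmi-ws-01/log", "text", sha256_stream(hmi_log)),
                EvidenceItem("ctrl-room/cctv-1", "video", sha256_stream(cctv))]
    # The penetration test surfaced a USB volume that was not disclosed.
    discovered = ["hmi-ws-01/log", "ctrl-room/cctv-1", "eng-ws-02/usb"]
    copies = {"hmi-ws-01/log": hmi_log,
              "ctrl-room/cctv-1": [b"\x00\x01constructed-video-bytez"]}  # one byte differs
    return collection_gate(discovered, manifest, copies)

if __name__ == "__main__":
    print(demo())
```

A non-empty `missing` list corresponds to redeploying 'Search & Data Collection'; a non-empty `altered` list means the affected items need re-acquisition before analysis.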
