This chapter covered many primary Hadoop concepts that a forensic investigator needs to understand. Successful forensic investigations involve properly identifying and collecting data, which requires the investigator to know how to locate the sources of information in Hadoop as well as understand data structures and the methods for extracting that information. Forensic investigations also involve analyzing the data that has been collected, which in turn requires knowing how to extract information from the Hadoop file structures.

The next chapter discusses how to identify evidence. This process involves standard investigative skills such as conducting interviews as well as applying technical knowledge about Hadoop to identify relevant evidence.