Hi,
It's a detailed science. However, very broadly, the main phases are
sometimes considered to be: secure the subject system (from tampering
during the operation); take a copy of hard drive (if applicable);
identify and recovery all files (including those deleted); access/copy
hidden, protected and temporary files; study 'special' areas on the
drive (eg: residue from previously deleted files); investigate
data/settings from installed applications/programs; assess the system
as a whole, including its structure; consider general factors relating
to the users activity; create detailed report. Throughout the
investigation, it is important to stress that a full audit log of your
activities should be maintained.
--
jonewoo