The first thing you would normally do in an investigation is to enter a crime scene. That is, if you are lucky enough to get an exciting job at a busy law enforcement office. In this entry I will briefly go through the most important steps to take upon arriving at a crime scene.
First of all – you must secure the crime scene. Make sure there are no anti-forensics in place. How likely that is can be judged from the type of case. Are there any Linux or Python books on the bookshelf, or are you about to perform a live acquisition of an Xbox at a drug dealer's hideout? In the latter case you probably won't find much anti-forensics in place. Next, when you begin gathering evidence, make sure that as little as possible is contaminated or overwritten.
The next phase is the System preservation phase. This is where you create an image of the devices and collect as much evidence as you can get hold of. Best is of course to do a live acquisition, retrieving any volatile data still in RAM and the like, but in many cases the devices will be turned off and you will have to do a “dead” acquisition.
The next phase is the Evidence searching phase, where you take your image and go through it. You might start by looking at the broader side of the image: what type of file system, how many sectors, and so on. You would then look at the image in a forensics tool like FTK or Autopsy, and go through the data stored there, trying to find interesting artefacts.
The last phase is the Event reconstruction phase, where you put the pieces together from all the interesting artefacts you found. You might build a timeline of events, or look for evidence that either supports or refutes the hypothesis.
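To make the three phases above concrete, here is an added Python example (my own illustration, not code from the original post or from FTK/Autopsy). It stands in for the tooling you would use at each step: recording and later verifying a SHA-256 hash of the acquired image (preservation), reading the partition table to learn the file system type and sector counts (evidence searching), and ordering artefacts into a timeline filtered to a hypothesis window (event reconstruction). The disk image and the artefact list are constructed in the script so it runs offline; the partition type names are the well-known MBR values and the `SAMPLE_ARTEFACTS` entries are invented.

```python
import hashlib
import struct
from datetime import datetime, timezone

SECTOR_SIZE = 512
MBR_PART_TABLE_OFFSET = 446
MBR_PART_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Well-known MBR partition type bytes (not taken from the post).
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux filesystem",
    0xEE: "GPT protective",
}


def build_sample_image(total_sectors: int = 8) -> bytes:
    """Constructed stand-in for an acquired image: an MBR with one bootable NTFS
    partition covering sectors 1..total_sectors-1, followed by zeroed sectors."""
    mbr = bytearray(SECTOR_SIZE)
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 1, total_sectors - 1)
    mbr[MBR_PART_TABLE_OFFSET:MBR_PART_TABLE_OFFSET + MBR_PART_ENTRY_SIZE] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr) + bytes(SECTOR_SIZE * (total_sectors - 1))


# --- System preservation: hash at acquisition, verify before every analysis ---
def hash_image(image: bytes) -> str:
    """SHA-256 of the whole image, recorded in the acquisition notes."""
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Re-hash the working copy and compare to the recorded acquisition hash."""
    return hashlib.sha256(image).hexdigest() == recorded_hash


# --- Evidence searching: the broad view of the image first ---
def parse_mbr(image: bytes) -> dict:
    """Read geometry and the four MBR partition slots; flag entries that
    claim more sectors than the image actually contains."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("image shorter than one sector")
    total_sectors = len(image) // SECTOR_SIZE
    partitions = []
    for i in range(4):
        off = MBR_PART_TABLE_OFFSET + i * MBR_PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, image[off:off + MBR_PART_ENTRY_SIZE])
        if ptype == 0x00:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "fits_in_image": lba_start + count <= total_sectors,
        })
    return {
        "valid_signature": image[510:512] == MBR_SIGNATURE,
        "total_sectors": total_sectors,
        "partitions": partitions,
    }


# --- Event reconstruction: constructed artefacts, deliberately out of order ---
SAMPLE_ARTEFACTS = [
    ("2023-05-01T10:15:00+00:00", "LNK file", "report.docx opened from E:\\"),
    ("2023-05-01T09:58:30+00:00", "SYSTEM hive", "USB device first connected"),
    ("2023-05-01T10:20:45+00:00", "$LogFile", "report.docx deleted"),
    ("2023-04-30T22:05:00+00:00", "$MFT", "report.docx created"),
]


def build_timeline(artefacts):
    """Normalise every timestamp to UTC and order the events."""
    events = []
    for ts, source, detail in artefacts:
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        events.append({"when": when, "source": source, "detail": detail})
    return sorted(events, key=lambda e: e["when"])


def events_in_window(timeline, start: str, end: str):
    """Keep only the events inside the hypothesis window (inclusive)."""
    lo = datetime.fromisoformat(start).astimezone(timezone.utc)
    hi = datetime.fromisoformat(end).astimezone(timezone.utc)
    return [e for e in timeline if lo <= e["when"] <= hi]


if __name__ == "__main__":
    image = build_sample_image()
    acquisition_hash = hash_image(image)
    print("image hash:", acquisition_hash, "verified:", verify_image(image, acquisition_hash))
    info = parse_mbr(image)
    print("sectors:", info["total_sectors"], "signature ok:", info["valid_signature"])
    for p in info["partitions"]:
        print(f"  partition {p['index']}: {p['type_name']} LBA {p['lba_start']} +{p['sectors']}")
    for e in events_in_window(build_timeline(SAMPLE_ARTEFACTS),
                              "2023-05-01T09:00:00+00:00", "2023-05-01T11:00:00+00:00"):
        print(e["when"].isoformat(), e["source"], e["detail"])
```

The hash check is the part worth copying into real practice: re-run `verify_image` against the recorded acquisition hash before each analysis session, so any later claim that the evidence was altered can be answered with the matching digests.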