Computer forensics

17.04.2006

Secure the computer system so that nothing can alter or tamper with it: not the investigators, not third parties, and not automated processes such as viruses or other malware still running on it. Never analyze data on the machine it was collected from unless there is no alternative; work on a copy on a separate, trusted analysis machine.

Make exact, forensically sound copies of all data storage devices, including every hard drive. Do not change date/time stamps or alter the data itself. Do not overwrite unallocated space; even one normal boot of the machine writes to the disk (swap, logs, updated timestamps) and can destroy it, so attach the drive through a hardware write blocker rather than booting from it. Compute a cryptographic hash (for example SHA-256) of the source medium and of the image and record both: matching hashes show the copy is exact, and re-hashing the image later shows it has not been altered since. Specialized equipment is available to speed and facilitate the forensic copying of hard drives.

Identify and discover all files on the system, including normal files, deleted-yet-remaining files, hidden files, password-protected files and encrypted files.

Recover deleted files as far as possible. Pay special attention to specific areas of the hard drive, including boot sectors, page files and the temporary or swap files used by application programs and by the operating system. Look at unallocated space (clusters marked as currently unused) as well as file slack: the unoccupied space between a file's end-of-file marker and the end of the last disk cluster assigned to it. Neither area is part of an active file, but either may still hold data from a different file, or from an earlier version of a document, because deleting or shortening a file releases or truncates its clusters without wiping them.
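The steps above (hash-verify the copy, then pull data out of file slack, deleted-but-unwiped files and unallocated clusters) are shown together in the following added example. It is not code from the original page; it works on a deliberately simple, constructed disk layout (fixed 512-byte clusters, a directory table and an allocation bitmap) so that it runs offline. Real file systems need a proper parser or a tool such as The Sleuth Kit, but the slack, deleted-entry and unallocated-space logic is the same.

```python
import hashlib
import re
from dataclasses import dataclass

CLUSTER = 512          # bytes per allocation unit (assumed for this toy layout)
TOTAL_CLUSTERS = 8     # constructed image size


@dataclass
class DirEntry:
    """One directory entry of the toy file system (constructed, not a real format)."""
    name: str
    first_cluster: int
    num_clusters: int   # clusters assigned to the file (contiguous here)
    size: int           # logical size in bytes; the EOF marker sits here
    deleted: bool = False


def build_sample_image():
    """Construct an 8-cluster image containing the kinds of residue the text names.
    Every byte below is made up for the example; nothing here is a real disk."""
    img = bytearray(TOTAL_CLUSTERS * CLUSTER)
    # 1. An earlier draft once filled clusters 0-1 completely, ending with this line.
    tail = b"Action: wire 40,000 to acct 778-21 before the audit."
    old = b"DRAFT v1 of memo.".ljust(2 * CLUSTER - len(tail), b"\x00") + tail
    img[0:2 * CLUSTER] = old
    # 2. memo.txt (600 bytes) was then written over the same clusters; the last
    #    424 bytes of cluster 1 still hold the end of the draft: file slack.
    memo = b"Quarterly memo: all figures reviewed, no exceptions.".ljust(600, b" ")
    img[0:600] = memo
    # 3. notes.txt was deleted: its entry is flagged and its clusters 2-3 freed
    #    in the bitmap, but the data was never wiped.
    notes = b"Meeting notes 2006-04-10: auditor asked about acct 778-21."
    img[2 * CLUSTER:2 * CLUSTER + len(notes)] = notes
    # 4. Clusters 4-7 have no directory entry at all (unallocated space), yet a
    #    fragment of an even older file remains in cluster 5.
    frag = b"Unallocated fragment: shred list, attachment 3."
    img[5 * CLUSTER:5 * CLUSTER + len(frag)] = frag
    directory = [
        DirEntry("memo.txt", first_cluster=0, num_clusters=2, size=600),
        DirEntry("notes.txt", first_cluster=2, num_clusters=2, size=len(notes), deleted=True),
    ]
    bitmap = [True, True, False, False, False, False, False, False]
    return bytes(img), directory, bitmap


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(source: bytes, image: bytes) -> bool:
    """Hash the original medium and the copy; a sound image matches bit for bit."""
    return sha256_hex(source) == sha256_hex(image)


def cluster_bytes(image: bytes, n: int) -> bytes:
    return image[n * CLUSTER:(n + 1) * CLUSTER]


def file_slack(image: bytes, e: DirEntry) -> bytes:
    """Bytes between the file's EOF and the end of its last assigned cluster."""
    eof = e.first_cluster * CLUSTER + e.size
    last_cluster_end = (e.first_cluster + e.num_clusters) * CLUSTER
    return image[eof:last_cluster_end]


def unallocated_clusters(bitmap):
    return [i for i, used in enumerate(bitmap) if not used]


def unallocated_space(image: bytes, bitmap) -> bytes:
    return b"".join(cluster_bytes(image, i) for i in unallocated_clusters(bitmap))


def recover_deleted(image: bytes, directory) -> dict:
    """Read back deleted entries whose clusters have not been reused."""
    return {e.name: image[e.first_cluster * CLUSTER:e.first_cluster * CLUSTER + e.size]
            for e in directory if e.deleted}


PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")


def carve_text(data: bytes):
    """Printable ASCII runs of 8+ bytes: the simplest form of carving."""
    return [m.group() for m in PRINTABLE.finditer(data)]


def main():
    source, directory, bitmap = build_sample_image()
    image = bytes(source)   # stands in for the dd/duplicator copy of the drive
    print("image verified:", verify_image(source, image), sha256_hex(image)[:16])
    for e in directory:
        if not e.deleted:
            print(f"slack of {e.name}:", carve_text(file_slack(image, e)))
    print("deleted recovered:", recover_deleted(image, directory))
    print("unallocated clusters:", unallocated_clusters(bitmap))
    print("carved from unallocated:", carve_text(unallocated_space(image, bitmap)))


if __name__ == "__main__":
    main()
```

Note that `memo.txt` itself says nothing incriminating; the draft sentence survives only in its slack, and the deleted notes survive only because their clusters were released, not wiped. Running the same checks over an image whose hash no longer matches the recorded acquisition hash should stop the analysis, not continue it.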

Maintain a full audit log of your activities throughout the investigation: what was done, when, by whom and with which tool, together with the hashes of the evidence at each step. Produce a detailed report at the end.