So Where Should You Start From

It's time to start the hard work, right? You have your forensic system loaded with software and a target computer or media you have to analyze, so let's get started.

The very first step should always be to document everything before you actually do anything. As boring as this might sound, if you've spent some hours or days rigging up your hardware and software, this is a must, and you'd better learn it the right way from the beginning! You don't want to build up nasty habits that could endanger any piece of evidence you might find, right? Nah, you don't want that, believe us.

Not until you have documented everything—make, model, serial number, current status, and taken some pictures just in case—is it time to take the first real step. Your first decision as a future forensic expert will be quite easy sometimes but very, very hard on occasion. Should you work with the system live or not? This is also known as the famous "pull-the-plug" debate. We won't go into it, not on a forensic starter-kit level, but we will give you some guidelines as to how to proceed for both scenarios.

