The Forensic Investigation Workflow

Every step writes to the Chain of Custody log (right rail).
flowchart TD
    S1["1. Identify and Isolate<br/>photograph, document, isolate"]:::slate
    S2["2. Capture Volatile Data<br/>RAM, processes, connections"]:::blue
    D1{"3. Power Decision"}:::decision
    S4["4. Forensic Imaging<br/>write-blocker, bit-for-bit, SHA-256"]:::blue
    D2{"5. Verify Hashes Match?"}:::decision
    S6["6. Examination Copy<br/>work on a copy, never the source"]:::slate
    S7["7. Analysis<br/>filesystem, registry, logs, memory"]:::blue
    S8["8. Reporting<br/>findings tied to evidence + hashes"]:::slate
    S9["9. Court / Disclosure<br/>testimony, chain-of-custody log"]:::court
    LOG["Chain of Custody Log<br/>continuous record<br/>every step writes here"]:::log

    S1 --> S2 --> D1
    D1 --> S4
    S4 --> D2
    D2 -->|Yes| S6
    D2 -->|No: re-image| S4
    S6 --> S7 --> S8 --> S9

    S1 -.-> LOG
    D1 -.-> LOG
    S4 -.-> LOG
    S7 -.-> LOG
    S9 -.-> LOG

    classDef slate fill:#455a64,stroke:#263238,stroke-width:2px,color:#ffffff,font-size:14px
    classDef blue fill:#1565c0,stroke:#0d3a73,stroke-width:2px,color:#ffffff,font-size:14px
    classDef decision fill:#ffa000,stroke:#b26a00,stroke-width:2px,color:#3e2723,font-size:14px
    classDef court fill:#fff8e1,stroke:#455a64,stroke-width:2.5px,color:#37474f,font-size:14px
    classDef log fill:#e8eef5,stroke:#1565c0,stroke-width:2px,color:#1a3a5c,font-size:14px
    linkStyle default stroke:#607d8b,stroke-width:2px,font-size:13px
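
Steps 5 and 6 and the chain-of-custody log, sketched in Python as an added example (not code from the original page). The function names, the JSON-lines log layout and the `prev` hash link between entries are assumptions made for illustration.

```python
import hashlib, json, os, shutil
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-GB image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def log_custody(log_path, step, actor, detail):
    """Append one JSON line that carries the SHA-256 of the previous line (assumed layout)."""
    prev = "0" * 64  # genesis value for the first entry
    if os.path.exists(log_path) and os.path.getsize(log_path):
        with open(log_path, "rb") as f:
            prev = hashlib.sha256(f.read().splitlines()[-1]).hexdigest()
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "step": step,
             "actor": actor, "detail": detail, "prev": prev}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_and_copy(image, acquisition_sha256, work_dir, log_path, actor):
    """Step 5, then step 6. Returns the examination copy path, or None meaning re-image."""
    actual = sha256_file(image)
    if actual != acquisition_sha256.lower():
        log_custody(log_path, "5-verify", actor, {"result": "MISMATCH", "actual": actual})
        return None
    log_custody(log_path, "5-verify", actor, {"result": "match", "sha256": actual})
    os.chmod(image, 0o444)  # the verified master image becomes read-only
    copy = os.path.join(work_dir, "exam_" + os.path.basename(image))
    shutil.copyfile(image, copy)
    if sha256_file(copy) != actual:  # the working copy must verify as well
        os.remove(copy)
        log_custody(log_path, "6-copy", actor, {"result": "copy hash mismatch"})
        return None
    log_custody(log_path, "6-copy", actor, {"copy": copy, "sha256": actual})
    return copy

def chain_intact(log_path):
    """Recompute the prev-hash chain; False if an earlier line was edited or removed."""
    prev = "0" * 64
    with open(log_path, "rb") as f:
        for line in f.read().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True
```

The chain only exposes changes to entries that have a successor, so the newest line is unprotected until the next step is logged. Recording the latest entry hash somewhere outside the log (a signed note, write-once storage) closes that gap.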
