Incident Response Policies and Procedures
The Security Incident Response Team should always follow a structured, documented process in which the content of the items to be investigated is preserved, validated, and documented. The dimensions, scope, and investigative methods of any investigation must be understood at the outset, and those methods are best based upon proven techniques, such as proper and legal collection of evidence and obtaining proper bit-stream “hash encrypted” copies of evidence. Because an investigation proceeds linearly, each step needs documentation and supporting evidence, for technology can give unexpected results. So always document everything and report everything.
There are two areas in which the Security ...