Hi,
It's a detailed science. However, very broadly, the main phases are sometimes considered to be: secure the subject system (from tampering during the operation); take a copy of hard drive (if applicable); identify and recovery all files (including those deleted); access/copy hidden, protected and temporary files; study 'special' areas on the drive (eg: residue from previously deleted files); investigate data/settings from installed applications/programs; assess the system as a whole, including its structure; consider general factors relating to the users activity; create detailed report. Throughout the investigation, it is important to stress that a full audit log of your activities should be maintained.