In this chapter, we will describe a framework for conducting an internal investigation of a computer security incident. You will find that much of this framework has changed little since the first edition of the book. While the nature of digital incidents has continued to evolve, the overall investigative methodology still fits well. Because the focus of this book is still the corporate investigator, rather than law enforcement, we will skip discussions of search warrants, subpoenas, and other issues with which law enforcement must deal. We point out, however, that you will not, in all likelihood, have decided whether or not to request assistance from a law enforcement agency when you begin your investigation. For that reason, you must treat every investigation as if it will become a criminal proceeding.