Explanation should include
- documentation and evidence
- legal hold
- admissibility
- chain of custody
- timelines of sequence of events
- time stamps
- reports
- event logs
- interviews
- acquisition
- order of volatility
- secondary storage
- primary storage and random access memory (RAM)
- swap and page file
- firmware
- cache
- network
- data integrity
- hashing
- checksums
- provenance
- software for digital forensics investigation
- dd
- memdump
- WinHex
- Forensic Toolkit (FTK) Imager
- Autopsy
- electronic discovery (e-discovery), including identifying, collecting, and producing electronically stored information (ESI).