The goal of a forensic analysis is to draw relevant conclusions from the evidence collected. It occurs in four main phases: correlation, corroboration, testing, and reporting. In the correlation phase, an investigator follows an inductive process across a broad set of data to formulate an initial hypothesis about how an incident took place. In the corroboration phase, evidence from the correlation phase is cross-checked against other sources of evidence to build a stronger hypothesis from the unverified hypotheses previously identified. In the testing phase, an investigator takes on the role of the "devil's advocate" and tests the hypotheses against alternative possible explanations. In the reporting phase, findings of fact and strong hypotheses are distilled into a report deliverable, which includes supporting evidence.
As with an incident response, the phases of a forensic analysis may occur in a cycle, since conflicting evidence may contradict hunches and hypotheses. The product of a forensic analysis is a report detailing a set of findings of fact or substantiated hypotheses, supported by relevant evidence. It is not guaranteed, however, that the product will answer the questions posed by a client with sufficient specificity. Sometimes insufficient evidence remains to completely answer the questions related to the root cause of an incident.