A relatively standard procedure would be as follows, this is general and basic:


capture volatile data -memory, processes etc.
Get the hard drive out of the system. Image the system by attaching a write blocker and using "forensically sound" software. linux dd is pretty much forensically sound..just as much as the expensive crap anyways. You can image the disk to an image file OR image it to another disk. If you image it to another disk, use the same make and model disk.
The image src should be checksummed, as should be the image itself. It's typical to make 2 images of the original.

Typically you know what you are looking for when you seize evidence since it requires a warrant.
So you search slack space(ram, file etc), the swap file for any clues, then go through the MFT(NTFS only), internet history, email, documents, check for recoverable documents/files, look in partition gaps for hidden data, check alternate data streams, MAC times, check image files for hidden data and on and on and on.
The most important part is that you never never never modify the evidence, especially if you plan on using it in court.


for starters it's not a bad idea to screw up a computer, plant some crap, delete it, format the drive and try to find it and recover it. It's also not a bad idea to practice doing that WITHOUT trying to be forensically sound at first.
I would suggest you grab a few books from your local bookstore or online and start reading.