Collect SMF type 80 records for the affected period - Collect CICS journal records for affected transactions - Collect DB2 audit trace for affected tables - Reconstruct the sequence of events - Determine scope: what data was accessed or compromised?