Sept. 17, 2023, 8:33 a.m. | /u/Unthiest

cybersecurity www.reddit.com

Hi
A couple of hypothetical scenarios I wanted to get a DFIR SME opinion about: what would be your approach as an incident responder?
1) You have a Windows disk/memory image of a compromised system with no further details, where will you start investigating? (Interested to know the approach, like which artifacts to start looking at first, etc.)
2) Customer contacted you to respond to an incident because they have seen a process "blah".exe being launched from a user desktop and that …
