We propose a framework for structuring the description and results of the forensic analysis of actions of investigative interest in digital applications, and for automated reasoning about such actions. A high level of abstraction is suitable for forensic stakeholders who are not ICT experts; other levels are suitable for automating experiments on the devices to establish the traces left by actions, and for associating the results of the experiments. Such results are used in a computational logic framework to derive evidence of the occurrence of actions. The evidence can be presented to stakeholders or used in further automated reasoning, and traced back to data on the device.