Views:

Create investigation timelines with the collected evidence to gain insight into the context of an incident.

The following table outlines the actions available in the Timeline screen.
Action
Description
Filter timeline elements
Specify the operating system to locate specific timeline entries.
  • Timestamp
  • Timestamp type
  • Evidence type
  • Endpoint
Add a custom element to the timeline
Click Add Element (add_icon=cf892c2f-1a1f-4d22-848f-023067e4a507.png) to add a custom element to the timeline.
Delete elements from the timeline
Select one or more elements from the timeline and then click Delete Selected.
Reset timeline
Click options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png and select Delete All to delete all elements from a timeline.
Add timeline to sub-case
Click options=ddb0b67f-0654-4aa5-8bc7-48ec554c5448.png and select Add Timeline to Case to add the current timeline to the specified Forensics sub-case.