Investigators trying to understand what happened in a computer attack will assemble a timeline that lists all of the clues and snippets found inside the log files and other records. The structure and pattern of how this timeline can help identify when the computer was breached and, perhaps, which data was compromised.