Notes:


Reminder - because the IDS time is not synchronized to the subject computer, the timestamps are from the compromised host.

The timeline (and this is just the highlights!) shows just how much data is recoverable using forensics.