What should each timeline entry include?

For every event, capture the date and time (with the time zone), what happened in one plain sentence, who or what account was involved, and a pointer to the underlying evidence (a file name, a message, a screenshot reference). The goal is that anyone can follow the story and find the proof behind each line.

How do I handle time zones and timestamps?

Pick one time zone for the whole timeline and note it at the top, then convert everything to it. Where you can, record the original timestamp from the source as well — message metadata, email headers, and device logs carry the authoritative time, and a screenshot alone can lose it. NIST's mobile-forensics guidance treats these original timestamps as the reliable record.

Will my timeline be usable in court?

A timeline you build yourself is a roadmap, not evidence on its own — it points to the underlying records that do the proving. Keep it factual and dated, avoid speculation, and preserve the originals it references. A credentialed examiner can then authenticate those records and turn your roadmap into something an attorney can file.

How to Build a Scam or Harassment Timeline

When a scam or a harassment campaign unfolds over weeks, the details blur. A timeline fixes that: it turns a pile of screenshots and half-remembered events into a clear, ordered story that anyone can follow. It is the artifact lawyers and investigators ask for first, because it shows the pattern — and points to the proof behind every line.

Why a timeline matters

Individual messages rarely tell the story; the sequencedoes. A timeline shows escalation, repetition, and the link between events that look unrelated in isolation. It also keeps you honest: each entry has to point at a real piece of evidence, which stops a case from drifting into “I think” and “probably.”

How to structure each entry

When: date and time, with the time zone. Use the original timestamp from the source where you can.
What: one plain sentence describing the event.
Who / where: the account, number, email, or platform involved.
Evidence: a pointer to the underlying record — a file name, message, or screenshot reference — so the line can be verified.

Keep it credible

Pick one time zone and note it at the top. Preserve the originals your timeline references rather than relying on screenshots alone — original message metadata and headers carry the authoritative time. Stick to facts and leave conclusions out; the sequence makes the point on its own. For the underlying preservation step, see screenshots vs. forensic evidence.

Hand it off

Once the timeline is built, it is the spine of the case. SleuthX’s AI triage can help organize the events and the evidence behind them, with an examiner reviewing the result, and this guide covers how to package it for a lawyer or the police.

Primary sources

National Institute of Standards and Technology, SP 800-101 Rev. 1 — Guidelines on Mobile Device Forensics, 2014. https://csrc.nist.gov/pubs/sp/800/101/r1/final

U.S. Federal Trade Commission, IdentityTheft.gov — document what happened and build a recovery plan. https://www.identitytheft.gov/

Scientific Working Group on Digital Evidence (SWGDE), SWGDE Best Practices for Digital Evidence Collection (18-F-002). https://www.swgde.org/documents/published-complete-listing/18-f-002-best-practices-for-digital-evidence-collection/

Quinnlan Varcoe

Founder & CEO

GIAC-certified · 15 industry certifications

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded SleuthX in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”

Fortune 50 BackgroundDefense IndustryThreat IntelligenceDigital PrivacyIncident Response