The filesystem is not the only source of data that contains timestamps of events in the system. When computers work, even when users do not do anything, a lot of events occur in the system. For example, Windows XP creates a System Restore Point every 24 hours, runs disk defragmentation every three days so that sectors of deleted files will be rewritten. Windows 7 has a Volume Shadow Copy mechanism, which also creates backup files and so on. All these actions occur automatically without any user activity. So, even in idle mode, Windows has a lot of events. In the case that the system has active users, we would see many more events. The information about these events will reflect in different places: in the registry, event log files, log files of applications, browser history, and so on.

If we could use all of these sources in the timeline, we could make a whole picture of what happened in the system and link different events in logical chain. This approach is called...