Skip to main content

Investigating a Project

Evidence is processed into Projects and investigation starts by analyzing the project evidence. The project view provides an overview of the key information for all evidence items in a given project.

The tabs available on the Project Overview page are:

Tab NameDescription
TimelineA timeline of key events.
AlarmsMalicious events.
SuspiciousPossibly malicious events.
NetworkNetwork connections.

System View

By clicking on an individual Evidence item, you bring up the System View. The System View provides the same details as the Project View, but limited to a single evidence item.

Browsing Files

You can browse the filesystem of certain evidence items. When browsing a Disk folders with a red dot indicate the presence of a known malicious file. You can browse the folder structure of a disk by clicking on individual folders.


The search interface allows you to search both file and event contents.

Click Investigate then Search to open the search interface. Cado uses specialized indexing to provide fast searches across files and events. Due to the way this indexing works, you may get fewer results than if you performed a traditional slow byte by byte search of each file.

For more information on searching, see Timeline Search.

Indicators / Detections

The Indicators or Detections page provides a summary of indicators of compromise detected within a project, and which systems they matched.

Click Investigate then Indicators.