Case management.

01 / Cases

Case records.

A case represents the investigative context in which supported evidence acquisition, analysis, tool execution, reporting, and review activity can be organized.

• Case number, name, description, owning organization, creator, assigned examiner, timestamps, and workflow status
• Creation, editing, status tracking, and closure where supported
• Association with evidence records, drive sessions, tool executions, acquired images, operation results, and reports
• Location-aware fields only where supported by workflow or deployed hardware

02 / Context

Active case context.

When a case is active or selected at tool time, supported operations can retain that case reference so the work can appear in case-scoped views, reports, and metrics.

• Active case selection
• Case selection at tool time
• Case reference on supported queued operations
• Case-scoped records for reports and investigation views

03 / Evidence

Evidence tracking.

Case management keeps supported evidence-handling activity connected to execution records and operation results so later review can follow what happened.

• Drive sessions, acquisitions, verifications, hashes, analysis operations, derived artifacts, and reports where records are created
• Provenance references between source drives, sessions, forensic images, tool executions, conversion outputs, analysis results, and reports
• Authenticated user and organization attribution where recorded
• Case-scoped operational history for review

04 / Assignments

Case assignments.

Cases can be assigned to users or organizations for workflow tracking and visibility. Assignment types can describe participation without replacing the permissions model.

• Primary, secondary, viewer, or collaborator assignment types where supported
• Assignment creator, timestamp, notes, and active or inactive state
• Assignment visibility for case workflows
• Permissions remain controlled by account, organization, and role configuration

05 / Location

Location capture.

Case records can include location context where the workflow and deployed hardware support it. Location data should be treated as conditional, not assumed for every evidence event.

• Captured location fields where supported
• Association with supported case or evidence workflows
• Graceful degradation when location hardware is absent
• Location should not be implied for every acquisition or case action

06 / Browse + Retain

Case browsers and retention.

Case and evidence browsers provide review surfaces for case records, investigation views, and file-level navigation where the related data exists. Deletion and retention behavior should stay tied to implemented case lifecycle controls.

• Case browser and case detail views where supported
• Investigation views for sessions, drives, execution history, and operation records
• File-level navigation into extracted or analyzed evidence where available
• Deletion, restoration, and retention behavior where implemented

07 / Review

Case review.

Case views can present available case-scoped records with drill-down into sessions, drives, execution history, operation records, analysis results, hashes, and reports.

• Case browser and case detail views where supported
• Investigation views for sessions, drives, tool execution history, and operation records
• File-level navigation into extracted or analyzed evidence where available
• Durable operational history and reportable provenance for supported case activity

Scope note: case pages should emphasize case-scoped operational history, reportable provenance, and chain-of-custody review support for supported platform activity.