A method for analyzing a potential data breach is disclosed. In one embodiment, such a method includes identifying a time frame and data store in which a data breach potentially occurred. The method reconstructs the data store to a point in time near an end of the time frame. The method then repeatedly performs the following until the data store reaches a point in time near a beginning of the time frame: revert to a previous version of the data store by removing an incremental update to the data store; record changes to the data store caused by removing the incremental update; and record timestamps associated with the changes. Once the data store reaches the point in time near the beginning of the time frame, the method creates a report that documents the changes and the timestamps and provides the report to a user. A corresponding system and computer program product are also disclosed.