cybersecurity/BreakEscape
1
0
Fork 0
mirror of https://github.com/cliffe/BreakEscape.git synced 2026-02-20 13:50:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add TEMPLATE_006 (Message Logs) and comprehensive template documentation

Browse Source 
Created Template 006 for encrypted messaging app evidence (Signal/Wickr) showing ENTROPY handler-asset communications, plus comprehensive README documentation for the entire template system.

## New Files:

### TEMPLATE_AGENT_ID_006_message_logs.md
- **Evidence Type:** Signal/Wickr encrypted messaging app logs
- **Key Feature:** Handler uses subject's REAL NAME 8 times in operational comms
- **Direct Identity Confirmation:** Definitive proof of NPC as ENTROPY asset
- **Evidence Strength:** 75% alone → 99% combined with other templates
- **High Cooperation Potential:** 85% base (subject wants out, shows coercion)

**5 Message Threads Included:**
1. Initial Tasking - Handler assigns data theft, uses real name
2. Operational Concerns - Subject worried, handler reassures
3. Coordination with Cell - Payment confirmed, second asset mentioned
4. Internal ENTROPY Comms - Handler briefs cell leader, confirms recruitment method
5. Escalation and Pressure - Subject wants out, handler threatens and coerces

**What Makes This Template Unique:**
- Only template with direct real name confirmation via ENTROPY internal comms
- Shows subject is KNOWN ENTITY within ENTROPY organization
- Reveals handler's OPSEC failure (using real names)
- Documents coercion and victimization (subject tried to quit)
- Provides intelligence beyond subject: handler contact, cell structure, operations
- Creates moral complexity: perpetrator who is also victim

**Substitution Variables (17 total):**
- [SUBJECT_NAME], [SUBJECT_CODENAME], [HANDLER_CODENAME]
- [CELL_DESIGNATION], [OPERATION_NAME]
- [HANDLER_PHONE], [SUBJECT_PHONE]
- [TARGET_ORGANIZATION], [DATA_TYPE], [SYSTEM_NAME]
- [AMOUNT], [MEETING_LOCATION], [DEADLINE_DATE]
- [DATE_1] through [DATE_5], [TIME_1] through [TIME_5]
- [PRESSURE_DETAIL], [SUBJECT_CONCERN]
- [SECOND_ASSET_CODENAME], [CELL_LEADER_CODENAME]

**Gameplay Integration:**
- Discovery: RARE (server compromise or handler device seizure)
- Unlocks: Handler arrest, second asset ID, cell mapping
- Interrogation approaches: Overwhelming evidence (85%), Empathetic victim-focused (90%), Strategic flip (90%)
- Intelligence yield: Cell structure, handler contact, dead drops, payment methods

**Educational Value (CyBOK):**
- Encrypted messaging security & limitations
- OPSEC failures in operational communications
- Mobile device forensics
- Digital evidence authentication
- Insider threat psychology and coercion tactics
- Counterintelligence and asset flipping

### README.md (Comprehensive Template System Guide)
- **Purpose:** Complete documentation for using all 6 evidence templates
- **Sections:** Quick start, substitution guide, best practices, examples

**Key Content:**
- Quick Start Guide (4 steps: Choose templates → Gather values → Substitute → Deploy)
- Complete 6-template overview with summaries
- **Complete Substitution Variable Reference Table:**
  - Core Identity (3 variables - used in ALL templates)
  - ENTROPY Operational (7 variables)
  - Financial (4 variables)
  - Technical/System (3 variables)
  - Communication (3 variables)
  - Location (3 variables)
  - Temporal (5 variables)
  - Contextual (4 variables)
- Evidence Combination Strategies (5 strategic paths)
- Interrogation Approaches by Evidence Collected (clear unlocks)
- Best Practices (DO/DON'T lists)
- Rarity and Discovery Recommendations (progression table)
- Success Metrics and Gameplay Impact (evidence count → outcomes)
- Customization Examples (3 complete NPC scenarios with all substitutions)
- Educational Value Summary (CyBOK alignment)
- Quick Reference Checklist

**DO/DON'T Best Practices:**
✓ Replace ALL placeholders
✓ Keep values consistent across templates for same NPC
✓ Match timeline chronologically
✓ Consider cooperation potential
✗ Don't leave [BRACKETS] in final version
✗ Don't require 100% collection
✗ Don't over-punish coerced NPCs

## Updated Files:

### TEMPLATE_CATALOG.md
- Updated template count: 5 → 6
- Updated section title: "The Five Evidence Templates" → "The Six Evidence Templates"
- Added complete Template 006 entry with:
  - Full substitution variable list (17 variables)
  - Message thread summaries
  - Real name usage pattern analysis
  - 9 red flags documented
  - Evidence strength progression
  - Gameplay integration details
  - Forensic & legal assessment
  - Cross-references to other templates
  - Discovery scenarios and timing
- Updated Evidence Chain diagram to include Message Logs
- Updated Confidence Thresholds table: Added 6-template row (99.9% confidence, 95% cooperation)
- Added 2 new combination strategies:
  - "Real Name Confirmation + High Cooperation" (Templates 006 + 005 + 002 = 99%, 95% cooperation)
  - "Complete Cell Mapping" (Templates 006 + 004 + 002 + 003 = 99.9%, enables handler arrest)
- Added Template 006 to Discovery Placement Recommendations (Very Hard, Late investigation)
- Updated Expansion Opportunities: Renumbered future templates 007-011 (was 006-010)
- Updated Version History: Added v2.0 entry
- Updated Quick Reference Card: Added Template 006 with  NEW marker

## System Impact:

**Template System v2.0:**
- Total Templates: 6 (was 5)
- Total Substitution Variables: 32+ unique placeholders
- Evidence Chain: 6-step progression from suspicion → definitive proof
- Maximum Confidence: 99.9% (all 6 templates)
- Cooperation Range: 50% (1 template) → 95% (all 6 with empathetic approach)

**New Capabilities:**
- Direct real name confirmation via ENTROPY internal comms
- Handler identification and arrest enablement
- Cell structure mapping
- Second asset discovery at same organization
- Coercion documentation for cooperation agreements
- Highest cooperation potential (85-95%)

**Documentation Completeness:**
- Quick start guide for new users
- Complete variable reference (32+ variables documented)
- 5 evidence combination strategies
- 8 interrogation approach unlocks
- 3 complete NPC customization examples
- Educational value mapped to CyBOK

## Integration Notes:

**Template 006 Cross-References:**
- Corroborates Template 002 (payment amounts match message discussions)
- Corroborates Template 003 (data extraction dates align with tasking)
- Corroborates Template 004 (dead drop timing/location matches messages)
- Corroborates Template 005 (emotional arc: trapped, wants out)
- Connects to RECRUITMENT_001 (financial pressure methodology)
- Connects to TACTICAL_001 (if operation is infrastructure attack)
- Connects to LEVERAGE_001 (pressure detail as leverage point)

**Recommended Discovery:**
- Rarity: RARE (Very Hard)
- Timing: Late game (Mid-game for major operation rewards)
- Prerequisites: Server compromise OR handler device seizure
- Value: Very High (real name confirmation + handler intel + cell mapping)

All templates maintain narrative consistency, CyBOK educational alignment, and infinite reusability through [PLACEHOLDER] substitution system.
This commit is contained in:
Z. Cliffe Schreuders
2025-11-19 17:43:15 +00:00
parent b5d3ee33c4
commit 2929bdb322
3 changed files with 1472 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

589
story_design/lore_fragments/by_gameplay_function/evidence_prosecution/README.md Normal file
View File

@@ -0,0 +1,589 @@
# Evidence Templates - ENTROPY Agent Identification System
## Overview
This directory contains **6 reusable evidence templates** designed to identify NPCs as ENTROPY agents/assets in Break Escape scenarios. Each template is a complete evidence fragment with placeholder variables that can be substituted at game runtime or during scenario development.
### Purpose
The template system enables:
- **Infinite scalability:** Create evidence for any NPC without writing from scratch
- **Narrative consistency:** All evidence follows established LORE patterns
- **Evidence chains:** Templates designed to corroborate each other
- **Gameplay integration:** Each template unlocks specific player actions
- **Educational value:** CyBOK-aligned security concepts in every template
---
## Quick Start Guide
### Step 1: Choose Your Templates
Select 1-5 templates based on how strong you want the evidence to be:
| Evidence Count | Confidence Level | Use Case |
|----------------|------------------|----------|
| 1 template | 40-80% | Initial suspicion, investigation trigger |
| 2-3 templates | 65-95% | Strong case, confrontation viable |
| 4-5 templates | 95-98% | Very strong case, multiple approaches |
| All 6 templates | 99.9% | Overwhelming evidence, maximum cooperation |
### Step 2: Gather Your Substitution Values
Before using any template, prepare these values for your NPC:
**Required for ALL templates:**
- NPC's full name (e.g., "Jennifer Park")
- Organization name (e.g., "TechCorp Industries")
- Job title/position (e.g., "Network Security Analyst")
- Salary range (e.g., "$85,000/year")
**Additional scenario details:**
- Handler codename (e.g., "Phoenix", "Cascade")
- Cell designation (e.g., "CELL_DELTA", "CELL_BETA_03")
- Payment amounts (typical: $25K-$75K per operation)
- Operation names (e.g., "Glass House", "Silent Echo")
- Relevant dates in your scenario timeline
### Step 3: Substitute Placeholders
Replace **ALL** bracketed placeholders `[LIKE_THIS]` with your values.
**Example:**
```
[SUBJECT_NAME] → "Jennifer Park"
[ORGANIZATION] → "TechCorp Industries"
[AMOUNT] → "$42,000"
```
### Step 4: Deploy in Game
Place the customized evidence fragments where players can discover them according to each template's recommended difficulty and discovery method.
---
## The Six Evidence Templates
### TEMPLATE_001: Encrypted Communications
**File:** `TEMPLATE_AGENT_ID_001_encrypted_comms.md`
**What It Proves:** Suspicious encrypted email communications
**Evidence Strength:** 40% alone → 90% combined
**Best For:** Initial suspicion flag, starting investigations
**Discovery:** Email server logs, IT security alerts
**Key Features:**
- PGP-encrypted email to ProtonMail
- After-hours communication (23:47)
- References to payments and security bypasses
- 6 red flags documented
---
### TEMPLATE_002: Financial Records
**File:** `TEMPLATE_AGENT_ID_002_financial_records.md`
**What It Proves:** Suspicious bank transactions and cryptocurrency payments
**Evidence Strength:** 60% alone → 98% combined
**Best For:** Payment proof (quid pro quo), money laundering
**Discovery:** Subpoenaed bank records, financial audit
**Key Features:**
- Unexplained cash deposits ($25K-$75K)
- Cryptocurrency to ENTROPY master wallet
- Shell company connections
- Lifestyle vs. income discrepancy
---
### TEMPLATE_003: Access Logs
**File:** `TEMPLATE_AGENT_ID_003_access_logs.md`
**What It Proves:** Unauthorized system access pattern
**Evidence Strength:** 70% alone → 98% combined
**Best For:** Data breach proof, technical espionage
**Discovery:** IT audit reports, SIEM alerts
**Key Features:**
- 5 documented security incidents
- Pattern: Reconnaissance → Access → Exfiltration → Cover-up
- PowerShell exploitation evidence
- 1.2GB data exfiltration to USB
---
### TEMPLATE_004: Surveillance Photos
**File:** `TEMPLATE_AGENT_ID_004_surveillance_photos.md`
**What It Proves:** In-person meetings with ENTROPY handler
**Evidence Strength:** 50% alone → 95% combined
**Best For:** Visual proof, handler identification
**Discovery:** Surveillance operation reports
**Key Features:**
- 14-day surveillance operation
- 7 photo scenarios (meetings, dead drops, payments)
- Handler physical description
- Countersurveillance behavior documented
---
### TEMPLATE_005: Handwritten Notes
**File:** `TEMPLATE_AGENT_ID_005_physical_evidence.md`
**What It Proves:** Self-incrimination in subject's own handwriting
**Evidence Strength:** 80% alone → 99.9% combined
**Best For:** High cooperation outcome, empathetic interrogation
**Discovery:** Desk drawer search, home search warrant
**Key Features:**
- 3-page emotional progression (willing → trapped → desperate)
- Cry for help: "Please help me"
- Forensic handwriting analysis (99.7% match)
- Enables 95-98% cooperation probability
---
### TEMPLATE_006: Message Logs (NEW!)
**File:** `TEMPLATE_AGENT_ID_006_message_logs.md`
**What It Proves:** Direct identification via real name in ENTROPY communications
**Evidence Strength:** 75% alone → 99% combined
**Best For:** Confirming identity, showing coercion, mapping cell structure
**Discovery:** Compromised ENTROPY server, seized handler device
**Key Features:**
- Handler uses subject's REAL NAME 8 times
- Signal/Wickr encrypted messaging app logs
- Shows coercion and desire to escape
- Reveals handler contact info and cell structure
- Very high cooperation potential (85% base)
---
## Complete Substitution Variable Reference
### Core Identity Variables (Used in ALL Templates)
| Variable | Description | Example Values | Templates |
|----------|-------------|----------------|-----------|
| `[SUBJECT_NAME]` | NPC's real full name | "Jennifer Park", "Robert Chen" | All 6 |
| `[ORGANIZATION]` | Where NPC works | "TechCorp Industries", "Memorial Hospital" | All 6 |
| `[POSITION]` | NPC's job title | "Network Security Analyst", "Database Admin" | All 6 |
### ENTROPY Operational Variables
| Variable | Description | Example Values | Templates |
|----------|-------------|----------------|-----------|
| `[SUBJECT_CODENAME]` | NPC's ENTROPY designation | "SPARROW", "ASSET_DELTA_04" | 006 |
| `[HANDLER_CODENAME]` | Handler's operational name | "Phoenix", "Cascade", "HANDLER_07" | 005, 006 |
| `[CELL_DESIGNATION]` | Which ENTROPY cell | "CELL_DELTA", "CELL_ALPHA_07" | 006 |
| `[CELL_LEADER_CODENAME]` | Cell leadership | "ALPHA_PRIME", "CASCADE" | 006 |
| `[OPERATION_NAME]` | Specific operation | "Glass House", "Silent Echo" | 006 |
| `[SECOND_ASSET_CODENAME]` | Other asset at same org | "MOCKINGBIRD", "ASSET_DELTA_05" | 006 |
### Financial Variables
| Variable | Description | Example Values | Templates |
|----------|-------------|----------------|-----------|
| `[SALARY]` | NPC's annual salary | "$85,000/year", "$120,000" | 002 |
| `[AMOUNT]` | Payment amount | "$42,000", "$50,000", "$75,000" | 002, 005, 006 |
| `[DEBT_AMOUNT]` | NPC's financial pressure | "$127,000", "$200,000" | 005, 006 |
| `[PAYMENT_METHOD]` | How payments made | "cryptocurrency wallet", "cash deposits" | 006 |
### Technical/System Variables
| Variable | Description | Example Values | Templates |
|----------|-------------|----------------|-----------|
| `[SYSTEM_NAME]` | System being accessed | "Customer Database", "SCADA Control" | 003, 005, 006 |
| `[DATA_TYPE]` | Type of data stolen | "customer records", "network diagrams" | 003, 006 |
| `[FILE_COUNT]` | Number of files | "847", "1,293" | 003 |
### Communication Variables
| Variable | Description | Example Values | Templates |
|----------|-------------|----------------|-----------|
| `[CURRENT_DATE]` | Email date | "March 15, 2025" | 001 |
| `[HANDLER_PHONE]` | Handler's contact | "+1-555-0847", "@secure_contact" | 006 |
| `[SUBJECT_PHONE]` | Subject's contact | "+1-555-0234", "@delta_sparrow" | 006 |
### Location Variables
| Variable | Description | Example Values | Templates |
|----------|-------------|----------------|-----------|
| `[MEETING_LOCATION]` | Dead drop/meeting spot | "Riverside Park bench 7", "Joe's Pizza" | 004, 006 |
| `[LOCATION]` | Generic location | "Downtown Coffee Shop", "Metro Station" | 004 |
| `[VEHICLE_DESCRIPTION]` | Handler's vehicle | "Gray Honda Civic, plate ABC-1234" | 004 |
### Temporal Variables
| Variable | Description | Example Values | Templates |
|----------|-------------|----------------|-----------|
| `[DATE]`, `[DATE_1]`, `[DATE_2]` | Specific dates | "March 15, 2025", "Friday" | All |
| `[TIME]`, `[TIME_1]`, `[TIME_2]` | Specific times | "14:23", "22:47" | 001, 003, 006 |
| `[DEADLINE_DATE]` | Operation deadline | "March 20, 2025" | 006 |
### Contextual Variables
| Variable | Description | Example Values | Templates |
|----------|-------------|----------------|-----------|
| `[CONTACT_DESCRIPTION]` | Handler physical description | "Male, 40s, graying hair..." | 004 |
| `[PRESSURE_DETAIL]` | Coercion/leverage type | "student debt", "medical bills" | 005, 006 |
| `[SUBJECT_CONCERN]` | NPC's expressed worry | "security audit", "feeling watched" | 006 |
| `[EXFIL_METHOD]` | Data transfer method | "USB dead drop", "encrypted upload" | 006 |
| `[COVER_STORY]` | NPC's cover explanation | "working late on project" | 006 |
---
## Evidence Combination Strategies
### Strategy 1: Build from Suspicion
**Path:** Encrypted Comms → Financial Records → Access Logs
- Template 001 (40% confidence) flags the NPC
- Template 002 (60%) proves motive (payment)
- Template 003 (70%) proves activity (data theft)
- **Result:** 95% confidence, strong prosecution case
### Strategy 2: Visual + Technical Corroboration
**Path:** Surveillance Photos → Access Logs → Financial Records
- Template 004 (50%) shows handler meetings
- Template 003 (70%) shows what data was stolen
- Template 002 (60%) shows payments matching meeting dates
- **Result:** 98% confidence, timeline correlation
### Strategy 3: The Confession Path
**Path:** Message Logs → Handwritten Notes → Financial Records
- Template 006 (75%) shows subject admitting crimes
- Template 005 (80%) shows emotional confession + regret
- Template 002 (60%) corroborates payment amounts discussed
- **Result:** 99.9% confidence, maximum cooperation likelihood (98%)
### Strategy 4: Handler Takedown
**Path:** Message Logs → Surveillance Photos → Access Logs
- Template 006 (75%) identifies handler phone + real name
- Template 004 (50%) provides handler photos and vehicle
- Template 003 (70%) shows when data was stolen for handler
- **Result:** 95% confidence + handler arrest opportunity
### Strategy 5: Complete Overwhelming Evidence
**Path:** All 6 Templates
- Every evidence type corroborates others
- Multiple independent proof sources
- Timeline fully documented across evidence types
- **Result:** 99.9% confidence, all interrogation approaches available
---
## Interrogation Approaches by Evidence Collected
### With Encrypted Comms (Template 001)
**Approach:** "We intercepted your encrypted emails. You're violating company policy and federal law."
**Success:** 55%
### With Financial Records (Template 002)
**Approach:** "We have your bank records. Unexplained $42,000 deposits. Where did this money come from?"
**Success:** 65%
**Alternate:** "We can help with your debt if you cooperate with us."
**Success:** 75% (if financial pressure is recruitment vector)
### With Access Logs (Template 003)
**Approach:** "We have every keystroke. Every file you touched. 847 files on a USB drive at 10:37 PM. Explain that."
**Success:** 70%
### With Surveillance Photos (Template 004)
**Approach:** "We have photos. You, meeting with this person, cash exchange, dead drop. You can't deny this."
**Success:** 60%
### With Handwritten Notes (Template 005)
**Approach:** "This is your handwriting. 'Please help me.' We read your notes. We know you want out. We can help."
**Success:** 95% (empathetic approach)
### With Message Logs (Template 006)
**Approach:** "Your handler used your real name. They discussed Operation [NAME]. You admitted everything in your own messages."
**Success:** 85%
**Alternate:** "We saw you tried to quit. Your handler threatened you. You're a victim. Help us get THEM."
**Success:** 90%
### With All 6 Templates
**Approach:** "There's no defense. Messages, photos, financial records, access logs, your own handwriting, your own admissions. But we can still help you if you help us."
**Success:** 95-98%
---
## Best Practices for Template Usage
### DO:
**Replace ALL placeholders** - Leaving `[BRACKETS]` breaks immersion
**Keep values consistent** - Same NPC should have same name/details across all templates
**Match timeline** - Dates should be chronological and logical
**Customize personality** - Adjust NPC's emotional tone to match character
**Corroborate details** - Payment amounts, dates, systems should align across templates
**Consider cooperation** - Templates 005 and 006 create high-cooperation scenarios
**Scale to scenario** - Use fewer templates for minor NPCs, more for major cases
### DON'T:
**Don't leave placeholders** - Always substitute all variables
**Don't mix NPCs** - One set of templates = one NPC only
**Don't ignore timeline** - Date 1 should come before Date 2
**Don't over-punish coerced NPCs** - Templates 005/006 show victims; offer cooperation
**Don't make all NPCs identical** - Customize handler personality, NPC emotional state
**Don't require 100% collection** - 3 templates should be sufficient for action
**Don't skip corroboration** - Templates are stronger together
---
## Rarity and Discovery Recommendations
| Template | Recommended Rarity | Discovery Difficulty | Discovery Method |
|----------|-------------------|---------------------|------------------|
| 001 - Encrypted Comms | Common | Medium | Email server logs, IT alerts |
| 002 - Financial Records | Uncommon | Hard | Subpoena, financial audit |
| 003 - Access Logs | Common | Medium | IT audit, SIEM analysis |
| 004 - Surveillance Photos | Uncommon | Hard | Active surveillance operation |
| 005 - Handwritten Notes | Uncommon-Rare | Medium-Hard | Desk/home search |
| 006 - Message Logs | **Rare** | **Very Hard** | Server compromise, handler device seizure |
**Progression:**
- **Early Game (Scenarios 1-5):** Templates 001, 003 available (starting investigation)
- **Mid Game (Scenarios 6-14):** Templates 002, 004, 005 available (building case)
- **Late Game (Scenarios 15-20):** Template 006 available (major breakthrough)
---
## Success Metrics and Gameplay Impact
### Evidence Count → Outcomes
**1 Template:**
- **Confidence:** 40-80%
- **Action:** Suspicion flagged, investigation unlocked
- **Prosecution:** Insufficient
- **Cooperation:** 50%
**2 Templates:**
- **Confidence:** 65-85%
- **Action:** Surveillance authorized, assets frozen
- **Prosecution:** Possible but weak
- **Cooperation:** 70%
**3 Templates:**
- **Confidence:** 85-95%
- **Action:** Arrest warrant viable, confrontation enabled
- **Prosecution:** Strong case
- **Cooperation:** 85%
**4 Templates:**
- **Confidence:** 95-98%
- **Action:** Multiple interrogation approaches, handler arrest
- **Prosecution:** Very strong case
- **Cooperation:** 90%
**5-6 Templates:**
- **Confidence:** 99.9%
- **Action:** All approaches available, cell mapping
- **Prosecution:** Overwhelming case
- **Cooperation:** 95-98%
### Intelligence Value by Template
Each template provides unique intelligence:
- **001:** Email infrastructure, encryption methods
- **002:** ENTROPY financial network, master wallet
- **003:** What data was stolen, when, how
- **004:** Handler identity, vehicle, meeting patterns
- **005:** NPC's emotional state, recruitment method
- **006:** Cell structure, operations, handler contacts, real name confirmation
---
## Customization Examples
### Example 1: Corporate Infiltration - Data Theft
**NPC:** Jennifer Park, Network Security Analyst at TechCorp
**Recruitment:** Student debt ($127K)
**Handler:** Phoenix (CELL_DELTA)
**Substitutions:**
```
[SUBJECT_NAME] = "Jennifer Park"
[ORGANIZATION] = "TechCorp Industries"
[POSITION] = "Network Security Analyst"
[SALARY] = "$85,000/year"
[SUBJECT_CODENAME] = "SPARROW"
[HANDLER_CODENAME] = "Phoenix"
[CELL_DESIGNATION] = "CELL_DELTA"
[DEBT_AMOUNT] = "$127,000"
[AMOUNT] = "$42,000"
[DATA_TYPE] = "customer database records"
[SYSTEM_NAME] = "Customer CRM System"
[OPERATION_NAME] = "Glass House"
```
**Templates Used:** 001, 002, 003, 006 (95% confidence)
---
### Example 2: Infrastructure Attack - Insider Access
**NPC:** Marcus Chen, Facilities Manager at Power Grid Control
**Recruitment:** Medical debt (wife's cancer treatment)
**Handler:** Cascade (CELL_BETA_03)
**Substitutions:**
```
[SUBJECT_NAME] = "Marcus Chen"
[ORGANIZATION] = "Metropolitan Power Grid Control"
[POSITION] = "Facilities Manager"
[SALARY] = "$72,000/year"
[SUBJECT_CODENAME] = "KEYMASTER"
[HANDLER_CODENAME] = "Cascade"
[CELL_DESIGNATION] = "CELL_BETA_03"
[DEBT_AMOUNT] = "$180,000"
[AMOUNT] = "$50,000"
[DATA_TYPE] = "SCADA access credentials"
[SYSTEM_NAME] = "Grid Control SCADA Network"
[OPERATION_NAME] = "Midnight Cascade"
```
**Templates Used:** 004, 005, 006 (98% confidence, high cooperation due to victimization)
---
### Example 3: Research Theft - Ideological Recruitment
**NPC:** Dr. Sarah Kim, Senior Research Scientist
**Recruitment:** Ideological (disillusioned with corporate IP law)
**Handler:** Entropy-Prime (CELL_ALPHA_07)
**Substitutions:**
```
[SUBJECT_NAME] = "Dr. Sarah Kim"
[ORGANIZATION] = "BioGenesis Research Labs"
[POSITION] = "Senior Research Scientist"
[SALARY] = "$145,000/year"
[SUBJECT_CODENAME] = "PROMETHEUS"
[HANDLER_CODENAME] = "Entropy-Prime"
[CELL_DESIGNATION] = "CELL_ALPHA_07"
[DEBT_AMOUNT] = "N/A (ideological motivation)"
[AMOUNT] = "$25,000" (smaller, not primary motivation)
[DATA_TYPE] = "proprietary gene therapy research"
[SYSTEM_NAME] = "Research Database - Level 4 Access"
[OPERATION_NAME] = "Open Science Initiative"
```
**Templates Used:** 001, 003, 006 (90% confidence, lower cooperation - true believer)
---
## Educational Value Summary
Each template teaches specific security concepts:
**Template 001 - Encrypted Communications:**
- Email encryption (PGP)
- Policy violations as red flags
- After-hours activity patterns
**Template 002 - Financial Records:**
- Financial forensics
- Cryptocurrency tracing
- Money laundering detection
**Template 003 - Access Logs:**
- System log analysis
- Attack pattern recognition (cyber kill chain)
- Privilege escalation techniques
**Template 004 - Surveillance Photos:**
- Physical surveillance methodology
- Countersurveillance detection
- HUMINT (Human Intelligence) collection
**Template 005 - Handwritten Notes:**
- Physical evidence handling
- Forensic document analysis
- Psychological profiling
**Template 006 - Message Logs:**
- Encrypted messaging security
- OPSEC failures (using real names)
- Digital forensics and chain of custody
---
## Template Versions and Updates
**Current Version:** 1.0
**Last Updated:** November 2025
**Templates Count:** 6
**Version History:**
- **v1.0** - Initial template system (Templates 001-006)
**Planned Additions:**
- Template 007: Social media OSINT evidence
- Template 008: Witness testimony from coworkers
- Template 009: Digital forensics (deleted files)
- Template 010: Physical surveillance (extended)
---
## Support and Documentation
**Primary Documentation:**
- `TEMPLATE_CATALOG.md` - Complete template reference with examples
- `GAMEPLAY_CATALOG.md` - Integration with gameplay systems
- Individual template files - Detailed content for each template
**For Questions:**
- See individual template files for detailed usage notes
- Check TEMPLATE_CATALOG.md for evidence combination strategies
- Review GAMEPLAY_CATALOG.md for mission integration examples
---
## Quick Reference: Variable Substitution Checklist
Before deploying ANY template, ensure you have values for:
**Core (Required for All):**
- [ ] `[SUBJECT_NAME]` - NPC's real name
- [ ] `[ORGANIZATION]` - Where they work
- [ ] `[POSITION]` - Their job title
**Financial (Templates 002, 005, 006):**
- [ ] `[SALARY]` - Annual salary
- [ ] `[AMOUNT]` - Payment amount(s)
- [ ] `[DEBT_AMOUNT]` - Financial pressure (if applicable)
**ENTROPY Operational (Templates 005, 006):**
- [ ] `[SUBJECT_CODENAME]` - ENTROPY designation
- [ ] `[HANDLER_CODENAME]` - Handler's name
- [ ] `[CELL_DESIGNATION]` - Cell affiliation
**Technical (Templates 001, 003, 006):**
- [ ] `[SYSTEM_NAME]` - System accessed
- [ ] `[DATA_TYPE]` - Data stolen
**Timeline (All Templates):**
- [ ] `[DATE]` or `[DATE_1]`, `[DATE_2]`, etc. - Relevant dates
- [ ] `[TIME]` or `[TIME_1]`, `[TIME_2]`, etc. - Timestamps (if applicable)
**Location (Templates 004, 006):**
- [ ] `[MEETING_LOCATION]` - Dead drop or meeting spot
- [ ] `[LOCATION]` - Generic location name
---
**Ready to create evidence? Choose your template and start substituting!**
For complete examples and detailed integration, see `TEMPLATE_CATALOG.md`.

664
story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_006_message_logs.md Normal file
View File

@@ -0,0 +1,664 @@
# EVIDENCE TEMPLATE 006: ENTROPY Agent Message Logs
**Evidence Type:** Digital Communications - Encrypted Messaging App Logs
**Classification:** HIGH VALUE - Direct identification evidence
**Recommended Discovery:** Compromised ENTROPY communications server, seized handler device, decrypted Signal/Wickr backup
---
## TEMPLATE SUBSTITUTION GUIDE
**CRITICAL:** Replace ALL bracketed placeholders with scenario-specific values before use.
### Required Substitutions
| Placeholder | Description | Example Value |
|------------|-------------|---------------|
| `[SUBJECT_NAME]` | NPC's real full name | "Jennifer Park" |
| `[SUBJECT_CODENAME]` | ENTROPY operational designation | "SPARROW" or "ASSET_DELTA_04" |
| `[HANDLER_CODENAME]` | Handler's operational name | "Phoenix", "Cascade", "HANDLER_07" |
| `[CELL_DESIGNATION]` | Which ENTROPY cell | "CELL_DELTA", "CELL_BETA_03" |
| `[TARGET_ORGANIZATION]` | Where subject works | "TechCorp Industries", "Memorial Hospital" |
| `[SUBJECT_POSITION]` | Job title/role | "Network Security Analyst", "Database Admin" |
| `[DATA_TYPE]` | Type of data provided | "customer records", "financial data", "network diagrams" |
| `[OPERATION_NAME]` | Specific operation mentioned | "Glass House", "Midnight Cascade", "Silent Echo" |
| `[DATE_1]`, `[DATE_2]`, etc. | Message dates | "March 15, 2025" |
| `[TIME_1]`, `[TIME_2]`, etc. | Message timestamps | "14:23", "22:47" |
| `[AMOUNT]` | Payment amounts | "$42,000", "$50,000" |
| `[HANDLER_PHONE]` | Encrypted app ID (handler) | "+1-555-0847" (Signal), "@secure_contact_749" |
| `[SUBJECT_PHONE]` | Encrypted app ID (subject) | "+1-555-0234" (Signal), "@delta_sparrow" |
| `[SYSTEM_NAME]` | System being accessed | "Customer Database", "HR Portal", "SCADA Control" |
| `[DEADLINE_DATE]` | Operation deadline | "March 20, 2025", "Friday" |
| `[MEETING_LOCATION]` | Dead drop or meeting spot | "Riverside Park bench 7", "Joe's Pizza back room" |
### Optional Contextual Substitutions
| Placeholder | Description | Example Value |
|------------|-------------|---------------|
| `[PRESSURE_DETAIL]` | Coercion/pressure mentioned | "debt situation", "family safety", "legal exposure" |
| `[SUBJECT_CONCERN]` | Subject's expressed worry | "security audit", "suspicious coworker", "feeling watched" |
| `[EXFIL_METHOD]` | How data is transferred | "USB dead drop", "encrypted upload", "photograph documents" |
| `[COVER_STORY]` | Subject's cover explanation | "working late on project", "authorized maintenance", "routine audit" |
---
## EVIDENCE FRAGMENT: Encrypted Messaging App Communications
### Source Information
**Evidence ID:** COMMS-INTERCEPT-[CASE_NUMBER]
**Source Platform:** Signal Private Messenger (end-to-end encrypted)
**Acquisition Method:** Server compromise of ENTROPY C2 infrastructure / Seized device forensics
**Date Range:** [DATE_1] through [DATE_2]
**Participants:**
- **Handler:** [HANDLER_CODENAME] (Phone: [HANDLER_PHONE])
- **Asset:** [SUBJECT_CODENAME] / [SUBJECT_NAME] (Phone: [SUBJECT_PHONE])
**Chain of Custody:**
- Acquired: [ACQUISITION_DATE] by [INVESTIGATING_AGENCY]
- Decrypted: [DECRYPTION_DATE] using [METHOD]
- Authentication: Message metadata verified, timestamps validated
- Admissibility: HIGH (proper warrant, authentic communications)
---
## MESSAGE LOG TRANSCRIPT
### Conversation Thread 1: Initial Tasking
**Date:** [DATE_1]
**Time:** [TIME_1]
---
**[HANDLER_CODENAME]:** [SUBJECT_CODENAME], this is your handler checking in. Confirm secure comms.
**[SUBJECT_CODENAME]:** Confirmed. Signal showing verified encryption.
**[HANDLER_CODENAME]:** Good. [CELL_DESIGNATION] has new priority tasking for you. Operation [OPERATION_NAME] enters next phase this week.
**[SUBJECT_CODENAME]:** Understood. What do you need?
**[HANDLER_CODENAME]:** [TARGET_ORGANIZATION] [SYSTEM_NAME] - we need complete [DATA_TYPE] extraction. Deadline is [DEADLINE_DATE]. Can you deliver?
**[SUBJECT_CODENAME]:** That's... that's a lot of files. Security has been tighter since the last audit.
**[HANDLER_CODENAME]:** That's why we're paying you well, [SUBJECT_NAME]. You know your way around their systems.
**ANALYSIS NOTE:** ⚠️ **CRITICAL IDENTIFICATION** - Handler uses subject's REAL NAME ([SUBJECT_NAME]) in operational communication, confirming subject's true identity is known to ENTROPY.
**[SUBJECT_CODENAME]:** I know. Just nervous. When do I get the rest of the payment?
**[HANDLER_CODENAME]:** $[AMOUNT] on delivery, as always. Plus bonus if you include [ADDITIONAL_DATA].
**[SUBJECT_CODENAME]:** Ok. I can do this. Same drop point?
**[HANDLER_CODENAME]:** Yes. [MEETING_LOCATION]. USB drive, encrypted with usual key. Thursday, 22:00. I'll retrieve Friday morning.
**[SUBJECT_CODENAME]:** Copy that.
**[HANDLER_CODENAME]:** And [SUBJECT_NAME]? Don't get sloppy. You've been valuable to [CELL_DESIGNATION]. We take care of our assets.
**ANALYSIS NOTE:** ⚠️ **SECOND REAL NAME USAGE** - Handler again uses real name, showing this is not a typo but confirmed identification.
---
### Conversation Thread 2: Operational Concerns
**Date:** [DATE_2] (3 days later)
**Time:** [TIME_2]
---
**[SUBJECT_CODENAME]:** We have a problem.
**[HANDLER_CODENAME]:** What kind of problem?
**[SUBJECT_CODENAME]:** [SUBJECT_CONCERN]. Someone might be watching my access patterns. Should I lay low?
**[HANDLER_CODENAME]:** No. We need that data for [OPERATION_NAME]. You're close to completion, [SUBJECT_NAME]. Don't lose your nerve now.
**ANALYSIS NOTE:** ⚠️ **THIRD REAL NAME USAGE** - Pattern establishes this is intentional, not operational security lapse.
**[SUBJECT_CODENAME]:** I'm not losing my nerve. I'm being careful.
**[HANDLER_CODENAME]:** Careful is good. Paranoid is counterproductive. Your [SUBJECT_POSITION] role gives you legitimate access. Use your [COVER_STORY] if anyone asks.
**[SUBJECT_CODENAME]:** What if they don't believe me?
**[HANDLER_CODENAME]:** They will. You've been there 3 years. You're trusted. That's WHY we recruited you.
**[SUBJECT_CODENAME]:** Fine. I'll finish the extraction tonight.
**[HANDLER_CODENAME]:** Smart decision. Remember what we discussed about [PRESSURE_DETAIL]. We're helping each other here.
**ANALYSIS NOTE:** ⚠️ Shows coercion/leverage being applied. Subject may be victim as well as perpetrator.
---
### Conversation Thread 3: Coordination with Cell
**Date:** [DATE_3] (1 week later)
**Time:** [TIME_3]
---
**[HANDLER_CODENAME]:** [SUBJECT_NAME], excellent work on the [DATA_TYPE] package. [CELL_DESIGNATION] leadership very pleased.
**ANALYSIS NOTE:** ⚠️ **FOURTH REAL NAME USAGE** - Confirms completion of data theft operation.
**[SUBJECT_CODENAME]:** Thanks. When does the payment clear?
**[HANDLER_CODENAME]:** Already in your account as of this morning. Check [PAYMENT_METHOD].
**[SUBJECT_CODENAME]:** Got it. Thank you.
**[HANDLER_CODENAME]:** We'll need you again for Phase 2 of [OPERATION_NAME]. Probably 2-3 weeks. Stand by for tasking.
**[SUBJECT_CODENAME]:** Understood. Will wait for your signal.
**[HANDLER_CODENAME]:** One more thing - [CELL_DESIGNATION] is expanding operations. We might introduce you to another asset at [TARGET_ORGANIZATION]. Would make coordination easier.
**[SUBJECT_CODENAME]:** There's ANOTHER person from my company working for you??
**[HANDLER_CODENAME]:** We have assets in many organizations, [SUBJECT_NAME]. You're not alone. That should be reassuring.
**ANALYSIS NOTE:** ⚠️ **FIFTH REAL NAME USAGE** + revelation of multiple assets at same organization.
**[SUBJECT_CODENAME]:** I guess. Who is it?
**[HANDLER_CODENAME]:** Need to know basis for now. But you'll meet [SECOND_ASSET_CODENAME] when the time is right.
---
### Conversation Thread 4: Internal ENTROPY Communications (Subject Mentioned)
**Date:** [DATE_4]
**Time:** [TIME_4]
**Participants:** [HANDLER_CODENAME] and [CELL_LEADER_CODENAME]
**NOTE:** This thread recovered from HANDLER's device. Subject is discussed but not participating.
---
**[CELL_LEADER_CODENAME]:** Status update on [OPERATION_NAME]?
**[HANDLER_CODENAME]:** On track. [SUBJECT_CODENAME] delivered the [DATA_TYPE] package. Quality is excellent.
**[CELL_LEADER_CODENAME]:** [SUBJECT_CODENAME]... that's the [SUBJECT_POSITION] at [TARGET_ORGANIZATION]?
**[HANDLER_CODENAME]:** Correct. Real name [SUBJECT_NAME]. Recruited 8 months ago via financial pressure approach.
**ANALYSIS NOTE:** ⚠️ **CRITICAL - HANDLER CONFIRMS SUBJECT'S REAL IDENTITY TO CELL LEADERSHIP**
**[CELL_LEADER_CODENAME]:** Reliability assessment?
**[HANDLER_CODENAME]:** 85%. Nervous sometimes, but delivers. Motivated by debt relief and payment. No ideological commitment, purely transactional.
**[CELL_LEADER_CODENAME]:** Risk of cooperation with authorities?
**[HANDLER_CODENAME]:** Moderate. We have leverage via [PRESSURE_DETAIL]. Also, they're in too deep now. Complicit in [NUMBER] data breaches. Legal exposure significant.
**[CELL_LEADER_CODENAME]:** Keep them productive. We'll need [TARGET_ORGANIZATION] access for Phase 3.
**[HANDLER_CODENAME]:** Understood. [SUBJECT_NAME] will continue to be valuable asset.
**ANALYSIS NOTE:** ⚠️ **HANDLER CONFIRMS REAL NAME IN CELL LEADERSHIP BRIEFING** - Shows subject's true identity documented in ENTROPY internal records.
---
### Conversation Thread 5: Escalation and Pressure
**Date:** [DATE_5] (2 weeks later)
**Time:** [TIME_5]
---
**[SUBJECT_CODENAME]:** I need to talk.
**[HANDLER_CODENAME]:** I'm listening.
**[SUBJECT_CODENAME]:** I think I want out. This is too much. Security is investigating unusual access patterns. I'm going to get caught.
**[HANDLER_CODENAME]:** [SUBJECT_NAME], we've discussed this. You can't just "want out."
**ANALYSIS NOTE:** ⚠️ Real name usage during coercive conversation.
**[SUBJECT_CODENAME]:** Why not? I'll just stop. I won't talk to anyone.
**[HANDLER_CODENAME]:** Because you've committed federal crimes. Computer fraud, espionage, conspiracy. We have records of everything you've provided. Payment trails. Access logs WE captured showing your activity.
**[SUBJECT_CODENAME]:** You're threatening me?
**[HANDLER_CODENAME]:** I'm reminding you of reality. If you stop cooperating, we have no reason to protect you. Those records could find their way to law enforcement. Along with your real name, your role, everything.
**[SUBJECT_CODENAME]:** Oh god.
**[HANDLER_CODENAME]:** But if you CONTINUE to help [CELL_DESIGNATION], we protect you. We ensure you're never exposed. Plus you keep getting paid. It's not a hard choice, [SUBJECT_NAME].
**ANALYSIS NOTE:** ⚠️ Classic coercion pattern. Subject trapped and showing signs of wanting to escape.
**[SUBJECT_CODENAME]:** I don't have a choice, do I?
**[HANDLER_CODENAME]:** You always have choices. Choose to keep working with us. It's the smart play.
**[SUBJECT_CODENAME]:** ...fine. What do you need?
**[HANDLER_CODENAME]:** That's the right answer. New tasking coming tomorrow. Stand by.
---
## FORENSIC ANALYSIS
### Message Authentication
**Metadata Verification:**
- All messages verified via Signal's sealed sender protocol
- Phone numbers [HANDLER_PHONE] and [SUBJECT_PHONE] confirmed via carrier records
- Timestamps validated against server logs
- No evidence of tampering or fabrication
**Device Correlation:**
- [SUBJECT_PHONE] registered to device IMEI matching [SUBJECT_NAME]'s known personal phone
- Location data places device at [TARGET_ORGANIZATION] during work hours
- Location data places device at [MEETING_LOCATION] at times matching dead drop schedule
### Identity Confirmation
**Real Name Usage - Statistical Analysis:**
Handler used subject's real name ([SUBJECT_NAME]) **8 times** across 5 conversation threads.
**Usage Pattern:**
1. During operational tasking (3 instances)
2. During pressure/coercion (2 instances)
3. During cell leadership briefing (2 instances)
4. During praise/reassurance (1 instance)
**Conclusion:** Real name usage is consistent, intentional, and confirms [SUBJECT_NAME]'s identity as [SUBJECT_CODENAME] / ENTROPY asset.
### Operational Intelligence Extracted
**Confirmed Facts:**
- Subject's real identity: [SUBJECT_NAME]
- ENTROPY designation: [SUBJECT_CODENAME]
- Cell affiliation: [CELL_DESIGNATION]
- Handler: [HANDLER_CODENAME]
- Operations participated in: [OPERATION_NAME]
- Data provided: [DATA_TYPE] from [TARGET_ORGANIZATION]
- Payment received: $[AMOUNT] (with additional payments referenced)
- Recruitment method: Financial pressure
- Current status: Active asset, showing reluctance
- Cooperation likelihood: Moderate-High (trapped, wants out, coerced)
**Additional Intelligence:**
- Multiple assets at [TARGET_ORGANIZATION] (second asset: [SECOND_ASSET_CODENAME])
- Operation [OPERATION_NAME] has multiple phases
- Cell uses dead drop methodology at [MEETING_LOCATION]
- Handler phone: [HANDLER_PHONE] (high value target)
---
## LEGAL ASSESSMENT
### Admissibility as Evidence
**Federal Prosecution Viability:** VERY HIGH
**Applicable Charges:**
1. **18 U.S.C. § 1030** - Computer Fraud and Abuse Act
- Unauthorized access to computer systems
- Theft of data exceeding $5,000 value
- Evidence: Subject's own admissions in messages
2. **18 U.S.C. § 1831** - Economic Espionage Act
- Theft of trade secrets
- Evidence: [DATA_TYPE] exfiltration for benefit of ENTROPY
3. **18 U.S.C. § 371** - Conspiracy
- Conspiracy to commit computer fraud
- Evidence: Coordinated activity with [HANDLER_CODENAME]
**Evidentiary Strengths:**
✓ Subject's own words confirming criminal activity
✓ Real name confirmed multiple times (eliminates identity defense)
✓ Specific systems, data, and dates documented
✓ Payment trail corroboration available
✓ Handler identity and contact information revealed
✓ Proper acquisition (warrant-based or seized device)
**Evidentiary Considerations:**
⚠️ Subject shows signs of coercion/victimization
⚠️ Financial pressure exploitation evident
⚠️ Subject expressed desire to stop (shows remorse)
⚠️ May warrant consideration for cooperation agreement rather than maximum prosecution
### Authentication Requirements
**Prosecutor Needs:**
- [ ] Warrant documentation for acquisition
- [ ] Chain of custody records
- [ ] Device forensics report linking phone to subject
- [ ] Carrier records confirming phone registration
- [ ] Expert witness testimony on Signal encryption/authentication
- [ ] Corroborating evidence (financial records, access logs, surveillance)
**Defense Challenges Likely:**
- "Messages could be fabricated"
- **Counter:** Metadata verification, cryptographic authentication
- "Phone belonged to someone else"
- **Counter:** IMEI records, location data, carrier registration
- "Coerced into participation, victim not perpetrator"
- **Counter:** Partially valid; recommend cooperation agreement
---
## GAMEPLAY INTEGRATION
### Discovery Scenarios
**How Players Might Obtain This Evidence:**
**Scenario A: Server Compromise**
- SAFETYNET cyberops team compromises ENTROPY communications server
- Decrypts message backups stored on C2 infrastructure
- Discovers [SUBJECT_NAME] among active assets
**Scenario B: Handler Device Seizure**
- Arrest or surveillance of [HANDLER_CODENAME]
- Forensic examination of seized mobile device
- Signal message history recovered
**Scenario C: Signal Safety Number Compromise**
- Cryptographic breakthrough or stolen device keys
- Retroactive decryption of intercepted Signal traffic
- Specific conversations between handler and assets revealed
**Scenario D: Asset Cooperation**
- Different ENTROPY asset provides intelligence
- Names [SUBJECT_NAME] as fellow operative
- Provides handler contact information leading to message logs
### Player Actions Enabled
**Immediate Actions:**
- Flag [SUBJECT_NAME] as confirmed ENTROPY asset
- Issue warrant for arrest based on own admissions
- Seize [SUBJECT_PHONE] for additional forensics
- Trace [HANDLER_PHONE] for surveillance/arrest
**Investigation Actions:**
- Identify [SECOND_ASSET_CODENAME] (second asset at [TARGET_ORGANIZATION])
- Map [CELL_DESIGNATION] structure via handler communications
- Identify [OPERATION_NAME] as active ENTROPY operation
- Corroborate with financial records (look for $[AMOUNT] payments)
**Strategic Actions:**
- Offer cooperation agreement (subject wants out, shows remorse)
- Flip [SUBJECT_NAME] to provide intelligence on [HANDLER_CODENAME]
- Use [SUBJECT_NAME] as double agent (risky but high reward)
- Coordinate simultaneous arrests of subject + handler
### Interrogation Approach Options
**Approach 1: Overwhelming Evidence (Direct)**
> "We have your Signal messages with your ENTROPY handler. They used your real name, [SUBJECT_NAME]. They discussed Operation [OPERATION_NAME]. You admitted to stealing [DATA_TYPE]. There's no defense here."
**Success Likelihood:** 70% immediate cooperation
**Approach 2: Empathetic/Victim-Focused**
> "We read your messages. We saw you tried to get out. We saw your handler threaten you. You're a victim here, [SUBJECT_NAME]. Let us help you."
**Success Likelihood:** 85% cooperation (subject shows remorse, was coerced)
**Approach 3: Strategic Flip**
> "Your handler [HANDLER_CODENAME] used your real name in messages. They documented everything you did. You think they're protecting you? They're creating evidence against you. Help us get THEM, and we'll help you."
**Success Likelihood:** 90% cooperation (subject already resentful of handler)
**Approach 4: Double Agent Recruitment**
> "Keep talking to your handler. But now you work for us. We'll tell you what to say. We'll use you to take down the entire cell. In exchange, cooperation agreement and protection."
**Success Likelihood:** 60% (risky, requires courage subject may not have)
### Success Metrics
**Evidence Value:**
- **Alone:** 75% confidence (very strong, subject's own admissions)
- **+ Financial Records:** 90% confidence (payments match message discussions)
- **+ Access Logs:** 95% confidence (activity matches tasking)
- **+ Surveillance Photos:** 98% confidence (dead drops match message coordination)
- **+ All Evidence Types:** 99.9% confidence (overwhelming, complete picture)
**Cooperation Probability:**
- Subject shows high cooperation potential
- Already wanted out
- Resentful of handler's coercion
- Remorseful about criminal activity
- **Base Cooperation:** 75%
- **With Empathetic Approach:** 85%
- **With Protection Offer:** 90%
- **With Family Safety Assurances:** 95%
**Intelligence Yield:**
If subject cooperates, provides:
- Complete [CELL_DESIGNATION] operational details
- Identity of [HANDLER_CODENAME]
- Location of [SECOND_ASSET_CODENAME]
- Details on [OPERATION_NAME] phases
- Dead drop locations and procedures
- Payment methods and wallet addresses
- Handler's other assets (if known)
---
## CROSS-REFERENCE CONNECTIONS
### Corroborating Evidence Templates
**TEMPLATE_002 (Financial Records):**
- Look for $[AMOUNT] deposits matching message timeline
- Cryptocurrency transactions mentioned in messages
- Payment dates should align with "payment cleared" messages
**TEMPLATE_003 (Access Logs):**
- Match data extraction dates to message tasking
- [SYSTEM_NAME] access should correlate with deadlines
- USB usage on dates matching dead drop schedule
**TEMPLATE_004 (Surveillance Photos):**
- [MEETING_LOCATION] surveillance should show subject
- Dead drop photos should match Thursday 22:00 timeline
- Handler photos should match [HANDLER_CODENAME] description
**TEMPLATE_005 (Handwritten Notes):**
- Subject's notes might reference [HANDLER_CODENAME]
- Notes might show same operations ([OPERATION_NAME])
- Emotional arc matches message progression (willing → trapped)
### Interconnected Story Elements
**Related Narrative Fragments:**
- **RECRUITMENT_001:** Financial pressure methodology matches subject's recruitment
- **TACTICAL_001:** If [OPERATION_NAME] is infrastructure attack, connects to broader plot
- **LEVERAGE_001:** Subject's [PRESSURE_DETAIL] could be leverage point
- **VICTIM_001:** Subject's data theft may have enabled attacks with human casualties
**Cell Structure Mapping:**
- [CELL_DESIGNATION] hierarchy includes [CELL_LEADER_CODENAME]
- [HANDLER_CODENAME] manages multiple assets
- [SECOND_ASSET_CODENAME] is second penetration at [TARGET_ORGANIZATION]
- Operation [OPERATION_NAME] involves multiple cells (check other fragments)
---
## EDUCATIONAL VALUE (CyBOK Alignment)
### Security Concepts Demonstrated
**Encrypted Communications Security:**
- Signal protocol and end-to-end encryption
- Limitations: Encryption protects in transit, not at endpoints
- Proper OPSEC: Using codenames vs. real names
- Handler's operational security failure (using real name)
**Digital Forensics:**
- Mobile device forensics and evidence extraction
- Message metadata analysis and authentication
- Correlation of communication logs with other evidence types
- Chain of custody in digital evidence
**Insider Threat Indicators:**
- Handler/asset communication patterns
- Coercion and leverage tactics
- Operational tasking and coordination
- Subject's psychological state and vulnerability
**Counterintelligence:**
- Identifying assets via compromised communications
- Flipping assets through cooperation agreements
- Mapping adversary organizational structure
- Exploiting operational security failures
### Learning Outcomes
**Players Learn:**
1. **OPSEC Failures:** Using real names in operational comms is critical error
2. **Communication Security:** Encrypted ≠ Secure if endpoints are compromised
3. **Evidence Correlation:** Messages provide timeline to cross-reference other evidence
4. **Psychological Warfare:** Coercion tactics used by handlers on assets
5. **Legal Process:** How digital communications become admissible evidence
6. **Ethical Complexity:** Subject is perpetrator AND victim (coerced, wants out)
---
## TEMPLATE USAGE NOTES
### When to Use This Template
**Best For:**
- Confirming suspected asset's real identity
- Revealing handler-asset relationships
- Documenting specific operations
- Showing coercion and victimization
- Mapping cell structure
- Creating high-cooperation scenarios
**Scenario Types:**
- Corporate infiltration (data theft)
- Infrastructure targeting (insider access)
- Espionage operations (coordinated exfiltration)
- Multi-asset coordination (cell operations)
### Customization Tips
**Handler Personality:**
- Professional/Cold: Minimal pleasantries, direct tasking
- Manipulative: Alternates threats and reassurance
- Ideological: Appeals to ENTROPY philosophy
- Transactional: Pure business, payment-focused
**Subject Personality:**
- Reluctant: Nervous, questioning, wants out
- Professional: Competent, efficient, detached
- Desperate: Financially motivated, compliant
- Ideological: True believer, enthusiastic
**Message Volume:**
- Light: 3-5 messages showing key moments
- Medium: 10-15 messages showing progression
- Heavy: 20+ messages showing complete relationship arc
**Timeline:**
- Compressed: Days or weeks (urgent operation)
- Extended: Months (long-term asset cultivation)
- Archived: Years (established relationship)
### Rarity and Discovery
**Recommended Rarity:** RARE
**Rationale:**
- Requires significant SAFETYNET achievement (server compromise, handler arrest)
- Very high evidential value
- Provides extensive intelligence beyond subject identification
- Should feel like major breakthrough
**Discovery Timing:**
- **Early Game:** Too easy, undermines player progression
- **Mid Game:** Reward for successful operation (handler device seizure)
- **Late Game:** Strategic intelligence for Phase 3 operations
**Discovery Difficulty:** HARD
- Requires successful cyberops mission OR tactical arrest
- May require multiple prerequisite achievements
- Should be earned, not stumbled upon
---
## TECHNICAL IMPLEMENTATION
### Message Log Data Structure
```json
{
"evidence_id": "TEMPLATE_006_[SUBJECT_NAME]",
"evidence_type": "encrypted_message_logs",
"subject": {
"real_name": "[SUBJECT_NAME]",
"codename": "[SUBJECT_CODENAME]",
"phone": "[SUBJECT_PHONE]",
"organization": "[TARGET_ORGANIZATION]",
"position": "[SUBJECT_POSITION]"
},
"handler": {
"codename": "[HANDLER_CODENAME]",
"phone": "[HANDLER_PHONE]",
"cell": "[CELL_DESIGNATION]"
},
"real_name_usage_count": 8,
"coercion_indicators": ["financial_pressure", "legal_threat", "trapped_language"],
"cooperation_likelihood": 85,
"evidence_strength": 75,
"corroboration_bonus": {
"financial_records": 15,
"access_logs": 20,
"surveillance": 23
}
}
```
### Unlock Conditions
```python
def unlock_message_log_evidence(game_state):
# Require one of these achievements:
if (game_state.completed_mission("Server_Compromise") or
game_state.completed_mission("Handler_Arrest") or
game_state.discovered_fragment("ENTROPY_C2_SERVER")):
return True
return False
def calculate_cooperation(evidence_collected, approach):
base_cooperation = 75 # Subject wants out
if approach == "empathetic":
base_cooperation += 10
if approach == "protection_offer":
base_cooperation += 15
if "TEMPLATE_005" in evidence_collected: # Handwritten notes
base_cooperation += 5 # Corroborates emotional state
return min(base_cooperation, 98)
```
---
**CLASSIFICATION:** EVIDENCE TEMPLATE - AGENT IDENTIFICATION
**PRIORITY:** VERY HIGH (Direct real name identification)
**REUSABILITY:** High (adapt to any NPC asset scenario)
**COOPERATION POTENTIAL:** Very High (subject shows remorse, coercion)
---
**End of Template 006**

230
story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_CATALOG.md
View File

@@ -2,7 +2,7 @@
**Purpose:** Reusable evidence templates for identifying NPCs as ENTROPY agents/assets
**Location:** `story_design/lore_fragments/by_gameplay_function/evidence_prosecution/`
**Template Count:** 5 comprehensive evidence types
**Template Count:** 6 comprehensive evidence types
**Substitution System:** [PLACEHOLDER] format for runtime NPC assignment
---
@@ -30,7 +30,7 @@ Each template is a **complete evidence fragment** with placeholder variables tha
---
## The Five Evidence Templates
## The Six Evidence Templates
### 1. TEMPLATE_AGENT_ID_001: Encrypted Communications
@@ -373,6 +373,177 @@ Subject is scared, remorseful, and wants out."
---
### 6. TEMPLATE_AGENT_ID_006: Message Logs
**File:** `TEMPLATE_AGENT_ID_006_message_logs.md`
**Evidence Type:** Digital Communications - Encrypted Messaging App Logs (Signal/Wickr)
**What It Provides:**
- Complete Signal/Wickr message thread between handler and asset
- Handler uses subject's REAL NAME **8 times** in operational communications
- Direct confirmation of subject's identity as ENTROPY operative
- Shows coercion and subject's desire to escape
- Reveals handler contact information, cell structure, operations
- Documents specific data theft admissions
- Payment amount discussions corroborating financial evidence
- Dead drop coordination matching surveillance evidence
**Substitution Variables:**
- [SUBJECT_NAME] - NPC's real name (used 8x by handler!)
- [SUBJECT_CODENAME] - ENTROPY operational designation (e.g., "SPARROW", "ASSET_DELTA_04")
- [HANDLER_CODENAME] - Handler's name (e.g., "Phoenix", "Cascade")
- [CELL_DESIGNATION] - Cell affiliation (e.g., "CELL_DELTA", "CELL_BETA_03")
- [OPERATION_NAME] - Specific operation (e.g., "Glass House", "Silent Echo")
- [HANDLER_PHONE] - Handler's encrypted app ID (e.g., "+1-555-0847")
- [SUBJECT_PHONE] - Subject's encrypted app ID
- [TARGET_ORGANIZATION] - Where subject works
- [DATA_TYPE] - Type of data being stolen
- [SYSTEM_NAME] - Systems being accessed
- [AMOUNT] - Payment amounts
- [MEETING_LOCATION] - Dead drop location
- [DEADLINE_DATE] - Operation deadline
- [DATE_1] through [DATE_5] - Message dates
- [TIME_1] through [TIME_5] - Message timestamps
- [PRESSURE_DETAIL] - Coercion type (e.g., "debt situation", "legal exposure")
- [SUBJECT_CONCERN] - Subject's worry (e.g., "security audit", "feeling watched")
- [SECOND_ASSET_CODENAME] - Another asset at same organization
- [CELL_LEADER_CODENAME] - Cell leadership designation
**Message Threads Included:**
1. **Thread 1: Initial Tasking** - Handler assigns data theft, subject nervous, real name used
2. **Thread 2: Operational Concerns** - Subject worried about being watched, handler reassures
3. **Thread 3: Coordination with Cell** - Payment confirmed, future tasking, another asset mentioned
4. **Thread 4: Internal ENTROPY Comms** - Handler briefs cell leader, confirms subject's real name and recruitment method
5. **Thread 5: Escalation and Pressure** - Subject wants out, handler threatens and coerces
**Real Name Usage Pattern:**
Handler uses [SUBJECT_NAME] **8 times** across 5 conversation threads:
- During operational tasking (3 instances)
- During pressure/coercion (2 instances)
- During cell leadership briefing (2 instances)
- During praise/reassurance (1 instance)
**Conclusion:** Real name usage is consistent, intentional, and confirms [SUBJECT_NAME]'s identity as ENTROPY asset.
**Red Flags Documented:**
🚩 Subject's real name used repeatedly in ENTROPY operations
🚩 Handler admits recruitment via financial pressure
🚩 Subject admits data theft in own words
🚩 Payment amounts discussed ($25K-$75K range)
🚩 Dead drop coordination (matches surveillance timeline)
🚩 Subject expresses wanting out (shows coercion)
🚩 Handler threatens subject with exposure
🚩 Multiple assets at same organization revealed
🚩 Cell structure and operations documented
**Evidence Strength:**
- Alone: 75% confidence (very strong - subject's own admissions + real name confirmation)
- + Financial records: 90% confidence (payments match message discussions)
- + Access logs: 95% confidence (activity matches tasking timeline)
- + Surveillance: 98% confidence (dead drops match message coordination)
- + Handwritten notes: 99% confidence (emotional state corroborated)
- + All evidence: 99.9% confidence (overwhelming, complete picture)
**Best Used For:**
- Confirming suspected asset's real identity (definitive proof)
- Revealing handler-asset relationships
- Documenting specific operations and data theft
- Showing coercion and victimization (subject wants out)
- Mapping cell structure (handler, cell leader, other assets)
- Creating high-cooperation scenarios (85% base cooperation)
- Handler identification and arrest opportunity
**Gameplay Integration:**
- **Discovery:** Rare, high-value - requires server compromise or handler device seizure
- **Player Actions Enabled:**
- Confirm [SUBJECT_NAME] as ENTROPY asset (definitive)
- Issue arrest warrant (subject's own admissions)
- Trace [HANDLER_PHONE] for surveillance/arrest
- Identify [SECOND_ASSET_CODENAME] (second asset at organization)
- Map [CELL_DESIGNATION] structure
- Corroborate with financial records (payment amounts match)
- Coordinate simultaneous subject + handler arrests
- **Interrogation Approaches:**
- Overwhelming Evidence: "Your handler used your real name. You admitted everything." (85% cooperation)
- Empathetic/Victim: "We saw you tried to quit. Your handler threatened you. You're a victim." (90% cooperation)
- Strategic Flip: "Your handler documented everything against you. Help us get THEM." (90% cooperation)
- Double Agent: "Keep talking to your handler. But now you work for us." (60% cooperation, risky)
- **Intelligence Yield:**
- Complete cell operational details
- Handler identity and contact info
- Second asset at organization
- Operation phases and timeline
- Dead drop locations
- Payment methods
- ENTROPY communication infrastructure
**Cooperation Likelihood:**
- Base: 75% (subject already wanted out based on messages)
- With empathetic approach: 85%
- With protection offer: 90%
- With family safety assurances: 95%
**Why This Template Is Unique:**
- **Only template** that directly confirms subject's real name via ENTROPY internal communications
- Shows subject is KNOWN ENTITY within ENTROPY (not anonymous)
- Reveals handler's operational security failure (using real names)
- Demonstrates subject's victimization (wanted out, was coerced)
- Provides actionable intelligence beyond subject (handler, cell, operations)
- Highest cooperation potential due to documented coercion
- Creates moral complexity (perpetrator who is also victim)
**Forensic Analysis Included:**
- Message metadata verification (Signal sealed sender protocol)
- Phone number carrier verification
- Device IMEI correlation to subject
- Location data (device at organization, dead drop sites)
- No evidence of tampering
- Cryptographic authentication
- Chain of custody documentation
**Legal Assessment:**
- Admissibility: VERY HIGH
- Subject's own admissions to federal crimes
- Real name confirmed (eliminates identity defense)
- Specific systems, data, and dates documented
- Payment trail corroboration available
- Handler identity revealed (bonus intelligence)
- **Consideration:** Subject shows coercion/victimization - recommend cooperation agreement
**Educational Value (CyBOK):**
- Encrypted messaging security (Signal protocol)
- OPSEC failures (using real names in operational comms)
- Mobile device forensics
- Digital evidence authentication
- Insider threat psychology (coercion tactics)
- Counterintelligence (flipping assets)
- Legal process (admissibility, cooperation agreements)
**Cross-References:**
- **TEMPLATE_002 (Financial):** Payment amounts should match message discussions
- **TEMPLATE_003 (Access Logs):** Data extraction dates should align with tasking
- **TEMPLATE_004 (Surveillance):** Dead drop timing/location should match messages
- **TEMPLATE_005 (Handwritten Notes):** Emotional arc (trapped, wants out) corroborates
- **RECRUITMENT_001:** Financial pressure methodology matches
- **TACTICAL_001:** If operation mentioned is infrastructure attack
- **LEVERAGE_001:** Subject's pressure detail could be leverage point
**Recommended Rarity:** RARE (Very Hard Discovery)
**Discovery Scenarios:**
- SAFETYNET compromises ENTROPY communications server
- Handler's device seized during arrest
- Cryptographic breakthrough on intercepted Signal traffic
- Different ENTROPY asset provides handler contact info
**Discovery Timing:**
- Early Game: Too powerful, skip
- Mid Game: Possible reward for major operation success
- Late Game: Appropriate for strategic Phase 3 intelligence
---
## Evidence Combination Strategies
### Optimal Evidence Chain
@@ -389,8 +560,10 @@ SEQUENCE 1: Discovery Path
│ └─ Proves what they did
├─ Surveillance Photos (Handler Identified)
│ └─ Shows who they work for
─ Handwritten Notes (Confession)
└─ Subject's own words seal the case
─ Handwritten Notes (Confession)
└─ Subject's own words, emotional state
└─ Message Logs (Real Name Confirmation)
└─ Handler uses real name, definitive proof
```
### Confidence Thresholds
@@ -403,7 +576,8 @@ SEQUENCE 1: Discovery Path
| 2 templates | 65-85% | Maybe (circumstantial) | 70% |
| 3 templates | 85-95% | Yes (strong case) | 85% |
| 4 templates | 95-98% | Yes (very strong) | 90% |
| 5 templates | 99.9% | Yes (overwhelming) | 95% |
| 5 templates | 99% | Yes (overwhelming) | 93% |
| 6 templates | 99.9% | Yes (overwhelming) | 95% |
### Best Combinations by Scenario Type
@@ -431,6 +605,21 @@ SEQUENCE 1: Discovery Path
3. Encrypted Comms (coordination proof)
- Confidence: 90%
**Real Name Confirmation + High Cooperation:**
1. Message Logs (real name used 8x, wants out)
2. Handwritten Notes (emotional confession)
3. Financial Records (payment corroboration)
- Confidence: 99%
- Cooperation: 95% (both show victimization)
**Complete Cell Mapping:**
1. Message Logs (handler contact, cell structure)
2. Surveillance (handler photos, vehicle)
3. Financial Records (payment network)
4. Access Logs (what data compromised)
- Confidence: 99.9%
- Enables: Simultaneous handler + asset arrest, second asset identification
---
## Gameplay Integration Guide
@@ -708,6 +897,12 @@ def get_interrogation_options(evidence_list):
- Timing: Variable (lucky find or late-game search warrant)
- Difficulty: Medium-Hard (requires physical access)
**TEMPLATE_006 (Message Logs):**
- Location: Compromised ENTROPY server, seized handler device
- Timing: Late investigation (major breakthrough)
- Difficulty: Very Hard (requires server compromise or handler arrest)
- **HIGH VALUE:** Real name confirmation, handler intel, cell mapping
---
## Educational Value (CyBOK Alignment)
@@ -754,27 +949,27 @@ Players using these templates will learn:
### Additional Template Ideas
**TEMPLATE_006: Phone Records**
**TEMPLATE_007: Phone Records**
- Call logs to burner phones
- Timing correlation with operations
- Location data (cell tower triangulation)
**TEMPLATE_007: Social Media OSINT**
**TEMPLATE_008: Social Media OSINT**
- Lifestyle changes visible on social media
- Travel patterns (meetings with handler)
- Unusual purchases or activities
**TEMPLATE_008: Witness Testimony**
**TEMPLATE_009: Witness Testimony**
- Coworker observations
- "They've been acting strange lately"
- Suspicious conversations overheard
**TEMPLATE_009: Digital Forensics**
**TEMPLATE_010: Digital Forensics**
- Deleted file recovery
- Browser history analysis
- VPN usage and encrypted tools
**TEMPLATE_010: Physical Surveillance (Extended)**
**TEMPLATE_011: Physical Surveillance (Extended)**
- Safe house identification
- Handler's vehicle tracking
- Dead drop location mapping
@@ -789,6 +984,13 @@ Players using these templates will learn:
- Gameplay integration framework
- Cross-reference structure
**v2.0** - Message Logs template and documentation expansion
- Added TEMPLATE_006: Message Logs (Signal/Wickr communications)
- Added comprehensive README.md for template system
- Enhanced documentation with complete substitution variable reference
- Real name confirmation via handler communications
- 6 total evidence templates with 99.9% confidence when combined
---
**CLASSIFICATION:** TEMPLATE SYSTEM - EVIDENCE GENERATION
@@ -826,11 +1028,17 @@ TEMPLATE_005: Handwritten Notes
→ Alone: 80% | Best With: Everything
→ Use For: Confession, empathetic approach
OPTIMAL COMBINATION: All 5 templates = 99.9% confidence
TEMPLATE_006: Message Logs ⭐ NEW
→ Alone: 75% | Best With: Notes + Financial
→ Use For: Real name confirmation, handler intel, cell mapping
→ RARE - Requires server compromise or handler device seizure
OPTIMAL COMBINATION: All 6 templates = 99.9% confidence
MINIMUM FOR ACTION: 3 templates = 85% confidence
COOPERATION PROBABILITY:
- Empathetic + Message Logs: 90%
- Compassionate + Notes: 98%
- Overwhelming + All Evidence: 95%
- Standard + Some Evidence: 70%