feat: Add reusable evidence template system for ENTROPY agent identification

Created 5 comprehensive evidence templates with [PLACEHOLDER] substitution system that enable infinite NPC agent identification across scenarios.

## New Files:
- TEMPLATE_AGENT_ID_001_encrypted_comms.md
  * Intercepted PGP-encrypted communications
  * 40% confidence alone, 90% combined
  * Red flags: Policy violations, ProtonMail, after-hours timing

- TEMPLATE_AGENT_ID_002_financial_records.md
  * Bank transactions & cryptocurrency forensics
  * 60% confidence alone, 98% combined
  * Red flags: Unexplained cash, ENTROPY wallet, shell companies

- TEMPLATE_AGENT_ID_003_access_logs.md
  * IT audit showing unauthorized system access
  * 70% confidence alone, 98% combined
  * Documents 5 incidents: Reconnaissance → Exfiltration → Cover-up

- TEMPLATE_AGENT_ID_004_surveillance_photos.md
  * 14-day surveillance op with 7 photo scenarios
  * 50% confidence alone, 95% combined
  * Handler identification, dead drops, countersurveillance

- TEMPLATE_AGENT_ID_005_physical_evidence.md
  * Handwritten 3-page emotional confession
  * 80% confidence alone, 99.9% combined
  * Enables 95-98% cooperation through empathetic approach
  * Arc: Willing participant → Trapped → Desperate for help

- TEMPLATE_CATALOG.md
  * Complete template system documentation
  * Substitution guide & best practices
  * Evidence chain methodology
  * Integration strategies & success metrics

## Template System Features:
- [PLACEHOLDER] format for runtime substitution
- Evidence chain: Single evidence (40-80%) → All 5 (99.9%)
- Cooperation likelihood scales with evidence quality
- Multiple interrogation approaches unlocked by different combinations
- Infinite reusability across NPCs and scenarios

## Integration:
- Updated GAMEPLAY_CATALOG.md with template section
- Evidence Prosecution category expanded from 1 to 6 fragments
- Total gameplay-focused fragments: 13 (8 unique + 5 templates)
- Templates work standalone or combine for overwhelming cases

## Educational Value (CyBOK):
- Digital forensics (email analysis, blockchain tracing)
- Insider threat detection (behavioral indicators)
- Investigation methodology (evidence corroboration)
- Legal process (admissibility, chain of custody)
- Psychological profiling & ethical interrogation

## Gameplay Impact:
Each template enables different player actions and unlocks specific interrogation approaches based on evidence collected. System designed to reward thorough investigation while not requiring 100% collection for success.
Z. Cliffe Schreuders
2025-11-19 17:43:15 +00:00
parent 56b0b654f1
commit b5d3ee33c4
7 changed files with 3619 additions and 3 deletions


@@ -6,10 +6,12 @@ This catalog tracks all LORE fragments organized by their **gameplay purpose** -
## Overview Statistics
**Total Gameplay-Focused Fragments Created:** 7
**Total Gameplay-Focused Fragments Created:** 13
- Unique Fragments: 8
- Evidence Templates: 5 (reusable with NPC substitution)
**By Gameplay Function:**
- Evidence for Prosecution: 1
- Evidence for Prosecution: 6 (1 unique + 5 templates)
- Tactical Intelligence: 1
- Financial Forensics: 1
- Recruitment Vectors: 1
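Review bot: The new totals in "Overview Statistics" do not follow from the old ones. The replaced line gave 7 fragments in total and this commit adds 5 templates, yet the header now reads 13 with "Unique Fragments: 8". Either the previous count of 7 was already stale or one of the new figures is off by one. Say which in the commit message, and check that the "By Gameplay Function" entries still sum to the stated total.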
@@ -22,7 +24,13 @@ This catalog tracks all LORE fragments organized by their **gameplay purpose** -
- Mission-critical objectives: 5 fragments
- Optional depth/context: 2 fragments
- Branching choice enablers: 6 fragments
- Success metric modifiers: 7 fragments
- Success metric modifiers: 13 fragments (templates multiply impact)
**Template System:**
- 5 evidence templates with [PLACEHOLDER] substitution
- Infinite NPC agent identification capability
- Evidence chain methodology (combine for 99.9% confidence)
- See TEMPLATE_CATALOG.md for complete template documentation
---
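Review bot: "Success metric modifiers" goes from 7 to 13 while the three counts above it (5, 2 and 6) stay unchanged, so it is unclear whether the templates are counted in those categories at all. Either update all four lines on the same basis or note that templates are counted only as success metric modifiers. In the new "Template System" list, "Infinite NPC agent identification capability" would be clearer as a statement of what is reusable (one template, any NPC via substitution).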
@@ -56,6 +64,347 @@ This catalog tracks all LORE fragments organized by their **gameplay purpose** -
---
### 📋 EVIDENCE_PROSECUTION - Evidence Templates (Reusable)
**TEMPLATE SYSTEM OVERVIEW**
The Evidence Template System provides 5 reusable evidence fragments for identifying ENTROPY agents/assets in any scenario. Each template uses [PLACEHOLDER] format for runtime NPC substitution.
**Complete Template Documentation:** See `TEMPLATE_CATALOG.md` in this directory
**Template Integration Philosophy:**
- **Single evidence piece:** 40-80% confidence (suspicion only)
- **2-3 evidence pieces:** 65-95% confidence (strong case)
- **4-5 evidence pieces:** 95-99.9% confidence (overwhelming)
- **All 5 templates:** Complete evidence chain, maximum cooperation likelihood (95%)
**Evidence Chain Methodology:**
```
Encrypted Comms → Initial suspicion flag
Financial Records → Payment proof (motive)
Access Logs → Activity confirmation (what they did)
Surveillance Photos → Handler identification (who they work for)
Handwritten Notes → Self-incrimination (confession)
= Overwhelming evidence, 99.9% confidence
```
---
**TEMPLATE_AGENT_ID_001 - Encrypted Communications**
**File:** `TEMPLATE_AGENT_ID_001_encrypted_comms.md`
- **What It Is:** Intercepted PGP-encrypted email from corporate account to ProtonMail
- **What Player Can DO:**
- Flag NPC as Person of Interest
- Unlock surveillance mission
- Trigger financial investigation
- Require corroboration for action
- **Evidence Type:** Digital communication
- **Substitution Variables:** [SUBJECT_NAME], [ORGANIZATION], [POSITION], [CURRENT_DATE]
- **Red Flags:**
- 🚩 PGP encryption from work email (policy violation)
- 🚩 ProtonMail recipient (anonymous service)
- 🚩 After-hours timing (23:47, secretive)
- 🚩 "Payment arrangement confirmed"
- 🚩 Security bypass offers
- 🚩 "Documentation transfer via agreed method"
- **Evidence Strength:**
- Alone: 40% confidence (circumstantial)
- + Financial records: 75% confidence
- + Access logs: 65% confidence
- + All evidence: 90% confidence
- **Best Used For:** Initial suspicion, corporate infiltration, data exfiltration
- **Rarity:** Common (starting evidence)
**Example Content:**
```
From: [SUBJECT_NAME]@[ORGANIZATION].com
To: secure-contact-7749@protonmail.com
Date: [DATE], 23:47
...payment arrangement confirmed. Standard terms as before.
The documentation you need will be transferred via the
agreed method...
...regarding the security audit team arriving Thursday -
I can ensure they have the credentials and building access
without additional verification...
```
---
**TEMPLATE_AGENT_ID_002 - Financial Records**
**File:** `TEMPLATE_AGENT_ID_002_financial_records.md`
- **What It Is:** Forensic analysis of suspicious bank transactions and cryptocurrency activity
- **What Player Can DO:**
- Prove quid pro quo (payment for services)
- Seize assets as proceeds of crime
- Trace payments to ENTROPY master wallet
- Identify financial recruitment vector
- Create leverage opportunity
- **Evidence Type:** Financial forensics
- **Substitution Variables:** [SUBJECT_NAME], [ORGANIZATION], [SALARY], [AMOUNT], [DATE]
- **Red Flags:**
- 🚩 Unexplained cash deposits ($25K-$75K range)
- 🚩 Cryptocurrency to ENTROPY master wallet
- 🚩 Shell company payments
- 🚩 Offshore transfers
- 🚩 Timing correlation with breaches
- 🚩 Lifestyle inflation (debt payoff, new car)
- **Evidence Strength:**
- Alone: 60% confidence (strong suspicion)
- + Encrypted comms: 75% confidence
- + Access logs: 95% confidence
- + All evidence: 98% confidence
- **Best Used For:** Payment proof, money laundering, connecting to ENTROPY financial network
- **Rarity:** Uncommon (requires warrant/subpoena)
**Example Content:**
```
SUSPICIOUS DEPOSIT #1:
Date: March 15, 2025
Amount: $42,000 (CASH)
Source: UNKNOWN
Note: Amount matches ENTROPY payment patterns
CRYPTOCURRENCY TRANSACTION:
Date: March 18, 2025
Destination: 1A9zW5...3kPm
Amount: $15,000 equivalent
NOTE: Wallet identified as ENTROPY master wallet!
Salary: $85,000/year
Total suspicious income (6 months): $127,000
Percentage above salary: 149% unexplained
```
---
**TEMPLATE_AGENT_ID_003 - Access Logs**
**File:** `TEMPLATE_AGENT_ID_003_access_logs.md`
- **What It Is:** IT audit showing unauthorized system access pattern
- **What Player Can DO:**
- Prove data theft technically
- Show reconnaissance → exfiltration pattern
- Demonstrate privilege escalation
- Identify what data was compromised
- Enable immediate access suspension
- **Evidence Type:** Technical forensics
- **Substitution Variables:** [SUBJECT_NAME], [POSITION], [SYSTEM_NAME], [DATA_TYPE], [FILE_COUNT]
- **Incidents Documented:**
1. Sensitive database access (after hours, no business need)
2. Network infrastructure mapping (weekend reconnaissance)
3. HR database access (500+ employee records, PII theft)
4. Executive email access (PowerShell exploitation)
5. USB device usage (1.2GB data exfiltration, 847 files)
- **Evidence Strength:**
- Alone: 70% confidence (technical proof)
- + Financial records: 95% confidence
- + Encrypted comms: 85% confidence
- + All evidence: 98% confidence
- **Best Used For:** Data breach proof, showing malicious pattern, technical espionage
- **Rarity:** Common (IT audit logs)
**Example Content:**
```
INCIDENT 5: USB DEVICE USAGE (DATA EXFILTRATION)
Date: March 18, 2025, 22:37
USB Device: SanDisk 64GB (Serial: 4C530001...)
Files Copied: 847 files
Total Size: 1.2GB
File Types: .xlsx (customer data), .docx (proprietary)
PATTERN ANALYSIS:
Week 1: Reconnaissance (network mapping)
Week 2: Access (privilege escalation)
Week 3: Exfiltration (USB transfer)
Week 4: Cover-up (deletion attempts)
Classic espionage attack pattern.
```
---
**TEMPLATE_AGENT_ID_004 - Surveillance Photos**
**File:** `TEMPLATE_AGENT_ID_004_surveillance_photos.md`
- **What It Is:** Complete 14-day surveillance operation with photos and handler profiling
- **What Player Can DO:**
- Identify ENTROPY handler (facial recognition)
- Document in-person meetings
- Prove document/cash exchange
- Show dead drop usage
- Enable simultaneous handler/asset arrest
- Demonstrate countersurveillance behavior
- **Evidence Type:** Photographic surveillance
- **Substitution Variables:** [SUBJECT_NAME], [CONTACT_DESCRIPTION], [LOCATION], [VEHICLE_DESCRIPTION]
- **7 Photo Scenarios:**
- Photo 1-3: Coffee shop meeting, document exchange, cash payment
- Photo 4-5: Dead drop (USB deposit, handler retrieval 2hrs later)
- Photo 6: Follow-up meeting, verbal comms
- Photo 7: Countersurveillance behavior (SDR route)
- **Evidence Strength:**
- Alone: 50% confidence (suspicious but explainable)
- + Financial records: 80% confidence
- + Access logs: 85% confidence
- + All evidence: 95% confidence
- **Best Used For:** Visual proof, handler identification, meeting patterns, tradecraft documentation
- **Rarity:** Uncommon (expensive surveillance operation)
**Example Content:**
```
[PHOTO 2: DOCUMENT EXCHANGE]
Location: [LOCATION] Coffee Shop
Date: [DATE], [TIME + 15 minutes]
CAPTURED MOMENT:
[SUBJECT_NAME] sliding manila envelope across table
Unknown individual accepting envelope
Envelope thickness: 20-30 pages estimated
[PHOTO 3: CASH PAYMENT]
Same meeting, +28 minutes
Unknown individual handing envelope to [SUBJECT_NAME]
Cash visible inside (appears to be $100 bills)
Estimated amount: $2,000-$5,000
[SUBJECT_NAME] shows relief in facial expression
```
---
**TEMPLATE_AGENT_ID_005 - Handwritten Notes**
**File:** `TEMPLATE_AGENT_ID_005_physical_evidence.md`
- **What It Is:** 3-page handwritten notes showing emotional journey from willing participant to desperate victim
- **What Player Can DO:**
- Devastating confrontation ("your own handwriting")
- Enable empathetic approach (subject wants help)
- Achieve 95-98% cooperation likelihood
- Self-incrimination in subject's own words
- Show coercion by ENTROPY (victim characteristics)
- **Evidence Type:** Physical - handwritten confession
- **Substitution Variables:** [SUBJECT_NAME], [HANDLER_CODENAME], [SYSTEM_NAME], [DEBT_AMOUNT]
- **3-Page Emotional Progression:**
- **Page 1:** Nervous rationalization ("just competitive intelligence", "not hurting anyone... right?")
- **Page 2:** Feeling trapped ("they have me trapped", "if I refuse they expose me")
- **Page 3:** Desperate cry for help ("please help me", "what have I gotten into", security hotline written down)
- **Evidence Strength:**
- Alone: 80% confidence (self-incrimination)
- + Financial records: 95% confidence
- + Access logs: 95% confidence
- + All evidence: 99.9% confidence (overwhelming)
- **Cooperation Likelihood:**
- Show notes immediately: 95%
- Empathetic approach referencing cry for help: 98%
- Use as leverage after lies: 90%
- **Best Used For:** High cooperation outcome, empathetic interrogation, showing subject as victim
- **Rarity:** Uncommon-Rare (lucky find or search warrant)
**Example Content:**
```
[PAGE 1 - TRANSCRIPTION]
Meeting notes - [DATE]
THINGS TO REMEMBER:
- [HANDLER_CODENAME] wants access to [SYSTEM_NAME]
- Payment: $[AMOUNT] on completion
- Files to copy: Customer database, Network diagrams
- "Delete these notes after memorizing!!!"
Feeling sick about this. But what choice do I have?
$[DEBT_AMOUNT] in debt. Can't keep living like this.
[HANDLER] says it's just "competitive intelligence"
Not really hurting anyone... right?
[PAGE 3 - TRANSCRIPTION]
THINGS GETTING WORSE
[HANDLER] mentioned "permanent solutions for loose ends"
AM I A LOOSE END??
Overheard [HANDLER] on phone: "ENTROPY cell needs..."
WHAT IS ENTROPY?? OH GOD WHAT HAVE I GOTTEN INTO
If someone finds these notes: I'm sorry.
If you're reading this, please help me.
[ORGANIZATION] Security Hotline: [NUMBER]
(Should I call? Too scared. But maybe...)
"Please let this end somehow"
```
**Forensic Analysis Included:**
- Handwriting verification: 99.7% match to subject
- Pen pressure analysis (stress visible in writing)
- Ink testing (same pen throughout)
- Chain of custody documentation
**Legal Assessment:**
- Admissibility: VERY HIGH (spontaneous confession)
- No Miranda issues (not custodial interrogation)
- Shows consciousness of guilt
- Demonstrates coercion by ENTROPY
**Recommended Use:**
"Use notes as leverage for cooperation, not prosecution. Subject is scared, remorseful, and wants out. Cooperation probability: 95%"
---
### Evidence Template Integration Strategy
**Optimal Discovery Sequence:**
1. **TEMPLATE_001 (Encrypted Comms)** → Triggers investigation
2. **TEMPLATE_002 (Financial Records)** → Proves motive
3. **TEMPLATE_003 (Access Logs)** → Confirms activity
4. **TEMPLATE_004 (Surveillance)** → Identifies handler
5. **TEMPLATE_005 (Handwritten Notes)** → Seals the case
**Confidence Progression:**
- 1 template: 40-80% (suspicion only, no action)
- 2 templates: 65-85% (strong suspicion, investigation warranted)
- 3 templates: 85-95% (probable cause, confrontation viable)
- 4 templates: 95-98% (very strong case, multiple approaches)
- 5 templates: 99.9% (overwhelming, maximum cooperation)
**Interrogation Approach Unlocks:**
- With TEMPLATE_002 (Financial): Offer financial help for cooperation
- With TEMPLATE_005 (Notes): Empathetic approach ("we know you want out")
- With TEMPLATE_004 (Surveillance): Visual confrontation ("we have photos")
- With TEMPLATE_003 (Access Logs): Technical proof ("every keystroke logged")
- With All 5: Overwhelming evidence ("no defense, but we can help")
**Template Reusability:**
Each template can be used infinite times across different NPCs by substituting:
- [SUBJECT_NAME] → Actual NPC name
- [ORGANIZATION] → Company name
- [POSITION] → Job title
- [HANDLER_CODENAME] → Handler designation
- [AMOUNT] → Payment amounts
- [DATE] → Appropriate timeline
- etc.
**See TEMPLATE_CATALOG.md for:**
- Complete template documentation
- Substitution best practices
- Evidence combination strategies
- Scenario-specific customization
- Technical implementation guide
---
### 🎯 TACTICAL_INTELLIGENCE
**TACTICAL_001 - Active Power Grid Attack (48-Hour Countdown)**
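Review bot: The "+ All evidence" figure differs per template (90% under TEMPLATE_AGENT_ID_001, 98% under 002 and 003, 95% under 004, 99.9% under 005) although each line describes the same complete set of five, and "Confidence Progression" gives 99.9% for 5 templates. The pairwise figures also break the progression table: 002 + 003 is listed as 95%, but "2 templates" is capped at 65-85%. Suggest one confidence table keyed by the set of evidence held and have each template section refer to it. Separately, the "Example Content" blocks use placeholders that the "Substitution Variables" lines do not declare: 001 declares [CURRENT_DATE] but the example uses [DATE], and 005 uses [HANDLER], [NUMBER], [AMOUNT], [DATE] and [ORGANIZATION] while declaring only [HANDLER_CODENAME], [SYSTEM_NAME], [DEBT_AMOUNT] and [SUBJECT_NAME]. Any of these left unsubstituted would show up verbatim in game text.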


@@ -0,0 +1,255 @@
# TEMPLATE: Suspicious Encrypted Communications
**Fragment ID:** EVIDENCE_AGENT_ID_001
**Gameplay Function:** Agent Identification Evidence (Digital)
**Evidence Type:** Intercepted encrypted communication
**Rarity:** Common
**Substitution Required:** [SUBJECT_NAME], [ORGANIZATION], [POSITION]
---
## Evidence Summary
**Item:** Encrypted email communication from corporate account
**Subject:** [SUBJECT_NAME], [POSITION] at [ORGANIZATION]
**Evidence Quality:** MEDIUM (encrypted but pattern suspicious)
**Admissibility:** Medium (circumstantial, requires corroboration)
---
## Intercepted Communication
```
From: [SUBJECT_NAME]@[ORGANIZATION].com
To: secure-contact-7749@protonmail.com
Date: [CURRENT_DATE - 3 days], 23:47
Subject: Re: Consultation project update
Encryption: PGP encrypted (partial decryption successful)
[Decrypted portions:]
...understand the concerns about timeline. The access you
requested will be available during the maintenance window
as discussed.
[ENCRYPTED BLOCK - Unable to decrypt]
...payment arrangement confirmed. Standard terms as before.
The documentation you need will be transferred via the
agreed method.
[ENCRYPTED BLOCK - Unable to decrypt]
...regarding the security audit team arriving Thursday -
I can ensure they have the credentials and building access
without additional verification. Same procedure as last time.
Looking forward to our continued partnership.
Best regards,
[SUBJECT_NAME]
```
---
## Analysis Flags
**SUSPICIOUS INDICATORS:**
🚩 **Encrypted Communication from Work Email**
- Corporate email policy prohibits personal encryption
- PGP usage violates IT security policy
- Suggests deliberate obfuscation of content
- Professional email should not require encryption
🚩 **ProtonMail Recipient (Anonymous Service)**
- Recipient uses privacy-focused email service
- Address format suggests throwaway account
- No legitimate business contact uses this pattern
- Common in ENTROPY operational communications
🚩 **After-Hours Timing (23:47)**
- Sent late at night from personal device
- Suggests secretive communication
- Outside normal business hours
- Pattern consistent with covert activity
🚩 **"Payment Arrangement Confirmed"**
- Reference to financial transaction
- Not related to normal job duties
- "Standard terms as before" suggests ongoing payments
- Typical ENTROPY asset compensation language
🚩 **Security Audit Team Access**
- Offering to bypass verification procedures
- "Same procedure as last time" suggests repeat behavior
- Willing to violate security protocols
- Classic insider threat action
🚩 **"Documentation Transfer via Agreed Method"**
- Euphemism for data exfiltration
- "Agreed method" suggests dead drop or covert channel
- Not standard business file sharing
- Matches ENTROPY operational security patterns
---
## Investigation Recommendations
**IMMEDIATE ACTIONS:**
```
□ Monitor [SUBJECT_NAME]'s email for additional encrypted messages
□ Check employment records for financial stress indicators
□ Review building access logs for unusual patterns
□ Identify "security audit team" referenced
□ Trace ProtonMail recipient if possible
□ Review past "maintenance windows" for suspicious activity
□ Check for data exfiltration during previous access grants
```
**SURVEILLANCE PRIORITIES:**
```
□ Financial transactions (unusual deposits)
□ Meetings with unknown individuals
□ USB drive usage or file transfers
□ After-hours office access
□ Encrypted communication patterns
□ Dead drop locations (document transfers)
```
**CORROBORATING EVIDENCE NEEDED:**
```
□ Financial records showing unexplained income
□ Access logs showing policy violations
□ Witness testimony of suspicious behavior
□ Technical evidence of data exfiltration
□ Additional encrypted communications
□ Connection to known ENTROPY operatives
```
---
## Gameplay Integration
**This Fragment Enables:**
**Investigation Actions:**
- Flag [SUBJECT_NAME] as suspected ENTROPY asset
- Unlock surveillance mission on subject
- Enable deeper background investigation
- Trigger financial forensics check
**Player Choices:**
**APPROACH A: Immediate Confrontation**
- Confront subject with evidence
- Risk: May destroy evidence or alert ENTROPY
- Benefit: Quick resolution if subject cooperates
- Success depends on subject's psychology
**APPROACH B: Continued Surveillance**
- Monitor for additional evidence
- Build stronger case before action
- Risk: Subject may complete operation
- Benefit: Identify ENTROPY contacts and methods
**APPROACH C: Controlled Exposure**
- Feed false information through subject
- Use as unwitting double agent
- Risk: Complex operation, may fail
- Benefit: Intelligence on ENTROPY cell operations
**APPROACH D: Immediate Isolation**
- Suspend subject's access immediately
- Prevent ongoing operation
- Risk: Legal challenges if insufficient evidence
- Benefit: Stop potential breach quickly
**Success Metrics:**
- Evidence + Financial records = 75% confidence
- Evidence + Access logs = 65% confidence
- Evidence + Surveillance + Financial = 90% confidence
- Evidence alone = 40% confidence (insufficient for action)
---
## Template Substitution Guide
**When implementing this fragment, replace:**
```
[SUBJECT_NAME] → Actual NPC name (e.g., "Jennifer Park", "David Chen")
[ORGANIZATION] → Company/org name (e.g., "TechCorp", "Vanguard Financial")
[POSITION] → Job title (e.g., "Network Administrator", "Security Analyst")
[CURRENT_DATE - 3 days] → Game timeline appropriate date
```
**Maintain consistency:**
- Use same substituted name throughout fragment
- Email address format: firstname.lastname@company.com
- Position should match NPC's actual in-game role
- Timeline should fit scenario chronology
**Example with substitutions:**
```
From: jennifer.park@techcorp.com
To: secure-contact-7749@protonmail.com
Date: November 12, 2025, 23:47
Subject: Re: Consultation project update
...payment arrangement confirmed...
Best regards,
Jennifer Park
Network Security Analyst
TechCorp Industries
```
---
## Scenario-Specific Customization
**For Corporate Infiltration Scenarios:**
- Emphasize "security audit team" access
- Reference "maintenance windows" for data access
- Focus on credential provision
**For Data Exfiltration Scenarios:**
- Emphasize "documentation transfer"
- Reference specific data types in encrypted blocks
- Focus on file access patterns
**For Infrastructure Scenarios:**
- Reference SCADA/control system access
- Mention facility access credentials
- Focus on physical security bypass
**For Research Scenarios:**
- Reference proprietary research data
- Mention lab access or sample transfers
- Focus on intellectual property theft
---
## Related Fragments
**Supporting Evidence Types:**
- EVIDENCE_AGENT_ID_002: Financial records (shows payments)
- EVIDENCE_AGENT_ID_003: Access log analysis (proves violations)
- EVIDENCE_AGENT_ID_004: Surveillance photos (documents meetings)
- EVIDENCE_AGENT_ID_005: USB usage logs (data exfiltration proof)
- EVIDENCE_AGENT_ID_006: Recruitment approach (how ENTROPY contacted them)
**Collect Multiple for Higher Certainty:**
- 1 evidence type: 40% confidence (suspicion only)
- 2 evidence types: 65% confidence (strong suspicion)
- 3 evidence types: 85% confidence (probable cause)
- 4+ evidence types: 95% confidence (near certainty)
---
**CLASSIFICATION:** EVIDENCE - AGENT IDENTIFICATION
**TEMPLATE TYPE:** Reusable with substitution
**PRIORITY:** MEDIUM (requires corroboration)
**DISTRIBUTION:** Investigation teams, scenario designers
**USAGE:** Insert into scenarios with suspected insider threats
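Review bot: "Related Fragments" lists EVIDENCE_AGENT_ID_005 as "USB usage logs" and refers to an EVIDENCE_AGENT_ID_006 "Recruitment approach", but the commit message describes 005 as the handwritten confession and adds only five templates, so both entries point at content that does not match or does not exist. The substitution guide also conflicts with the template body: the header is `From: [SUBJECT_NAME]@[ORGANIZATION].com`, and a literal replacement with the guide's own example values ("Jennifer Park", "TechCorp") yields an address with a space in it rather than the `jennifer.park@techcorp.com` shown in the example. Either use a dedicated placeholder for the mailbox and domain or document the transform the implementer must apply. [CURRENT_DATE - 3 days] is used in the body but missing from the "Substitution Required" line at the top.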


@@ -0,0 +1,430 @@
# TEMPLATE: Suspicious Financial Activity
**Fragment ID:** EVIDENCE_AGENT_ID_002
**Gameplay Function:** Agent Identification Evidence (Financial)
**Evidence Type:** Bank transaction records
**Rarity:** Uncommon
**Substitution Required:** [SUBJECT_NAME], [SALARY], [AMOUNT], [DATE]
---
## Evidence Summary
**Item:** Bank account transaction analysis
**Subject:** [SUBJECT_NAME]
**Evidence Quality:** HIGH (financial records are hard evidence)
**Admissibility:** HIGH (bank records with proper subpoena)
---
## Financial Analysis Report
```
═══════════════════════════════════════════════════════
SAFETYNET FINANCIAL FORENSICS ANALYSIS
Subject: [SUBJECT_NAME]
═══════════════════════════════════════════════════════
ANALYSIS DATE: [CURRENT_DATE]
ANALYST: Agent 0x77, Financial Crimes Division
AUTHORIZATION: Federal subpoena #[SUBPOENA_NUMBER]
BANKS ANALYZED: [PRIMARY_BANK], [SECONDARY_BANK]
SUMMARY:
Significant unexplained cash deposits inconsistent with
known employment income. Pattern consistent with ENTROPY
asset payment methodology.
───────────────────────────────────────────────────────
EMPLOYMENT INCOME VERIFICATION
───────────────────────────────────────────────────────
Employer: [ORGANIZATION]
Position: [POSITION]
Declared Salary: $[SALARY] annually
Expected Monthly Net: $[SALARY ÷ 12 × 0.70] (after tax)
Actual Payroll Deposits: VERIFIED (matches declared)
───────────────────────────────────────────────────────
SUSPICIOUS DEPOSITS IDENTIFIED
───────────────────────────────────────────────────────
DEPOSIT #1: CASH
Date: [DATE_1]
Amount: $[AMOUNT] (exactly)
Location: [BANK_BRANCH] ATM
Time: 22:47 (after hours)
Source: UNKNOWN - Cash deposit
Notes: Amount consistent with ENTROPY payment ($25K-$75K range)
DEPOSIT #2: CRYPTOCURRENCY EXCHANGE
Date: [DATE_2] (14 days after Deposit #1)
Amount: $[AMOUNT × 0.97]
Source: CryptoExchangePro (Bitcoin conversion)
Notes: Exchange timing suggests cryptocurrency laundering
97% of original amount (3% lost to fees/exchange)
DEPOSIT #3: WIRE TRANSFER
Date: [DATE_3]
Amount: $[AMOUNT × 0.5]
Source: "[SHELL_COMPANY_NAME]"
Registration: Delaware LLC (shell company indicators)
Business: "Consulting services" (vague purpose)
Notes: Payment memo: "Security consultation - Project [CODE]"
Company registered 6 months ago, minimal online presence
DEPOSIT #4: CASH
Date: [DATE_4]
Amount: $[AMOUNT × 0.75]
Location: Different branch (countersurveillance?)
Time: 21:13 (after hours again)
Notes: Deposited in multiple smaller amounts over 3 days
Structured to avoid $10K reporting threshold
TOTAL SUSPICIOUS DEPOSITS: $[TOTAL_AMOUNT]
TIMEFRAME: [DURATION] months
AVERAGE: $[AVERAGE_PER_MONTH]/month
───────────────────────────────────────────────────────
INCOME ANALYSIS
───────────────────────────────────────────────────────
DECLARED INCOME (Annual):
Salary: $[SALARY]
Other declared income: $0
Total: $[SALARY]
ACTUAL DEPOSITS (Analyzed period):
Regular salary: $[SALARY_DEPOSITS]
Suspicious deposits: $[TOTAL_AMOUNT]
Total: $[SALARY_DEPOSITS + TOTAL_AMOUNT]
UNEXPLAINED INCOME: $[TOTAL_AMOUNT]
PERCENTAGE OF SALARY: [PERCENTAGE]%
ASSESSMENT:
Unexplained income of $[TOTAL_AMOUNT] represents
[PERCENTAGE]% of declared salary. No legitimate
source identified for this income.
───────────────────────────────────────────────────────
EXPENDITURE PATTERNS
───────────────────────────────────────────────────────
FOLLOWING SUSPICIOUS DEPOSITS:
Large expenditures identified:
• $[DEBT_AMOUNT] - Student loan payoff ([DATE_5])
• $[DEBT_AMOUNT_2] - Credit card debt clearance ([DATE_6])
• $[EXPENSE_1] - [EXPENSE_DESCRIPTION]
• $[EXPENSE_2] - [EXPENSE_DESCRIPTION]
PATTERN ANALYSIS:
Subject used unexplained income to:
1. Pay off existing debt (financial desperation motive)
2. Make purchases previously unaffordable
3. Maintain lifestyle above legitimate income level
This pattern consistent with ENTROPY asset behavior:
- Recruited through financial desperation
- Paid for specific services/access
- Uses funds to resolve personal financial crisis
───────────────────────────────────────────────────────
CRYPTOCURRENCY ACTIVITY
───────────────────────────────────────────────────────
EXCHANGE ACCOUNT: CryptoExchangePro
Account Name: [SUBJECT_NAME]
KYC Status: Verified (used real identity)
Activity:
INCOMING BITCOIN:
Date: [CRYPTO_DATE_1]
Amount: [BTC_AMOUNT] BTC
Value: $[AMOUNT]
Source Wallet: 1A9zW5...3kPm
NOTE: This wallet identified as ENTROPY master wallet!
CONVERSION TO USD:
Date: [CRYPTO_DATE_2] (same day)
Amount: $[AMOUNT × 0.97]
Transferred to: [BANK_NAME] account
Fees: $[AMOUNT × 0.03]
CRITICAL FINDING:
Direct transaction from confirmed ENTROPY master wallet
to subject's personal exchange account. This is DIRECT
EVIDENCE of ENTROPY payment.
───────────────────────────────────────────────────────
SHELL COMPANY ANALYSIS
───────────────────────────────────────────────────────
COMPANY: [SHELL_COMPANY_NAME]
Registration: Delaware LLC
Date Formed: [FORMATION_DATE] (6 months ago)
Registered Agent: Corporate Formations Inc. (mass registrations)
Business Address: Virtual office, no physical presence
Website: [SHELL_COMPANY_URL] (created same month as registration)
Employees: 0 (per state filings)
Revenue: Unknown (no public filings)
RED FLAGS:
✗ Recently formed (timing suspicious)
✗ No physical office or employees
✗ Generic "consulting" business description
✗ Minimal web presence (likely fake)
✗ Registered agent specializes in shell companies
✗ No verifiable past projects or clients
✗ Payment amounts inconsistent with actual consulting rates
ASSESSMENT:
[SHELL_COMPANY_NAME] exhibits all characteristics of
ENTROPY front company. Likely exists solely to provide
"legitimate" cover for asset payments.
───────────────────────────────────────────────────────
TAX IMPLICATIONS
───────────────────────────────────────────────────────
UNREPORTED INCOME: $[TOTAL_AMOUNT] (likely)
If subject did not declare this income:
• Tax evasion (federal crime)
• Penalties: $[TAX_PENALTY_ESTIMATE]
• Criminal exposure: 1-5 years prison
Additional leverage for cooperation:
"We can help with IRS if you help us with ENTROPY."
───────────────────────────────────────────────────────
CONCLUSIONS
───────────────────────────────────────────────────────
EVIDENCE STRENGTH: HIGH
Multiple indicators of ENTROPY asset payments:
✓ Direct transaction from ENTROPY master wallet
✓ Cash deposits in ENTROPY payment range ($25K-$75K)
✓ Shell company payments with suspicious characteristics
✓ Structured deposits avoiding reporting thresholds
✓ Cryptocurrency conversion (laundering pattern)
✓ Unexplained income [PERCENTAGE]% of legitimate salary
✓ Timing correlates with known ENTROPY operations
LEGAL ASSESSMENT:
This evidence, combined with other indicators, establishes
probable cause for:
• Money laundering charges
• Tax evasion
• Conspiracy (if operational involvement proven)
• ENTROPY asset designation (administrative)
RECOMMENDATION:
Subject [SUBJECT_NAME] is receiving payments from ENTROPY.
Financial pressure likely recruitment vector.
High probability of cooperation if offered immunity +
financial assistance alternative.
───────────────────────────────────────────────────────
ANALYST NOTES:
Subject's financial desperation (debt visible in records)
made them vulnerable to ENTROPY recruitment. The $[AMOUNT]
payments provided relief they couldn't get elsewhere.
This isn't a career criminal. This is someone who made a
bad choice under extreme financial pressure.
Recommended approach: Offer help, not just prosecution.
"We can resolve your debt legally. No prison. Fresh start.
Just tell us what ENTROPY wanted you to do."
Cooperation probability: 75-85% if approached correctly.
- Agent 0x77
═══════════════════════════════════════════════════════
CLASSIFICATION: FINANCIAL EVIDENCE - HIGH CONFIDENCE
DISTRIBUTION: Investigation team, legal counsel
HANDLING: Subpoena required for admission in court
═══════════════════════════════════════════════════════
```
---
## Gameplay Integration
**This Fragment Enables:**
**Definitive Identification:**
- Confirms [SUBJECT_NAME] is ENTROPY asset (95% certainty)
- Direct evidence from master wallet transaction
- Legally admissible in court
- Justifies arrest/surveillance/confrontation
**Player Actions Unlocked:**
**CONFRONTATION:**
```
"We know about the payments, [SUBJECT_NAME].
$[TOTAL_AMOUNT] from ENTROPY over [DURATION] months.
Direct transfer from their master wallet to your account.
We have the bank records. We have the cryptocurrency trail.
We have everything.
You can cooperate now, or we can prosecute. Your choice."
```
**LEVERAGE:**
```
"You're facing money laundering charges. Tax evasion.
5-10 years federal prison.
OR
You help us. Full immunity. We help you with the debt
legally. Witness protection if needed. Clean slate.
What's it going to be?"
```
**INTELLIGENCE:**
```
Financial analysis reveals:
→ Payment amounts indicate level of access provided
→ Payment timing correlates with operations
→ Shell company shows ENTROPY front operation
→ Master wallet transaction connects to other assets
```
---
## Success Metrics
**Evidence Value:**
- Alone: 60% confidence (suspicious but could have explanation)
- + Encrypted comms: 85% confidence
- + Access logs: 90% confidence
- + Surveillance: 95% confidence
- + Confession: 100% certainty
**Cooperation Likelihood:**
- Show financial evidence alone: 45% cooperation
- Offer immunity + debt help: 75% cooperation
- Add threat of prison time: 85% cooperation
- Combine all approaches: 90% cooperation
**Legal Strength:**
- Prosecution without cooperation: 70% conviction rate
- With subject cooperation: 95% conviction rate (against ENTROPY)
- Tax evasion charges alone: 90% conviction rate
---
## Template Substitution Guide
**Replace these placeholders:**
```
[SUBJECT_NAME] → NPC name
[SALARY] → Annual salary matching their position
[AMOUNT] → ENTROPY payment amount ($25,000 - $75,000 typical)
[DATE_1], [DATE_2], etc. → Appropriate dates in game timeline
[ORGANIZATION] → Company name where NPC works
[POSITION] → NPC's job title
[SHELL_COMPANY_NAME] → Generic business name (e.g., "SecureConsult LLC")
[DEBT_AMOUNT] → Amount of debt NPC paid off
[EXPENSE_DESCRIPTION] → What they bought with the money
[PERCENTAGE] → Calculate: (TOTAL_AMOUNT ÷ SALARY) × 100
```
**Formula for realistic amounts:**
```
Base salary: $40,000 - $80,000 (typical corporate employee)
ENTROPY payment: 50-100% of annual salary
Total suspicious income: $25,000 - $75,000
Debt paid off: 80% of suspicious income
Remaining spent: 20% of suspicious income
```
**Example with substitutions:**
```
Subject: David Chen
Salary: $52,000
ENTROPY payment: $50,000 (96% of salary)
Student debt paid: $40,000
Credit cards cleared: $8,000
Unexplained income: 96% of declared salary
```
---
## Scenario Variations
**High-Value Target (More Money):**
```
Salary: $120,000 (senior position)
ENTROPY payment: $150,000 (125% of salary)
Justification: Valuable access, sensitive position
```
**Low-Value Target (Less Money):**
```
Salary: $35,000 (junior position)
ENTROPY payment: $25,000 (71% of salary)
Justification: Limited access, lower value
```
**Ongoing Asset (Multiple Payments):**
```
Payment 1: $40,000 (initial recruitment)
Payment 2: $15,000 (after 3 months)
Payment 3: $15,000 (after 6 months)
Total: $70,000 over 6 months
Pattern: Ongoing asset vs. one-time use
```
---
## Related Evidence Types
**Combine with:**
- EVIDENCE_AGENT_ID_001: Encrypted communications (motive for payment)
- EVIDENCE_AGENT_ID_003: Access logs (what they did for money)
- EVIDENCE_AGENT_ID_004: Surveillance (meetings with ENTROPY handlers)
- EVIDENCE_AGENT_ID_006: Recruitment approach (how they were contacted)
**Investigation Sequence:**
1. Find encrypted comms → Suspicion
2. Get financial records → Confirmation
3. Confront subject → Cooperation or arrest
4. Use testimony → Dismantle cell
---
## Educational Context
**Related CyBOK Topics:**
- Law & Regulation (Money laundering, tax law, financial crimes)
- Forensics (Financial forensics, transaction analysis)
- Human Factors (Financial pressure as vulnerability)
**Security Lessons:**
- Financial desperation creates insider threats
- Cryptocurrency provides pseudo-anonymity, not true anonymity
- Shell companies are traceable through proper investigation
- Bank records are powerful evidence (hard to deny)
- Structured deposits indicate guilty knowledge
- Employee financial wellness reduces vulnerability
---
**CLASSIFICATION:** EVIDENCE TEMPLATE - FINANCIAL
**PRIORITY:** HIGH (Definitive proof with proper subpoena)
**REUSABILITY:** High (works for any insider threat scenario)
**LEGAL VALUE:** Excellent (bank records highly admissible)
**COOPERATION VALUE:** Excellent (strong leverage for turning asset)
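Review bot: The "Replace these placeholders" list is incomplete for this file: the CONFRONTATION dialog uses [TOTAL_AMOUNT] and [DURATION], and the [PERCENTAGE] formula depends on TOTAL_AMOUNT, but neither is in the list, so an author following the guide will ship dialog with raw brackets in it. Add both, and state whether [TOTAL_AMOUNT] is the sum of the [AMOUNT] payments (the "Ongoing Asset" variation implies it is). Two consistency points in the same region: "Definitive Identification" claims 95% certainty from this fragment while Success Metrics rates it at 60% alone, and "Combine with" references EVIDENCE_AGENT_ID_006, which is not among the five templates listed in the commit message. The "Formula for realistic amounts" caps the payment at 50-100% of salary, yet the High-Value variation uses 125%; either widen the range or mark the variation as an intentional exception.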


@@ -0,0 +1,598 @@
# TEMPLATE: Unauthorized System Access Pattern
**Fragment ID:** EVIDENCE_AGENT_ID_003
**Gameplay Function:** Agent Identification Evidence (Technical)
**Evidence Type:** System access logs and audit trail
**Rarity:** Common
**Substitution Required:** [SUBJECT_NAME], [POSITION], [SYSTEM_NAME], [DATA_TYPE]
---
## Evidence Summary
**Item:** System access log analysis
**Subject:** [SUBJECT_NAME], [POSITION]
**Evidence Quality:** HIGH (technical logs are objective)
**Admissibility:** HIGH (system logs with proper chain of custody)
---
## Access Log Analysis Report
```
╔═══════════════════════════════════════════════════════╗
║ SYSTEM ACCESS AUDIT REPORT ║
║ Unauthorized Activity Detection ║
╚═══════════════════════════════════════════════════════╝
REPORT ID: SYS-AUDIT-[REPORT_NUMBER]
GENERATED: [CURRENT_DATE]
ANALYST: IT Security Team / SAFETYNET Technical Division
SUBJECT: [SUBJECT_NAME]
EMPLOYEE ID: [EMP_ID]
POSITION: [POSITION]
DEPARTMENT: [DEPARTMENT]
AUTHORIZED ACCESS LEVEL: [ACCESS_LEVEL]
═══════════════════════════════════════════════════════
SUMMARY:
Comprehensive analysis of system access logs reveals
pattern of unauthorized access to systems and data
outside subject's job responsibilities and clearance level.
Activity consistent with data exfiltration preparation
and reconnaissance for ENTROPY operations.
═══════════════════════════════════════════════════════
BASELINE LEGITIMATE ACCESS
═══════════════════════════════════════════════════════
Based on position [POSITION], subject should access:
AUTHORIZED SYSTEMS:
✓ [SYSTEM_1] - Required for daily work
✓ [SYSTEM_2] - Department shared resources
✓ [SYSTEM_3] - Communication tools
✓ [SYSTEM_4] - Standard employee applications
AUTHORIZED DATA:
✓ [DATA_TYPE_1] - Related to job function
✓ [DATA_TYPE_2] - Department information
✓ [DATA_TYPE_3] - Public/shared company data
TYPICAL USAGE PATTERN:
• Login times: 08:00-18:00 (business hours)
• Access frequency: Multiple times daily
• Data volume: Normal for position
• Locations: Office workstation, VPN from home
═══════════════════════════════════════════════════════
UNAUTHORIZED ACCESS DETECTED
═══════════════════════════════════════════════════════
INCIDENT #1: SENSITIVE DATABASE ACCESS
Date/Time: [DATE_TIME_1]
System: [SENSITIVE_SYSTEM]
Access Method: SQL query via admin console
User Account: [SUBJECT_NAME]@[ORGANIZATION]
Location: Office workstation (IP: [IP_ADDRESS])
QUERY EXECUTED:
SELECT * FROM [DATABASE].[TABLE]
WHERE [CRITERIA]
LIMIT 50000
ANALYSIS:
✗ [SUBJECT_NAME] has NO authorized access to [SENSITIVE_SYSTEM]
✗ Position [POSITION] has no business need for this data
✗ Query extracted [DATA_TYPE] for 50,000 records
✗ Data volume far exceeds any legitimate need
✗ Query format suggests data exfiltration intent
RED FLAGS:
• Access outside job responsibilities
• Large-scale data extraction
• No ticket/request for access
• Used elevated credentials (how obtained?)
• Timing: After hours (22:34)
───────────────────────────────────────────────────────
INCIDENT #2: NETWORK INFRASTRUCTURE MAPPING
Date/Time: [DATE_TIME_2]
System: Network Management Console
Access Method: Direct login
User Account: [SUBJECT_NAME] (used supervisor's credentials!)
Location: Office (IP: [IP_ADDRESS])
ACTIONS PERFORMED:
• Exported network topology diagram
• Downloaded firewall rule configurations
• Accessed VPN server logs
• Queried active directory structure
• Downloaded security camera placement map
ANALYSIS:
✗ Supervisor credentials compromised/shared (security violation)
✗ Network admin access not authorized for [POSITION]
✗ Infrastructure documentation downloaded (reconnaissance)
✗ Security architecture exposed
✗ No legitimate business justification exists
RED FLAGS:
• Credential theft/sharing (serious violation)
• Complete infrastructure reconnaissance
• Downloaded security-sensitive diagrams
• Classic pre-attack intelligence gathering
• Timing: Weekend (Saturday 14:23)
───────────────────────────────────────────────────────
INCIDENT #3: HUMAN RESOURCES DATABASE
Date/Time: [DATE_TIME_3]
System: HR Management System
Access Method: Web portal login
User Account: [SUBJECT_NAME]
Location: Unknown (VPN from residential IP)
DATA ACCESSED:
• Employee personal information (500+ records)
• Salary and compensation data
• Home addresses and contact info
• Security clearance levels
• Emergency contacts
ANALYSIS:
✗ HR system access not authorized for [POSITION]
✗ Accessed 500+ employee records (entire department)
✗ No HR-related job responsibilities
✗ Personal data with no legitimate need
✗ Pattern suggests target profiling for ENTROPY
RED FLAGS:
• Mass employee data access
• Personal information exfiltration
• Possible recruitment target identification
• Social engineering preparation
• Timing: Evening from home (20:15)
───────────────────────────────────────────────────────
INCIDENT #4: EXECUTIVE EMAIL ACCESS
Date/Time: [DATE_TIME_4]
System: Email server (Exchange)
Access Method: PowerShell remote access
User Account: [SUBJECT_NAME]
Location: Office (IP: [IP_ADDRESS])
ACTIVITY:
• Accessed CEO mailbox (unauthorized!)
• Read 127 emails marked "Confidential"
• Exported emails to PST file
• Downloaded email to external drive
• Deleted access logs (attempted cover-up)
ANALYSIS:
✗ Executive email access STRICTLY prohibited
✗ PowerShell used to bypass security controls
✗ Exported emails for offline viewing
✗ Attempted to delete evidence (consciousness of guilt)
✗ Contains privileged executive communications
RED FLAGS:
• Highest-level unauthorized access
• Corporate espionage indicators
• Active cover-up attempt (log deletion)
• Technical sophistication (PowerShell usage)
• Timing: Middle of night (02:17)
───────────────────────────────────────────────────────
INCIDENT #5: USB DEVICE USAGE
Date/Time: [DATE_TIME_5]
System: Endpoint detection (workstation)
Device: USB flash drive (128GB)
User Account: [SUBJECT_NAME]
Location: Office workstation
ACTIVITY:
• Connected unauthorized USB device
• Copied [FILE_COUNT] files to drive
• Total data: [DATA_SIZE] GB
• File types: .xlsx, .docx, .pdf, .pst
• Encryption detected on USB (secure storage)
ANALYSIS:
✗ USB devices prohibited by policy (DLP violation)
✗ Large-scale file copying to external media
✗ Included sensitive/confidential documents
✗ USB encrypted (hiding contents)
✗ Classic data exfiltration method
RED FLAGS:
• Policy violation (USB prohibition)
• Data exfiltration to portable media
• Encryption suggests premeditation
• Volume suggests systematic collection
• Timing: Late evening (19:45)
═══════════════════════════════════════════════════════
PATTERN ANALYSIS
═══════════════════════════════════════════════════════
TIMELINE OF UNAUTHORIZED ACTIVITY:
Week 1: [DATE_RANGE_1]
→ Initial reconnaissance (network mapping)
→ Identifying high-value systems
Week 2-3: [DATE_RANGE_2]
→ Unauthorized data access begins
→ Multiple system compromises
→ Credential elevation/theft
Week 4: [DATE_RANGE_3]
→ Large-scale data exfiltration
→ Executive communications accessed
→ USB device data export
PROGRESSION:
Reconnaissance → Access → Exfiltration → Cover-up
This timeline consistent with ENTROPY operational cadence:
- 2-4 weeks from recruitment to first deliverable
- Systematic approach (not random access)
- Escalating access levels
- Final exfiltration before rotation
TEMPORAL PATTERNS:
After-Hours Access: 78% of incidents
• 22:34, 02:17, 19:45, 20:15, 14:23 (weekend)
• Suggests covert activity awareness
• Avoiding daytime supervision
• Consciousness of wrongdoing
Weekend Access: 23% of incidents
• Saturday access to avoid scrutiny
• Reduced security staffing
• Fewer witnesses to activity
VPN/Remote Access: 34% of incidents
• From residential IP addresses
• Outside corporate network
• Harder to detect/monitor
═══════════════════════════════════════════════════════
TECHNICAL SOPHISTICATION INDICATORS
═══════════════════════════════════════════════════════
SKILLS DEMONSTRATED:
✓ PowerShell scripting (executive email access)
✓ SQL query construction (database extraction)
✓ Credential compromise (supervisor's account)
✓ Log manipulation (attempted deletion)
✓ Encryption usage (USB device)
✓ Network reconnaissance (topology mapping)
ASSESSMENT:
Subject demonstrates technical capabilities beyond
requirements of [POSITION]. Suggests:
1. Prior training (possibly ENTROPY-provided)
2. Security background (knows how to evade detection)
3. Deliberate skill application (not accidental)
4. Sophisticated adversary (not amateur mistake)
This level of sophistication consistent with:
→ Trained ENTROPY operative
→ Professional cyber criminal
→ Insider threat with external guidance
→ Asset with technical handler support
═══════════════════════════════════════════════════════
DATA EXFILTRATED (ESTIMATED)
═══════════════════════════════════════════════════════
Based on log analysis, subject likely obtained:
CATEGORY 1: CUSTOMER DATA
• [NUMBER] customer records
• Personal information (PII)
• Financial account details
• Contact information
Estimated Volume: [SIZE] GB
CATEGORY 2: INFRASTRUCTURE
• Network topology diagrams
• Security architecture docs
• Access control configurations
• Firewall rules and VPN configs
Estimated Volume: [SIZE] MB
CATEGORY 3: EMPLOYEE DATA
• 500+ employee personal records
• Salary and compensation data
• Security clearance information
• Contact details for recruitment targeting
Estimated Volume: [SIZE] MB
CATEGORY 4: EXECUTIVE COMMUNICATIONS
• 127 confidential emails
• Strategic planning documents
• Merger/acquisition discussions
• Proprietary business intelligence
Estimated Volume: [SIZE] MB
CATEGORY 5: PROPRIETARY DATA
• [FILE_COUNT] sensitive documents
• Trade secrets potential
• Intellectual property
• Competitive intelligence
Estimated Volume: [SIZE] GB
TOTAL ESTIMATED EXFILTRATION: [TOTAL_SIZE] GB
VALUE ASSESSMENT:
This data highly valuable for:
→ ENTROPY Phase 3 operations (customer targeting)
→ Future social engineering campaigns
→ Competitive intelligence sale
→ Infrastructure attack planning
→ Employee recruitment targeting
═══════════════════════════════════════════════════════
POLICY VIOLATIONS
═══════════════════════════════════════════════════════
Subject violated the following corporate policies:
✗ Acceptable Use Policy (Section 3.2)
- Unauthorized system access
✗ Data Protection Policy (Section 2.1)
- Accessed data without business need
✗ USB Device Policy (Section 4.7)
- Used prohibited external storage
✗ Credential Sharing Policy (Section 1.3)
- Used supervisor's credentials
✗ After-Hours Access Policy (Section 5.2)
- Suspicious access patterns
✗ Data Classification Policy (Section 6.1)
- Accessed confidential/secret data
✗ Log Integrity Policy (Section 7.4)
- Attempted log deletion
RECOMMENDED EMPLOYMENT ACTION:
Immediate termination for cause with policies violated.
═══════════════════════════════════════════════════════
LEGAL IMPLICATIONS
═══════════════════════════════════════════════════════
CRIMINAL STATUTES POTENTIALLY VIOLATED:
Federal:
• 18 U.S.C. § 1030 - Computer Fraud and Abuse Act
• 18 U.S.C. § 1831 - Economic Espionage Act
• 18 U.S.C. § 2511 - Wiretap Act (email interception)
State:
• Computer trespass
• Theft of trade secrets
• Unauthorized access to computer systems
Civil:
• Breach of employment contract
• Breach of confidentiality agreement
• Trade secret misappropriation
POTENTIAL SENTENCES:
• Federal CFAA: Up to 10 years per count
• Economic espionage: Up to 15 years
• Multiple counts possible: 25+ years exposure
═══════════════════════════════════════════════════════
CONCLUSIONS AND RECOMMENDATIONS
═══════════════════════════════════════════════════════
EVIDENCE ASSESSMENT: DEFINITIVE
Subject [SUBJECT_NAME] engaged in systematic unauthorized
access to corporate systems and data exfiltration over
[TIMEFRAME] period.
Activity characteristics:
✓ Deliberate and premeditated
✓ Technically sophisticated
✓ Aligned with ENTROPY operational patterns
✓ Resulted in significant data compromise
✓ Included active cover-up attempts
CONFIDENCE LEVEL: 95%
This is not accidental access or policy misunderstanding.
This is deliberate espionage/data theft by trained operative
or ENTROPY asset.
IMMEDIATE RECOMMENDATIONS:
□ Suspend all system access immediately
□ Confiscate workstation and devices
□ Preserve all log evidence (legal hold)
□ Coordinate with SAFETYNET for investigation
□ Prepare termination documentation
□ Consider criminal prosecution
□ Assess damage and notify affected parties
□ Review security controls that failed
INVESTIGATION PRIORITIES:
□ How were supervisor credentials obtained?
□ What happened to exfiltrated data?
□ Are there other compromised employees?
□ What is subject's connection to ENTROPY?
□ Recover USB device if possible
□ Interview subject (with legal counsel present)
□ Coordinate with law enforcement
═══════════════════════════════════════════════════════
ANALYST NOTES:
The technical sophistication and systematic approach
suggests [SUBJECT_NAME] received external guidance,
likely from ENTROPY handler.
Pattern matches 12 other cases of ENTROPY asset behavior:
- Reconnaissance phase (2-3 weeks)
- Access escalation (1-2 weeks)
- Exfiltration (final week)
- Attempted cover-up
Subject likely recruited for specific access, trained on
what to collect, and provided tools/methods for exfiltration.
Recommend offering cooperation deal:
"Help us understand who recruited you, what they wanted,
and where the data went. We can help you if you help us."
Without cooperation, prosecution recommended.
- IT Security Team / SAFETYNET Liaison
═══════════════════════════════════════════════════════
CLASSIFICATION: TECHNICAL EVIDENCE - UNAUTHORIZED ACCESS
DISTRIBUTION: Security team, legal, SAFETYNET, management
HANDLING: Preserve original logs, maintain chain of custody
═══════════════════════════════════════════════════════
```
---
## Gameplay Integration
**This Fragment Enables:**
**Immediate Actions:**
- Suspend [SUBJECT_NAME]'s access (prevent further damage)
- Confiscate devices and conduct forensic analysis
- Initiate formal investigation
- Coordinate with SAFETYNET
**Confrontation Dialog:**
```
"We have your access logs, [SUBJECT_NAME].
[SENSITIVE_SYSTEM] at 22:34. You're not authorized for that system.
Network diagrams downloaded on Saturday. Why?
CEO's emails exported at 02:17. That's a federal crime.
128GB USB drive. Where did that data go?
We have timestamps. IP addresses. Exact files accessed.
This isn't a mistake. This is systematic data theft.
Who are you working for?"
```
**Player Choices:**
**APPROACH A: Technical Lockdown**
- Immediate suspension
- Forensic investigation
- Criminal prosecution
- No cooperation opportunity
**APPROACH B: Monitored Access**
- Allow continued access under surveillance
- Track who they contact
- Identify ENTROPY handler
- Build larger case
**APPROACH C: Confrontation + Deal**
- Show evidence
- Offer immunity for cooperation
- Learn ENTROPY methods
- Turn asset into informant
**APPROACH D: Counter-Intelligence**
- Feed false data through subject
- Use as unwitting double agent
- Track where data goes
- Identify ENTROPY infrastructure
---
## Success Metrics
**Evidence Strength:**
- System logs alone: 70% conviction probability
- Logs + financial records: 90% probability
- Logs + financial + surveillance: 95% probability
- Add confession: 99% probability
**Damage Assessment:**
- Data exfiltrated: [TOTAL_SIZE] GB
- Systems compromised: [NUMBER]
- Policy violations: 7 major
- Potential impact: HIGH (customer data, exec comms)
**Recovery Actions:**
- Incident response: 2-4 weeks
- Customer notification: Required (data breach laws)
- Security improvements: $[COST_ESTIMATE]
- Reputational damage: Significant
---
## Template Substitution Guide
**Replace these placeholders:**
```
[SUBJECT_NAME] → NPC name
[POSITION] → Job title
[DEPARTMENT] → Department name
[ORGANIZATION] → Company name
[SYSTEM_NAME] → Specific system accessed (e.g., "Customer Database")
[DATA_TYPE] → Type of data (e.g., "financial records")
[SENSITIVE_SYSTEM] → High-value target system
[DATE_TIME_X] → Specific timestamps
[IP_ADDRESS] → Internal IP address
[FILE_COUNT] → Number of files exfiltrated
[DATA_SIZE] → Size of data exfiltrated
[ACCESS_LEVEL] → Authorized clearance level
```
**Realistic Technical Details:**
```
IP addresses: 10.x.x.x or 192.168.x.x (internal)
File counts: 50-500 (believable exfiltration)
Data sizes: 1-10 GB (USB-portable)
Timestamps: Mix of after-hours and weekends
Access levels: User, Power User, Admin
```
---
**CLASSIFICATION:** EVIDENCE TEMPLATE - TECHNICAL
**PRIORITY:** HIGH (Objective technical proof)
**REUSABILITY:** High (works for any insider threat)
**LEGAL VALUE:** Excellent (system logs are strong evidence)
**INVESTIGATION VALUE:** Excellent (shows what, when, how)
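Review bot: The TEMPORAL PATTERNS percentages cannot be derived from the five incidents the report documents. With five incidents every share is a multiple of 20%, yet the section states 78% after-hours, 23% weekend and 34% VPN; the report's own after-hours list names all five incidents, one is a weekend (Incident #2) and one is over VPN (Incident #3). Either compute the figures from the incidents or say they cover a larger log set. Related: each incident has a [DATE_TIME_n] placeholder next to a hardcoded time in RED FLAGS and in the confrontation dialog (22:34, Saturday 14:23, 02:17), so a substituted timestamp can contradict the text; make the times placeholders or tell authors in the guide to match them. Incident #2 lists the user account as [SUBJECT_NAME] while saying the supervisor's credentials were used; a log would show the supervisor's account, so the report should state what ties the session to the subject, for example the workstation IP it already records. The header and guide also list [SYSTEM_NAME], which this report never uses, while [REPORT_NUMBER], [EMP_ID], [DATE_RANGE_n], [NUMBER], [SIZE], [TOTAL_SIZE], [TIMEFRAME] and [COST_ESTIMATE] are used but not listed, and the "1-10 GB (USB-portable)" guidance sits beside a fixed 128GB device in Incident #5. The report's "CONFIDENCE LEVEL: 95%" likewise disagrees with the 70% given for logs alone under Success Metrics.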


@@ -0,0 +1,563 @@
# TEMPLATE: Surveillance Evidence of ENTROPY Contact
**Fragment ID:** EVIDENCE_AGENT_ID_004
**Gameplay Function:** Agent Identification Evidence (Surveillance)
**Evidence Type:** Photographic surveillance and behavioral analysis
**Rarity:** Uncommon
**Substitution Required:** [SUBJECT_NAME], [POSITION], [CONTACT_DESCRIPTION]
---
## Evidence Summary
**Item:** Surveillance photography and behavioral observation
**Subject:** [SUBJECT_NAME], [POSITION]
**Evidence Quality:** MEDIUM-HIGH (visual evidence corroborates other intel)
**Admissibility:** HIGH (photographic evidence with proper surveillance authorization)
---
## Surveillance Report
```
╔═══════════════════════════════════════════════════════╗
║ SAFETYNET SURVEILLANCE REPORT ║
║ Suspected ENTROPY Asset Monitoring ║
╚═══════════════════════════════════════════════════════╝
OPERATION: [OPERATION_CODE_NAME]
SUBJECT: [SUBJECT_NAME]
SURVEILLANCE TEAM: Alpha-3
LEAD AGENT: Agent 0x99 "HAXOLOTTLE"
DURATION: [DURATION] days ([START_DATE] - [END_DATE])
AUTHORIZATION: Director Netherton, Priority [PRIORITY]
BUDGET: $[BUDGET] (surveillance, tech, analyst time)
═══════════════════════════════════════════════════════
MISSION OBJECTIVE:
Determine if [SUBJECT_NAME] maintains contact with
ENTROPY operatives or handlers. Visual confirmation
of suspicious meetings and behavior patterns.
═══════════════════════════════════════════════════════
SURVEILLANCE PHOTOGRAPHY - DAY 1
═══════════════════════════════════════════════════════
[PHOTO 1: UNUSUAL MEETING]
Location: [LOCATION] (Coffee shop, outdoor seating)
Date: [DATE], [TIME]
Camera: High-resolution telephoto (300mm)
Quality: EXCELLENT (clear facial features, good lighting)
SUBJECTS VISIBLE:
• [SUBJECT_NAME] - Target (left side of table)
• Unknown individual - [CONTACT_DESCRIPTION] (right side)
DESCRIPTION:
Meeting duration: 42 minutes
Body language: Serious discussion, no social pleasantries
Documents visible: Papers exchanged across table
Subject's demeanor: Nervous (observed touching face repeatedly)
Unknown individual: Confident, professional bearing
PHOTOGRAPHIC DETAILS:
- Both leaning in close (secretive conversation)
- [SUBJECT_NAME] looking around frequently (countersurveillance awareness)
- Unknown individual pointing at documents (giving instructions?)
- Paper documents visible but text not legible
- No coffee consumed (not social meeting)
BEHAVIORAL ANALYSIS:
✗ Meeting location unusual for [SUBJECT_NAME] (30 miles from home/work)
✗ Body language suggests stress/guilt
✗ Countersurveillance behavior (checking for followers)
✗ Document exchange (physical information transfer)
✗ Professional meeting disguised as casual coffee
RED FLAGS:
• Off-site location (avoiding workplace surveillance)
• Unknown contact (not in subject's social circle or colleagues)
• Document exchange (analog to avoid digital trail)
• Subject's nervous behavior (consciousness of wrongdoing)
• Duration/timing (41 minutes = substantive discussion)
───────────────────────────────────────────────────────
[PHOTO 2: DOCUMENT EXCHANGE]
Same Location: [LOCATION]
Same Date: [DATE], [TIME + 15 minutes]
Camera: Close-up telephoto zoom
Quality: GOOD (documents partially visible)
CAPTURED MOMENT:
[SUBJECT_NAME] sliding manila envelope across table
Unknown individual accepting envelope
Envelope appears to contain papers (thickness visible)
VISIBLE DETAILS:
- Envelope unmarked (no corporate branding)
- Approximately 20-30 pages based on thickness
- [SUBJECT_NAME]'s hand visibly trembling (stress/fear)
- Unknown individual nodding (confirmation received)
- Both glancing around (awareness of surveillance risk)
ANALYSIS:
Physical document transfer avoids:
→ Email monitoring (corporate IT)
→ Digital forensics trails
→ Cloud storage logging
→ Network activity detection
Classic tradecraft for covert information transfer.
───────────────────────────────────────────────────────
[PHOTO 3: CASH PAYMENT]
Same Location: [LOCATION]
Same Date: [DATE], [TIME + 28 minutes]
Camera: High-resolution capture
Quality: EXCELLENT (bills visible)
CAPTURED TRANSACTION:
Unknown individual handing envelope to [SUBJECT_NAME]
Envelope different from document envelope (smaller, white)
[SUBJECT_NAME] opening envelope briefly
Cash visible inside (bills appear to be $100 denominations)
OBSERVED BEHAVIOR:
- [SUBJECT_NAME] glancing inside quickly
- Immediate concealment (into jacket pocket)
- No counting of money (trusts amount)
- Relief visible in facial expression
- Handshake after payment
ESTIMATED AMOUNT:
Based on envelope size and visible bills: $2,000-$5,000
(Consistent with ENTROPY "installment payment" pattern)
SIGNIFICANCE:
Cash payment for documents = textbook espionage transaction
Pattern matches ENTROPY asset handling methodology
═══════════════════════════════════════════════════════
SURVEILLANCE PHOTOGRAPHY - DAY 5
═══════════════════════════════════════════════════════
[PHOTO 4: SUBJECT AT DEAD DROP LOCATION]
Location: [DEAD_DROP_LOCATION] (Public park, near bench #7)
Date: [DATE + 5 days], [TIME]
Camera: Long-range surveillance (500mm)
Quality: MEDIUM (distance ~200 meters)
OBSERVED ACTIVITY:
Subject walking through park (unusual for daily routine)
Stopped at specific bench (#7)
Appeared to place something under bench
Departed quickly without sitting
Total time at location: 47 seconds
DEAD DROP PROCEDURE (Classic):
1. Arrive at predetermined location
2. Deposit package/message
3. Leave immediately without lingering
4. Handler retrieves later (separate visit)
RECOVERY OPERATION:
Surveillance team recovered package after subject departed:
• USB flash drive (32GB, encrypted)
• Handwritten note: "Files from [SYSTEM_NAME] as requested"
• Note signed with [SUBJECT_NAME]'s initials
CRITICAL EVIDENCE:
Subject's own handwriting confirming data exfiltration
Physical USB drive proves ENTROPY dead drop usage
───────────────────────────────────────────────────────
[PHOTO 5: HANDLER RETRIEVAL]
Same Location: [DEAD_DROP_LOCATION]
Same Date: [DATE + 5 days], [TIME + 2 hours]
Camera: Different angle, concealed position
Quality: GOOD (facial features visible)
SUBJECT:
Unknown individual (SAME as coffee shop meeting!)
Arrived 2 hours after [SUBJECT_NAME]'s deposit
Retrieved package from under bench
Departed in [VEHICLE_DESCRIPTION]
CONFIRMATION:
Facial recognition match: 87% confidence
Same clothing as coffee shop meeting
Professional countersurveillance (checked surroundings)
Vehicle license plate captured: [PLATE_NUMBER] (rental car)
HANDLER IDENTIFICATION:
Subject's contact is confirmed ENTROPY handler
Using classic tradecraft (dead drops, cash payments)
Coordinating multiple assets (likely cell member)
═══════════════════════════════════════════════════════
SURVEILLANCE PHOTOGRAPHY - DAY 12
═══════════════════════════════════════════════════════
[PHOTO 6: SECOND MEETING AT DIFFERENT LOCATION]
Location: [SECOND_LOCATION] (Shopping mall food court)
Date: [DATE + 12 days], [TIME]
Camera: Concealed body camera (agent in proximity)
Quality: EXCELLENT (close range ~10 meters)
MEETING DETAILS:
Same unknown individual as before
Meeting duration: 18 minutes (brief check-in)
No visible document exchange (verbal communication only)
Cash payment observed again (smaller envelope)
AUDIO CAPTURED (Partial):
Agent positioned close enough to hear fragments:
[SUBJECT_NAME]: "...worried about the security audit..."
Handler: "...completely normal, don't panic..."
[SUBJECT_NAME]: "...access will be more difficult now..."
Handler: "...we can adjust timeline if needed..."
ANALYSIS:
Conversation references:
→ Security audit (possibly our investigation?)
→ Access difficulties (tightened controls working)
→ Timeline flexibility (operation in progress)
→ Handler providing reassurance (asset management)
───────────────────────────────────────────────────────
[PHOTO 7: COUNTERSURVEILLANCE BEHAVIOR]
Location: [SUBJECT_NAME]'s vehicle
Date: [DATE + 14 days], [TIME]
Camera: Traffic camera access
Quality: MEDIUM (standard traffic cam)
OBSERVED:
Subject taking circuitous route home after work
Multiple turns and backtracking
Stopped suddenly, waited, continued
Route added 45 minutes to normal commute
COUNTERSURVEILLANCE TECHNIQUES OBSERVED:
• Sudden direction changes
• Multiple U-turns
• Extended parking wait (watch for followers)
• Avoided direct route to destination
• Classic surveillance detection route (SDR)
SIGNIFICANCE:
Subject trained in countersurveillance by ENTROPY
Consciousness of potential surveillance
Professional operational security awareness
This is NOT amateur behavior. This is trained operative activity.
═══════════════════════════════════════════════════════
PATTERN ANALYSIS
═══════════════════════════════════════════════════════
MEETING FREQUENCY:
Week 1: Initial coffee shop meeting (Day 1)
Week 2: Dead drop communication (Day 5)
Week 3: Second in-person meeting (Day 12)
Pattern: Meetings every 5-7 days (weekly handler check-ins)
Consistent with ENTROPY asset handling protocol
LOCATION SELECTION:
• Different location each time (security)
• Public places with multiple exits
• 20-30 miles from subject's home/work
• Areas subject doesn't normally frequent
Pattern: Professional tradecraft, avoiding pattern establishment
PAYMENT STRUCTURE:
Meeting 1: Estimated $3,000-$5,000 (document payment)
Meeting 2: Estimated $1,000-$2,000 (check-in payment)
Total observed: ~$5,000 over 12 days
Projected: $10,000-$15,000 monthly if pattern continues
COMMUNICATION METHODS:
• In-person meetings (avoid digital surveillance)
• Physical dead drops (analog security)
• Cash payments (no banking trail)
• Document exchanges (no email trail)
Assessment: Sophisticated operational security maintained
═══════════════════════════════════════════════════════
HANDLER PROFILE
═══════════════════════════════════════════════════════
UNKNOWN INDIVIDUAL (ENTROPY HANDLER):
PHYSICAL DESCRIPTION:
• [GENDER], approximately [AGE] years old
• Height: [HEIGHT] (estimated from photos)
• Build: [BUILD]
• Hair: [HAIR_DESCRIPTION]
• Distinguishing features: [FEATURES]
• Clothing: Professional casual (blend in anywhere)
BEHAVIORAL INDICATORS:
• Confident bearing (experienced operator)
• Excellent situational awareness
• Professional countersurveillance
• Calm demeanor (not nervous like subject)
• Directive body language (giving orders)
VEHICLE:
• [VEHICLE_DESCRIPTION]
• License plate: [PLATE_NUMBER] (rental, fake ID used)
• Parked in areas allowing quick exit
• Changed vehicles twice (rental rotation)
COMMUNICATIONS SECURITY:
• Uses burner phones (observed discarding one)
• Cash transactions only
• No digital footprint visible
• Multiple fake identities suspected
THREAT ASSESSMENT: HIGH
This is professional ENTROPY cell member, possibly cell leader
Handles multiple assets (subject likely not their only contact)
Trained in intelligence tradecraft
Significant operational security discipline
═══════════════════════════════════════════════════════
CONCLUSIONS
═══════════════════════════════════════════════════════
EVIDENCE ASSESSMENT: STRONG
Photographic and surveillance evidence confirms:
✓ [SUBJECT_NAME] maintains regular contact with ENTROPY operative
✓ Physical exchange of documents for cash payment
✓ Usage of dead drop locations (USB drive recovery)
✓ Subject's handwriting on dead drop note
✓ Countersurveillance behavior (trained operative awareness)
✓ Pattern consistent with ENTROPY asset handling
✓ Weekly handler meetings with payment structure
CONFIDENCE LEVEL: 85%
Subject is actively operating as ENTROPY asset, providing
information/data in exchange for cash payments under
direction of experienced ENTROPY handler.
RECOMMENDATIONS:
OPTION 1: Arrest Both Subject and Handler
• Simultaneous takedown at next meeting
• Seize evidence (cash, documents, devices)
• Interrogate both separately
• Build case against cell
OPTION 2: Continue Surveillance
• Identify other assets handler manages
• Map complete cell network
• Build larger case before action
• Risk: Subject completes current operation
OPTION 3: Approach Subject with Evidence
• Show photos during interview
• "We know about your handler. We have photos."
• Offer cooperation vs. prosecution
• Use surveillance as leverage
RECOMMENDED: Option 3 (Leverage for cooperation)
Photos are compelling evidence difficult to deny
Subject's fear visible in photos (vulnerable to pressure)
Handler identification valuable intelligence
Turn subject into informant against cell
═══════════════════════════════════════════════════════
SURVEILLANCE TEAM NOTES:
[SUBJECT_NAME] is clearly uncomfortable with this activity.
Fear and stress visible in every meeting photo.
Not a professional operative - recruited asset under pressure.
The handler, however, is experienced professional.
Likely cell member with multiple assets under management.
Capturing handler would significantly disrupt cell operations.
Recommend showing [SUBJECT_NAME] the photos:
"You thought no one was watching. But we have everything.
Every meeting. Every payment. Your handler's face.
You can keep pretending, or you can help us.
What's it going to be?"
Prediction: Subject will cooperate when shown evidence.
- Agent 0x99, Surveillance Lead
═══════════════════════════════════════════════════════
CLASSIFICATION: SURVEILLANCE EVIDENCE - PHOTOGRAPHIC
DISTRIBUTION: Investigation team, legal counsel
HANDLING: Maintain photo chain of custody, proper authorization
═══════════════════════════════════════════════════════
```
---
## Gameplay Integration
**This Fragment Enables:**
**Visual Proof:**
- Photos harder to deny than digital evidence
- Subject's own handwriting on dead drop note
- Handler's face captured (can identify)
- Cash payments documented
- Pattern of meetings established
**Confrontation Impact:**
```
Player shows photos during interrogation:
"This is you, [SUBJECT_NAME]. Meeting your handler.
This photo - you're passing documents.
This one - receiving cash payment.
This one - your handwritten note at the dead drop.
We have dates, times, locations. Your handler's face.
You can't talk your way out of photographs.
So let's skip the denials. Tell us about your handler."
```
**Player Choices:**
**SHOW PHOTOS IMMEDIATELY:**
- High impact confrontation
- Subject rattled by visual proof
- 75% cooperation likelihood
- Quick resolution
**HOLD PHOTOS IN RESERVE:**
- Let subject lie first
- Catch them in contradictions
- Then reveal photos (devastation)
- 85% cooperation (broken by own lies + photos)
**USE FOR HANDLER IDENTIFICATION:**
- Facial recognition on handler photos
- Vehicle tracking via plate number
- Pattern analysis for next meeting
- Attempt to arrest both simultaneously
---
## Success Metrics
**Evidence Value:**
- Photos alone: 50% (suspicious but could be explained)
- Photos + financial records: 80% (payments match meetings)
- Photos + access logs: 85% (timing correlates with data theft)
- Photos + encrypted comms + financial + access: 95%
**Cooperation Likelihood:**
- Text evidence only: 50% cooperation
- Financial evidence: 60% cooperation
- Surveillance photos: 75% cooperation (harder to deny)
- All evidence combined: 90% cooperation
**Handler Capture Value:**
- Handler ID'd: +Intelligence on cell structure
- Handler arrested: Major cell disruption
- Handler turned: Complete cell compromise (rare)
---
## Template Substitution Guide
**Replace placeholders:**
```
[SUBJECT_NAME] → NPC name
[POSITION] → Job title
[CONTACT_DESCRIPTION] → Handler description (e.g., "Male, 35-40, professional attire")
[LOCATION] → Meeting location (e.g., "Riverside Coffee House")
[DATE], [TIME] → Appropriate timestamps
[OPERATION_CODE_NAME] → Surveillance op name
[DURATION] → Days of surveillance (e.g., "14 days")
[BUDGET] → Surveillance cost (e.g., "$47,000")
[DEAD_DROP_LOCATION] → Park, parking lot, etc.
[SYSTEM_NAME] → System data came from
[VEHICLE_DESCRIPTION] → Handler's vehicle
[PLATE_NUMBER] → License plate
[SECOND_LOCATION] → Different meeting spot
```
**Photo Description Templates:**
```
Coffee Shop Meeting:
"Outdoor seating, telephoto lens, both visible in profile,
document exchange captured, nervous body language visible"
Dead Drop:
"Park bench #7, subject depositing package, 47 seconds at location,
USB drive recovered, handwritten note with initials"
Payment:
"Cash envelope visible, $100 bills, quick concealment,
relief in facial expression, handshake afterward"
Handler Retrieval:
"Same location 2 hours later, same individual from first meeting,
package retrieval, vehicle departure, license plate captured"
```
---
## Related Evidence Combination
**Optimal Evidence Set:**
1. **Surveillance photos** (this fragment) → WHO they met
2. **Financial records** (TEMPLATE_002) → PAYMENT received
3. **Access logs** (TEMPLATE_003) → WHAT they stole
4. **Encrypted comms** (TEMPLATE_001) → COORDINATION details
**Evidence Chain:**
```
Encrypted email → Arranges meeting
Surveillance photo → Documents meeting occurred
Access logs → Shows data theft timing matches meeting
Financial records → Payment received after theft
Dead drop photo → Physical data transfer captured
Handler photo → ENTROPY operative identified
```
**Overwhelming Evidence:**
When presented together, subject has no defense.
Each piece corroborates the others.
Cooperation becomes only logical choice.
---
**CLASSIFICATION:** EVIDENCE TEMPLATE - SURVEILLANCE
**PRIORITY:** HIGH (Visual proof compelling)
**REUSABILITY:** High (works for any handler-asset relationship)
**LEGAL VALUE:** Excellent (photos highly admissible)
**PSYCHOLOGICAL VALUE:** Excellent (harder to deny than text)
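Review bot: The HANDLER PROFILE block uses [GENDER], [AGE], [HEIGHT], [BUILD], [HAIR_DESCRIPTION] and [FEATURES], but the Template Substitution Guide lists none of them, so a substitution pass driven by the guide would ship this fragment with raw brackets in the physical description. Either add those six placeholders to the guide or build the description from the [CONTACT_DESCRIPTION] value the guide already defines. Separately, the report body states "CONFIDENCE LEVEL: 85%" while Success Metrics gives "Photos alone: 50%"; state which figure the game logic uses, or note that 85% is the in-fiction analyst's estimate, so scenario authors do not have to guess.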


@@ -0,0 +1,575 @@
# TEMPLATE: Handwritten Notes and Physical Evidence
**Fragment ID:** EVIDENCE_AGENT_ID_005
**Gameplay Function:** Agent Identification Evidence (Physical)
**Evidence Type:** Handwritten document, personal notes
**Rarity:** Common
**Substitution Required:** [SUBJECT_NAME], [HANDLER_CODENAME], [MEETING_LOCATION]
---
## Evidence Summary
**Item:** Handwritten notes recovered from subject's personal effects
**Subject:** [SUBJECT_NAME]
**Evidence Quality:** HIGH (subject's own handwriting, direct confession)
**Admissibility:** HIGH (physical evidence with chain of custody)
---
## Recovered Physical Evidence
```
╔═══════════════════════════════════════════════════════╗
║ EVIDENCE RECOVERY REPORT ║
║ Physical Document Analysis ║
╚═══════════════════════════════════════════════════════╝
EVIDENCE ID: PHYS-[EVIDENCE_NUMBER]
RECOVERY DATE: [CURRENT_DATE]
RECOVERY LOCATION: [SUBJECT_NAME]'s desk drawer (work)
RECOVERED BY: Agent 0x99 "HAXOLOTTLE"
AUTHORIZATION: Search warrant #[WARRANT_NUMBER]
DESCRIPTION:
Handwritten notes on yellow legal pad pages (3 pages)
Torn from larger notepad, edges ragged
Blue ink, ballpoint pen
Subject's handwriting (verified by comparison samples)
CHAIN OF CUSTODY:
[CURRENT_DATE] 14:23 - Discovered by Agent 0x99
[CURRENT_DATE] 14:47 - Photographed in situ
[CURRENT_DATE] 15:12 - Bagged and tagged (Evidence locker #447)
[CURRENT_DATE] 16:30 - Handwriting analysis (confirmed match)
STATUS: Preserved as evidence, copies made for investigation
```
---
## Handwritten Note - Page 1
```
[IMAGE: Photo of handwritten note on yellow legal pad paper]
[TRANSCRIPTION - Exact text as written, including errors/strikeouts]
Meeting notes - [DATE]
THINGS TO REMEMBER:
- [HANDLER_CODENAME] wants access to [SYSTEM_NAME] by next week
- Password for [SYSTEM]: [REDACTED] (wrote it down - delete this!)
- Files to copy:
* Customer database (all records)
* Network diagrams
* Employee info spreadsheet
* Email backup from [EXECUTIVE_NAME]
PAYMENT: $[AMOUNT] on completion
(Need this for student loans - almost there!)
Next meeting: [MEETING_LOCATION], [DATE], [TIME]
Code word if problems: "The project is delayed"
DON'T FORGET TO:
- Clear browser history after each session
- Use VPN from home
- USB drive hidden in [HIDING_LOCATION]
- Delete these notes after memorizing!!!
[Several lines scratched out heavily - attempted concealment]
Feeling sick about this. But what choice do I have?
$[DEBT_AMOUNT] in debt. Can't keep living like this.
[HANDLER_CODENAME] says it's just "competitive intelligence"
Not really hurting anyone... right?
[Bottom of page has doodles - nervous energy visible]
```
---
## Analysis: Page 1
**CRITICAL EVIDENCE ELEMENTS:**
🔴 **Direct Admission of Activity**
- "Files to copy" - consciousness of data theft
- Lists specific systems and data targets
- Acknowledges payment for services
- Planning future meeting with handler
🔴 **Handler Reference**
- "[HANDLER_CODENAME]" - ENTROPY operative designation
- Subject takes instructions from external party
- Codename suggests operational security awareness
🔴 **Operational Details**
- Specific system names and access methods
- Password written down (poor OPSEC but great evidence)
- File exfiltration plan documented
- USB drive location noted
🔴 **Payment Information**
- "$[AMOUNT] on completion" - quid pro quo documented
- Financial motivation explicitly stated
- Student loan debt referenced (recruitment vector)
🔴 **Security Evasion Tactics**
- "Clear browser history"
- "Use VPN from home"
- "Delete these notes" (consciousness of wrongdoing)
- Hiding physical evidence (USB drive)
🔴 **Guilty Knowledge**
- "Feeling sick about this" - knows it's wrong
- "What choice do I have?" - rationalization
- Handler's reassurance ("just competitive intelligence")
- Self-doubt visible ("Not really hurting anyone... right?")
---
## Handwritten Note - Page 2
```
[IMAGE: Photo of second page, different date]
[TRANSCRIPTION]
After meeting with [HANDLER_CODENAME] - [LATER_DATE]
THEY WANT MORE:
- [NEW_SYSTEM] access (don't have clearance for this!)
- Told them might be difficult
- [HANDLER_CODENAME] said "find a way" - sounded threatening?
- Offered another $[AMOUNT_2] if I get it
FEELING WORSE:
This isn't what I signed up for
Thought it would be one-time thing
Now they keep asking for more
What if I get caught?
What if I refuse and they expose me?
MEETING NOTES:
- [HANDLER_CODENAME] asked about security audit happening
- Seemed worried about it
- Told me to "act normal" and "don't panic"
- Gave me encrypted phone number: [PHONE_NUMBER]
(Only for emergencies - burner phone)
PAYMENT RECEIVED:
$[PREVIOUS_AMOUNT] - cash, small bills
Paid off credit card #1
Still owe $[REMAINING_DEBT]
They have me trapped. Can't stop now.
If I refuse, they threaten to tell [ORGANIZATION].
I'd be fired. Maybe arrested.
Have to keep going...
[Heavy pen marks - stress visible in writing pressure]
Maybe I should talk to someone? But who?
Can't tell [FRIEND_NAME] - they'd be horrified
Can't tell work - I'd be fired immediately
Can't tell police - I'd go to jail
STUCK.
[Last line heavily scratched out but still partially visible:
"What have I done"]
```
---
## Analysis: Page 2
**ESCALATION PATTERN:**
🔴 **Increasing Demands**
- "They want more" - scope creep
- System beyond clearance level (escalation)
- Handler "sounded threatening" (coercion emerging)
- Can't refuse without consequences
🔴 **Emotional Deterioration**
- "FEELING WORSE" (capitalized - emphasis)
- "Wasn't what I signed up for"
- Explicit fear of being caught
- Recognition of being trapped
🔴 **Coercion Evidence**
- "If I refuse they threaten to tell [ORGANIZATION]"
- Subject feels unable to stop
- Fear of exposure keeping them compliant
- Classic ENTROPY asset control tactic
🔴 **Handler Security Concerns**
- Handler worried about security audit (our investigation?)
- Gave burner phone number (emergency contact)
- Instructions to "act normal" (aware of surveillance risk)
🔴 **Payment Tracking**
- Specific amount documented
- Used for debt payoff (confirmation of financial motive)
- Remaining debt noted (ongoing vulnerability)
🔴 **Isolation**
- Can't tell friends (social isolation)
- Can't tell work (professional isolation)
- Can't tell police (legal isolation)
- Psychological trap documented in own words
---
## Handwritten Note - Page 3
```
[IMAGE: Photo of third page, most recent date]
[TRANSCRIPTION - Writing appears rushed, stressed]
[RECENT_DATE] - THINGS GETTING WORSE
Security is tightening at work
[IT_SECURITY_NAME] asking questions about access logs
Trying to stay calm but panicking inside
[HANDLER_CODENAME] wants me to:
1. Get [EXECUTIVE_NAME]'s emails (IMPOSSIBLE - don't have access)
2. Network diagrams (already gave these??)
3. Something about "SCADA systems" - don't even know what that means
THEY'RE PUSHING TOO HARD
Last payment only $[REDUCED_AMOUNT] - said it's "installment"
Was supposed to be $[PROMISED_AMOUNT]
Are they cheating me now too?
Meeting got scary:
[HANDLER_CODENAME] mentioned "permanent solutions for loose ends"
When I asked what that meant, they just smiled
AM I A LOOSE END??
Found out they're not even "competitive intelligence"
Overheard [HANDLER_CODENAME] on phone: "ENTROPY cell needs..."
WHAT IS ENTROPY??
Googled it - sounds like criminal organization
OH GOD WHAT HAVE I GOTTEN INTO
CONSIDERING OPTIONS:
1. Keep going - might get caught, might get hurt
2. Refuse - they expose me, I lose everything
3. Run - they'd find me?
4. Go to police - I'd go to jail but maybe safer?
5. Talk to [ORGANIZATION] security? Would they help or arrest me?
DON'T KNOW WHAT TO DO
If someone finds these notes: I'm sorry. I made terrible choices.
Started because of debt. Kept going because of fear.
I know it's wrong. I know I hurt people.
But I'm scared and don't know how to get out.
If you're reading this, please help me.
[Phone number written at bottom:]
[ORGANIZATION] Security Hotline: [SECURITY_NUMBER]
(Should I call? Too scared. But maybe...)
[Final line, barely legible:]
"Please let this end somehow"
[EVIDENCE NOTE: This page was on top of stack, most recent entry]
```
---
## Analysis: Page 3
**CRITICAL DEVELOPMENTS:**
🔴 **Handler Becoming Threatening**
- "Permanent solutions for loose ends" - death threat implication
- Subject recognizes danger to self
- Handler reducing payments (exploitation)
- Coercion escalating to potential violence
🔴 **Discovery of True Nature**
- Overheard "ENTROPY cell" reference
- Subject researched ENTROPY
- Realization they're involved with criminals
- "OH GOD WHAT HAVE I GOTTEN INTO" - genuine shock
🔴 **Desperate Consideration of Options**
- Explicitly considering coming forward
- Recognizes jail as possibility
- Still paralyzed by fear
- Reaching toward help but unable to commit
🔴 **Cry for Help**
- "If you're reading this, please help me"
- Security hotline number written down
- "Should I call? Too scared."
- Subject wants out but doesn't know how
🔴 **Remorse and Self-Awareness**
- "I made terrible choices"
- "I know I hurt people"
- "I know it's wrong"
- Genuine guilt and regret documented
---
## Forensic Analysis
```
═══════════════════════════════════════════════════════
HANDWRITING ANALYSIS REPORT
═══════════════════════════════════════════════════════
ANALYST: Forensic Document Examiner, SAFETYNET Lab
SAMPLES COMPARED: Known exemplars from [SUBJECT_NAME]'s
employment records, signatures, forms
CONCLUSION: DEFINITIVE MATCH
Handwriting characteristics consistent across all samples:
✓ Letter formation (unique 'g' and 'y' descenders)
✓ Pen pressure patterns (heavy initial strokes)
✓ Slant and spacing (consistent rightward 15° slant)
✓ Baseline consistency
✓ Unique character formations ('e', 'a', 'r')
PROBABILITY: 99.7% that notes written by [SUBJECT_NAME]
ADDITIONAL OBSERVATIONS:
• Pen pressure increases in stressed sections (visible anxiety)
• Writing becomes more hurried/less legible over time
• Scratch-outs indicate attempts at concealment
• Doodles/pressure marks indicate nervous energy
• Ink testing: Blue ballpoint, same pen throughout
EVIDENCE INTEGRITY: EXCELLENT
Notes are authentic, unaltered, written by subject.
═══════════════════════════════════════════════════════
```
---
## Legal Assessment
```
═══════════════════════════════════════════════════════
PROSECUTORIAL ANALYSIS
═══════════════════════════════════════════════════════
From: Federal Prosecutor's Office
Re: Evidence value of recovered handwritten notes
ADMISSIBILITY: VERY HIGH
These notes constitute direct confession written by
subject's own hand. Elements present:
✓ Subject's own handwriting (verified by forensic analysis)
✓ Specific admission of criminal activity
✓ Documentation of quid pro quo (services for payment)
✓ Knowledge of wrongdoing (guilty conscience expressed)
✓ Operational details (systems, methods, targets)
✓ Handler identification (ENTROPY operative)
✓ Payment records (money laundering evidence)
LEGAL STRENGTH:
Confession in writing is powerful evidence:
• No Miranda issues (not custodial interrogation)
• No coercion by law enforcement (spontaneous)
• Subject's own words incriminating themselves
• Corroborates other evidence (financial, technical)
• Demonstrates consciousness of guilt
However, notes also show:
• Coercion by ENTROPY (threatens subject)
• Fear and remorse (victim characteristics)
• Desire for help (reaching toward authorities)
• Financial desperation (mitigating factor)
RECOMMENDATION:
Use notes as leverage for cooperation, not prosecution.
Subject is scared, remorseful, and wants out.
Show them the notes:
"We found your notes. We know everything. We know you're
scared. We know they threatened you. We can help. But you
need to help us first."
Cooperation probability: 95%
Prosecution without cooperation: Unnecessary (better uses for this evidence)
Notes make subject perfect witness against ENTROPY:
• Credible (genuine fear and remorse)
• Detailed (operational knowledge documented)
• Motivated (wants to escape ENTROPY control)
Turn them. Don't prosecute them.
═══════════════════════════════════════════════════════
```
---
## Gameplay Integration
**This Fragment Enables:**
**Devastating Confrontation:**
```
Agent places notes on interrogation table:
"We found your notes, [SUBJECT_NAME].
In your own handwriting.
'Files to copy... Payment $[AMOUNT]... Delete these notes.'
You documented everything. Your meetings with [HANDLER_CODENAME].
The systems you accessed. The payments you received.
And this: 'Please help me.' You wrote that.
We're here to help. But first, you need to tell us everything."
```
**Empathetic Approach Enabled:**
```
"We read all three pages. We know you're scared.
We know they threatened you with 'permanent solutions.'
We know you want out.
That security hotline number you wrote down? Consider this us
calling you instead.
We can protect you from ENTROPY. We can help with your debt.
We can make this right.
But we need your full cooperation. Everything about [HANDLER_CODENAME].
Everything about what they wanted. Everything about ENTROPY.
Will you help us?"
```
**Player Choices:**
**SHOW NOTES IMMEDIATELY:**
- Maximum emotional impact
- Subject realizes everything documented
- 95% cooperation likelihood
- Compassionate approach available
**USE NOTES AS LEVERAGE:**
- Build case with other evidence first
- Show notes as final proof
- Subject has no defense remaining
- 90% cooperation (through overwhelming evidence)
**OFFER HELP BASED ON NOTES:**
- Reference their cry for help
- Show notes prove they want out
- Emphasize protection from ENTROPY
- 95% cooperation (relief at rescue)
---
## Success Metrics
**Evidence Value:**
- Handwritten notes alone: 80% (self-incrimination)
- Notes + financial records: 95% (payment confirmation)
- Notes + access logs: 95% (activity confirmation)
- Notes + surveillance: 98% (complete picture)
- All evidence combined: 99.9% (overwhelming)
**Cooperation Likelihood:**
- Notes showing guilt: 85% (fear of prosecution)
- Notes showing fear of ENTROPY: 90% (protection offer)
- Notes showing cry for help: 95% (rescue opportunity)
- Empathetic approach: 98% (genuine care shown)
**Psychological Impact:**
- Subject's own words used against them: High impact
- Recognition they documented everything: Devastating
- Cry for help acknowledged: Relief and cooperation
- Protection from ENTROPY offered: Gratitude
---
## Template Substitution Guide
**Replace placeholders:**
```
[SUBJECT_NAME] → NPC name
[HANDLER_CODENAME] → Handler's code designation (e.g., "Phoenix", "Architect", "Alpha-07")
[SYSTEM_NAME] → System accessed (e.g., "Customer Database", "Finance Server")
[AMOUNT] → Payment amount
[DATE], [TIME] → Appropriate dates and times
[MEETING_LOCATION] → Meeting place
[ORGANIZATION] → Company name
[EXECUTIVE_NAME] → Target executive
[DEBT_AMOUNT] → Subject's total debt
[PHONE_NUMBER] → Burner phone number
[HIDING_LOCATION] → Where USB drive hidden
[IT_SECURITY_NAME] → IT security person's name
[SECURITY_NUMBER] → Organization security hotline
```
**Emotional Progression:**
```
Page 1: Nervous but rationalizing ("just competitive intelligence")
Page 2: Trapped and afraid ("they have me trapped")
Page 3: Desperate for escape ("please help me")
Arc: Willing participant → Coerced asset → Victim seeking rescue
```
---
## Related Evidence Combination
**Optimal Evidence Set (All Templates Together):**
1. **Encrypted comms** (TEMPLATE_001) → Initial contact
2. **Financial records** (TEMPLATE_002) → Payments match notes
3. **Access logs** (TEMPLATE_003) → Activity matches notes
4. **Surveillance photos** (TEMPLATE_004) → Meetings documented
5. **Handwritten notes** (this) → Subject's confession in own words
**Complete Evidence Chain:**
```
Encrypted email arranges meeting
Surveillance photo documents meeting occurred
Handwritten notes describe what handler wanted
Access logs show subject accessed those exact systems
Financial records show payment received as noted
Handwritten notes express guilt and fear
Overwhelming evidence = cooperation inevitable
```
---
**CLASSIFICATION:** EVIDENCE TEMPLATE - PHYSICAL
**PRIORITY:** VERY HIGH (Self-incrimination in writing)
**REUSABILITY:** High (works for any documentary evidence)
**LEGAL VALUE:** Excellent (handwriting verified, admissible)
**PSYCHOLOGICAL VALUE:** Maximum (subject's own words, genuine emotion)
**COOPERATION VALUE:** Excellent (empathy possible, rescue narrative)
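Review bot: Page 1 mixes two spellings of the same placeholder, "[SYSTEM_NAME]" in the access line and "[SYSTEM]" in the password line, and only [SYSTEM_NAME] is in the Template Substitution Guide, so the password line would keep its brackets after substitution; rename it to [SYSTEM_NAME]. The guide and the "Substitution Required" header also omit placeholders the body depends on: [EVIDENCE_NUMBER], [CURRENT_DATE], [WARRANT_NUMBER], [LATER_DATE], [RECENT_DATE], [NEW_SYSTEM], [AMOUNT_2], [PREVIOUS_AMOUNT], [REMAINING_DEBT], [REDUCED_AMOUNT], [PROMISED_AMOUNT] and [FRIEND_NAME]; list them with example values so every bracketed token has a documented source. Last, the Page 2 analysis quotes "Wasn't what I signed up for", but the note itself reads "This isn't what I signed up for"; since the analysis presents these as the subject's exact words, make the quotation match the transcription.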


@@ -0,0 +1,846 @@
# Evidence Template Catalog - ENTROPY Agent Identification
**Purpose:** Reusable evidence templates for identifying NPCs as ENTROPY agents/assets
**Location:** `story_design/lore_fragments/by_gameplay_function/evidence_prosecution/`
**Template Count:** 5 comprehensive evidence types
**Substitution System:** [PLACEHOLDER] format for runtime NPC assignment
---
## Template System Overview
### How Templates Work
Each template is a **complete evidence fragment** with placeholder variables that can be substituted at game runtime with specific NPC names, organizations, dates, and other contextual details.
**Template Format:**
```markdown
[SUBJECT_NAME] → Actual NPC name
[ORGANIZATION] → Company/organization name
[POSITION] → Job title/role
[AMOUNT] → Dollar amounts
[DATE] → Appropriate game timeline dates
```
**Usage in Game:**
1. Select template based on evidence type needed
2. Substitute all [PLACEHOLDER] variables with scenario-specific values
3. Adjust details to match NPC's role and storyline
4. Deploy as discoverable LORE fragment
---
## The Five Evidence Templates
### 1. TEMPLATE_AGENT_ID_001: Encrypted Communications
**File:** `TEMPLATE_AGENT_ID_001_encrypted_comms.md`
**Evidence Type:** Digital - Suspicious encrypted email communications
**What It Provides:**
- Intercepted PGP-encrypted email from corporate account to ProtonMail
- After-hours communication (23:47 timestamp)
- References to "payment arrangement" and "documentation transfer"
- Security policy violations (encryption on corporate email)
- References to bypassing security procedures
**Substitution Variables:**
- [SUBJECT_NAME] - NPC's name
- [ORGANIZATION] - Company name
- [POSITION] - Job title
- [CURRENT_DATE] - Appropriate game date
**Red Flags Documented:**
🚩 Encrypted communication from work email (policy violation)
🚩 ProtonMail recipient (anonymous service)
🚩 After-hours timing (secretive)
🚩 "Payment arrangement confirmed" (financial transaction)
🚩 Security audit bypass offer (insider threat)
🚩 "Documentation transfer via agreed method" (covert exfiltration)
**Evidence Strength:**
- Alone: 40% confidence (circumstantial)
- + Financial records: 75% confidence
- + Access logs: 65% confidence
- + All evidence types: 90% confidence
**Best Used For:**
- Initial suspicion flag
- Corporate infiltration scenarios
- Data exfiltration cases
- Insider threat identification
**Gameplay Integration:**
- Triggers investigation unlock on NPC
- Enables surveillance mission
- Requires corroboration for action
- Multiple approach choices (immediate confrontation vs. continued monitoring)
---
### 2. TEMPLATE_AGENT_ID_002: Financial Records
**File:** `TEMPLATE_AGENT_ID_002_financial_records.md`
**Evidence Type:** Financial - Suspicious bank transactions and cryptocurrency activity
**What It Provides:**
- Complete forensic analysis of NPC's financial records
- Employment verification and salary baseline
- Suspicious cash deposits ($25K-$75K range, ENTROPY payment pattern)
- Cryptocurrency wallet activity linked to ENTROPY master wallet
- Shell company connections
- Offshore account activity
- Lifestyle vs. income discrepancy analysis
**Substitution Variables:**
- [SUBJECT_NAME] - NPC's name
- [ORGANIZATION] - Employer
- [POSITION] - Job title
- [SALARY] - Base salary
- [AMOUNT] - Payment amounts
- [DATE] - Transaction dates
**Red Flags Documented:**
🚩 Unexplained cash deposits (15-30% above salary)
🚩 Cryptocurrency transactions to known ENTROPY wallet
🚩 Shell company payments (obfuscation)
🚩 Offshore transfers (tax evasion, hiding wealth)
🚩 Timing correlation with data breaches
🚩 Lifestyle inflation (new car, debt payoff)
**Financial Timeline Example:**
```
March 15: Cash deposit $42,000 (source unknown)
March 18: Cryptocurrency transfer to ENTROPY master wallet
March 20: Student loan payment $15,000
April 2: Cash deposit $38,000
April 5: New vehicle purchase $45,000 (cash)
```
**Evidence Strength:**
- Alone: 60% confidence (strong suspicion)
- + Encrypted comms: 75% confidence
- + Access logs: 95% confidence (quid pro quo proven)
- + All evidence types: 98% confidence
**Best Used For:**
- Proving payment for services (quid pro quo)
- Asset recruitment scenarios (financial desperation)
- Money laundering investigations
- Connecting to ENTROPY financial network
**Gameplay Integration:**
- Unlocks financial forensics mission
- Enables asset seizure actions
- Shows ENTROPY payment patterns
- Creates leverage opportunity (financial crimes)
---
### 3. TEMPLATE_AGENT_ID_003: Access Logs
**File:** `TEMPLATE_AGENT_ID_003_access_logs.md`
**Evidence Type:** Technical - Unauthorized system access patterns
**What It Provides:**
- Comprehensive IT audit of NPC's system activity
- 5 documented security incidents with technical details
- Pattern analysis showing reconnaissance → access → exfiltration → cover-up
- Behavioral analysis (after-hours access, weekend activity)
- Technical evidence (PowerShell exploitation, USB usage)
- Data exfiltration proof (1.2GB transferred to USB)
**Substitution Variables:**
- [SUBJECT_NAME] - NPC's name
- [POSITION] - Job title/role
- [SYSTEM_NAME] - Accessed systems
- [DATA_TYPE] - Type of data stolen
- [FILE_COUNT] - Number of files accessed
- [DATE], [TIME] - Activity timestamps
**Incidents Documented:**
1. **Sensitive Database Access** (after hours, no business need)
2. **Network Infrastructure Mapping** (weekend, reconnaissance)
3. **HR Database Access** (500+ employee records, PII theft)
4. **Executive Email Access** (PowerShell exploitation, privilege escalation)
5. **USB Device Usage** (data exfiltration, 1.2GB, 847 files)
**Technical Details:**
- PowerShell commands used (Get-MailboxPermission, Add-MailboxPermission)
- Database queries executed (SELECT * FROM sensitive_tables)
- Network mapping tools (Nmap, NetDiscover patterns)
- USB device IDs and transfer volumes
- Deletion attempts (ClearEventLog commands)
**Evidence Strength:**
- Alone: 70% confidence (technical proof)
- + Financial records: 95% confidence (motive + activity)
- + Encrypted comms: 85% confidence (coordination proven)
- + All evidence types: 98% confidence
**Best Used For:**
- Data breach investigations
- Proving unauthorized access
- Technical espionage scenarios
- Demonstrating pattern of malicious activity
**Gameplay Integration:**
- Unlocks technical analysis mission
- Shows what data was compromised
- Creates urgency (active exfiltration)
- Enables immediate access suspension
---
### 4. TEMPLATE_AGENT_ID_004: Surveillance Photos
**File:** `TEMPLATE_AGENT_ID_004_surveillance_photos.md`
**Evidence Type:** Physical - Photographic surveillance and behavioral observation
**What It Provides:**
- Complete 14-day surveillance operation report
- 7 photographic scenarios with detailed descriptions
- Handler identification and profiling
- Pattern analysis (meeting frequency, locations, payment structure)
- Countersurveillance behavior documentation
- Dead drop usage evidence
- Behavioral indicators analysis
**Substitution Variables:**
- [SUBJECT_NAME] - NPC being surveilled
- [POSITION] - Job title
- [CONTACT_DESCRIPTION] - Handler's physical description
- [LOCATION] - Meeting locations
- [DATE], [TIME] - Surveillance timestamps
- [VEHICLE_DESCRIPTION] - Handler's vehicle
- [OPERATION_CODE_NAME] - Surveillance op name
**7 Photo Scenarios:**
**Photo 1-3: Initial Meeting**
- Coffee shop, 42-minute meeting
- Document exchange (manila envelope, 20-30 pages)
- Cash payment ($2K-$5K, visible $100 bills)
- Subject's nervous behavior documented
**Photo 4-5: Dead Drop**
- Subject depositing USB drive at park bench
- Handwritten note: "Files from [SYSTEM] as requested"
- Handler retrieval 2 hours later (same person from meeting)
- Confirms operational tradecraft
**Photo 6: Follow-up Meeting**
- Different location (shopping mall food court)
- Verbal communication (partial audio captured)
- Smaller cash payment
- Security audit discussion overheard
**Photo 7: Countersurveillance**
- Subject taking circuitous route home
- Multiple U-turns and backtracking
- 45 minutes added to commute
- Professional SDR (surveillance detection route)
**Handler Profile Provided:**
- Physical description template
- Vehicle information (license plate, rental rotation)
- Behavioral indicators (experienced operator)
- Threat assessment (likely cell leader)
**Evidence Strength:**
- Alone: 50% confidence (suspicious but explainable)
- + Financial records: 80% confidence (payments match meetings)
- + Access logs: 85% confidence (timing correlates)
- + All evidence types: 95% confidence
**Best Used For:**
- Visual proof of handler contact
- Handler identification missions
- Pattern establishment (regular meetings)
- Demonstrating tradecraft (dead drops, countersurveillance)
**Gameplay Integration:**
- Unlocks surveillance mission type
- Enables simultaneous handler/asset arrest
- Facial recognition on handler
- Creates "show the photos" confrontation option
---
### 5. TEMPLATE_AGENT_ID_005: Physical Evidence
**File:** `TEMPLATE_AGENT_ID_005_physical_evidence.md`
**Evidence Type:** Physical - Handwritten notes and personal documents
**What It Provides:**
- 3-page handwritten note progression
- Forensic handwriting analysis report
- Legal prosecutorial assessment
- Emotional journey documentation
- Complete chain of custody
- Self-incrimination in subject's own words
**Substitution Variables:**
- [SUBJECT_NAME] - NPC's name
- [HANDLER_CODENAME] - Handler's operational designation
- [MEETING_LOCATION] - Where meetings occur
- [SYSTEM_NAME] - Systems accessed
- [AMOUNT] - Payment amounts
- [DEBT_AMOUNT] - Subject's financial pressure
- [ORGANIZATION] - Company name
**3-Page Emotional Progression:**
**Page 1: Initial Instructions (Nervous Rationalization)**
```
Meeting notes with [HANDLER_CODENAME]
- Files to copy: Customer database, Network diagrams, Employee info
- Payment: $[AMOUNT] on completion
- "Feeling sick about this. But what choice do I have?"
- "[HANDLER] says it's just 'competitive intelligence'"
- "Not really hurting anyone... right?"
- "Delete these notes after memorizing!!!"
```
**Page 2: Escalation (Feeling Trapped)**
```
After meeting - THEY WANT MORE
- [NEW_SYSTEM] access (don't have clearance!)
- Told them might be difficult
- [HANDLER] sounded threatening
- "They have me trapped. Can't stop now."
- "If I refuse, they threaten to tell [ORGANIZATION]"
- "What have I done"
```
**Page 3: Desperation (Cry for Help)**
```
THINGS GETTING WORSE
- Security tightening at work
- [HANDLER] mentioned "permanent solutions for loose ends"
- AM I A LOOSE END??
- Overheard [HANDLER] on phone: "ENTROPY cell needs..."
- WHAT IS ENTROPY?? OH GOD WHAT HAVE I GOTTEN INTO
- "If someone finds these notes: please help me."
- [ORGANIZATION] Security Hotline: [NUMBER]
- "Should I call? Too scared. But maybe..."
- "Please let this end somehow"
```
**Forensic Analysis Included:**
- Handwriting verification (99.7% match)
- Pen pressure analysis (stress visible)
- Writing deterioration over time
- Scratch-out attempts (concealment)
- Ink testing (same pen throughout)
**Legal Assessment:**
- Admissibility: VERY HIGH (spontaneous confession)
- No Miranda issues (not custodial interrogation)
- Subject's own words incriminating
- Demonstrates consciousness of guilt
- Shows coercion by ENTROPY (victim characteristics)
**Recommended Use:**
"Use notes as leverage for cooperation, not prosecution.
Subject is scared, remorseful, and wants out."
**Evidence Strength:**
- Alone: 80% confidence (self-incrimination)
- + Financial records: 95% confidence (payment confirmation)
- + Access logs: 95% confidence (activity confirmation)
- + Surveillance: 98% confidence (complete picture)
- + All evidence: 99.9% confidence (overwhelming)
**Best Used For:**
- Devastating confrontation ("Your own handwriting")
- Empathetic approach enabled (subject wants help)
- High cooperation likelihood (95% with compassionate approach)
- Emotional player investment (human story)
**Gameplay Integration:**
- Creates powerful interrogation moment
- Enables multiple approach paths:
- Show notes immediately (95% cooperation)
- Use as leverage after lies (90% cooperation)
- Offer help based on cry for help (98% cooperation)
- Provides moral complexity (victim vs. perpetrator)
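Review bot: The Page 1-3 note text uses placeholders that are not declared under "Substitution Variables" for TEMPLATE_AGENT_ID_005. Page 1 opens with [HANDLER_CODENAME] but then switches to [HANDLER], Page 2 introduces [NEW_SYSTEM], and Page 3 uses [NUMBER]; none of these three appear in the variable list. A scenario author who fills in only the listed variables would leave them unreplaced in the rendered notes. Either use [HANDLER_CODENAME] throughout the page text, or add [HANDLER], [NEW_SYSTEM] and [NUMBER] to the list with descriptions.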
---
## Evidence Combination Strategies
### Optimal Evidence Chain
The templates are designed to work together in a **progressive revelation** pattern:
```
SEQUENCE 1: Discovery Path
├─ Encrypted Comms (Initial Suspicion)
│ └─ Triggers investigation unlock
├─ Financial Records (Motive Proven)
│ └─ Shows payments for services
├─ Access Logs (Activity Confirmed)
│ └─ Proves what they did
├─ Surveillance Photos (Handler Identified)
│ └─ Shows who they work for
└─ Handwritten Notes (Confession)
└─ Subject's own words seal the case
```
### Confidence Thresholds
**Evidence Count → Confidence Level:**
| Evidence Pieces | Confidence | Prosecution Viable | Cooperation Likely |
|----------------|------------|-------------------|-------------------|
| 1 template | 40-80% | No (insufficient) | 50% |
| 2 templates | 65-85% | Maybe (circumstantial) | 70% |
| 3 templates | 85-95% | Yes (strong case) | 85% |
| 4 templates | 95-98% | Yes (very strong) | 90% |
| 5 templates | 99.9% | Yes (overwhelming) | 95% |
### Best Combinations by Scenario Type
**Corporate Infiltration:**
1. Encrypted Comms (coordination)
2. Access Logs (what they accessed)
3. Financial Records (payment proof)
- Confidence: 95%
**Data Exfiltration:**
1. Access Logs (theft proof)
2. Surveillance (handler delivery)
3. Handwritten Notes (confession)
- Confidence: 98%
**Asset Recruitment:**
1. Financial Records (financial desperation)
2. Handwritten Notes (emotional state)
3. Surveillance (handler contact)
- Confidence: 95%
**Handler Takedown:**
1. Surveillance (handler identification)
2. Financial Records (money trail to cell)
3. Encrypted Comms (coordination proof)
- Confidence: 90%
---
## Gameplay Integration Guide
### Investigation Progression
**Phase 1: Initial Suspicion**
- Player discovers 1 evidence template
- NPC flagged as "Person of Interest"
- Unlocks investigation missions
- Confidence: Insufficient for action
**Phase 2: Building the Case**
- Player collects 2-3 evidence templates
- Pattern emerges (payments, access, meetings)
- NPC upgraded to "Suspected ENTROPY Asset"
- Confidence: Sufficient for confrontation
**Phase 3: Overwhelming Evidence**
- Player has 4-5 evidence templates
- Complete picture of recruitment, activity, handler
- NPC confirmed as "ENTROPY Asset - Confirmed"
- Confidence: Multiple approach options unlocked
### Player Choice Branching
Each evidence combination enables **different interrogation approaches:**
**With Financial Evidence:**
→ Offer: "We can help with your debt, but you need to cooperate"
**With Handwritten Notes:**
→ Empathy: "We read your notes. We know you want out. We can help."
**With Surveillance Photos:**
→ Confrontation: "You can't deny this. We have photos of everything."
**With Access Logs:**
→ Technical: "We have every keystroke. Every file. Every system you touched."
**With All Evidence:**
→ Overwhelming: "Your own handwriting. Photos of meetings. Financial transactions. Access logs. There's no defense. But we can still help you."
### Success Metrics
Each template contributes to multiple success outcomes:
**Cooperation Likelihood:**
- Base (no evidence): 20%
- + Encrypted Comms: +15%
- + Financial Records: +20%
- + Access Logs: +15%
- + Surveillance: +20%
- + Handwritten Notes: +30%
- Maximum: 95% (with all evidence + compassionate approach)
**Prosecution Probability:**
- Base: 30%
- + Each evidence template: +15%
- All 5 templates: 95% conviction probability
**Intelligence Value:**
- Handwritten notes → Handler codename revealed
- Surveillance → Handler facial ID + vehicle
- Financial → ENTROPY payment wallet address
- Access logs → What data was compromised
- Encrypted comms → Communication methods
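Review bot: The additive modifiers under "Cooperation Likelihood" and "Prosecution Probability" do not sum to the stated totals, and no cap rule is documented. Base 20% plus 15 + 20 + 15 + 20 + 30 gives 120% against a stated maximum of 95%, and base 30% plus five times 15% gives 105% against a stated 95%. State the clamp explicitly or rescale the modifiers. The 95% maximum also conflicts with the 98% given for "Offer help based on cry for help" in the TEMPLATE_AGENT_ID_005 section, and with the Confidence Thresholds table, which lists 50% cooperation for one template where base plus Encrypted Comms would give 35%. Pick one model as the source of truth and derive the other figures from it.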
---
## Substitution Guide - Best Practices
### Creating Consistent NPCs
When substituting template variables, maintain consistency across all evidence types for the same NPC:
**Example: Jennifer Park (Network Security Analyst)**
**Across all 5 templates, use:**
- [SUBJECT_NAME] → "Jennifer Park"
- [ORGANIZATION] → "TechCorp Industries"
- [POSITION] → "Network Security Analyst"
- [SALARY] → "$85,000/year"
- [HANDLER_CODENAME] → "Phoenix"
**Keep timeline consistent:**
- First contact: March 1, 2025
- Payment received: March 15, 2025
- Data exfiltration: March 18, 2025
- Surveillance begins: March 20, 2025
- Notes discovered: April 3, 2025
**Keep amounts consistent:**
- First payment: $42,000
- Second payment: $38,000
- Total debt: $127,000 (student loans)
### Variable Formatting Standards
**Names:**
- Use realistic full names: "Jennifer Park" not "Agent_007"
- Consistent across all templates
**Organizations:**
- Use plausible company names: "TechCorp Industries"
- Match to scenario setting (tech company, hospital, government agency)
**Amounts:**
- ENTROPY payment range: $25,000-$75,000 per operation
- Keep amounts realistic for job role
- Student debt: $80K-$150K typical
- Medical debt: $50K-$200K typical
**Dates:**
- Use absolute dates: "March 15, 2025" not "[DATE_1]"
- Maintain chronological order across templates
- Account for investigation timeline (2-4 weeks typical)
**Codenames:**
- Handler codenames follow ENTROPY patterns:
- Thermodynamic terms: "Entropy", "Cascade", "Equilibrium"
- Phoenix imagery: "Phoenix", "Ash", "Ember"
- Greek letters: "Alpha-07", "Beta-3", "Omega"
### Scenario-Specific Customization
**Corporate Infiltration:**
- Focus on customer data, trade secrets, network diagrams
- Handler wants: "Customer database", "Email backups"
- Access systems: "Finance Server", "Customer CRM"
**Healthcare Breach:**
- Focus on patient records, medical research
- Handler wants: "Patient database", "Clinical trial data"
- Access systems: "EMR System", "Research Database"
**Infrastructure Attack:**
- Focus on SCADA, control systems, facility access
- Handler wants: "Network diagrams", "SCADA access"
- Access systems: "Control Systems", "Facility Management"
**Research Theft:**
- Focus on IP, proprietary research, formulas
- Handler wants: "Research files", "Product designs"
- Access systems: "Lab Database", "Patent Filing System"
---
## Cross-References
### Related Gameplay Fragments
These templates complement other gameplay-function fragments:
**RECRUITMENT_001** (Financial Exploitation Playbook)
- Shows HOW NPCs are recruited
- Templates show RESULT of recruitment
- Combined: Complete recruitment → operation → capture arc
**LEVERAGE_001** (Cascade Family Intel)
- Shows leverage used TO turn operatives
- Templates provide evidence ENABLING leverage
- Combined: Evidence → leverage → defection
**TACTICAL_001** (Active Operation Clock)
- Shows ONGOING operation
- Templates show PAST operations (evidence)
- Combined: Historical pattern → predict current op
**VICTIM_001** (Hospital Administrator)
- Shows IMPACT of ENTROPY operations
- Templates show WHO enabled the attack
- Combined: Perpetrator → consequence emotional arc
### Related Content Fragments
**ENTROPY_PERSONNEL_001** (Cascade Profile)
- Could BE the [SUBJECT_NAME] in these templates
- Templates provide evidence supporting profile
- Combined: Profile → evidence → confirmed identity
**CHAR_SARAH_001** (Sarah Martinez Confession)
- Similar emotional arc to handwritten notes template
- Both show recruited asset's regret and fear
- Combined: Multiple sympathetic insider threats
**ARCHITECT_STRATEGIC_001** (Phase 3 Directive)
- Shows ENTROPY's master plan
- Templates show individual assets executing plan
- Combined: Strategic directive → tactical execution
---
## Technical Implementation Notes
### For Game Developers
**Substitution System:**
```python
# Example pseudocode
template = load_template("TEMPLATE_AGENT_ID_001_encrypted_comms.md")
npc = get_npc("jennifer_park")
substitutions = {
"[SUBJECT_NAME]": npc.full_name,
"[ORGANIZATION]": npc.employer,
"[POSITION]": npc.job_title,
"[CURRENT_DATE]": game_date - timedelta(days=3)
}
evidence_fragment = template.substitute(substitutions)
game.add_discoverable_lore(evidence_fragment, location=npc.desk_drawer)
```
**Evidence Collection Tracking:**
```python
class NPCInvestigation:
def __init__(self, npc_id):
self.npc_id = npc_id
self.evidence_collected = []
self.confidence_level = 0
def add_evidence(self, template_type):
self.evidence_collected.append(template_type)
self.confidence_level = calculate_confidence(self.evidence_collected)
if self.confidence_level >= 85:
unlock_interrogation_mission(self.npc_id)
```
**Branching Logic:**
```python
def get_interrogation_options(evidence_list):
options = ["Standard Questioning"]
if "TEMPLATE_002" in evidence_list: # Financial
options.append("Offer Financial Help")
if "TEMPLATE_005" in evidence_list: # Handwritten notes
options.append("Empathetic Approach - Reference Their Notes")
if "TEMPLATE_004" in evidence_list: # Surveillance
options.append("Show Photos - Visual Confrontation")
if len(evidence_list) >= 4:
options.append("Overwhelming Evidence - All Cards on Table")
return options
```
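Review bot: In NPCInvestigation.add_evidence, template_type is appended without a duplicate check, so discovering the same template twice inflates the list that calculate_confidence and the "len(evidence_list) >= 4" test in get_interrogation_options both rely on. Store collected evidence in a set, or return early when template_type is already present. The branching code also tests for "TEMPLATE_002", "TEMPLATE_004" and "TEMPLATE_005" while the files are named TEMPLATE_AGENT_ID_00N, so the identifier scheme should be stated once and used in both places. calculate_confidence is not defined here, and the catalog gives a range per evidence count (40-80% for one template) rather than a rule, so an implementer cannot tell which combinations reach the ">= 85" unlock. The substitution example should also fail or log when any [PLACEHOLDER] token remains after substitute(), since a missed variable would otherwise appear in player-visible text.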
### Discovery Placement Recommendations
**TEMPLATE_001 (Encrypted Comms):**
- Location: Email server logs, IT security alerts
- Timing: Early investigation (triggers suspicion)
- Difficulty: Medium (requires email access or IT cooperation)
**TEMPLATE_002 (Financial Records):**
- Location: Subpoenaed bank records, financial audit
- Timing: Mid investigation (requires legal authority)
- Difficulty: Hard (requires warrant/subpoena)
**TEMPLATE_003 (Access Logs):**
- Location: IT audit reports, SIEM alerts
- Timing: Mid investigation (requires IT forensics)
- Difficulty: Medium (technical analysis needed)
**TEMPLATE_004 (Surveillance Photos):**
- Location: Surveillance team reports
- Timing: Late investigation (requires active surveillance op)
- Difficulty: Very Hard (expensive, time-consuming)
**TEMPLATE_005 (Handwritten Notes):**
- Location: Desk drawer, personal effects, home search
- Timing: Variable (lucky find or late-game search warrant)
- Difficulty: Medium-Hard (requires physical access)
---
## Educational Value (CyBOK Alignment)
### Security Concepts Demonstrated
**Digital Forensics:**
- Email header analysis (TEMPLATE_001)
- Financial transaction tracing (TEMPLATE_002)
- System log correlation (TEMPLATE_003)
- Chain of custody (all templates)
**Insider Threat Detection:**
- Behavioral indicators (after-hours access)
- Financial pressure recognition
- Access pattern anomalies
- Communication analysis
**Investigation Methodology:**
- Evidence corroboration (multiple sources)
- Confidence level progression
- Legal admissibility considerations
- Forensic analysis procedures
**Human Factors:**
- Recruitment vulnerability factors
- Psychological pressure and coercion
- Empathetic interrogation techniques
- Ethical evidence usage
### Learning Outcomes
Players using these templates will learn:
1. **Evidence Collection**: How multiple evidence types build a case
2. **Pattern Recognition**: Identifying suspicious behavior across domains
3. **Legal Process**: Warrants, subpoenas, chain of custody
4. **Psychology**: Understanding why people become insider threats
5. **Ethics**: Balancing effective investigation with humane treatment
---
## Expansion Opportunities
### Additional Template Ideas
**TEMPLATE_006: Phone Records**
- Call logs to burner phones
- Timing correlation with operations
- Location data (cell tower triangulation)
**TEMPLATE_007: Social Media OSINT**
- Lifestyle changes visible on social media
- Travel patterns (meetings with handler)
- Unusual purchases or activities
**TEMPLATE_008: Witness Testimony**
- Coworker observations
- "They've been acting strange lately"
- Suspicious conversations overheard
**TEMPLATE_009: Digital Forensics**
- Deleted file recovery
- Browser history analysis
- VPN usage and encrypted tools
**TEMPLATE_010: Physical Surveillance (Extended)**
- Safe house identification
- Handler's vehicle tracking
- Dead drop location mapping
---
## Version History
**v1.0** - Initial template system creation
- 5 core evidence templates
- Complete substitution system
- Gameplay integration framework
- Cross-reference structure
---
**CLASSIFICATION:** TEMPLATE SYSTEM - EVIDENCE GENERATION
**PRIORITY:** HIGH (Core gameplay mechanic)
**REUSABILITY:** Extremely High (designed for infinite NPC generation)
**DISTRIBUTION:** Game developers, scenario designers, mission creators
**MAINTENANCE:** Templates should remain stable; customize through substitution
---
## Quick Reference Card
```
╔═══════════════════════════════════════════════════════════╗
║ EVIDENCE TEMPLATE QUICK REFERENCE ║
╚═══════════════════════════════════════════════════════════╝
TEMPLATE_001: Encrypted Comms
→ Alone: 40% | Best With: Financial Records
→ Use For: Initial suspicion, policy violations
TEMPLATE_002: Financial Records
→ Alone: 60% | Best With: Access Logs
→ Use For: Payment proof, motive establishment
TEMPLATE_003: Access Logs
→ Alone: 70% | Best With: Financial Records
→ Use For: Activity proof, technical evidence
TEMPLATE_004: Surveillance Photos
→ Alone: 50% | Best With: Financial + Access
→ Use For: Handler ID, visual confirmation
TEMPLATE_005: Handwritten Notes
→ Alone: 80% | Best With: Everything
→ Use For: Confession, empathetic approach
OPTIMAL COMBINATION: All 5 templates = 99.9% confidence
MINIMUM FOR ACTION: 3 templates = 85% confidence
COOPERATION PROBABILITY:
- Compassionate + Notes: 98%
- Overwhelming + All Evidence: 95%
- Standard + Some Evidence: 70%
```
---
**End of Template Catalog**
**For implementation questions, refer to:**
- Individual template files for detailed content
- GAMEPLAY_CATALOG.md for mission integration
- ../README.md for overall LORE system philosophy