mirror of
https://github.com/cliffe/BreakEscape.git
synced 2026-02-21 11:18:08 +00:00
feat: Add reusable evidence template system for ENTROPY agent identification
Created 5 comprehensive evidence templates with [PLACEHOLDER] substitution system that enable infinite NPC agent identification across scenarios.

## New Files:

- TEMPLATE_AGENT_ID_001_encrypted_comms.md
  * Intercepted PGP-encrypted communications
  * 40% confidence alone, 90% combined
  * Red flags: Policy violations, ProtonMail, after-hours timing
- TEMPLATE_AGENT_ID_002_financial_records.md
  * Bank transactions & cryptocurrency forensics
  * 60% confidence alone, 98% combined
  * Red flags: Unexplained cash, ENTROPY wallet, shell companies
- TEMPLATE_AGENT_ID_003_access_logs.md
  * IT audit showing unauthorized system access
  * 70% confidence alone, 98% combined
  * Documents 5 incidents: Reconnaissance → Exfiltration → Cover-up
- TEMPLATE_AGENT_ID_004_surveillance_photos.md
  * 14-day surveillance op with 7 photo scenarios
  * 50% confidence alone, 95% combined
  * Handler identification, dead drops, countersurveillance
- TEMPLATE_AGENT_ID_005_physical_evidence.md
  * Handwritten 3-page emotional confession
  * 80% confidence alone, 99.9% combined
  * Enables 95-98% cooperation through empathetic approach
  * Arc: Willing participant → Trapped → Desperate for help
- TEMPLATE_CATALOG.md
  * Complete template system documentation
  * Substitution guide & best practices
  * Evidence chain methodology
  * Integration strategies & success metrics

## Template System Features:

- [PLACEHOLDER] format for runtime substitution
- Evidence chain: Single evidence (40-80%) → All 5 (99.9%)
- Cooperation likelihood scales with evidence quality
- Multiple interrogation approaches unlocked by different combinations
- Infinite reusability across NPCs and scenarios

## Integration:

- Updated GAMEPLAY_CATALOG.md with template section
- Evidence Prosecution category expanded from 1 to 6 fragments
- Total gameplay-focused fragments: 13 (8 unique + 5 templates)
- Templates work standalone or combine for overwhelming cases

## Educational Value (CyBOK):

- Digital forensics (email analysis, blockchain tracing)
- Insider threat detection (behavioral indicators)
- Investigation methodology (evidence corroboration)
- Legal process (admissibility, chain of custody)
- Psychological profiling & ethical interrogation

## Gameplay Impact:

Each template enables different player actions and unlocks specific interrogation approaches based on evidence collected. System designed to reward thorough investigation while not requiring 100% collection for success.
@@ -6,10 +6,12 @@ This catalog tracks all LORE fragments organized by their **gameplay purpose** -
|
||||
|
||||
## Overview Statistics
|
||||
|
||||
**Total Gameplay-Focused Fragments Created:** 7
|
||||
**Total Gameplay-Focused Fragments Created:** 13
|
||||
- Unique Fragments: 8
|
||||
- Evidence Templates: 5 (reusable with NPC substitution)
|
||||
|
||||
**By Gameplay Function:**
|
||||
- Evidence for Prosecution: 1
|
||||
- Evidence for Prosecution: 6 (1 unique + 5 templates)
|
||||
- Tactical Intelligence: 1
|
||||
- Financial Forensics: 1
|
||||
- Recruitment Vectors: 1
|
||||
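Review bot: The new total of 13 is broken down as "Unique Fragments: 8" plus 5 templates, but the line it replaces gave the total as 7 and nothing in this hunk accounts for an eighth unique fragment. Either the old count was already stale or the unique count should stay at 7 (total 12); state which in the commit message, and check that the "By Gameplay Function" entries add up to the same unique count once "Evidence for Prosecution: 6 (1 unique + 5 templates)" is included.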
@@ -22,7 +24,13 @@ This catalog tracks all LORE fragments organized by their **gameplay purpose** -
|
||||
- Mission-critical objectives: 5 fragments
|
||||
- Optional depth/context: 2 fragments
|
||||
- Branching choice enablers: 6 fragments
|
||||
- Success metric modifiers: 7 fragments
|
||||
- Success metric modifiers: 13 fragments (templates multiply impact)
|
||||
|
||||
**Template System:**
|
||||
- 5 evidence templates with [PLACEHOLDER] substitution
|
||||
- Infinite NPC agent identification capability
|
||||
- Evidence chain methodology (combine for 99.9% confidence)
|
||||
- See TEMPLATE_CATALOG.md for complete template documentation
|
||||
|
||||
---
|
||||
|
||||
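Review bot: "Success metric modifiers" goes from 7 to 13, which now equals the total fragment count, while "Branching choice enablers: 6 fragments" and the other tallies in this list are left unchanged, even though the template section added to this file describes per-template interrogation approach unlocks. Update all the tallies the templates affect or none, and replace "(templates multiply impact)" with what is actually counted. "Infinite NPC agent identification capability" would read better as a statement of the mechanism, for example that each template is reusable for any NPC through substitution.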
@@ -56,6 +64,347 @@ This catalog tracks all LORE fragments organized by their **gameplay purpose** -
|
||||
|
||||
---
|
||||
|
||||
### 📋 EVIDENCE_PROSECUTION - Evidence Templates (Reusable)
|
||||
|
||||
**TEMPLATE SYSTEM OVERVIEW**
|
||||
|
||||
The Evidence Template System provides 5 reusable evidence fragments for identifying ENTROPY agents/assets in any scenario. Each template uses [PLACEHOLDER] format for runtime NPC substitution.
|
||||
|
||||
**Complete Template Documentation:** See `TEMPLATE_CATALOG.md` in this directory
|
||||
|
||||
**Template Integration Philosophy:**
|
||||
- **Single evidence piece:** 40-80% confidence (suspicion only)
|
||||
- **2-3 evidence pieces:** 65-95% confidence (strong case)
|
||||
- **4-5 evidence pieces:** 95-99.9% confidence (overwhelming)
|
||||
- **All 5 templates:** Complete evidence chain, maximum cooperation likelihood (95%)
|
||||
|
||||
**Evidence Chain Methodology:**
|
||||
```
|
||||
Encrypted Comms → Initial suspicion flag
|
||||
↓
|
||||
Financial Records → Payment proof (motive)
|
||||
↓
|
||||
Access Logs → Activity confirmation (what they did)
|
||||
↓
|
||||
Surveillance Photos → Handler identification (who they work for)
|
||||
↓
|
||||
Handwritten Notes → Self-incrimination (confession)
|
||||
↓
|
||||
= Overwhelming evidence, 99.9% confidence
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**TEMPLATE_AGENT_ID_001 - Encrypted Communications**
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_001_encrypted_comms.md`
|
||||
|
||||
- **What It Is:** Intercepted PGP-encrypted email from corporate account to ProtonMail
|
||||
- **What Player Can DO:**
|
||||
- Flag NPC as Person of Interest
|
||||
- Unlock surveillance mission
|
||||
- Trigger financial investigation
|
||||
- Require corroboration for action
|
||||
- **Evidence Type:** Digital communication
|
||||
- **Substitution Variables:** [SUBJECT_NAME], [ORGANIZATION], [POSITION], [CURRENT_DATE]
|
||||
- **Red Flags:**
|
||||
- 🚩 PGP encryption from work email (policy violation)
|
||||
- 🚩 ProtonMail recipient (anonymous service)
|
||||
- 🚩 After-hours timing (23:47, secretive)
|
||||
- 🚩 "Payment arrangement confirmed"
|
||||
- 🚩 Security bypass offers
|
||||
- 🚩 "Documentation transfer via agreed method"
|
||||
- **Evidence Strength:**
|
||||
- Alone: 40% confidence (circumstantial)
|
||||
- + Financial records: 75% confidence
|
||||
- + Access logs: 65% confidence
|
||||
- + All evidence: 90% confidence
|
||||
- **Best Used For:** Initial suspicion, corporate infiltration, data exfiltration
|
||||
- **Rarity:** Common (starting evidence)
|
||||
|
||||
**Example Content:**
|
||||
```
|
||||
From: [SUBJECT_NAME]@[ORGANIZATION].com
|
||||
To: secure-contact-7749@protonmail.com
|
||||
Date: [DATE], 23:47
|
||||
|
||||
...payment arrangement confirmed. Standard terms as before.
|
||||
The documentation you need will be transferred via the
|
||||
agreed method...
|
||||
|
||||
...regarding the security audit team arriving Thursday -
|
||||
I can ensure they have the credentials and building access
|
||||
without additional verification...
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**TEMPLATE_AGENT_ID_002 - Financial Records**
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_002_financial_records.md`
|
||||
|
||||
- **What It Is:** Forensic analysis of suspicious bank transactions and cryptocurrency activity
|
||||
- **What Player Can DO:**
|
||||
- Prove quid pro quo (payment for services)
|
||||
- Seize assets as proceeds of crime
|
||||
- Trace payments to ENTROPY master wallet
|
||||
- Identify financial recruitment vector
|
||||
- Create leverage opportunity
|
||||
- **Evidence Type:** Financial forensics
|
||||
- **Substitution Variables:** [SUBJECT_NAME], [ORGANIZATION], [SALARY], [AMOUNT], [DATE]
|
||||
- **Red Flags:**
|
||||
- 🚩 Unexplained cash deposits ($25K-$75K range)
|
||||
- 🚩 Cryptocurrency to ENTROPY master wallet
|
||||
- 🚩 Shell company payments
|
||||
- 🚩 Offshore transfers
|
||||
- 🚩 Timing correlation with breaches
|
||||
- 🚩 Lifestyle inflation (debt payoff, new car)
|
||||
- **Evidence Strength:**
|
||||
- Alone: 60% confidence (strong suspicion)
|
||||
- + Encrypted comms: 75% confidence
|
||||
- + Access logs: 95% confidence
|
||||
- + All evidence: 98% confidence
|
||||
- **Best Used For:** Payment proof, money laundering, connecting to ENTROPY financial network
|
||||
- **Rarity:** Uncommon (requires warrant/subpoena)
|
||||
|
||||
**Example Content:**
|
||||
```
|
||||
SUSPICIOUS DEPOSIT #1:
|
||||
Date: March 15, 2025
|
||||
Amount: $42,000 (CASH)
|
||||
Source: UNKNOWN
|
||||
Note: Amount matches ENTROPY payment patterns
|
||||
|
||||
CRYPTOCURRENCY TRANSACTION:
|
||||
Date: March 18, 2025
|
||||
Destination: 1A9zW5...3kPm
|
||||
Amount: $15,000 equivalent
|
||||
NOTE: Wallet identified as ENTROPY master wallet!
|
||||
|
||||
Salary: $85,000/year
|
||||
Total suspicious income (6 months): $127,000
|
||||
Percentage above salary: 149% unexplained
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**TEMPLATE_AGENT_ID_003 - Access Logs**
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_003_access_logs.md`
|
||||
|
||||
- **What It Is:** IT audit showing unauthorized system access pattern
|
||||
- **What Player Can DO:**
|
||||
- Prove data theft technically
|
||||
- Show reconnaissance → exfiltration pattern
|
||||
- Demonstrate privilege escalation
|
||||
- Identify what data was compromised
|
||||
- Enable immediate access suspension
|
||||
- **Evidence Type:** Technical forensics
|
||||
- **Substitution Variables:** [SUBJECT_NAME], [POSITION], [SYSTEM_NAME], [DATA_TYPE], [FILE_COUNT]
|
||||
- **Incidents Documented:**
|
||||
1. Sensitive database access (after hours, no business need)
|
||||
2. Network infrastructure mapping (weekend reconnaissance)
|
||||
3. HR database access (500+ employee records, PII theft)
|
||||
4. Executive email access (PowerShell exploitation)
|
||||
5. USB device usage (1.2GB data exfiltration, 847 files)
|
||||
- **Evidence Strength:**
|
||||
- Alone: 70% confidence (technical proof)
|
||||
- + Financial records: 95% confidence
|
||||
- + Encrypted comms: 85% confidence
|
||||
- + All evidence: 98% confidence
|
||||
- **Best Used For:** Data breach proof, showing malicious pattern, technical espionage
|
||||
- **Rarity:** Common (IT audit logs)
|
||||
|
||||
**Example Content:**
|
||||
```
|
||||
INCIDENT 5: USB DEVICE USAGE (DATA EXFILTRATION)
|
||||
Date: March 18, 2025, 22:37
|
||||
USB Device: SanDisk 64GB (Serial: 4C530001...)
|
||||
Files Copied: 847 files
|
||||
Total Size: 1.2GB
|
||||
File Types: .xlsx (customer data), .docx (proprietary)
|
||||
|
||||
PATTERN ANALYSIS:
|
||||
Week 1: Reconnaissance (network mapping)
|
||||
Week 2: Access (privilege escalation)
|
||||
Week 3: Exfiltration (USB transfer)
|
||||
Week 4: Cover-up (deletion attempts)
|
||||
|
||||
Classic espionage attack pattern.
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**TEMPLATE_AGENT_ID_004 - Surveillance Photos**
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_004_surveillance_photos.md`
|
||||
|
||||
- **What It Is:** Complete 14-day surveillance operation with photos and handler profiling
|
||||
- **What Player Can DO:**
|
||||
- Identify ENTROPY handler (facial recognition)
|
||||
- Document in-person meetings
|
||||
- Prove document/cash exchange
|
||||
- Show dead drop usage
|
||||
- Enable simultaneous handler/asset arrest
|
||||
- Demonstrate countersurveillance behavior
|
||||
- **Evidence Type:** Photographic surveillance
|
||||
- **Substitution Variables:** [SUBJECT_NAME], [CONTACT_DESCRIPTION], [LOCATION], [VEHICLE_DESCRIPTION]
|
||||
- **7 Photo Scenarios:**
|
||||
- Photo 1-3: Coffee shop meeting, document exchange, cash payment
|
||||
- Photo 4-5: Dead drop (USB deposit, handler retrieval 2hrs later)
|
||||
- Photo 6: Follow-up meeting, verbal comms
|
||||
- Photo 7: Countersurveillance behavior (SDR route)
|
||||
- **Evidence Strength:**
|
||||
- Alone: 50% confidence (suspicious but explainable)
|
||||
- + Financial records: 80% confidence
|
||||
- + Access logs: 85% confidence
|
||||
- + All evidence: 95% confidence
|
||||
- **Best Used For:** Visual proof, handler identification, meeting patterns, tradecraft documentation
|
||||
- **Rarity:** Uncommon (expensive surveillance operation)
|
||||
|
||||
**Example Content:**
|
||||
```
|
||||
[PHOTO 2: DOCUMENT EXCHANGE]
|
||||
Location: [LOCATION] Coffee Shop
|
||||
Date: [DATE], [TIME + 15 minutes]
|
||||
|
||||
CAPTURED MOMENT:
|
||||
[SUBJECT_NAME] sliding manila envelope across table
|
||||
Unknown individual accepting envelope
|
||||
Envelope thickness: 20-30 pages estimated
|
||||
|
||||
[PHOTO 3: CASH PAYMENT]
|
||||
Same meeting, +28 minutes
|
||||
Unknown individual handing envelope to [SUBJECT_NAME]
|
||||
Cash visible inside (appears to be $100 bills)
|
||||
Estimated amount: $2,000-$5,000
|
||||
[SUBJECT_NAME] shows relief in facial expression
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**TEMPLATE_AGENT_ID_005 - Handwritten Notes**
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_005_physical_evidence.md`
|
||||
|
||||
- **What It Is:** 3-page handwritten notes showing emotional journey from willing participant to desperate victim
|
||||
- **What Player Can DO:**
|
||||
- Devastating confrontation ("your own handwriting")
|
||||
- Enable empathetic approach (subject wants help)
|
||||
- Achieve 95-98% cooperation likelihood
|
||||
- Self-incrimination in subject's own words
|
||||
- Show coercion by ENTROPY (victim characteristics)
|
||||
- **Evidence Type:** Physical - handwritten confession
|
||||
- **Substitution Variables:** [SUBJECT_NAME], [HANDLER_CODENAME], [SYSTEM_NAME], [DEBT_AMOUNT]
|
||||
- **3-Page Emotional Progression:**
|
||||
- **Page 1:** Nervous rationalization ("just competitive intelligence", "not hurting anyone... right?")
|
||||
- **Page 2:** Feeling trapped ("they have me trapped", "if I refuse they expose me")
|
||||
- **Page 3:** Desperate cry for help ("please help me", "what have I gotten into", security hotline written down)
|
||||
- **Evidence Strength:**
|
||||
- Alone: 80% confidence (self-incrimination)
|
||||
- + Financial records: 95% confidence
|
||||
- + Access logs: 95% confidence
|
||||
- + All evidence: 99.9% confidence (overwhelming)
|
||||
- **Cooperation Likelihood:**
|
||||
- Show notes immediately: 95%
|
||||
- Empathetic approach referencing cry for help: 98%
|
||||
- Use as leverage after lies: 90%
|
||||
- **Best Used For:** High cooperation outcome, empathetic interrogation, showing subject as victim
|
||||
- **Rarity:** Uncommon-Rare (lucky find or search warrant)
|
||||
|
||||
**Example Content:**
|
||||
```
|
||||
[PAGE 1 - TRANSCRIPTION]
|
||||
Meeting notes - [DATE]
|
||||
|
||||
THINGS TO REMEMBER:
|
||||
- [HANDLER_CODENAME] wants access to [SYSTEM_NAME]
|
||||
- Payment: $[AMOUNT] on completion
|
||||
- Files to copy: Customer database, Network diagrams
|
||||
- "Delete these notes after memorizing!!!"
|
||||
|
||||
Feeling sick about this. But what choice do I have?
|
||||
$[DEBT_AMOUNT] in debt. Can't keep living like this.
|
||||
[HANDLER] says it's just "competitive intelligence"
|
||||
Not really hurting anyone... right?
|
||||
|
||||
[PAGE 3 - TRANSCRIPTION]
|
||||
THINGS GETTING WORSE
|
||||
|
||||
[HANDLER] mentioned "permanent solutions for loose ends"
|
||||
AM I A LOOSE END??
|
||||
|
||||
Overheard [HANDLER] on phone: "ENTROPY cell needs..."
|
||||
WHAT IS ENTROPY?? OH GOD WHAT HAVE I GOTTEN INTO
|
||||
|
||||
If someone finds these notes: I'm sorry.
|
||||
If you're reading this, please help me.
|
||||
|
||||
[ORGANIZATION] Security Hotline: [NUMBER]
|
||||
(Should I call? Too scared. But maybe...)
|
||||
|
||||
"Please let this end somehow"
|
||||
```
|
||||
|
||||
**Forensic Analysis Included:**
|
||||
- Handwriting verification: 99.7% match to subject
|
||||
- Pen pressure analysis (stress visible in writing)
|
||||
- Ink testing (same pen throughout)
|
||||
- Chain of custody documentation
|
||||
|
||||
**Legal Assessment:**
|
||||
- Admissibility: VERY HIGH (spontaneous confession)
|
||||
- No Miranda issues (not custodial interrogation)
|
||||
- Shows consciousness of guilt
|
||||
- Demonstrates coercion by ENTROPY
|
||||
|
||||
**Recommended Use:**
|
||||
"Use notes as leverage for cooperation, not prosecution. Subject is scared, remorseful, and wants out. Cooperation probability: 95%"
|
||||
|
||||
---
|
||||
|
||||
### Evidence Template Integration Strategy
|
||||
|
||||
**Optimal Discovery Sequence:**
|
||||
1. **TEMPLATE_001 (Encrypted Comms)** → Triggers investigation
|
||||
2. **TEMPLATE_002 (Financial Records)** → Proves motive
|
||||
3. **TEMPLATE_003 (Access Logs)** → Confirms activity
|
||||
4. **TEMPLATE_004 (Surveillance)** → Identifies handler
|
||||
5. **TEMPLATE_005 (Handwritten Notes)** → Seals the case
|
||||
|
||||
**Confidence Progression:**
|
||||
- 1 template: 40-80% (suspicion only, no action)
|
||||
- 2 templates: 65-85% (strong suspicion, investigation warranted)
|
||||
- 3 templates: 85-95% (probable cause, confrontation viable)
|
||||
- 4 templates: 95-98% (very strong case, multiple approaches)
|
||||
- 5 templates: 99.9% (overwhelming, maximum cooperation)
|
||||
|
||||
**Interrogation Approach Unlocks:**
|
||||
- With TEMPLATE_002 (Financial): Offer financial help for cooperation
|
||||
- With TEMPLATE_005 (Notes): Empathetic approach ("we know you want out")
|
||||
- With TEMPLATE_004 (Surveillance): Visual confrontation ("we have photos")
|
||||
- With TEMPLATE_003 (Access Logs): Technical proof ("every keystroke logged")
|
||||
- With All 5: Overwhelming evidence ("no defense, but we can help")
|
||||
|
||||
**Template Reusability:**
|
||||
Each template can be used infinite times across different NPCs by substituting:
|
||||
- [SUBJECT_NAME] → Actual NPC name
|
||||
- [ORGANIZATION] → Company name
|
||||
- [POSITION] → Job title
|
||||
- [HANDLER_CODENAME] → Handler designation
|
||||
- [AMOUNT] → Payment amounts
|
||||
- [DATE] → Appropriate timeline
|
||||
- etc.
|
||||
|
||||
**See TEMPLATE_CATALOG.md for:**
|
||||
- Complete template documentation
|
||||
- Substitution best practices
|
||||
- Evidence combination strategies
|
||||
- Scenario-specific customization
|
||||
- Technical implementation guide
|
||||
|
||||
---
|
||||
|
||||
### 🎯 TACTICAL_INTELLIGENCE
|
||||
|
||||
**TACTICAL_001 - Active Power Grid Attack (48-Hour Countdown)**
|
||||
|
||||
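Review bot: The "Substitution Variables" lists do not match the placeholders the example blocks use, so a substitution pass driven by those lists will leave raw brackets in player-facing text. TEMPLATE_001 declares [CURRENT_DATE] but its example has "Date: [DATE], 23:47"; TEMPLATE_004 uses [DATE] and [TIME + 15 minutes] without declaring either; TEMPLATE_005 declares [HANDLER_CODENAME] but its example also uses [HANDLER], [AMOUNT], [DATE], [ORGANIZATION] and [NUMBER]. Suggest making each list exhaustive and settling on one name per value. Separately, the confidence figures disagree with each other: the overview gives "2-3 evidence pieces: 65-95%" while Confidence Progression gives 65-85% for 2 templates and 85-95% for 3, and "+ All evidence" is 90%, 98%, 98%, 95% or 99.9% depending on which template is read. A single table kept in TEMPLATE_CATALOG.md and referenced from here would remove the ambiguity for whoever implements the scoring.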
@@ -0,0 +1,255 @@
|
||||
# TEMPLATE: Suspicious Encrypted Communications
|
||||
|
||||
**Fragment ID:** EVIDENCE_AGENT_ID_001
|
||||
**Gameplay Function:** Agent Identification Evidence (Digital)
|
||||
**Evidence Type:** Intercepted encrypted communication
|
||||
**Rarity:** Common
|
||||
**Substitution Required:** [SUBJECT_NAME], [ORGANIZATION], [POSITION]
|
||||
|
||||
---
|
||||
|
||||
## Evidence Summary
|
||||
|
||||
**Item:** Encrypted email communication from corporate account
|
||||
**Subject:** [SUBJECT_NAME], [POSITION] at [ORGANIZATION]
|
||||
**Evidence Quality:** MEDIUM (encrypted but pattern suspicious)
|
||||
**Admissibility:** Medium (circumstantial, requires corroboration)
|
||||
|
||||
---
|
||||
|
||||
## Intercepted Communication
|
||||
|
||||
```
|
||||
From: [SUBJECT_NAME]@[ORGANIZATION].com
|
||||
To: secure-contact-7749@protonmail.com
|
||||
Date: [CURRENT_DATE - 3 days], 23:47
|
||||
Subject: Re: Consultation project update
|
||||
Encryption: PGP encrypted (partial decryption successful)
|
||||
|
||||
[Decrypted portions:]
|
||||
|
||||
...understand the concerns about timeline. The access you
|
||||
requested will be available during the maintenance window
|
||||
as discussed.
|
||||
|
||||
[ENCRYPTED BLOCK - Unable to decrypt]
|
||||
|
||||
...payment arrangement confirmed. Standard terms as before.
|
||||
The documentation you need will be transferred via the
|
||||
agreed method.
|
||||
|
||||
[ENCRYPTED BLOCK - Unable to decrypt]
|
||||
|
||||
...regarding the security audit team arriving Thursday -
|
||||
I can ensure they have the credentials and building access
|
||||
without additional verification. Same procedure as last time.
|
||||
|
||||
Looking forward to our continued partnership.
|
||||
|
||||
Best regards,
|
||||
[SUBJECT_NAME]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Analysis Flags
|
||||
|
||||
**SUSPICIOUS INDICATORS:**
|
||||
|
||||
🚩 **Encrypted Communication from Work Email**
|
||||
- Corporate email policy prohibits personal encryption
|
||||
- PGP usage violates IT security policy
|
||||
- Suggests deliberate obfuscation of content
|
||||
- Professional email should not require encryption
|
||||
|
||||
🚩 **ProtonMail Recipient (Anonymous Service)**
|
||||
- Recipient uses privacy-focused email service
|
||||
- Address format suggests throwaway account
|
||||
- No legitimate business contact uses this pattern
|
||||
- Common in ENTROPY operational communications
|
||||
|
||||
🚩 **After-Hours Timing (23:47)**
|
||||
- Sent late at night from personal device
|
||||
- Suggests secretive communication
|
||||
- Outside normal business hours
|
||||
- Pattern consistent with covert activity
|
||||
|
||||
🚩 **"Payment Arrangement Confirmed"**
|
||||
- Reference to financial transaction
|
||||
- Not related to normal job duties
|
||||
- "Standard terms as before" suggests ongoing payments
|
||||
- Typical ENTROPY asset compensation language
|
||||
|
||||
🚩 **Security Audit Team Access**
|
||||
- Offering to bypass verification procedures
|
||||
- "Same procedure as last time" suggests repeat behavior
|
||||
- Willing to violate security protocols
|
||||
- Classic insider threat action
|
||||
|
||||
🚩 **"Documentation Transfer via Agreed Method"**
|
||||
- Euphemism for data exfiltration
|
||||
- "Agreed method" suggests dead drop or covert channel
|
||||
- Not standard business file sharing
|
||||
- Matches ENTROPY operational security patterns
|
||||
|
||||
---
|
||||
|
||||
## Investigation Recommendations
|
||||
|
||||
**IMMEDIATE ACTIONS:**
|
||||
```
|
||||
□ Monitor [SUBJECT_NAME]'s email for additional encrypted messages
|
||||
□ Check employment records for financial stress indicators
|
||||
□ Review building access logs for unusual patterns
|
||||
□ Identify "security audit team" referenced
|
||||
□ Trace ProtonMail recipient if possible
|
||||
□ Review past "maintenance windows" for suspicious activity
|
||||
□ Check for data exfiltration during previous access grants
|
||||
```
|
||||
|
||||
**SURVEILLANCE PRIORITIES:**
|
||||
```
|
||||
□ Financial transactions (unusual deposits)
|
||||
□ Meetings with unknown individuals
|
||||
□ USB drive usage or file transfers
|
||||
□ After-hours office access
|
||||
□ Encrypted communication patterns
|
||||
□ Dead drop locations (document transfers)
|
||||
```
|
||||
|
||||
**CORROBORATING EVIDENCE NEEDED:**
|
||||
```
|
||||
□ Financial records showing unexplained income
|
||||
□ Access logs showing policy violations
|
||||
□ Witness testimony of suspicious behavior
|
||||
□ Technical evidence of data exfiltration
|
||||
□ Additional encrypted communications
|
||||
□ Connection to known ENTROPY operatives
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Gameplay Integration
|
||||
|
||||
**This Fragment Enables:**
|
||||
|
||||
**Investigation Actions:**
|
||||
- Flag [SUBJECT_NAME] as suspected ENTROPY asset
|
||||
- Unlock surveillance mission on subject
|
||||
- Enable deeper background investigation
|
||||
- Trigger financial forensics check
|
||||
|
||||
**Player Choices:**
|
||||
|
||||
**APPROACH A: Immediate Confrontation**
|
||||
- Confront subject with evidence
|
||||
- Risk: May destroy evidence or alert ENTROPY
|
||||
- Benefit: Quick resolution if subject cooperates
|
||||
- Success depends on subject's psychology
|
||||
|
||||
**APPROACH B: Continued Surveillance**
|
||||
- Monitor for additional evidence
|
||||
- Build stronger case before action
|
||||
- Risk: Subject may complete operation
|
||||
- Benefit: Identify ENTROPY contacts and methods
|
||||
|
||||
**APPROACH C: Controlled Exposure**
|
||||
- Feed false information through subject
|
||||
- Use as unwitting double agent
|
||||
- Risk: Complex operation, may fail
|
||||
- Benefit: Intelligence on ENTROPY cell operations
|
||||
|
||||
**APPROACH D: Immediate Isolation**
|
||||
- Suspend subject's access immediately
|
||||
- Prevent ongoing operation
|
||||
- Risk: Legal challenges if insufficient evidence
|
||||
- Benefit: Stop potential breach quickly
|
||||
|
||||
**Success Metrics:**
|
||||
- Evidence + Financial records = 75% confidence
|
||||
- Evidence + Access logs = 65% confidence
|
||||
- Evidence + Surveillance + Financial = 90% confidence
|
||||
- Evidence alone = 40% confidence (insufficient for action)
|
||||
|
||||
---
|
||||
|
||||
## Template Substitution Guide
|
||||
|
||||
**When implementing this fragment, replace:**
|
||||
|
||||
```
|
||||
[SUBJECT_NAME] → Actual NPC name (e.g., "Jennifer Park", "David Chen")
|
||||
[ORGANIZATION] → Company/org name (e.g., "TechCorp", "Vanguard Financial")
|
||||
[POSITION] → Job title (e.g., "Network Administrator", "Security Analyst")
|
||||
[CURRENT_DATE - 3 days] → Game timeline appropriate date
|
||||
```
|
||||
|
||||
**Maintain consistency:**
|
||||
- Use same substituted name throughout fragment
|
||||
- Email address format: firstname.lastname@company.com
|
||||
- Position should match NPC's actual in-game role
|
||||
- Timeline should fit scenario chronology
|
||||
|
||||
**Example with substitutions:**
|
||||
```
|
||||
From: jennifer.park@techcorp.com
|
||||
To: secure-contact-7749@protonmail.com
|
||||
Date: November 12, 2025, 23:47
|
||||
Subject: Re: Consultation project update
|
||||
|
||||
...payment arrangement confirmed...
|
||||
|
||||
Best regards,
|
||||
Jennifer Park
|
||||
Network Security Analyst
|
||||
TechCorp Industries
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Scenario-Specific Customization
|
||||
|
||||
**For Corporate Infiltration Scenarios:**
|
||||
- Emphasize "security audit team" access
|
||||
- Reference "maintenance windows" for data access
|
||||
- Focus on credential provision
|
||||
|
||||
**For Data Exfiltration Scenarios:**
|
||||
- Emphasize "documentation transfer"
|
||||
- Reference specific data types in encrypted blocks
|
||||
- Focus on file access patterns
|
||||
|
||||
**For Infrastructure Scenarios:**
|
||||
- Reference SCADA/control system access
|
||||
- Mention facility access credentials
|
||||
- Focus on physical security bypass
|
||||
|
||||
**For Research Scenarios:**
|
||||
- Reference proprietary research data
|
||||
- Mention lab access or sample transfers
|
||||
- Focus on intellectual property theft
|
||||
|
||||
---
|
||||
|
||||
## Related Fragments
|
||||
|
||||
**Supporting Evidence Types:**
|
||||
- EVIDENCE_AGENT_ID_002: Financial records (shows payments)
|
||||
- EVIDENCE_AGENT_ID_003: Access log analysis (proves violations)
|
||||
- EVIDENCE_AGENT_ID_004: Surveillance photos (documents meetings)
|
||||
- EVIDENCE_AGENT_ID_005: USB usage logs (data exfiltration proof)
|
||||
- EVIDENCE_AGENT_ID_006: Recruitment approach (how ENTROPY contacted them)
|
||||
|
||||
**Collect Multiple for Higher Certainty:**
|
||||
- 1 evidence type: 40% confidence (suspicion only)
|
||||
- 2 evidence types: 65% confidence (strong suspicion)
|
||||
- 3 evidence types: 85% confidence (probable cause)
|
||||
- 4+ evidence types: 95% confidence (near certainty)
|
||||
|
||||
---
|
||||
|
||||
**CLASSIFICATION:** EVIDENCE - AGENT IDENTIFICATION
|
||||
**TEMPLATE TYPE:** Reusable with substitution
|
||||
**PRIORITY:** MEDIUM (requires corroboration)
|
||||
**DISTRIBUTION:** Investigation teams, scenario designers
|
||||
**USAGE:** Insert into scenarios with suspected insider threats
|
||||
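Review bot: Plain substitution into "From: [SUBJECT_NAME]@[ORGANIZATION].com" with the guide's own example values ("Jennifer Park", "TechCorp") does not yield the "firstname.lastname@company.com" form that the "Maintain consistency" list requires, and "[CURRENT_DATE - 3 days]" is a computed value that the header's "Substitution Required" list does not mention. Suggest separate placeholders for the e-mail local part and domain, and a plain date token resolved by the scenario. In Related Fragments, EVIDENCE_AGENT_ID_005 is described as "USB usage logs" and an EVIDENCE_AGENT_ID_006 is referenced, whereas this commit defines template 005 as the handwritten notes and adds no 006. The "After-Hours Timing" flag states "Sent late at night from personal device", which nothing in the intercepted headers shows. Since the commit positions this as CyBOK teaching material, bullets such as "Professional email should not require encryption" would be safer worded as a violation of this organization's stated policy, so that encryption use in itself is not taught as an insider-threat indicator.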
@@ -0,0 +1,430 @@
|
||||
# TEMPLATE: Suspicious Financial Activity
|
||||
|
||||
**Fragment ID:** EVIDENCE_AGENT_ID_002
|
||||
**Gameplay Function:** Agent Identification Evidence (Financial)
|
||||
**Evidence Type:** Bank transaction records
|
||||
**Rarity:** Uncommon
|
||||
**Substitution Required:** [SUBJECT_NAME], [SALARY], [AMOUNT], [DATE]
|
||||
|
||||
---
|
||||
|
||||
## Evidence Summary
|
||||
|
||||
**Item:** Bank account transaction analysis
|
||||
**Subject:** [SUBJECT_NAME]
|
||||
**Evidence Quality:** HIGH (financial records are hard evidence)
|
||||
**Admissibility:** HIGH (bank records with proper subpoena)
|
||||
|
||||
---
|
||||
|
||||
## Financial Analysis Report
|
||||
|
||||
```
|
||||
═══════════════════════════════════════════════════════
|
||||
SAFETYNET FINANCIAL FORENSICS ANALYSIS
|
||||
Subject: [SUBJECT_NAME]
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
ANALYSIS DATE: [CURRENT_DATE]
|
||||
ANALYST: Agent 0x77, Financial Crimes Division
|
||||
AUTHORIZATION: Federal subpoena #[SUBPOENA_NUMBER]
|
||||
BANKS ANALYZED: [PRIMARY_BANK], [SECONDARY_BANK]
|
||||
|
||||
SUMMARY:
|
||||
Significant unexplained cash deposits inconsistent with
|
||||
known employment income. Pattern consistent with ENTROPY
|
||||
asset payment methodology.
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
EMPLOYMENT INCOME VERIFICATION
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
Employer: [ORGANIZATION]
|
||||
Position: [POSITION]
|
||||
Declared Salary: $[SALARY] annually
|
||||
Expected Monthly Net: $[SALARY ÷ 12 × 0.70] (after tax)
|
||||
Actual Payroll Deposits: VERIFIED (matches declared)
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
SUSPICIOUS DEPOSITS IDENTIFIED
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
DEPOSIT #1: CASH
|
||||
Date: [DATE_1]
|
||||
Amount: $[AMOUNT] (exactly)
|
||||
Location: [BANK_BRANCH] ATM
|
||||
Time: 22:47 (after hours)
|
||||
Source: UNKNOWN - Cash deposit
|
||||
Notes: Amount consistent with ENTROPY payment ($25K-$75K range)
|
||||
|
||||
DEPOSIT #2: CRYPTOCURRENCY EXCHANGE
|
||||
Date: [DATE_2] (14 days after Deposit #1)
|
||||
Amount: $[AMOUNT × 0.97]
|
||||
Source: CryptoExchangePro (Bitcoin conversion)
|
||||
Notes: Exchange timing suggests cryptocurrency laundering
|
||||
97% of original amount (3% lost to fees/exchange)
|
||||
|
||||
DEPOSIT #3: WIRE TRANSFER
|
||||
Date: [DATE_3]
|
||||
Amount: $[AMOUNT × 0.5]
|
||||
Source: "[SHELL_COMPANY_NAME]"
|
||||
Registration: Delaware LLC (shell company indicators)
|
||||
Business: "Consulting services" (vague purpose)
|
||||
Notes: Payment memo: "Security consultation - Project [CODE]"
|
||||
Company registered 6 months ago, minimal online presence
|
||||
|
||||
DEPOSIT #4: CASH
|
||||
Date: [DATE_4]
|
||||
Amount: $[AMOUNT × 0.75]
|
||||
Location: Different branch (countersurveillance?)
|
||||
Time: 21:13 (after hours again)
|
||||
Notes: Deposited in multiple smaller amounts over 3 days
|
||||
Structured to avoid $10K reporting threshold
|
||||
|
||||
TOTAL SUSPICIOUS DEPOSITS: $[TOTAL_AMOUNT]
|
||||
TIMEFRAME: [DURATION] months
|
||||
AVERAGE: $[AVERAGE_PER_MONTH]/month
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
INCOME ANALYSIS
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
DECLARED INCOME (Annual):
|
||||
Salary: $[SALARY]
|
||||
Other declared income: $0
|
||||
Total: $[SALARY]
|
||||
|
||||
ACTUAL DEPOSITS (Analyzed period):
|
||||
Regular salary: $[SALARY_DEPOSITS]
|
||||
Suspicious deposits: $[TOTAL_AMOUNT]
|
||||
Total: $[SALARY_DEPOSITS + TOTAL_AMOUNT]
|
||||
|
||||
UNEXPLAINED INCOME: $[TOTAL_AMOUNT]
|
||||
PERCENTAGE OF SALARY: [PERCENTAGE]%
|
||||
|
||||
ASSESSMENT:
|
||||
Unexplained income of $[TOTAL_AMOUNT] represents
|
||||
[PERCENTAGE]% of declared salary. No legitimate
|
||||
source identified for this income.
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
EXPENDITURE PATTERNS
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
FOLLOWING SUSPICIOUS DEPOSITS:
|
||||
|
||||
Large expenditures identified:
|
||||
• $[DEBT_AMOUNT] - Student loan payoff ([DATE_5])
|
||||
• $[DEBT_AMOUNT_2] - Credit card debt clearance ([DATE_6])
|
||||
• $[EXPENSE_1] - [EXPENSE_DESCRIPTION]
|
||||
• $[EXPENSE_2] - [EXPENSE_DESCRIPTION]
|
||||
|
||||
PATTERN ANALYSIS:
|
||||
Subject used unexplained income to:
|
||||
1. Pay off existing debt (financial desperation motive)
|
||||
2. Make purchases previously unaffordable
|
||||
3. Maintain lifestyle above legitimate income level
|
||||
|
||||
This pattern consistent with ENTROPY asset behavior:
|
||||
- Recruited through financial desperation
|
||||
- Paid for specific services/access
|
||||
- Uses funds to resolve personal financial crisis
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
CRYPTOCURRENCY ACTIVITY
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
EXCHANGE ACCOUNT: CryptoExchangePro
|
||||
Account Name: [SUBJECT_NAME]
|
||||
KYC Status: Verified (used real identity)
|
||||
Activity:
|
||||
|
||||
INCOMING BITCOIN:
|
||||
Date: [CRYPTO_DATE_1]
|
||||
Amount: [BTC_AMOUNT] BTC
|
||||
Value: $[AMOUNT]
|
||||
Source Wallet: 1A9zW5...3kPm
|
||||
NOTE: This wallet identified as ENTROPY master wallet!
|
||||
|
||||
CONVERSION TO USD:
|
||||
Date: [CRYPTO_DATE_2] (same day)
|
||||
Amount: $[AMOUNT × 0.97]
|
||||
Transferred to: [BANK_NAME] account
|
||||
Fees: $[AMOUNT × 0.03]
|
||||
|
||||
CRITICAL FINDING:
|
||||
Direct transaction from confirmed ENTROPY master wallet
|
||||
to subject's personal exchange account. This is DIRECT
|
||||
EVIDENCE of ENTROPY payment.
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
SHELL COMPANY ANALYSIS
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
COMPANY: [SHELL_COMPANY_NAME]
|
||||
Registration: Delaware LLC
|
||||
Date Formed: [FORMATION_DATE] (6 months ago)
|
||||
Registered Agent: Corporate Formations Inc. (mass registrations)
|
||||
Business Address: Virtual office, no physical presence
|
||||
Website: [SHELL_COMPANY_URL] (created same month as registration)
|
||||
Employees: 0 (per state filings)
|
||||
Revenue: Unknown (no public filings)
|
||||
|
||||
RED FLAGS:
|
||||
✗ Recently formed (timing suspicious)
|
||||
✗ No physical office or employees
|
||||
✗ Generic "consulting" business description
|
||||
✗ Minimal web presence (likely fake)
|
||||
✗ Registered agent specializes in shell companies
|
||||
✗ No verifiable past projects or clients
|
||||
✗ Payment amounts inconsistent with actual consulting rates
|
||||
|
||||
ASSESSMENT:
|
||||
[SHELL_COMPANY_NAME] exhibits all characteristics of
|
||||
ENTROPY front company. Likely exists solely to provide
|
||||
"legitimate" cover for asset payments.
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
TAX IMPLICATIONS
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
UNREPORTED INCOME: $[TOTAL_AMOUNT] (likely)
|
||||
|
||||
If subject did not declare this income:
|
||||
• Tax evasion (federal crime)
|
||||
• Penalties: $[TAX_PENALTY_ESTIMATE]
|
||||
• Criminal exposure: 1-5 years prison
|
||||
|
||||
Additional leverage for cooperation:
|
||||
"We can help with IRS if you help us with ENTROPY."
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
CONCLUSIONS
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
EVIDENCE STRENGTH: HIGH
|
||||
|
||||
Multiple indicators of ENTROPY asset payments:
|
||||
✓ Direct transaction from ENTROPY master wallet
|
||||
✓ Cash deposits in ENTROPY payment range ($25K-$75K)
|
||||
✓ Shell company payments with suspicious characteristics
|
||||
✓ Structured deposits avoiding reporting thresholds
|
||||
✓ Cryptocurrency conversion (laundering pattern)
|
||||
✓ Unexplained income [PERCENTAGE]% of legitimate salary
|
||||
✓ Timing correlates with known ENTROPY operations
|
||||
|
||||
LEGAL ASSESSMENT:
|
||||
This evidence, combined with other indicators, establishes
|
||||
probable cause for:
|
||||
• Money laundering charges
|
||||
• Tax evasion
|
||||
• Conspiracy (if operational involvement proven)
|
||||
• ENTROPY asset designation (administrative)
|
||||
|
||||
RECOMMENDATION:
|
||||
Subject [SUBJECT_NAME] is receiving payments from ENTROPY.
|
||||
Financial pressure likely recruitment vector.
|
||||
High probability of cooperation if offered immunity +
|
||||
financial assistance alternative.
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
ANALYST NOTES:
|
||||
|
||||
Subject's financial desperation (debt visible in records)
|
||||
made them vulnerable to ENTROPY recruitment. The $[AMOUNT]
|
||||
payments provided relief they couldn't get elsewhere.
|
||||
|
||||
This isn't a career criminal. This is someone who made a
|
||||
bad choice under extreme financial pressure.
|
||||
|
||||
Recommended approach: Offer help, not just prosecution.
|
||||
"We can resolve your debt legally. No prison. Fresh start.
|
||||
Just tell us what ENTROPY wanted you to do."
|
||||
|
||||
Cooperation probability: 75-85% if approached correctly.
|
||||
|
||||
- Agent 0x77
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
CLASSIFICATION: FINANCIAL EVIDENCE - HIGH CONFIDENCE
|
||||
DISTRIBUTION: Investigation team, legal counsel
|
||||
HANDLING: Subpoena required for admission in court
|
||||
═══════════════════════════════════════════════════════
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Gameplay Integration
|
||||
|
||||
**This Fragment Enables:**
|
||||
|
||||
**Definitive Identification:**
|
||||
- Confirms [SUBJECT_NAME] is ENTROPY asset (95% certainty)
|
||||
- Direct evidence from master wallet transaction
|
||||
- Legally admissible in court
|
||||
- Justifies arrest/surveillance/confrontation
|
||||
|
||||
**Player Actions Unlocked:**
|
||||
|
||||
**CONFRONTATION:**
|
||||
```
|
||||
"We know about the payments, [SUBJECT_NAME].
|
||||
$[TOTAL_AMOUNT] from ENTROPY over [DURATION] months.
|
||||
Direct transfer from their master wallet to your account.
|
||||
|
||||
We have the bank records. We have the cryptocurrency trail.
|
||||
We have everything.
|
||||
|
||||
You can cooperate now, or we can prosecute. Your choice."
|
||||
```
|
||||
|
||||
**LEVERAGE:**
|
||||
```
|
||||
"You're facing money laundering charges. Tax evasion.
|
||||
5-10 years federal prison.
|
||||
|
||||
OR
|
||||
|
||||
You help us. Full immunity. We help you with the debt
|
||||
legally. Witness protection if needed. Clean slate.
|
||||
|
||||
What's it going to be?"
|
||||
```
|
||||
|
||||
**INTELLIGENCE:**
|
||||
```
|
||||
Financial analysis reveals:
|
||||
→ Payment amounts indicate level of access provided
|
||||
→ Payment timing correlates with operations
|
||||
→ Shell company shows ENTROPY front operation
|
||||
→ Master wallet transaction connects to other assets
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Success Metrics
|
||||
|
||||
**Evidence Value:**
|
||||
- Alone: 60% confidence (suspicious but could have explanation)
|
||||
- + Encrypted comms: 85% confidence
|
||||
- + Access logs: 90% confidence
|
||||
- + Surveillance: 95% confidence
|
||||
- + Confession: 100% certainty
|
||||
|
||||
**Cooperation Likelihood:**
|
||||
- Show financial evidence alone: 45% cooperation
|
||||
- Offer immunity + debt help: 75% cooperation
|
||||
- Add threat of prison time: 85% cooperation
|
||||
- Combine all approaches: 90% cooperation
|
||||
|
||||
**Legal Strength:**
|
||||
- Prosecution without cooperation: 70% conviction rate
|
||||
- With subject cooperation: 95% conviction rate (against ENTROPY)
|
||||
- Tax evasion charges alone: 90% conviction rate
|
||||
|
||||
---
|
||||
|
||||
## Template Substitution Guide
|
||||
|
||||
**Replace these placeholders:**
|
||||
|
||||
```
|
||||
[SUBJECT_NAME] → NPC name
|
||||
[SALARY] → Annual salary matching their position
|
||||
[AMOUNT] → ENTROPY payment amount ($25,000 - $75,000 typical)
|
||||
[DATE_1], [DATE_2], etc. → Appropriate dates in game timeline
|
||||
[ORGANIZATION] → Company name where NPC works
|
||||
[POSITION] → NPC's job title
|
||||
[SHELL_COMPANY_NAME] → Generic business name (e.g., "SecureConsult LLC")
|
||||
[DEBT_AMOUNT] → Amount of debt NPC paid off
|
||||
[EXPENSE_DESCRIPTION] → What they bought with the money
|
||||
[PERCENTAGE] → Calculate: (TOTAL_AMOUNT ÷ SALARY) × 100
|
||||
```
|
||||
|
||||
**Formula for realistic amounts:**
|
||||
```
|
||||
Base salary: $40,000 - $80,000 (typical corporate employee)
|
||||
ENTROPY payment: 50-100% of annual salary
|
||||
Total suspicious income: $25,000 - $75,000
|
||||
Debt paid off: 80% of suspicious income
|
||||
Remaining spent: 20% of suspicious income
|
||||
```
|
||||
|
||||
**Example with substitutions:**
|
||||
```
|
||||
Subject: David Chen
|
||||
Salary: $52,000
|
||||
ENTROPY payment: $50,000 (96% of salary)
|
||||
Student debt paid: $40,000
|
||||
Credit cards cleared: $8,000
|
||||
Unexplained income: 96% of declared salary
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Scenario Variations
|
||||
|
||||
**High-Value Target (More Money):**
|
||||
```
|
||||
Salary: $120,000 (senior position)
|
||||
ENTROPY payment: $150,000 (125% of salary)
|
||||
Justification: Valuable access, sensitive position
|
||||
```
|
||||
|
||||
**Low-Value Target (Less Money):**
|
||||
```
|
||||
Salary: $35,000 (junior position)
|
||||
ENTROPY payment: $25,000 (71% of salary)
|
||||
Justification: Limited access, lower value
|
||||
```
|
||||
|
||||
**Ongoing Asset (Multiple Payments):**
|
||||
```
|
||||
Payment 1: $40,000 (initial recruitment)
|
||||
Payment 2: $15,000 (after 3 months)
|
||||
Payment 3: $15,000 (after 6 months)
|
||||
Total: $70,000 over 6 months
|
||||
Pattern: Ongoing asset vs. one-time use
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Related Evidence Types
|
||||
|
||||
**Combine with:**
|
||||
- EVIDENCE_AGENT_ID_001: Encrypted communications (motive for payment)
|
||||
- EVIDENCE_AGENT_ID_003: Access logs (what they did for money)
|
||||
- EVIDENCE_AGENT_ID_004: Surveillance (meetings with ENTROPY handlers)
|
||||
- EVIDENCE_AGENT_ID_006: Recruitment approach (how they were contacted)
|
||||
|
||||
**Investigation Sequence:**
|
||||
1. Find encrypted comms → Suspicion
|
||||
2. Get financial records → Confirmation
|
||||
3. Confront subject → Cooperation or arrest
|
||||
4. Use testimony → Dismantle cell
|
||||
|
||||
---
|
||||
|
||||
## Educational Context
|
||||
|
||||
**Related CyBOK Topics:**
|
||||
- Law & Regulation (Money laundering, tax law, financial crimes)
|
||||
- Forensics (Financial forensics, transaction analysis)
|
||||
- Human Factors (Financial pressure as vulnerability)
|
||||
|
||||
**Security Lessons:**
|
||||
- Financial desperation creates insider threats
|
||||
- Cryptocurrency provides pseudo-anonymity, not true anonymity
|
||||
- Shell companies are traceable through proper investigation
|
||||
- Bank records are powerful evidence (hard to deny)
|
||||
- Structured deposits indicate guilty knowledge
|
||||
- Employee financial wellness reduces vulnerability
|
||||
|
||||
---
|
||||
|
||||
**CLASSIFICATION:** EVIDENCE TEMPLATE - FINANCIAL
|
||||
**PRIORITY:** HIGH (Definitive proof with proper subpoena)
|
||||
**REUSABILITY:** High (works for any insider threat scenario)
|
||||
**LEGAL VALUE:** Excellent (bank records highly admissible)
|
||||
**COOPERATION VALUE:** Excellent (strong leverage for turning asset)
|
||||
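Review bot: The Template Substitution Guide in this file lists only ten placeholders, while the report body uses many more that have no entry: [TOTAL_AMOUNT], [DURATION], [AVERAGE_PER_MONTH], [SALARY_DEPOSITS], [BTC_AMOUNT], [CRYPTO_DATE_1], [CRYPTO_DATE_2], [BANK_NAME], [SHELL_COMPANY_URL], [FORMATION_DATE], [TAX_PENALTY_ESTIMATE], [DEBT_AMOUNT_2], [EXPENSE_1], [EXPENSE_2] and [CODE]. Please add them to the guide. Bracketed arithmetic such as "$[AMOUNT × 0.5]" and "$[SALARY_DEPOSITS + TOTAL_AMOUNT]" is not a plain token, so the guide should say whether the substitution step evaluates it or the scenario author computes the value by hand. The hard-coded "(6 months ago)" next to [FORMATION_DATE] can contradict whatever date is substituted; derive it from the date or drop it. The confidence figures also disagree: Gameplay Integration says "Confirms [SUBJECT_NAME] is ENTROPY asset (95% certainty)", but Success Metrics gives "Alone: 60% confidence" and reaches 95% only after surveillance is added. Finally, Related Evidence Types points to EVIDENCE_AGENT_ID_006 (recruitment approach), which is not among the five templates the commit message lists, and omits the 005 confession template that Success Metrics relies on.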
@@ -0,0 +1,598 @@
|
||||
# TEMPLATE: Unauthorized System Access Pattern
|
||||
|
||||
**Fragment ID:** EVIDENCE_AGENT_ID_003
|
||||
**Gameplay Function:** Agent Identification Evidence (Technical)
|
||||
**Evidence Type:** System access logs and audit trail
|
||||
**Rarity:** Common
|
||||
**Substitution Required:** [SUBJECT_NAME], [POSITION], [SYSTEM_NAME], [DATA_TYPE]
|
||||
|
||||
---
|
||||
|
||||
## Evidence Summary
|
||||
|
||||
**Item:** System access log analysis
|
||||
**Subject:** [SUBJECT_NAME], [POSITION]
|
||||
**Evidence Quality:** HIGH (technical logs are objective)
|
||||
**Admissibility:** HIGH (system logs with proper chain of custody)
|
||||
|
||||
---
|
||||
|
||||
## Access Log Analysis Report
|
||||
|
||||
```
|
||||
╔═══════════════════════════════════════════════════════╗
|
||||
║ SYSTEM ACCESS AUDIT REPORT ║
|
||||
║ Unauthorized Activity Detection ║
|
||||
╚═══════════════════════════════════════════════════════╝
|
||||
|
||||
REPORT ID: SYS-AUDIT-[REPORT_NUMBER]
|
||||
GENERATED: [CURRENT_DATE]
|
||||
ANALYST: IT Security Team / SAFETYNET Technical Division
|
||||
SUBJECT: [SUBJECT_NAME]
|
||||
EMPLOYEE ID: [EMP_ID]
|
||||
POSITION: [POSITION]
|
||||
DEPARTMENT: [DEPARTMENT]
|
||||
AUTHORIZED ACCESS LEVEL: [ACCESS_LEVEL]
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
SUMMARY:
|
||||
Comprehensive analysis of system access logs reveals
|
||||
pattern of unauthorized access to systems and data
|
||||
outside subject's job responsibilities and clearance level.
|
||||
|
||||
Activity consistent with data exfiltration preparation
|
||||
and reconnaissance for ENTROPY operations.
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
BASELINE LEGITIMATE ACCESS
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
Based on position [POSITION], subject should access:
|
||||
|
||||
AUTHORIZED SYSTEMS:
|
||||
✓ [SYSTEM_1] - Required for daily work
|
||||
✓ [SYSTEM_2] - Department shared resources
|
||||
✓ [SYSTEM_3] - Communication tools
|
||||
✓ [SYSTEM_4] - Standard employee applications
|
||||
|
||||
AUTHORIZED DATA:
|
||||
✓ [DATA_TYPE_1] - Related to job function
|
||||
✓ [DATA_TYPE_2] - Department information
|
||||
✓ [DATA_TYPE_3] - Public/shared company data
|
||||
|
||||
TYPICAL USAGE PATTERN:
|
||||
• Login times: 08:00-18:00 (business hours)
|
||||
• Access frequency: Multiple times daily
|
||||
• Data volume: Normal for position
|
||||
• Locations: Office workstation, VPN from home
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
UNAUTHORIZED ACCESS DETECTED
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
INCIDENT #1: SENSITIVE DATABASE ACCESS
|
||||
|
||||
Date/Time: [DATE_TIME_1]
|
||||
System: [SENSITIVE_SYSTEM]
|
||||
Access Method: SQL query via admin console
|
||||
User Account: [SUBJECT_NAME]@[ORGANIZATION]
|
||||
Location: Office workstation (IP: [IP_ADDRESS])
|
||||
|
||||
QUERY EXECUTED:
|
||||
SELECT * FROM [DATABASE].[TABLE]
|
||||
WHERE [CRITERIA]
|
||||
LIMIT 50000
|
||||
|
||||
ANALYSIS:
|
||||
✗ [SUBJECT_NAME] has NO authorized access to [SENSITIVE_SYSTEM]
|
||||
✗ Position [POSITION] has no business need for this data
|
||||
✗ Query extracted [DATA_TYPE] for 50,000 records
|
||||
✗ Data volume far exceeds any legitimate need
|
||||
✗ Query format suggests data exfiltration intent
|
||||
|
||||
RED FLAGS:
|
||||
• Access outside job responsibilities
|
||||
• Large-scale data extraction
|
||||
• No ticket/request for access
|
||||
• Used elevated credentials (how obtained?)
|
||||
• Timing: After hours (22:34)
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
INCIDENT #2: NETWORK INFRASTRUCTURE MAPPING
|
||||
|
||||
Date/Time: [DATE_TIME_2]
|
||||
System: Network Management Console
|
||||
Access Method: Direct login
|
||||
User Account: [SUBJECT_NAME] (used supervisor's credentials!)
|
||||
Location: Office (IP: [IP_ADDRESS])
|
||||
|
||||
ACTIONS PERFORMED:
|
||||
• Exported network topology diagram
|
||||
• Downloaded firewall rule configurations
|
||||
• Accessed VPN server logs
|
||||
• Queried active directory structure
|
||||
• Downloaded security camera placement map
|
||||
|
||||
ANALYSIS:
|
||||
✗ Supervisor credentials compromised/shared (security violation)
|
||||
✗ Network admin access not authorized for [POSITION]
|
||||
✗ Infrastructure documentation downloaded (reconnaissance)
|
||||
✗ Security architecture exposed
|
||||
✗ No legitimate business justification exists
|
||||
|
||||
RED FLAGS:
|
||||
• Credential theft/sharing (serious violation)
|
||||
• Complete infrastructure reconnaissance
|
||||
• Downloaded security-sensitive diagrams
|
||||
• Classic pre-attack intelligence gathering
|
||||
• Timing: Weekend (Saturday 14:23)
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
INCIDENT #3: HUMAN RESOURCES DATABASE
|
||||
|
||||
Date/Time: [DATE_TIME_3]
|
||||
System: HR Management System
|
||||
Access Method: Web portal login
|
||||
User Account: [SUBJECT_NAME]
|
||||
Location: Unknown (VPN from residential IP)
|
||||
|
||||
DATA ACCESSED:
|
||||
• Employee personal information (500+ records)
|
||||
• Salary and compensation data
|
||||
• Home addresses and contact info
|
||||
• Security clearance levels
|
||||
• Emergency contacts
|
||||
|
||||
ANALYSIS:
|
||||
✗ HR system access not authorized for [POSITION]
|
||||
✗ Accessed 500+ employee records (entire department)
|
||||
✗ No HR-related job responsibilities
|
||||
✗ Personal data with no legitimate need
|
||||
✗ Pattern suggests target profiling for ENTROPY
|
||||
|
||||
RED FLAGS:
|
||||
• Mass employee data access
|
||||
• Personal information exfiltration
|
||||
• Possible recruitment target identification
|
||||
• Social engineering preparation
|
||||
• Timing: Evening from home (20:15)
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
INCIDENT #4: EXECUTIVE EMAIL ACCESS
|
||||
|
||||
Date/Time: [DATE_TIME_4]
|
||||
System: Email server (Exchange)
|
||||
Access Method: PowerShell remote access
|
||||
User Account: [SUBJECT_NAME]
|
||||
Location: Office (IP: [IP_ADDRESS])
|
||||
|
||||
ACTIVITY:
|
||||
• Accessed CEO mailbox (unauthorized!)
|
||||
• Read 127 emails marked "Confidential"
|
||||
• Exported emails to PST file
|
||||
• Downloaded email to external drive
|
||||
• Deleted access logs (attempted cover-up)
|
||||
|
||||
ANALYSIS:
|
||||
✗ Executive email access STRICTLY prohibited
|
||||
✗ PowerShell used to bypass security controls
|
||||
✗ Exported emails for offline viewing
|
||||
✗ Attempted to delete evidence (consciousness of guilt)
|
||||
✗ Contains privileged executive communications
|
||||
|
||||
RED FLAGS:
|
||||
• Highest-level unauthorized access
|
||||
• Corporate espionage indicators
|
||||
• Active cover-up attempt (log deletion)
|
||||
• Technical sophistication (PowerShell usage)
|
||||
• Timing: Middle of night (02:17)
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
INCIDENT #5: USB DEVICE USAGE
|
||||
|
||||
Date/Time: [DATE_TIME_5]
|
||||
System: Endpoint detection (workstation)
|
||||
Device: USB flash drive (128GB)
|
||||
User Account: [SUBJECT_NAME]
|
||||
Location: Office workstation
|
||||
|
||||
ACTIVITY:
|
||||
• Connected unauthorized USB device
|
||||
• Copied [FILE_COUNT] files to drive
|
||||
• Total data: [DATA_SIZE] GB
|
||||
• File types: .xlsx, .docx, .pdf, .pst
|
||||
• Encryption detected on USB (secure storage)
|
||||
|
||||
ANALYSIS:
|
||||
✗ USB devices prohibited by policy (DLP violation)
|
||||
✗ Large-scale file copying to external media
|
||||
✗ Included sensitive/confidential documents
|
||||
✗ USB encrypted (hiding contents)
|
||||
✗ Classic data exfiltration method
|
||||
|
||||
RED FLAGS:
|
||||
• Policy violation (USB prohibition)
|
||||
• Data exfiltration to portable media
|
||||
• Encryption suggests premeditation
|
||||
• Volume suggests systematic collection
|
||||
• Timing: Late evening (19:45)
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
PATTERN ANALYSIS
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
TIMELINE OF UNAUTHORIZED ACTIVITY:
|
||||
|
||||
Week 1: [DATE_RANGE_1]
|
||||
→ Initial reconnaissance (network mapping)
|
||||
→ Identifying high-value systems
|
||||
|
||||
Week 2-3: [DATE_RANGE_2]
|
||||
→ Unauthorized data access begins
|
||||
→ Multiple system compromises
|
||||
→ Credential elevation/theft
|
||||
|
||||
Week 4: [DATE_RANGE_3]
|
||||
→ Large-scale data exfiltration
|
||||
→ Executive communications accessed
|
||||
→ USB device data export
|
||||
|
||||
PROGRESSION:
|
||||
Reconnaissance → Access → Exfiltration → Cover-up
|
||||
|
||||
This timeline consistent with ENTROPY operational cadence:
|
||||
- 2-4 weeks from recruitment to first deliverable
|
||||
- Systematic approach (not random access)
|
||||
- Escalating access levels
|
||||
- Final exfiltration before rotation
|
||||
|
||||
TEMPORAL PATTERNS:
|
||||
|
||||
After-Hours Access: 78% of incidents
|
||||
• 22:34, 02:17, 19:45, 20:15, 14:23 (weekend)
|
||||
• Suggests covert activity awareness
|
||||
• Avoiding daytime supervision
|
||||
• Consciousness of wrongdoing
|
||||
|
||||
Weekend Access: 23% of incidents
|
||||
• Saturday access to avoid scrutiny
|
||||
• Reduced security staffing
|
||||
• Fewer witnesses to activity
|
||||
|
||||
VPN/Remote Access: 34% of incidents
|
||||
• From residential IP addresses
|
||||
• Outside corporate network
|
||||
• Harder to detect/monitor
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
TECHNICAL SOPHISTICATION INDICATORS
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
SKILLS DEMONSTRATED:
|
||||
|
||||
✓ PowerShell scripting (executive email access)
|
||||
✓ SQL query construction (database extraction)
|
||||
✓ Credential compromise (supervisor's account)
|
||||
✓ Log manipulation (attempted deletion)
|
||||
✓ Encryption usage (USB device)
|
||||
✓ Network reconnaissance (topology mapping)
|
||||
|
||||
ASSESSMENT:
|
||||
Subject demonstrates technical capabilities beyond
|
||||
requirements of [POSITION]. Suggests:
|
||||
|
||||
1. Prior training (possibly ENTROPY-provided)
|
||||
2. Security background (knows how to evade detection)
|
||||
3. Deliberate skill application (not accidental)
|
||||
4. Sophisticated adversary (not amateur mistake)
|
||||
|
||||
This level of sophistication consistent with:
|
||||
→ Trained ENTROPY operative
|
||||
→ Professional cyber criminal
|
||||
→ Insider threat with external guidance
|
||||
→ Asset with technical handler support
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
DATA EXFILTRATED (ESTIMATED)
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
Based on log analysis, subject likely obtained:
|
||||
|
||||
CATEGORY 1: CUSTOMER DATA
|
||||
• [NUMBER] customer records
|
||||
• Personal information (PII)
|
||||
• Financial account details
|
||||
• Contact information
|
||||
Estimated Volume: [SIZE] GB
|
||||
|
||||
CATEGORY 2: INFRASTRUCTURE
|
||||
• Network topology diagrams
|
||||
• Security architecture docs
|
||||
• Access control configurations
|
||||
• Firewall rules and VPN configs
|
||||
Estimated Volume: [SIZE] MB
|
||||
|
||||
CATEGORY 3: EMPLOYEE DATA
|
||||
• 500+ employee personal records
|
||||
• Salary and compensation data
|
||||
• Security clearance information
|
||||
• Contact details for recruitment targeting
|
||||
Estimated Volume: [SIZE] MB
|
||||
|
||||
CATEGORY 4: EXECUTIVE COMMUNICATIONS
|
||||
• 127 confidential emails
|
||||
• Strategic planning documents
|
||||
• Merger/acquisition discussions
|
||||
• Proprietary business intelligence
|
||||
Estimated Volume: [SIZE] MB
|
||||
|
||||
CATEGORY 5: PROPRIETARY DATA
|
||||
• [FILE_COUNT] sensitive documents
|
||||
• Trade secrets potential
|
||||
• Intellectual property
|
||||
• Competitive intelligence
|
||||
Estimated Volume: [SIZE] GB
|
||||
|
||||
TOTAL ESTIMATED EXFILTRATION: [TOTAL_SIZE] GB
|
||||
|
||||
VALUE ASSESSMENT:
|
||||
This data highly valuable for:
|
||||
→ ENTROPY Phase 3 operations (customer targeting)
|
||||
→ Future social engineering campaigns
|
||||
→ Competitive intelligence sale
|
||||
→ Infrastructure attack planning
|
||||
→ Employee recruitment targeting
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
POLICY VIOLATIONS
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
Subject violated the following corporate policies:
|
||||
|
||||
✗ Acceptable Use Policy (Section 3.2)
|
||||
- Unauthorized system access
|
||||
|
||||
✗ Data Protection Policy (Section 2.1)
|
||||
- Accessed data without business need
|
||||
|
||||
✗ USB Device Policy (Section 4.7)
|
||||
- Used prohibited external storage
|
||||
|
||||
✗ Credential Sharing Policy (Section 1.3)
|
||||
- Used supervisor's credentials
|
||||
|
||||
✗ After-Hours Access Policy (Section 5.2)
|
||||
- Suspicious access patterns
|
||||
|
||||
✗ Data Classification Policy (Section 6.1)
|
||||
- Accessed confidential/secret data
|
||||
|
||||
✗ Log Integrity Policy (Section 7.4)
|
||||
- Attempted log deletion
|
||||
|
||||
RECOMMENDED EMPLOYMENT ACTION:
|
||||
Immediate termination for cause with policies violated.
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
LEGAL IMPLICATIONS
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
CRIMINAL STATUTES POTENTIALLY VIOLATED:
|
||||
|
||||
Federal:
|
||||
• 18 U.S.C. § 1030 - Computer Fraud and Abuse Act
|
||||
• 18 U.S.C. § 1831 - Economic Espionage Act
|
||||
• 18 U.S.C. § 2511 - Wiretap Act (email interception)
|
||||
|
||||
State:
|
||||
• Computer trespass
|
||||
• Theft of trade secrets
|
||||
• Unauthorized access to computer systems
|
||||
|
||||
Civil:
|
||||
• Breach of employment contract
|
||||
• Breach of confidentiality agreement
|
||||
• Trade secret misappropriation
|
||||
|
||||
POTENTIAL SENTENCES:
|
||||
• Federal CFAA: Up to 10 years per count
|
||||
• Economic espionage: Up to 15 years
|
||||
• Multiple counts possible: 25+ years exposure
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
CONCLUSIONS AND RECOMMENDATIONS
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
EVIDENCE ASSESSMENT: DEFINITIVE
|
||||
|
||||
Subject [SUBJECT_NAME] engaged in systematic unauthorized
|
||||
access to corporate systems and data exfiltration over
|
||||
[TIMEFRAME] period.
|
||||
|
||||
Activity characteristics:
|
||||
✓ Deliberate and premeditated
|
||||
✓ Technically sophisticated
|
||||
✓ Aligned with ENTROPY operational patterns
|
||||
✓ Resulted in significant data compromise
|
||||
✓ Included active cover-up attempts
|
||||
|
||||
CONFIDENCE LEVEL: 95%
|
||||
|
||||
This is not accidental access or policy misunderstanding.
|
||||
This is deliberate espionage/data theft by trained operative
|
||||
or ENTROPY asset.
|
||||
|
||||
IMMEDIATE RECOMMENDATIONS:
|
||||
|
||||
□ Suspend all system access immediately
|
||||
□ Confiscate workstation and devices
|
||||
□ Preserve all log evidence (legal hold)
|
||||
□ Coordinate with SAFETYNET for investigation
|
||||
□ Prepare termination documentation
|
||||
□ Consider criminal prosecution
|
||||
□ Assess damage and notify affected parties
|
||||
□ Review security controls that failed
|
||||
|
||||
INVESTIGATION PRIORITIES:
|
||||
|
||||
□ How were supervisor credentials obtained?
|
||||
□ What happened to exfiltrated data?
|
||||
□ Are there other compromised employees?
|
||||
□ What is subject's connection to ENTROPY?
|
||||
□ Recover USB device if possible
|
||||
□ Interview subject (with legal counsel present)
|
||||
□ Coordinate with law enforcement
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
ANALYST NOTES:
|
||||
|
||||
The technical sophistication and systematic approach
|
||||
suggests [SUBJECT_NAME] received external guidance,
|
||||
likely from ENTROPY handler.
|
||||
|
||||
Pattern matches 12 other cases of ENTROPY asset behavior:
|
||||
- Reconnaissance phase (2-3 weeks)
|
||||
- Access escalation (1-2 weeks)
|
||||
- Exfiltration (final week)
|
||||
- Attempted cover-up
|
||||
|
||||
Subject likely recruited for specific access, trained on
|
||||
what to collect, and provided tools/methods for exfiltration.
|
||||
|
||||
Recommend offering cooperation deal:
|
||||
"Help us understand who recruited you, what they wanted,
|
||||
and where the data went. We can help you if you help us."
|
||||
|
||||
Without cooperation, prosecution recommended.
|
||||
|
||||
- IT Security Team / SAFETYNET Liaison
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
CLASSIFICATION: TECHNICAL EVIDENCE - UNAUTHORIZED ACCESS
|
||||
DISTRIBUTION: Security team, legal, SAFETYNET, management
|
||||
HANDLING: Preserve original logs, maintain chain of custody
|
||||
═══════════════════════════════════════════════════════
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Gameplay Integration
|
||||
|
||||
**This Fragment Enables:**
|
||||
|
||||
**Immediate Actions:**
|
||||
- Suspend [SUBJECT_NAME]'s access (prevent further damage)
|
||||
- Confiscate devices and conduct forensic analysis
|
||||
- Initiate formal investigation
|
||||
- Coordinate with SAFETYNET
|
||||
|
||||
**Confrontation Dialog:**
|
||||
```
|
||||
"We have your access logs, [SUBJECT_NAME].
|
||||
|
||||
[SENSITIVE_SYSTEM] at 22:34. You're not authorized for that system.
|
||||
|
||||
Network diagrams downloaded on Saturday. Why?
|
||||
|
||||
CEO's emails exported at 02:17. That's a federal crime.
|
||||
|
||||
128GB USB drive. Where did that data go?
|
||||
|
||||
We have timestamps. IP addresses. Exact files accessed.
|
||||
|
||||
This isn't a mistake. This is systematic data theft.
|
||||
|
||||
Who are you working for?"
|
||||
```
|
||||
|
||||
**Player Choices:**
|
||||
|
||||
**APPROACH A: Technical Lockdown**
|
||||
- Immediate suspension
|
||||
- Forensic investigation
|
||||
- Criminal prosecution
|
||||
- No cooperation opportunity
|
||||
|
||||
**APPROACH B: Monitored Access**
|
||||
- Allow continued access under surveillance
|
||||
- Track who they contact
|
||||
- Identify ENTROPY handler
|
||||
- Build larger case
|
||||
|
||||
**APPROACH C: Confrontation + Deal**
|
||||
- Show evidence
|
||||
- Offer immunity for cooperation
|
||||
- Learn ENTROPY methods
|
||||
- Turn asset into informant
|
||||
|
||||
**APPROACH D: Counter-Intelligence**
|
||||
- Feed false data through subject
|
||||
- Use as unwitting double agent
|
||||
- Track where data goes
|
||||
- Identify ENTROPY infrastructure
|
||||
|
||||
---
|
||||
|
||||
## Success Metrics
|
||||
|
||||
**Evidence Strength:**
|
||||
- System logs alone: 70% conviction probability
|
||||
- Logs + financial records: 90% probability
|
||||
- Logs + financial + surveillance: 95% probability
|
||||
- Add confession: 99% probability
|
||||
|
||||
**Damage Assessment:**
|
||||
- Data exfiltrated: [TOTAL_SIZE] GB
|
||||
- Systems compromised: [NUMBER]
|
||||
- Policy violations: 7 major
|
||||
- Potential impact: HIGH (customer data, exec comms)
|
||||
|
||||
**Recovery Actions:**
|
||||
- Incident response: 2-4 weeks
|
||||
- Customer notification: Required (data breach laws)
|
||||
- Security improvements: $[COST_ESTIMATE]
|
||||
- Reputational damage: Significant
|
||||
|
||||
---
|
||||
|
||||
## Template Substitution Guide
|
||||
|
||||
**Replace these placeholders:**
|
||||
|
||||
```
|
||||
[SUBJECT_NAME] → NPC name
|
||||
[POSITION] → Job title
|
||||
[DEPARTMENT] → Department name
|
||||
[ORGANIZATION] → Company name
|
||||
[SYSTEM_NAME] → Specific system accessed (e.g., "Customer Database")
|
||||
[DATA_TYPE] → Type of data (e.g., "financial records")
|
||||
[SENSITIVE_SYSTEM] → High-value target system
|
||||
[DATE_TIME_X] → Specific timestamps
|
||||
[IP_ADDRESS] → Internal IP address
|
||||
[FILE_COUNT] → Number of files exfiltrated
|
||||
[DATA_SIZE] → Size of data exfiltrated
|
||||
[ACCESS_LEVEL] → Authorized clearance level
|
||||
```
|
||||
|
||||
**Realistic Technical Details:**
|
||||
```
|
||||
IP addresses: 10.x.x.x or 192.168.x.x (internal)
|
||||
File counts: 50-500 (believable exfiltration)
|
||||
Data sizes: 1-10 GB (USB-portable)
|
||||
Timestamps: Mix of after-hours and weekends
|
||||
Access levels: User, Power User, Admin
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**CLASSIFICATION:** EVIDENCE TEMPLATE - TECHNICAL
|
||||
**PRIORITY:** HIGH (Objective technical proof)
|
||||
**REUSABILITY:** High (works for any insider threat)
|
||||
**LEGAL VALUE:** Excellent (system logs are strong evidence)
|
||||
**INVESTIGATION VALUE:** Excellent (shows what, when, how)
|
||||
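Review bot: In the Damage Assessment and Recovery Actions lists, `[TOTAL_SIZE]`, `[NUMBER]` and `[COST_ESTIMATE]` are used, but none of them appears in the Template Substitution Guide further down, which lists `[DATA_SIZE]` and `[FILE_COUNT]` instead. A scenario author working only from the guide will leave these three unreplaced in the rendered fragment. Either add them to the guide with example values or reuse `[DATA_SIZE]` for the exfiltrated total. Also, "Policy violations: 7 major" is a fixed number in an otherwise parameterised block; consider making it a placeholder like the neighbouring lines.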
@@ -0,0 +1,563 @@
|
||||
# TEMPLATE: Surveillance Evidence of ENTROPY Contact
|
||||
|
||||
**Fragment ID:** EVIDENCE_AGENT_ID_004
|
||||
**Gameplay Function:** Agent Identification Evidence (Surveillance)
|
||||
**Evidence Type:** Photographic surveillance and behavioral analysis
|
||||
**Rarity:** Uncommon
|
||||
**Substitution Required:** [SUBJECT_NAME], [POSITION], [CONTACT_DESCRIPTION]
|
||||
|
||||
---
|
||||
|
||||
## Evidence Summary
|
||||
|
||||
**Item:** Surveillance photography and behavioral observation
|
||||
**Subject:** [SUBJECT_NAME], [POSITION]
|
||||
**Evidence Quality:** MEDIUM-HIGH (visual evidence corroborates other intel)
|
||||
**Admissibility:** HIGH (photographic evidence with proper surveillance authorization)
|
||||
|
||||
---
|
||||
|
||||
## Surveillance Report
|
||||
|
||||
```
|
||||
╔═══════════════════════════════════════════════════════╗
|
||||
║ SAFETYNET SURVEILLANCE REPORT ║
|
||||
║ Suspected ENTROPY Asset Monitoring ║
|
||||
╚═══════════════════════════════════════════════════════╝
|
||||
|
||||
OPERATION: [OPERATION_CODE_NAME]
|
||||
SUBJECT: [SUBJECT_NAME]
|
||||
SURVEILLANCE TEAM: Alpha-3
|
||||
LEAD AGENT: Agent 0x99 "HAXOLOTTLE"
|
||||
DURATION: [DURATION] days ([START_DATE] - [END_DATE])
|
||||
AUTHORIZATION: Director Netherton, Priority [PRIORITY]
|
||||
BUDGET: $[BUDGET] (surveillance, tech, analyst time)
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
MISSION OBJECTIVE:
|
||||
Determine if [SUBJECT_NAME] maintains contact with
|
||||
ENTROPY operatives or handlers. Visual confirmation
|
||||
of suspicious meetings and behavior patterns.
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
SURVEILLANCE PHOTOGRAPHY - DAY 1
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
[PHOTO 1: UNUSUAL MEETING]
|
||||
|
||||
Location: [LOCATION] (Coffee shop, outdoor seating)
|
||||
Date: [DATE], [TIME]
|
||||
Camera: High-resolution telephoto (300mm)
|
||||
Quality: EXCELLENT (clear facial features, good lighting)
|
||||
|
||||
SUBJECTS VISIBLE:
|
||||
• [SUBJECT_NAME] - Target (left side of table)
|
||||
• Unknown individual - [CONTACT_DESCRIPTION] (right side)
|
||||
|
||||
DESCRIPTION:
|
||||
Meeting duration: 42 minutes
|
||||
Body language: Serious discussion, no social pleasantries
|
||||
Documents visible: Papers exchanged across table
|
||||
Subject's demeanor: Nervous (observed touching face repeatedly)
|
||||
Unknown individual: Confident, professional bearing
|
||||
|
||||
PHOTOGRAPHIC DETAILS:
|
||||
- Both leaning in close (secretive conversation)
|
||||
- [SUBJECT_NAME] looking around frequently (countersurveillance awareness)
|
||||
- Unknown individual pointing at documents (giving instructions?)
|
||||
- Paper documents visible but text not legible
|
||||
- No coffee consumed (not social meeting)
|
||||
|
||||
BEHAVIORAL ANALYSIS:
|
||||
✗ Meeting location unusual for [SUBJECT_NAME] (30 miles from home/work)
|
||||
✗ Body language suggests stress/guilt
|
||||
✗ Countersurveillance behavior (checking for followers)
|
||||
✗ Document exchange (physical information transfer)
|
||||
✗ Professional meeting disguised as casual coffee
|
||||
|
||||
RED FLAGS:
|
||||
• Off-site location (avoiding workplace surveillance)
|
||||
• Unknown contact (not in subject's social circle or colleagues)
|
||||
• Document exchange (analog to avoid digital trail)
|
||||
• Subject's nervous behavior (consciousness of wrongdoing)
|
||||
• Duration/timing (41 minutes = substantive discussion)
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
[PHOTO 2: DOCUMENT EXCHANGE]
|
||||
|
||||
Same Location: [LOCATION]
|
||||
Same Date: [DATE], [TIME + 15 minutes]
|
||||
Camera: Close-up telephoto zoom
|
||||
Quality: GOOD (documents partially visible)
|
||||
|
||||
CAPTURED MOMENT:
|
||||
[SUBJECT_NAME] sliding manila envelope across table
|
||||
Unknown individual accepting envelope
|
||||
Envelope appears to contain papers (thickness visible)
|
||||
|
||||
VISIBLE DETAILS:
|
||||
- Envelope unmarked (no corporate branding)
|
||||
- Approximately 20-30 pages based on thickness
|
||||
- [SUBJECT_NAME]'s hand visibly trembling (stress/fear)
|
||||
- Unknown individual nodding (confirmation received)
|
||||
- Both glancing around (awareness of surveillance risk)
|
||||
|
||||
ANALYSIS:
|
||||
Physical document transfer avoids:
|
||||
→ Email monitoring (corporate IT)
|
||||
→ Digital forensics trails
|
||||
→ Cloud storage logging
|
||||
→ Network activity detection
|
||||
|
||||
Classic tradecraft for covert information transfer.
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
[PHOTO 3: CASH PAYMENT]
|
||||
|
||||
Same Location: [LOCATION]
|
||||
Same Date: [DATE], [TIME + 28 minutes]
|
||||
Camera: High-resolution capture
|
||||
Quality: EXCELLENT (bills visible)
|
||||
|
||||
CAPTURED TRANSACTION:
|
||||
Unknown individual handing envelope to [SUBJECT_NAME]
|
||||
Envelope different from document envelope (smaller, white)
|
||||
[SUBJECT_NAME] opening envelope briefly
|
||||
Cash visible inside (bills appear to be $100 denominations)
|
||||
|
||||
OBSERVED BEHAVIOR:
|
||||
- [SUBJECT_NAME] glancing inside quickly
|
||||
- Immediate concealment (into jacket pocket)
|
||||
- No counting of money (trusts amount)
|
||||
- Relief visible in facial expression
|
||||
- Handshake after payment
|
||||
|
||||
ESTIMATED AMOUNT:
|
||||
Based on envelope size and visible bills: $2,000-$5,000
|
||||
(Consistent with ENTROPY "installment payment" pattern)
|
||||
|
||||
SIGNIFICANCE:
|
||||
Cash payment for documents = textbook espionage transaction
|
||||
Pattern matches ENTROPY asset handling methodology
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
SURVEILLANCE PHOTOGRAPHY - DAY 5
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
[PHOTO 4: SUBJECT AT DEAD DROP LOCATION]
|
||||
|
||||
Location: [DEAD_DROP_LOCATION] (Public park, near bench #7)
|
||||
Date: [DATE + 5 days], [TIME]
|
||||
Camera: Long-range surveillance (500mm)
|
||||
Quality: MEDIUM (distance ~200 meters)
|
||||
|
||||
OBSERVED ACTIVITY:
|
||||
Subject walking through park (unusual for daily routine)
|
||||
Stopped at specific bench (#7)
|
||||
Appeared to place something under bench
|
||||
Departed quickly without sitting
|
||||
Total time at location: 47 seconds
|
||||
|
||||
DEAD DROP PROCEDURE (Classic):
|
||||
1. Arrive at predetermined location
|
||||
2. Deposit package/message
|
||||
3. Leave immediately without lingering
|
||||
4. Handler retrieves later (separate visit)
|
||||
|
||||
RECOVERY OPERATION:
|
||||
Surveillance team recovered package after subject departed:
|
||||
• USB flash drive (32GB, encrypted)
|
||||
• Handwritten note: "Files from [SYSTEM_NAME] as requested"
|
||||
• Note signed with [SUBJECT_NAME]'s initials
|
||||
|
||||
CRITICAL EVIDENCE:
|
||||
Subject's own handwriting confirming data exfiltration
|
||||
Physical USB drive proves ENTROPY dead drop usage
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
[PHOTO 5: HANDLER RETRIEVAL]
|
||||
|
||||
Same Location: [DEAD_DROP_LOCATION]
|
||||
Same Date: [DATE + 5 days], [TIME + 2 hours]
|
||||
Camera: Different angle, concealed position
|
||||
Quality: GOOD (facial features visible)
|
||||
|
||||
SUBJECT:
|
||||
Unknown individual (SAME as coffee shop meeting!)
|
||||
Arrived 2 hours after [SUBJECT_NAME]'s deposit
|
||||
Retrieved package from under bench
|
||||
Departed in [VEHICLE_DESCRIPTION]
|
||||
|
||||
CONFIRMATION:
|
||||
Facial recognition match: 87% confidence
|
||||
Same clothing as coffee shop meeting
|
||||
Professional countersurveillance (checked surroundings)
|
||||
Vehicle license plate captured: [PLATE_NUMBER] (rental car)
|
||||
|
||||
HANDLER IDENTIFICATION:
|
||||
Subject's contact is confirmed ENTROPY handler
|
||||
Using classic tradecraft (dead drops, cash payments)
|
||||
Coordinating multiple assets (likely cell member)
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
SURVEILLANCE PHOTOGRAPHY - DAY 12
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
[PHOTO 6: SECOND MEETING AT DIFFERENT LOCATION]
|
||||
|
||||
Location: [SECOND_LOCATION] (Shopping mall food court)
|
||||
Date: [DATE + 12 days], [TIME]
|
||||
Camera: Concealed body camera (agent in proximity)
|
||||
Quality: EXCELLENT (close range ~10 meters)
|
||||
|
||||
MEETING DETAILS:
|
||||
Same unknown individual as before
|
||||
Meeting duration: 18 minutes (brief check-in)
|
||||
No visible document exchange (verbal communication only)
|
||||
Cash payment observed again (smaller envelope)
|
||||
|
||||
AUDIO CAPTURED (Partial):
|
||||
Agent positioned close enough to hear fragments:
|
||||
|
||||
[SUBJECT_NAME]: "...worried about the security audit..."
|
||||
Handler: "...completely normal, don't panic..."
|
||||
[SUBJECT_NAME]: "...access will be more difficult now..."
|
||||
Handler: "...we can adjust timeline if needed..."
|
||||
|
||||
ANALYSIS:
|
||||
Conversation references:
|
||||
→ Security audit (possibly our investigation?)
|
||||
→ Access difficulties (tightened controls working)
|
||||
→ Timeline flexibility (operation in progress)
|
||||
→ Handler providing reassurance (asset management)
|
||||
|
||||
───────────────────────────────────────────────────────
|
||||
|
||||
[PHOTO 7: COUNTERSURVEILLANCE BEHAVIOR]
|
||||
|
||||
Location: [SUBJECT_NAME]'s vehicle
|
||||
Date: [DATE + 14 days], [TIME]
|
||||
Camera: Traffic camera access
|
||||
Quality: MEDIUM (standard traffic cam)
|
||||
|
||||
OBSERVED:
|
||||
Subject taking circuitous route home after work
|
||||
Multiple turns and backtracking
|
||||
Stopped suddenly, waited, continued
|
||||
Route added 45 minutes to normal commute
|
||||
|
||||
COUNTERSURVEILLANCE TECHNIQUES OBSERVED:
|
||||
• Sudden direction changes
|
||||
• Multiple U-turns
|
||||
• Extended parking wait (watch for followers)
|
||||
• Avoided direct route to destination
|
||||
• Classic surveillance detection route (SDR)
|
||||
|
||||
SIGNIFICANCE:
|
||||
Subject trained in countersurveillance by ENTROPY
|
||||
Consciousness of potential surveillance
|
||||
Professional operational security awareness
|
||||
|
||||
This is NOT amateur behavior. This is trained operative activity.
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
PATTERN ANALYSIS
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
MEETING FREQUENCY:
|
||||
Week 1: Initial coffee shop meeting (Day 1)
|
||||
Week 2: Dead drop communication (Day 5)
|
||||
Week 3: Second in-person meeting (Day 12)
|
||||
|
||||
Pattern: Meetings every 5-7 days (weekly handler check-ins)
|
||||
Consistent with ENTROPY asset handling protocol
|
||||
|
||||
LOCATION SELECTION:
|
||||
• Different location each time (security)
|
||||
• Public places with multiple exits
|
||||
• 20-30 miles from subject's home/work
|
||||
• Areas subject doesn't normally frequent
|
||||
|
||||
Pattern: Professional tradecraft, avoiding pattern establishment
|
||||
|
||||
PAYMENT STRUCTURE:
|
||||
Meeting 1: Estimated $3,000-$5,000 (document payment)
|
||||
Meeting 2: Estimated $1,000-$2,000 (check-in payment)
|
||||
|
||||
Total observed: ~$5,000 over 12 days
|
||||
Projected: $10,000-$15,000 monthly if pattern continues
|
||||
|
||||
COMMUNICATION METHODS:
|
||||
• In-person meetings (avoid digital surveillance)
|
||||
• Physical dead drops (analog security)
|
||||
• Cash payments (no banking trail)
|
||||
• Document exchanges (no email trail)
|
||||
|
||||
Assessment: Sophisticated operational security maintained
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
HANDLER PROFILE
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
UNKNOWN INDIVIDUAL (ENTROPY HANDLER):
|
||||
|
||||
PHYSICAL DESCRIPTION:
|
||||
• [GENDER], approximately [AGE] years old
|
||||
• Height: [HEIGHT] (estimated from photos)
|
||||
• Build: [BUILD]
|
||||
• Hair: [HAIR_DESCRIPTION]
|
||||
• Distinguishing features: [FEATURES]
|
||||
• Clothing: Professional casual (blend in anywhere)
|
||||
|
||||
BEHAVIORAL INDICATORS:
|
||||
• Confident bearing (experienced operator)
|
||||
• Excellent situational awareness
|
||||
• Professional countersurveillance
|
||||
• Calm demeanor (not nervous like subject)
|
||||
• Directive body language (giving orders)
|
||||
|
||||
VEHICLE:
|
||||
• [VEHICLE_DESCRIPTION]
|
||||
• License plate: [PLATE_NUMBER] (rental, fake ID used)
|
||||
• Parked in areas allowing quick exit
|
||||
• Changed vehicles twice (rental rotation)
|
||||
|
||||
COMMUNICATIONS SECURITY:
|
||||
• Uses burner phones (observed discarding one)
|
||||
• Cash transactions only
|
||||
• No digital footprint visible
|
||||
• Multiple fake identities suspected
|
||||
|
||||
THREAT ASSESSMENT: HIGH
|
||||
This is professional ENTROPY cell member, possibly cell leader
|
||||
Handles multiple assets (subject likely not their only contact)
|
||||
Trained in intelligence tradecraft
|
||||
Significant operational security discipline
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
CONCLUSIONS
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
EVIDENCE ASSESSMENT: STRONG
|
||||
|
||||
Photographic and surveillance evidence confirms:
|
||||
|
||||
✓ [SUBJECT_NAME] maintains regular contact with ENTROPY operative
|
||||
✓ Physical exchange of documents for cash payment
|
||||
✓ Usage of dead drop locations (USB drive recovery)
|
||||
✓ Subject's handwriting on dead drop note
|
||||
✓ Countersurveillance behavior (trained operative awareness)
|
||||
✓ Pattern consistent with ENTROPY asset handling
|
||||
✓ Weekly handler meetings with payment structure
|
||||
|
||||
CONFIDENCE LEVEL: 85%
|
||||
|
||||
Subject is actively operating as ENTROPY asset, providing
|
||||
information/data in exchange for cash payments under
|
||||
direction of experienced ENTROPY handler.
|
||||
|
||||
RECOMMENDATIONS:
|
||||
|
||||
OPTION 1: Arrest Both Subject and Handler
|
||||
• Simultaneous takedown at next meeting
|
||||
• Seize evidence (cash, documents, devices)
|
||||
• Interrogate both separately
|
||||
• Build case against cell
|
||||
|
||||
OPTION 2: Continue Surveillance
|
||||
• Identify other assets handler manages
|
||||
• Map complete cell network
|
||||
• Build larger case before action
|
||||
• Risk: Subject completes current operation
|
||||
|
||||
OPTION 3: Approach Subject with Evidence
|
||||
• Show photos during interview
|
||||
• "We know about your handler. We have photos."
|
||||
• Offer cooperation vs. prosecution
|
||||
• Use surveillance as leverage
|
||||
|
||||
RECOMMENDED: Option 3 (Leverage for cooperation)
|
||||
Photos are compelling evidence difficult to deny
|
||||
Subject's fear visible in photos (vulnerable to pressure)
|
||||
Handler identification valuable intelligence
|
||||
Turn subject into informant against cell
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
SURVEILLANCE TEAM NOTES:
|
||||
|
||||
[SUBJECT_NAME] is clearly uncomfortable with this activity.
|
||||
Fear and stress visible in every meeting photo.
|
||||
Not a professional operative - recruited asset under pressure.
|
||||
|
||||
The handler, however, is experienced professional.
|
||||
Likely cell member with multiple assets under management.
|
||||
Capturing handler would significantly disrupt cell operations.
|
||||
|
||||
Recommend showing [SUBJECT_NAME] the photos:
|
||||
"You thought no one was watching. But we have everything.
|
||||
Every meeting. Every payment. Your handler's face.
|
||||
|
||||
You can keep pretending, or you can help us.
|
||||
What's it going to be?"
|
||||
|
||||
Prediction: Subject will cooperate when shown evidence.
|
||||
|
||||
- Agent 0x99, Surveillance Lead
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
CLASSIFICATION: SURVEILLANCE EVIDENCE - PHOTOGRAPHIC
|
||||
DISTRIBUTION: Investigation team, legal counsel
|
||||
HANDLING: Maintain photo chain of custody, proper authorization
|
||||
═══════════════════════════════════════════════════════
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Gameplay Integration
|
||||
|
||||
**This Fragment Enables:**
|
||||
|
||||
**Visual Proof:**
|
||||
- Photos harder to deny than digital evidence
|
||||
- Subject's own handwriting on dead drop note
|
||||
- Handler's face captured (can identify)
|
||||
- Cash payments documented
|
||||
- Pattern of meetings established
|
||||
|
||||
**Confrontation Impact:**
|
||||
```
|
||||
Player shows photos during interrogation:
|
||||
|
||||
"This is you, [SUBJECT_NAME]. Meeting your handler.
|
||||
This photo - you're passing documents.
|
||||
This one - receiving cash payment.
|
||||
This one - your handwritten note at the dead drop.
|
||||
|
||||
We have dates, times, locations. Your handler's face.
|
||||
|
||||
You can't talk your way out of photographs.
|
||||
|
||||
So let's skip the denials. Tell us about your handler."
|
||||
```
|
||||
|
||||
**Player Choices:**
|
||||
|
||||
**SHOW PHOTOS IMMEDIATELY:**
|
||||
- High impact confrontation
|
||||
- Subject rattled by visual proof
|
||||
- 75% cooperation likelihood
|
||||
- Quick resolution
|
||||
|
||||
**HOLD PHOTOS IN RESERVE:**
|
||||
- Let subject lie first
|
||||
- Catch them in contradictions
|
||||
- Then reveal photos (devastation)
|
||||
- 85% cooperation (broken by own lies + photos)
|
||||
|
||||
**USE FOR HANDLER IDENTIFICATION:**
|
||||
- Facial recognition on handler photos
|
||||
- Vehicle tracking via plate number
|
||||
- Pattern analysis for next meeting
|
||||
- Attempt to arrest both simultaneously
|
||||
|
||||
---
|
||||
|
||||
## Success Metrics
|
||||
|
||||
**Evidence Value:**
|
||||
- Photos alone: 50% (suspicious but could be explained)
|
||||
- Photos + financial records: 80% (payments match meetings)
|
||||
- Photos + access logs: 85% (timing correlates with data theft)
|
||||
- Photos + encrypted comms + financial + access: 95%
|
||||
|
||||
**Cooperation Likelihood:**
|
||||
- Text evidence only: 50% cooperation
|
||||
- Financial evidence: 60% cooperation
|
||||
- Surveillance photos: 75% cooperation (harder to deny)
|
||||
- All evidence combined: 90% cooperation
|
||||
|
||||
**Handler Capture Value:**
|
||||
- Handler ID'd: +Intelligence on cell structure
|
||||
- Handler arrested: Major cell disruption
|
||||
- Handler turned: Complete cell compromise (rare)
|
||||
|
||||
---
|
||||
|
||||
## Template Substitution Guide
|
||||
|
||||
**Replace placeholders:**
|
||||
|
||||
```
|
||||
[SUBJECT_NAME] → NPC name
|
||||
[POSITION] → Job title
|
||||
[CONTACT_DESCRIPTION] → Handler description (e.g., "Male, 35-40, professional attire")
|
||||
[LOCATION] → Meeting location (e.g., "Riverside Coffee House")
|
||||
[DATE], [TIME] → Appropriate timestamps
|
||||
[OPERATION_CODE_NAME] → Surveillance op name
|
||||
[DURATION] → Days of surveillance (e.g., "14 days")
|
||||
[BUDGET] → Surveillance cost (e.g., "$47,000")
|
||||
[DEAD_DROP_LOCATION] → Park, parking lot, etc.
|
||||
[SYSTEM_NAME] → System data came from
|
||||
[VEHICLE_DESCRIPTION] → Handler's vehicle
|
||||
[PLATE_NUMBER] → License plate
|
||||
[SECOND_LOCATION] → Different meeting spot
|
||||
```
|
||||
|
||||
**Photo Description Templates:**
|
||||
|
||||
```
|
||||
Coffee Shop Meeting:
|
||||
"Outdoor seating, telephoto lens, both visible in profile,
|
||||
document exchange captured, nervous body language visible"
|
||||
|
||||
Dead Drop:
|
||||
"Park bench #7, subject depositing package, 47 seconds at location,
|
||||
USB drive recovered, handwritten note with initials"
|
||||
|
||||
Payment:
|
||||
"Cash envelope visible, $100 bills, quick concealment,
|
||||
relief in facial expression, handshake afterward"
|
||||
|
||||
Handler Retrieval:
|
||||
"Same location 2 hours later, same individual from first meeting,
|
||||
package retrieval, vehicle departure, license plate captured"
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Related Evidence Combination
|
||||
|
||||
**Optimal Evidence Set:**
|
||||
|
||||
1. **Surveillance photos** (this fragment) → WHO they met
|
||||
2. **Financial records** (TEMPLATE_002) → PAYMENT received
|
||||
3. **Access logs** (TEMPLATE_003) → WHAT they stole
|
||||
4. **Encrypted comms** (TEMPLATE_001) → COORDINATION details
|
||||
|
||||
**Evidence Chain:**
|
||||
```
|
||||
Encrypted email → Arranges meeting
|
||||
Surveillance photo → Documents meeting occurred
|
||||
Access logs → Shows data theft timing matches meeting
|
||||
Financial records → Payment received after theft
|
||||
Dead drop photo → Physical data transfer captured
|
||||
Handler photo → ENTROPY operative identified
|
||||
```
|
||||
|
||||
**Overwhelming Evidence:**
|
||||
When presented together, subject has no defense.
|
||||
Each piece corroborates the others.
|
||||
Cooperation becomes only logical choice.
|
||||
|
||||
---
|
||||
|
||||
**CLASSIFICATION:** EVIDENCE TEMPLATE - SURVEILLANCE
|
||||
**PRIORITY:** HIGH (Visual proof compelling)
|
||||
**REUSABILITY:** High (works for any handler-asset relationship)
|
||||
**LEGAL VALUE:** Excellent (photos highly admissible)
|
||||
**PSYCHOLOGICAL VALUE:** Excellent (harder to deny than text)
|
||||
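Review bot: In the Template Substitution Guide, the examples for `[DURATION]` ("14 days") and `[BUDGET]` ("$47,000") already carry the unit that the report places around the placeholder (`DURATION: [DURATION] days`, `BUDGET: $[BUDGET]`), so following the guide renders "14 days days" and "$$47,000"; give the examples as bare values. The guide also omits placeholders the report uses: `[START_DATE]`, `[END_DATE]`, `[PRIORITY]` and the handler profile fields `[GENDER]`, `[AGE]`, `[HEIGHT]`, `[BUILD]`, `[HAIR_DESCRIPTION]`, `[FEATURES]`, and the header's "Substitution Required" line names only three. Separately, fixed values inside the report disagree with each other: Photo 1 gives the meeting as 42 minutes but its RED FLAGS list says 41, and Photo 3 estimates $2,000-$5,000 while PAYMENT STRUCTURE records Meeting 1 as $3,000-$5,000.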
@@ -0,0 +1,575 @@
|
||||
# TEMPLATE: Handwritten Notes and Physical Evidence
|
||||
|
||||
**Fragment ID:** EVIDENCE_AGENT_ID_005
|
||||
**Gameplay Function:** Agent Identification Evidence (Physical)
|
||||
**Evidence Type:** Handwritten document, personal notes
|
||||
**Rarity:** Common
|
||||
**Substitution Required:** [SUBJECT_NAME], [HANDLER_CODENAME], [MEETING_LOCATION]
|
||||
|
||||
---
|
||||
|
||||
## Evidence Summary
|
||||
|
||||
**Item:** Handwritten notes recovered from subject's personal effects
|
||||
**Subject:** [SUBJECT_NAME]
|
||||
**Evidence Quality:** HIGH (subject's own handwriting, direct confession)
|
||||
**Admissibility:** HIGH (physical evidence with chain of custody)
|
||||
|
||||
---
|
||||
|
||||
## Recovered Physical Evidence
|
||||
|
||||
```
|
||||
╔═══════════════════════════════════════════════════════╗
|
||||
║ EVIDENCE RECOVERY REPORT ║
|
||||
║ Physical Document Analysis ║
|
||||
╚═══════════════════════════════════════════════════════╝
|
||||
|
||||
EVIDENCE ID: PHYS-[EVIDENCE_NUMBER]
|
||||
RECOVERY DATE: [CURRENT_DATE]
|
||||
RECOVERY LOCATION: [SUBJECT_NAME]'s desk drawer (work)
|
||||
RECOVERED BY: Agent 0x99 "HAXOLOTTLE"
|
||||
AUTHORIZATION: Search warrant #[WARRANT_NUMBER]
|
||||
|
||||
DESCRIPTION:
|
||||
Handwritten notes on yellow legal pad pages (3 pages)
|
||||
Torn from larger notepad, edges ragged
|
||||
Blue ink, ballpoint pen
|
||||
Subject's handwriting (verified by comparison samples)
|
||||
|
||||
CHAIN OF CUSTODY:
|
||||
[CURRENT_DATE] 14:23 - Discovered by Agent 0x99
|
||||
[CURRENT_DATE] 14:47 - Photographed in situ
|
||||
[CURRENT_DATE] 15:12 - Bagged and tagged (Evidence locker #447)
|
||||
[CURRENT_DATE] 16:30 - Handwriting analysis (confirmed match)
|
||||
|
||||
STATUS: Preserved as evidence, copies made for investigation
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Handwritten Note - Page 1
|
||||
|
||||
```
|
||||
[IMAGE: Photo of handwritten note on yellow legal pad paper]
|
||||
|
||||
[TRANSCRIPTION - Exact text as written, including errors/strikeouts]
|
||||
|
||||
Meeting notes - [DATE]
|
||||
|
||||
THINGS TO REMEMBER:
|
||||
- [HANDLER_CODENAME] wants access to [SYSTEM_NAME] by next week
|
||||
- Password for [SYSTEM]: [REDACTED] (wrote it down - delete this!)
|
||||
- Files to copy:
|
||||
* Customer database (all records)
|
||||
* Network diagrams
|
||||
* Employee info spreadsheet
|
||||
* Email backup from [EXECUTIVE_NAME]
|
||||
|
||||
PAYMENT: $[AMOUNT] on completion
|
||||
(Need this for student loans - almost there!)
|
||||
|
||||
Next meeting: [MEETING_LOCATION], [DATE], [TIME]
|
||||
Code word if problems: "The project is delayed"
|
||||
|
||||
DON'T FORGET TO:
|
||||
- Clear browser history after each session
|
||||
- Use VPN from home
|
||||
- USB drive hidden in [HIDING_LOCATION]
|
||||
- Delete these notes after memorizing!!!
|
||||
|
||||
[Several lines scratched out heavily - attempted concealment]
|
||||
|
||||
Feeling sick about this. But what choice do I have?
|
||||
$[DEBT_AMOUNT] in debt. Can't keep living like this.
|
||||
[HANDLER_CODENAME] says it's just "competitive intelligence"
|
||||
Not really hurting anyone... right?
|
||||
|
||||
[Bottom of page has doodles - nervous energy visible]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Analysis: Page 1
|
||||
|
||||
**CRITICAL EVIDENCE ELEMENTS:**
|
||||
|
||||
🔴 **Direct Admission of Activity**
|
||||
- "Files to copy" - consciousness of data theft
|
||||
- Lists specific systems and data targets
|
||||
- Acknowledges payment for services
|
||||
- Planning future meeting with handler
|
||||
|
||||
🔴 **Handler Reference**
|
||||
- "[HANDLER_CODENAME]" - ENTROPY operative designation
|
||||
- Subject takes instructions from external party
|
||||
- Codename suggests operational security awareness
|
||||
|
||||
🔴 **Operational Details**
|
||||
- Specific system names and access methods
|
||||
- Password written down (poor OPSEC but great evidence)
|
||||
- File exfiltration plan documented
|
||||
- USB drive location noted
|
||||
|
||||
🔴 **Payment Information**
|
||||
- "$[AMOUNT] on completion" - quid pro quo documented
|
||||
- Financial motivation explicitly stated
|
||||
- Student loan debt referenced (recruitment vector)
|
||||
|
||||
🔴 **Security Evasion Tactics**
|
||||
- "Clear browser history"
|
||||
- "Use VPN from home"
|
||||
- "Delete these notes" (consciousness of wrongdoing)
|
||||
- Hiding physical evidence (USB drive)
|
||||
|
||||
🔴 **Guilty Knowledge**
|
||||
- "Feeling sick about this" - knows it's wrong
|
||||
- "What choice do I have?" - rationalization
|
||||
- Handler's reassurance ("just competitive intelligence")
|
||||
- Self-doubt visible ("Not really hurting anyone... right?")
|
||||
|
||||
---
|
||||
|
||||
## Handwritten Note - Page 2
|
||||
|
||||
```
|
||||
[IMAGE: Photo of second page, different date]
|
||||
|
||||
[TRANSCRIPTION]
|
||||
|
||||
After meeting with [HANDLER_CODENAME] - [LATER_DATE]
|
||||
|
||||
THEY WANT MORE:
|
||||
- [NEW_SYSTEM] access (don't have clearance for this!)
|
||||
- Told them might be difficult
|
||||
- [HANDLER_CODENAME] said "find a way" - sounded threatening?
|
||||
- Offered another $[AMOUNT_2] if I get it
|
||||
|
||||
FEELING WORSE:
|
||||
This isn't what I signed up for
|
||||
Thought it would be one-time thing
|
||||
Now they keep asking for more
|
||||
What if I get caught?
|
||||
What if I refuse and they expose me?
|
||||
|
||||
MEETING NOTES:
|
||||
- [HANDLER_CODENAME] asked about security audit happening
|
||||
- Seemed worried about it
|
||||
- Told me to "act normal" and "don't panic"
|
||||
- Gave me encrypted phone number: [PHONE_NUMBER]
|
||||
(Only for emergencies - burner phone)
|
||||
|
||||
PAYMENT RECEIVED:
|
||||
$[PREVIOUS_AMOUNT] - cash, small bills
|
||||
Paid off credit card #1
|
||||
Still owe $[REMAINING_DEBT]
|
||||
|
||||
They have me trapped. Can't stop now.
|
||||
If I refuse, they threaten to tell [ORGANIZATION].
|
||||
I'd be fired. Maybe arrested.
|
||||
Have to keep going...
|
||||
|
||||
[Heavy pen marks - stress visible in writing pressure]
|
||||
|
||||
Maybe I should talk to someone? But who?
|
||||
Can't tell [FRIEND_NAME] - they'd be horrified
|
||||
Can't tell work - I'd be fired immediately
|
||||
Can't tell police - I'd go to jail
|
||||
|
||||
STUCK.
|
||||
|
||||
[Last line heavily scratched out but still partially visible:
|
||||
"What have I done"]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Analysis: Page 2
|
||||
|
||||
**ESCALATION PATTERN:**
|
||||
|
||||
🔴 **Increasing Demands**
|
||||
- "They want more" - scope creep
|
||||
- System beyond clearance level (escalation)
|
||||
- Handler "sounded threatening" (coercion emerging)
|
||||
- Can't refuse without consequences
|
||||
|
||||
🔴 **Emotional Deterioration**
|
||||
- "FEELING WORSE" (capitalized - emphasis)
|
||||
- "Wasn't what I signed up for"
|
||||
- Explicit fear of being caught
|
||||
- Recognition of being trapped
|
||||
|
||||
🔴 **Coercion Evidence**
|
||||
- "If I refuse they threaten to tell [ORGANIZATION]"
|
||||
- Subject feels unable to stop
|
||||
- Fear of exposure keeping them compliant
|
||||
- Classic ENTROPY asset control tactic
|
||||
|
||||
🔴 **Handler Security Concerns**
|
||||
- Handler worried about security audit (our investigation?)
|
||||
- Gave burner phone number (emergency contact)
|
||||
- Instructions to "act normal" (aware of surveillance risk)
|
||||
|
||||
🔴 **Payment Tracking**
|
||||
- Specific amount documented
|
||||
- Used for debt payoff (confirmation of financial motive)
|
||||
- Remaining debt noted (ongoing vulnerability)
|
||||
|
||||
🔴 **Isolation**
|
||||
- Can't tell friends (social isolation)
|
||||
- Can't tell work (professional isolation)
|
||||
- Can't tell police (legal isolation)
|
||||
- Psychological trap documented in own words
|
||||
|
||||
---
|
||||
|
||||
## Handwritten Note - Page 3
|
||||
|
||||
```
|
||||
[IMAGE: Photo of third page, most recent date]
|
||||
|
||||
[TRANSCRIPTION - Writing appears rushed, stressed]
|
||||
|
||||
[RECENT_DATE] - THINGS GETTING WORSE
|
||||
|
||||
Security is tightening at work
|
||||
[IT_SECURITY_NAME] asking questions about access logs
|
||||
Trying to stay calm but panicking inside
|
||||
|
||||
[HANDLER_CODENAME] wants me to:
|
||||
1. Get [EXECUTIVE_NAME]'s emails (IMPOSSIBLE - don't have access)
|
||||
2. Network diagrams (already gave these??)
|
||||
3. Something about "SCADA systems" - don't even know what that means
|
||||
|
||||
THEY'RE PUSHING TOO HARD
|
||||
|
||||
Last payment only $[REDUCED_AMOUNT] - said it's "installment"
|
||||
Was supposed to be $[PROMISED_AMOUNT]
|
||||
Are they cheating me now too?
|
||||
|
||||
Meeting got scary:
|
||||
[HANDLER_CODENAME] mentioned "permanent solutions for loose ends"
|
||||
When I asked what that meant, they just smiled
|
||||
AM I A LOOSE END??
|
||||
|
||||
Found out they're not even "competitive intelligence"
|
||||
Overheard [HANDLER_CODENAME] on phone: "ENTROPY cell needs..."
|
||||
WHAT IS ENTROPY??
|
||||
Googled it - sounds like criminal organization
|
||||
OH GOD WHAT HAVE I GOTTEN INTO
|
||||
|
||||
CONSIDERING OPTIONS:
|
||||
1. Keep going - might get caught, might get hurt
|
||||
2. Refuse - they expose me, I lose everything
|
||||
3. Run - they'd find me?
|
||||
4. Go to police - I'd go to jail but maybe safer?
|
||||
5. Talk to [ORGANIZATION] security? Would they help or arrest me?
|
||||
|
||||
DON'T KNOW WHAT TO DO
|
||||
|
||||
If someone finds these notes: I'm sorry. I made terrible choices.
|
||||
Started because of debt. Kept going because of fear.
|
||||
I know it's wrong. I know I hurt people.
|
||||
But I'm scared and don't know how to get out.
|
||||
|
||||
If you're reading this, please help me.
|
||||
|
||||
[Phone number written at bottom:]
|
||||
[ORGANIZATION] Security Hotline: [SECURITY_NUMBER]
|
||||
(Should I call? Too scared. But maybe...)
|
||||
|
||||
[Final line, barely legible:]
|
||||
"Please let this end somehow"
|
||||
|
||||
[EVIDENCE NOTE: This page was on top of stack, most recent entry]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Analysis: Page 3
|
||||
|
||||
**CRITICAL DEVELOPMENTS:**
|
||||
|
||||
🔴 **Handler Becoming Threatening**
|
||||
- "Permanent solutions for loose ends" - death threat implication
|
||||
- Subject recognizes danger to self
|
||||
- Handler reducing payments (exploitation)
|
||||
- Coercion escalating to potential violence
|
||||
|
||||
🔴 **Discovery of True Nature**
|
||||
- Overheard "ENTROPY cell" reference
|
||||
- Subject researched ENTROPY
|
||||
- Realization they're involved with criminals
|
||||
- "OH GOD WHAT HAVE I GOTTEN INTO" - genuine shock
|
||||
|
||||
🔴 **Desperate Consideration of Options**
|
||||
- Explicitly considering coming forward
|
||||
- Recognizes jail as possibility
|
||||
- Still paralyzed by fear
|
||||
- Reaching toward help but unable to commit
|
||||
|
||||
🔴 **Cry for Help**
|
||||
- "If you're reading this, please help me"
|
||||
- Security hotline number written down
|
||||
- "Should I call? Too scared."
|
||||
- Subject wants out but doesn't know how
|
||||
|
||||
🔴 **Remorse and Self-Awareness**
|
||||
- "I made terrible choices"
|
||||
- "I know I hurt people"
|
||||
- "I know it's wrong"
|
||||
- Genuine guilt and regret documented
|
||||
|
||||
---
|
||||
|
||||
## Forensic Analysis
|
||||
|
||||
```
|
||||
═══════════════════════════════════════════════════════
|
||||
HANDWRITING ANALYSIS REPORT
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
ANALYST: Forensic Document Examiner, SAFETYNET Lab
|
||||
SAMPLES COMPARED: Known exemplars from [SUBJECT_NAME]'s
|
||||
employment records, signatures, forms
|
||||
|
||||
CONCLUSION: DEFINITIVE MATCH
|
||||
|
||||
Handwriting characteristics consistent across all samples:
|
||||
✓ Letter formation (unique 'g' and 'y' descenders)
|
||||
✓ Pen pressure patterns (heavy initial strokes)
|
||||
✓ Slant and spacing (consistent rightward 15° slant)
|
||||
✓ Baseline consistency
|
||||
✓ Unique character formations ('e', 'a', 'r')
|
||||
|
||||
PROBABILITY: 99.7% that notes written by [SUBJECT_NAME]
|
||||
|
||||
ADDITIONAL OBSERVATIONS:
|
||||
• Pen pressure increases in stressed sections (visible anxiety)
|
||||
• Writing becomes more hurried/less legible over time
|
||||
• Scratch-outs indicate attempts at concealment
|
||||
• Doodles/pressure marks indicate nervous energy
|
||||
• Ink testing: Blue ballpoint, same pen throughout
|
||||
|
||||
EVIDENCE INTEGRITY: EXCELLENT
|
||||
Notes are authentic, unaltered, written by subject.
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Legal Assessment
|
||||
|
||||
```
|
||||
═══════════════════════════════════════════════════════
|
||||
PROSECUTORIAL ANALYSIS
|
||||
═══════════════════════════════════════════════════════
|
||||
|
||||
From: Federal Prosecutor's Office
|
||||
Re: Evidence value of recovered handwritten notes
|
||||
|
||||
ADMISSIBILITY: VERY HIGH
|
||||
|
||||
These notes constitute direct confession written by
|
||||
subject's own hand. Elements present:
|
||||
|
||||
✓ Subject's own handwriting (verified by forensic analysis)
|
||||
✓ Specific admission of criminal activity
|
||||
✓ Documentation of quid pro quo (services for payment)
|
||||
✓ Knowledge of wrongdoing (guilty conscience expressed)
|
||||
✓ Operational details (systems, methods, targets)
|
||||
✓ Handler identification (ENTROPY operative)
|
||||
✓ Payment records (money laundering evidence)
|
||||
|
||||
LEGAL STRENGTH:
|
||||
|
||||
Confession in writing is powerful evidence:
|
||||
• No Miranda issues (not custodial interrogation)
|
||||
• No coercion by law enforcement (spontaneous)
|
||||
• Subject's own words incriminating themselves
|
||||
• Corroborates other evidence (financial, technical)
|
||||
• Demonstrates consciousness of guilt
|
||||
|
||||
However, notes also show:
|
||||
• Coercion by ENTROPY (threatens subject)
|
||||
• Fear and remorse (victim characteristics)
|
||||
• Desire for help (reaching toward authorities)
|
||||
• Financial desperation (mitigating factor)
|
||||
|
||||
RECOMMENDATION:
|
||||
|
||||
Use notes as leverage for cooperation, not prosecution.
|
||||
|
||||
Subject is scared, remorseful, and wants out.
|
||||
Show them the notes:
|
||||
"We found your notes. We know everything. We know you're
|
||||
scared. We know they threatened you. We can help. But you
|
||||
need to help us first."
|
||||
|
||||
Cooperation probability: 95%
|
||||
Prosecution without cooperation: Unnecessary (better uses for this evidence)
|
||||
|
||||
Notes make subject perfect witness against ENTROPY:
|
||||
• Credible (genuine fear and remorse)
|
||||
• Detailed (operational knowledge documented)
|
||||
• Motivated (wants to escape ENTROPY control)
|
||||
|
||||
Turn them. Don't prosecute them.
|
||||
|
||||
═══════════════════════════════════════════════════════
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Gameplay Integration
|
||||
|
||||
**This Fragment Enables:**
|
||||
|
||||
**Devastating Confrontation:**
|
||||
```
|
||||
Agent places notes on interrogation table:
|
||||
|
||||
"We found your notes, [SUBJECT_NAME].
|
||||
In your own handwriting.
|
||||
|
||||
'Files to copy... Payment $[AMOUNT]... Delete these notes.'
|
||||
|
||||
You documented everything. Your meetings with [HANDLER_CODENAME].
|
||||
The systems you accessed. The payments you received.
|
||||
|
||||
And this: 'Please help me.' You wrote that.
|
||||
|
||||
We're here to help. But first, you need to tell us everything."
|
||||
```
|
||||
|
||||
**Empathetic Approach Enabled:**
|
||||
```
|
||||
"We read all three pages. We know you're scared.
|
||||
We know they threatened you with 'permanent solutions.'
|
||||
We know you want out.
|
||||
|
||||
That security hotline number you wrote down? Consider this us
|
||||
calling you instead.
|
||||
|
||||
We can protect you from ENTROPY. We can help with your debt.
|
||||
We can make this right.
|
||||
|
||||
But we need your full cooperation. Everything about [HANDLER_CODENAME].
|
||||
Everything about what they wanted. Everything about ENTROPY.
|
||||
|
||||
Will you help us?"
|
||||
```
|
||||
|
||||
**Player Choices:**
|
||||
|
||||
**SHOW NOTES IMMEDIATELY:**
|
||||
- Maximum emotional impact
|
||||
- Subject realizes everything documented
|
||||
- 95% cooperation likelihood
|
||||
- Compassionate approach available
|
||||
|
||||
**USE NOTES AS LEVERAGE:**
|
||||
- Build case with other evidence first
|
||||
- Show notes as final proof
|
||||
- Subject has no defense remaining
|
||||
- 90% cooperation (through overwhelming evidence)
|
||||
|
||||
**OFFER HELP BASED ON NOTES:**
|
||||
- Reference their cry for help
|
||||
- Show notes prove they want out
|
||||
- Emphasize protection from ENTROPY
|
||||
- 95% cooperation (relief at rescue)
|
||||
|
||||
---
|
||||
|
||||
## Success Metrics
|
||||
|
||||
**Evidence Value:**
|
||||
- Handwritten notes alone: 80% (self-incrimination)
|
||||
- Notes + financial records: 95% (payment confirmation)
|
||||
- Notes + access logs: 95% (activity confirmation)
|
||||
- Notes + surveillance: 98% (complete picture)
|
||||
- All evidence combined: 99.9% (overwhelming)
|
||||
|
||||
**Cooperation Likelihood:**
|
||||
- Notes showing guilt: 85% (fear of prosecution)
|
||||
- Notes showing fear of ENTROPY: 90% (protection offer)
|
||||
- Notes showing cry for help: 95% (rescue opportunity)
|
||||
- Empathetic approach: 98% (genuine care shown)
|
||||
|
||||
**Psychological Impact:**
|
||||
- Subject's own words used against them: High impact
|
||||
- Recognition they documented everything: Devastating
|
||||
- Cry for help acknowledged: Relief and cooperation
|
||||
- Protection from ENTROPY offered: Gratitude
|
||||
|
||||
---
|
||||
|
||||
## Template Substitution Guide
|
||||
|
||||
**Replace placeholders:**
|
||||
|
||||
```
|
||||
[SUBJECT_NAME] → NPC name
|
||||
[HANDLER_CODENAME] → Handler's code designation (e.g., "Phoenix", "Architect", "Alpha-07")
|
||||
[SYSTEM_NAME] → System accessed (e.g., "Customer Database", "Finance Server")
|
||||
[AMOUNT] → Payment amount
|
||||
[DATE], [TIME] → Appropriate dates and times
|
||||
[MEETING_LOCATION] → Meeting place
|
||||
[ORGANIZATION] → Company name
|
||||
[EXECUTIVE_NAME] → Target executive
|
||||
[DEBT_AMOUNT] → Subject's total debt
|
||||
[PHONE_NUMBER] → Burner phone number
|
||||
[HIDING_LOCATION] → Where USB drive hidden
|
||||
[IT_SECURITY_NAME] → IT security person's name
|
||||
[SECURITY_NUMBER] → Organization security hotline
|
||||
```
|
||||
|
||||
**Emotional Progression:**
|
||||
```
|
||||
Page 1: Nervous but rationalizing ("just competitive intelligence")
|
||||
Page 2: Trapped and afraid ("they have me trapped")
|
||||
Page 3: Desperate for escape ("please help me")
|
||||
|
||||
Arc: Willing participant → Coerced asset → Victim seeking rescue
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Related Evidence Combination
|
||||
|
||||
**Optimal Evidence Set (All Templates Together):**
|
||||
|
||||
1. **Encrypted comms** (TEMPLATE_001) → Initial contact
|
||||
2. **Financial records** (TEMPLATE_002) → Payments match notes
|
||||
3. **Access logs** (TEMPLATE_003) → Activity matches notes
|
||||
4. **Surveillance photos** (TEMPLATE_004) → Meetings documented
|
||||
5. **Handwritten notes** (this) → Subject's confession in own words
|
||||
|
||||
**Complete Evidence Chain:**
|
||||
```
|
||||
Encrypted email arranges meeting
|
||||
↓
|
||||
Surveillance photo documents meeting occurred
|
||||
↓
|
||||
Handwritten notes describe what handler wanted
|
||||
↓
|
||||
Access logs show subject accessed those exact systems
|
||||
↓
|
||||
Financial records show payment received as noted
|
||||
↓
|
||||
Handwritten notes express guilt and fear
|
||||
↓
|
||||
Overwhelming evidence = cooperation inevitable
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**CLASSIFICATION:** EVIDENCE TEMPLATE - PHYSICAL
|
||||
**PRIORITY:** VERY HIGH (Self-incrimination in writing)
|
||||
**REUSABILITY:** High (works for any documentary evidence)
|
||||
**LEGAL VALUE:** Excellent (handwriting verified, admissible)
|
||||
**PSYCHOLOGICAL VALUE:** Maximum (subject's own words, genuine emotion)
|
||||
**COOPERATION VALUE:** Excellent (empathy possible, rescue narrative)
|
||||
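Review bot: The Template Substitution Guide near the end of this file has no entry for two placeholders that the Page 3 note text uses, `[REDUCED_AMOUNT]` ("Last payment only $[REDUCED_AMOUNT]") and `[PROMISED_AMOUNT]` ("Was supposed to be $[PROMISED_AMOUNT]"). A scenario author who follows the guide as written will leave both tokens unsubstituted in the deployed fragment. Add them to the list, or replace them with `[AMOUNT]` if they are meant to be the same variable. Separately, the note text uses the same square-bracket syntax for non-variable annotations ("[Phone number written at bottom:]", "[Final line, barely legible:]", "[EVIDENCE NOTE: ...]"). State in the guide that only `[UPPER_SNAKE_CASE]` tokens are substitution variables, or give annotations a different delimiter, so a leftover-placeholder check can tell the two apart.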
@@ -0,0 +1,846 @@
|
||||
# Evidence Template Catalog - ENTROPY Agent Identification
|
||||
|
||||
**Purpose:** Reusable evidence templates for identifying NPCs as ENTROPY agents/assets
|
||||
**Location:** `story_design/lore_fragments/by_gameplay_function/evidence_prosecution/`
|
||||
**Template Count:** 5 comprehensive evidence types
|
||||
**Substitution System:** [PLACEHOLDER] format for runtime NPC assignment
|
||||
|
||||
---
|
||||
|
||||
## Template System Overview
|
||||
|
||||
### How Templates Work
|
||||
|
||||
Each template is a **complete evidence fragment** with placeholder variables that can be substituted at game runtime with specific NPC names, organizations, dates, and other contextual details.
|
||||
|
||||
**Template Format:**
|
||||
```markdown
|
||||
[SUBJECT_NAME] → Actual NPC name
|
||||
[ORGANIZATION] → Company/organization name
|
||||
[POSITION] → Job title/role
|
||||
[AMOUNT] → Dollar amounts
|
||||
[DATE] → Appropriate game timeline dates
|
||||
```
|
||||
|
||||
**Usage in Game:**
|
||||
1. Select template based on evidence type needed
|
||||
2. Substitute all [PLACEHOLDER] variables with scenario-specific values
|
||||
3. Adjust details to match NPC's role and storyline
|
||||
4. Deploy as discoverable LORE fragment
|
||||
|
||||
---
|
||||
|
||||
## The Five Evidence Templates
|
||||
|
||||
### 1. TEMPLATE_AGENT_ID_001: Encrypted Communications
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_001_encrypted_comms.md`
|
||||
|
||||
**Evidence Type:** Digital - Suspicious encrypted email communications
|
||||
|
||||
**What It Provides:**
|
||||
- Intercepted PGP-encrypted email from corporate account to ProtonMail
|
||||
- After-hours communication (23:47 timestamp)
|
||||
- References to "payment arrangement" and "documentation transfer"
|
||||
- Security policy violations (encryption on corporate email)
|
||||
- References to bypassing security procedures
|
||||
|
||||
**Substitution Variables:**
|
||||
- [SUBJECT_NAME] - NPC's name
|
||||
- [ORGANIZATION] - Company name
|
||||
- [POSITION] - Job title
|
||||
- [CURRENT_DATE] - Appropriate game date
|
||||
|
||||
**Red Flags Documented:**
|
||||
🚩 Encrypted communication from work email (policy violation)
|
||||
🚩 ProtonMail recipient (anonymous service)
|
||||
🚩 After-hours timing (secretive)
|
||||
🚩 "Payment arrangement confirmed" (financial transaction)
|
||||
🚩 Security audit bypass offer (insider threat)
|
||||
🚩 "Documentation transfer via agreed method" (covert exfiltration)
|
||||
|
||||
**Evidence Strength:**
|
||||
- Alone: 40% confidence (circumstantial)
|
||||
- + Financial records: 75% confidence
|
||||
- + Access logs: 65% confidence
|
||||
- + All evidence types: 90% confidence
|
||||
|
||||
**Best Used For:**
|
||||
- Initial suspicion flag
|
||||
- Corporate infiltration scenarios
|
||||
- Data exfiltration cases
|
||||
- Insider threat identification
|
||||
|
||||
**Gameplay Integration:**
|
||||
- Triggers investigation unlock on NPC
|
||||
- Enables surveillance mission
|
||||
- Requires corroboration for action
|
||||
- Multiple approach choices (immediate confrontation vs. continued monitoring)
|
||||
|
||||
---
|
||||
|
||||
### 2. TEMPLATE_AGENT_ID_002: Financial Records
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_002_financial_records.md`
|
||||
|
||||
**Evidence Type:** Financial - Suspicious bank transactions and cryptocurrency activity
|
||||
|
||||
**What It Provides:**
|
||||
- Complete forensic analysis of NPC's financial records
|
||||
- Employment verification and salary baseline
|
||||
- Suspicious cash deposits ($25K-$75K range, ENTROPY payment pattern)
|
||||
- Cryptocurrency wallet activity linked to ENTROPY master wallet
|
||||
- Shell company connections
|
||||
- Offshore account activity
|
||||
- Lifestyle vs. income discrepancy analysis
|
||||
|
||||
**Substitution Variables:**
|
||||
- [SUBJECT_NAME] - NPC's name
|
||||
- [ORGANIZATION] - Employer
|
||||
- [POSITION] - Job title
|
||||
- [SALARY] - Base salary
|
||||
- [AMOUNT] - Payment amounts
|
||||
- [DATE] - Transaction dates
|
||||
|
||||
**Red Flags Documented:**
|
||||
🚩 Unexplained cash deposits (15-30% above salary)
|
||||
🚩 Cryptocurrency transactions to known ENTROPY wallet
|
||||
🚩 Shell company payments (obfuscation)
|
||||
🚩 Offshore transfers (tax evasion, hiding wealth)
|
||||
🚩 Timing correlation with data breaches
|
||||
🚩 Lifestyle inflation (new car, debt payoff)
|
||||
|
||||
**Financial Timeline Example:**
|
||||
```
|
||||
March 15: Cash deposit $42,000 (source unknown)
|
||||
March 18: Cryptocurrency transfer to ENTROPY master wallet
|
||||
March 20: Student loan payment $15,000
|
||||
April 2: Cash deposit $38,000
|
||||
April 5: New vehicle purchase $45,000 (cash)
|
||||
```
|
||||
|
||||
**Evidence Strength:**
|
||||
- Alone: 60% confidence (strong suspicion)
|
||||
- + Encrypted comms: 75% confidence
|
||||
- + Access logs: 95% confidence (quid pro quo proven)
|
||||
- + All evidence types: 98% confidence
|
||||
|
||||
**Best Used For:**
|
||||
- Proving payment for services (quid pro quo)
|
||||
- Asset recruitment scenarios (financial desperation)
|
||||
- Money laundering investigations
|
||||
- Connecting to ENTROPY financial network
|
||||
|
||||
**Gameplay Integration:**
|
||||
- Unlocks financial forensics mission
|
||||
- Enables asset seizure actions
|
||||
- Shows ENTROPY payment patterns
|
||||
- Creates leverage opportunity (financial crimes)
|
||||
|
||||
---
|
||||
|
||||
### 3. TEMPLATE_AGENT_ID_003: Access Logs
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_003_access_logs.md`
|
||||
|
||||
**Evidence Type:** Technical - Unauthorized system access patterns
|
||||
|
||||
**What It Provides:**
|
||||
- Comprehensive IT audit of NPC's system activity
|
||||
- 5 documented security incidents with technical details
|
||||
- Pattern analysis showing reconnaissance → access → exfiltration → cover-up
|
||||
- Behavioral analysis (after-hours access, weekend activity)
|
||||
- Technical evidence (PowerShell exploitation, USB usage)
|
||||
- Data exfiltration proof (1.2GB transferred to USB)
|
||||
|
||||
**Substitution Variables:**
|
||||
- [SUBJECT_NAME] - NPC's name
|
||||
- [POSITION] - Job title/role
|
||||
- [SYSTEM_NAME] - Accessed systems
|
||||
- [DATA_TYPE] - Type of data stolen
|
||||
- [FILE_COUNT] - Number of files accessed
|
||||
- [DATE], [TIME] - Activity timestamps
|
||||
|
||||
**Incidents Documented:**
|
||||
1. **Sensitive Database Access** (after hours, no business need)
|
||||
2. **Network Infrastructure Mapping** (weekend, reconnaissance)
|
||||
3. **HR Database Access** (500+ employee records, PII theft)
|
||||
4. **Executive Email Access** (PowerShell exploitation, privilege escalation)
|
||||
5. **USB Device Usage** (data exfiltration, 1.2GB, 847 files)
|
||||
|
||||
**Technical Details:**
|
||||
- PowerShell commands used (Get-MailboxPermission, Add-MailboxPermission)
|
||||
- Database queries executed (SELECT * FROM sensitive_tables)
|
||||
- Network mapping tools (Nmap, NetDiscover patterns)
|
||||
- USB device IDs and transfer volumes
|
||||
- Deletion attempts (ClearEventLog commands)
|
||||
|
||||
**Evidence Strength:**
|
||||
- Alone: 70% confidence (technical proof)
|
||||
- + Financial records: 95% confidence (motive + activity)
|
||||
- + Encrypted comms: 85% confidence (coordination proven)
|
||||
- + All evidence types: 98% confidence
|
||||
|
||||
**Best Used For:**
|
||||
- Data breach investigations
|
||||
- Proving unauthorized access
|
||||
- Technical espionage scenarios
|
||||
- Demonstrating pattern of malicious activity
|
||||
|
||||
**Gameplay Integration:**
|
||||
- Unlocks technical analysis mission
|
||||
- Shows what data was compromised
|
||||
- Creates urgency (active exfiltration)
|
||||
- Enables immediate access suspension
|
||||
|
||||
---
|
||||
|
||||
### 4. TEMPLATE_AGENT_ID_004: Surveillance Photos
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_004_surveillance_photos.md`
|
||||
|
||||
**Evidence Type:** Physical - Photographic surveillance and behavioral observation
|
||||
|
||||
**What It Provides:**
|
||||
- Complete 14-day surveillance operation report
|
||||
- 7 photographic scenarios with detailed descriptions
|
||||
- Handler identification and profiling
|
||||
- Pattern analysis (meeting frequency, locations, payment structure)
|
||||
- Countersurveillance behavior documentation
|
||||
- Dead drop usage evidence
|
||||
- Behavioral indicators analysis
|
||||
|
||||
**Substitution Variables:**
|
||||
- [SUBJECT_NAME] - NPC being surveilled
|
||||
- [POSITION] - Job title
|
||||
- [CONTACT_DESCRIPTION] - Handler's physical description
|
||||
- [LOCATION] - Meeting locations
|
||||
- [DATE], [TIME] - Surveillance timestamps
|
||||
- [VEHICLE_DESCRIPTION] - Handler's vehicle
|
||||
- [OPERATION_CODE_NAME] - Surveillance op name
|
||||
|
||||
**7 Photo Scenarios:**
|
||||
|
||||
**Photo 1-3: Initial Meeting**
|
||||
- Coffee shop, 42-minute meeting
|
||||
- Document exchange (manila envelope, 20-30 pages)
|
||||
- Cash payment ($2K-$5K, visible $100 bills)
|
||||
- Subject's nervous behavior documented
|
||||
|
||||
**Photo 4-5: Dead Drop**
|
||||
- Subject depositing USB drive at park bench
|
||||
- Handwritten note: "Files from [SYSTEM] as requested"
|
||||
- Handler retrieval 2 hours later (same person from meeting)
|
||||
- Confirms operational tradecraft
|
||||
|
||||
**Photo 6: Follow-up Meeting**
|
||||
- Different location (shopping mall food court)
|
||||
- Verbal communication (partial audio captured)
|
||||
- Smaller cash payment
|
||||
- Security audit discussion overheard
|
||||
|
||||
**Photo 7: Countersurveillance**
|
||||
- Subject taking circuitous route home
|
||||
- Multiple U-turns and backtracking
|
||||
- 45 minutes added to commute
|
||||
- Professional SDR (surveillance detection route)
|
||||
|
||||
**Handler Profile Provided:**
|
||||
- Physical description template
|
||||
- Vehicle information (license plate, rental rotation)
|
||||
- Behavioral indicators (experienced operator)
|
||||
- Threat assessment (likely cell leader)
|
||||
|
||||
**Evidence Strength:**
|
||||
- Alone: 50% confidence (suspicious but explainable)
|
||||
- + Financial records: 80% confidence (payments match meetings)
|
||||
- + Access logs: 85% confidence (timing correlates)
|
||||
- + All evidence types: 95% confidence
|
||||
|
||||
**Best Used For:**
|
||||
- Visual proof of handler contact
|
||||
- Handler identification missions
|
||||
- Pattern establishment (regular meetings)
|
||||
- Demonstrating tradecraft (dead drops, countersurveillance)
|
||||
|
||||
**Gameplay Integration:**
|
||||
- Unlocks surveillance mission type
|
||||
- Enables simultaneous handler/asset arrest
|
||||
- Facial recognition on handler
|
||||
- Creates "show the photos" confrontation option
|
||||
|
||||
---
|
||||
|
||||
### 5. TEMPLATE_AGENT_ID_005: Physical Evidence
|
||||
|
||||
**File:** `TEMPLATE_AGENT_ID_005_physical_evidence.md`
|
||||
|
||||
**Evidence Type:** Physical - Handwritten notes and personal documents
|
||||
|
||||
**What It Provides:**
|
||||
- 3-page handwritten note progression
|
||||
- Forensic handwriting analysis report
|
||||
- Legal prosecutorial assessment
|
||||
- Emotional journey documentation
|
||||
- Complete chain of custody
|
||||
- Self-incrimination in subject's own words
|
||||
|
||||
**Substitution Variables:**
|
||||
- [SUBJECT_NAME] - NPC's name
|
||||
- [HANDLER_CODENAME] - Handler's operational designation
|
||||
- [MEETING_LOCATION] - Where meetings occur
|
||||
- [SYSTEM_NAME] - Systems accessed
|
||||
- [AMOUNT] - Payment amounts
|
||||
- [DEBT_AMOUNT] - Subject's financial pressure
|
||||
- [ORGANIZATION] - Company name
|
||||
|
||||
**3-Page Emotional Progression:**
|
||||
|
||||
**Page 1: Initial Instructions (Nervous Rationalization)**
|
||||
```
|
||||
Meeting notes with [HANDLER_CODENAME]
|
||||
- Files to copy: Customer database, Network diagrams, Employee info
|
||||
- Payment: $[AMOUNT] on completion
|
||||
- "Feeling sick about this. But what choice do I have?"
|
||||
- "[HANDLER] says it's just 'competitive intelligence'"
|
||||
- "Not really hurting anyone... right?"
|
||||
- "Delete these notes after memorizing!!!"
|
||||
```
|
||||
|
||||
**Page 2: Escalation (Feeling Trapped)**
|
||||
```
|
||||
After meeting - THEY WANT MORE
|
||||
- [NEW_SYSTEM] access (don't have clearance!)
|
||||
- Told them might be difficult
|
||||
- [HANDLER] sounded threatening
|
||||
- "They have me trapped. Can't stop now."
|
||||
- "If I refuse, they threaten to tell [ORGANIZATION]"
|
||||
- "What have I done"
|
||||
```
|
||||
|
||||
**Page 3: Desperation (Cry for Help)**
|
||||
```
|
||||
THINGS GETTING WORSE
|
||||
- Security tightening at work
|
||||
- [HANDLER] mentioned "permanent solutions for loose ends"
|
||||
- AM I A LOOSE END??
|
||||
- Overheard [HANDLER] on phone: "ENTROPY cell needs..."
|
||||
- WHAT IS ENTROPY?? OH GOD WHAT HAVE I GOTTEN INTO
|
||||
- "If someone finds these notes: please help me."
|
||||
- [ORGANIZATION] Security Hotline: [NUMBER]
|
||||
- "Should I call? Too scared. But maybe..."
|
||||
- "Please let this end somehow"
|
||||
```
|
||||
|
||||
**Forensic Analysis Included:**
|
||||
- Handwriting verification (99.7% match)
|
||||
- Pen pressure analysis (stress visible)
|
||||
- Writing deterioration over time
|
||||
- Scratch-out attempts (concealment)
|
||||
- Ink testing (same pen throughout)
|
||||
|
||||
**Legal Assessment:**
|
||||
- Admissibility: VERY HIGH (spontaneous confession)
|
||||
- No Miranda issues (not custodial interrogation)
|
||||
- Subject's own words incriminating
|
||||
- Demonstrates consciousness of guilt
|
||||
- Shows coercion by ENTROPY (victim characteristics)
|
||||
|
||||
**Recommended Use:**
|
||||
"Use notes as leverage for cooperation, not prosecution.
|
||||
Subject is scared, remorseful, and wants out."
|
||||
|
||||
**Evidence Strength:**
|
||||
- Alone: 80% confidence (self-incrimination)
|
||||
- + Financial records: 95% confidence (payment confirmation)
|
||||
- + Access logs: 95% confidence (activity confirmation)
|
||||
- + Surveillance: 98% confidence (complete picture)
|
||||
- + All evidence: 99.9% confidence (overwhelming)
|
||||
|
||||
**Best Used For:**
|
||||
- Devastating confrontation ("Your own handwriting")
|
||||
- Empathetic approach enabled (subject wants help)
|
||||
- High cooperation likelihood (95% with compassionate approach)
|
||||
- Emotional player investment (human story)
|
||||
|
||||
**Gameplay Integration:**
|
||||
- Creates powerful interrogation moment
|
||||
- Enables multiple approach paths:
|
||||
- Show notes immediately (95% cooperation)
|
||||
- Use as leverage after lies (90% cooperation)
|
||||
- Offer help based on cry for help (98% cooperation)
|
||||
- Provides moral complexity (victim vs. perpetrator)
|
||||
|
||||
---
|
||||
|
||||
## Evidence Combination Strategies
|
||||
|
||||
### Optimal Evidence Chain
|
||||
|
||||
The templates are designed to work together in a **progressive revelation** pattern:
|
||||
|
||||
```
|
||||
SEQUENCE 1: Discovery Path
|
||||
├─ Encrypted Comms (Initial Suspicion)
|
||||
│ └─ Triggers investigation unlock
|
||||
├─ Financial Records (Motive Proven)
|
||||
│ └─ Shows payments for services
|
||||
├─ Access Logs (Activity Confirmed)
|
||||
│ └─ Proves what they did
|
||||
├─ Surveillance Photos (Handler Identified)
|
||||
│ └─ Shows who they work for
|
||||
└─ Handwritten Notes (Confession)
|
||||
└─ Subject's own words seal the case
|
||||
```
|
||||
|
||||
### Confidence Thresholds
|
||||
|
||||
**Evidence Count → Confidence Level:**
|
||||
|
||||
| Evidence Pieces | Confidence | Prosecution Viable | Cooperation Likely |
|
||||
|----------------|------------|-------------------|-------------------|
|
||||
| 1 template | 40-80% | No (insufficient) | 50% |
|
||||
| 2 templates | 65-85% | Maybe (circumstantial) | 70% |
|
||||
| 3 templates | 85-95% | Yes (strong case) | 85% |
|
||||
| 4 templates | 95-98% | Yes (very strong) | 90% |
|
||||
| 5 templates | 99.9% | Yes (overwhelming) | 95% |
|
||||
|
||||
### Best Combinations by Scenario Type
|
||||
|
||||
**Corporate Infiltration:**
|
||||
1. Encrypted Comms (coordination)
|
||||
2. Access Logs (what they accessed)
|
||||
3. Financial Records (payment proof)
|
||||
- Confidence: 95%
|
||||
|
||||
**Data Exfiltration:**
|
||||
1. Access Logs (theft proof)
|
||||
2. Surveillance (handler delivery)
|
||||
3. Handwritten Notes (confession)
|
||||
- Confidence: 98%
|
||||
|
||||
**Asset Recruitment:**
|
||||
1. Financial Records (financial desperation)
|
||||
2. Handwritten Notes (emotional state)
|
||||
3. Surveillance (handler contact)
|
||||
- Confidence: 95%
|
||||
|
||||
**Handler Takedown:**
|
||||
1. Surveillance (handler identification)
|
||||
2. Financial Records (money trail to cell)
|
||||
3. Encrypted Comms (coordination proof)
|
||||
- Confidence: 90%
|
||||
|
||||
---
|
||||
|
||||
## Gameplay Integration Guide
|
||||
|
||||
### Investigation Progression
|
||||
|
||||
**Phase 1: Initial Suspicion**
|
||||
- Player discovers 1 evidence template
|
||||
- NPC flagged as "Person of Interest"
|
||||
- Unlocks investigation missions
|
||||
- Confidence: Insufficient for action
|
||||
|
||||
**Phase 2: Building the Case**
|
||||
- Player collects 2-3 evidence templates
|
||||
- Pattern emerges (payments, access, meetings)
|
||||
- NPC upgraded to "Suspected ENTROPY Asset"
|
||||
- Confidence: Sufficient for confrontation
|
||||
|
||||
**Phase 3: Overwhelming Evidence**
|
||||
- Player has 4-5 evidence templates
|
||||
- Complete picture of recruitment, activity, handler
|
||||
- NPC confirmed as "ENTROPY Asset - Confirmed"
|
||||
- Confidence: Multiple approach options unlocked
|
||||
|
||||
### Player Choice Branching
|
||||
|
||||
Each evidence combination enables **different interrogation approaches:**
|
||||
|
||||
**With Financial Evidence:**
|
||||
→ Offer: "We can help with your debt, but you need to cooperate"
|
||||
|
||||
**With Handwritten Notes:**
|
||||
→ Empathy: "We read your notes. We know you want out. We can help."
|
||||
|
||||
**With Surveillance Photos:**
|
||||
→ Confrontation: "You can't deny this. We have photos of everything."
|
||||
|
||||
**With Access Logs:**
|
||||
→ Technical: "We have every keystroke. Every file. Every system you touched."
|
||||
|
||||
**With All Evidence:**
|
||||
→ Overwhelming: "Your own handwriting. Photos of meetings. Financial transactions. Access logs. There's no defense. But we can still help you."
|
||||
|
||||
### Success Metrics
|
||||
|
||||
Each template contributes to multiple success outcomes:
|
||||
|
||||
**Cooperation Likelihood:**
|
||||
- Base (no evidence): 20%
|
||||
- + Encrypted Comms: +15%
|
||||
- + Financial Records: +20%
|
||||
- + Access Logs: +15%
|
||||
- + Surveillance: +20%
|
||||
- + Handwritten Notes: +30%
|
||||
- Maximum: 95% (with all evidence + compassionate approach)
|
||||
|
||||
**Prosecution Probability:**
|
||||
- Base: 30%
|
||||
- + Each evidence template: +15%
|
||||
- All 5 templates: 95% conviction probability
|
||||
|
||||
**Intelligence Value:**
|
||||
- Handwritten notes → Handler codename revealed
|
||||
- Surveillance → Handler facial ID + vehicle
|
||||
- Financial → ENTROPY payment wallet address
|
||||
- Access logs → What data was compromised
|
||||
- Encrypted comms → Communication methods
|
||||
|
||||
---
|
||||
|
||||
## Substitution Guide - Best Practices
|
||||
|
||||
### Creating Consistent NPCs
|
||||
|
||||
When substituting template variables, maintain consistency across all evidence types for the same NPC:
|
||||
|
||||
**Example: Jennifer Park (Network Security Analyst)**
|
||||
|
||||
**Across all 5 templates, use:**
|
||||
- [SUBJECT_NAME] → "Jennifer Park"
|
||||
- [ORGANIZATION] → "TechCorp Industries"
|
||||
- [POSITION] → "Network Security Analyst"
|
||||
- [SALARY] → "$85,000/year"
|
||||
- [HANDLER_CODENAME] → "Phoenix"
|
||||
|
||||
**Keep timeline consistent:**
|
||||
- First contact: March 1, 2025
|
||||
- Payment received: March 15, 2025
|
||||
- Data exfiltration: March 18, 2025
|
||||
- Surveillance begins: March 20, 2025
|
||||
- Notes discovered: April 3, 2025
|
||||
|
||||
**Keep amounts consistent:**
|
||||
- First payment: $42,000
|
||||
- Second payment: $38,000
|
||||
- Total debt: $127,000 (student loans)
|
||||
|
||||
### Variable Formatting Standards
|
||||
|
||||
**Names:**
|
||||
- Use realistic full names: "Jennifer Park" not "Agent_007"
|
||||
- Consistent across all templates
|
||||
|
||||
**Organizations:**
|
||||
- Use plausible company names: "TechCorp Industries"
|
||||
- Match to scenario setting (tech company, hospital, government agency)
|
||||
|
||||
**Amounts:**
|
||||
- ENTROPY payment range: $25,000-$75,000 per operation
|
||||
- Keep amounts realistic for job role
|
||||
- Student debt: $80K-$150K typical
|
||||
- Medical debt: $50K-$200K typical
|
||||
|
||||
**Dates:**
|
||||
- Use absolute dates: "March 15, 2025" not "[DATE_1]"
|
||||
- Maintain chronological order across templates
|
||||
- Account for investigation timeline (2-4 weeks typical)
|
||||
|
||||
**Codenames:**
|
||||
- Handler codenames follow ENTROPY patterns:
|
||||
- Thermodynamic terms: "Entropy", "Cascade", "Equilibrium"
|
||||
- Phoenix imagery: "Phoenix", "Ash", "Ember"
|
||||
- Greek letters: "Alpha-07", "Beta-3", "Omega"
|
||||
|
||||
### Scenario-Specific Customization
|
||||
|
||||
**Corporate Infiltration:**
|
||||
- Focus on customer data, trade secrets, network diagrams
|
||||
- Handler wants: "Customer database", "Email backups"
|
||||
- Access systems: "Finance Server", "Customer CRM"
|
||||
|
||||
**Healthcare Breach:**
|
||||
- Focus on patient records, medical research
|
||||
- Handler wants: "Patient database", "Clinical trial data"
|
||||
- Access systems: "EMR System", "Research Database"
|
||||
|
||||
**Infrastructure Attack:**
|
||||
- Focus on SCADA, control systems, facility access
|
||||
- Handler wants: "Network diagrams", "SCADA access"
|
||||
- Access systems: "Control Systems", "Facility Management"
|
||||
|
||||
**Research Theft:**
|
||||
- Focus on IP, proprietary research, formulas
|
||||
- Handler wants: "Research files", "Product designs"
|
||||
- Access systems: "Lab Database", "Patent Filing System"
|
||||
|
||||
---
|
||||
|
||||
## Cross-References
|
||||
|
||||
### Related Gameplay Fragments
|
||||
|
||||
These templates complement other gameplay-function fragments:
|
||||
|
||||
**RECRUITMENT_001** (Financial Exploitation Playbook)
|
||||
- Shows HOW NPCs are recruited
|
||||
- Templates show RESULT of recruitment
|
||||
- Combined: Complete recruitment → operation → capture arc
|
||||
|
||||
**LEVERAGE_001** (Cascade Family Intel)
|
||||
- Shows leverage used TO turn operatives
|
||||
- Templates provide evidence ENABLING leverage
|
||||
- Combined: Evidence → leverage → defection
|
||||
|
||||
**TACTICAL_001** (Active Operation Clock)
|
||||
- Shows ONGOING operation
|
||||
- Templates show PAST operations (evidence)
|
||||
- Combined: Historical pattern → predict current op
|
||||
|
||||
**VICTIM_001** (Hospital Administrator)
|
||||
- Shows IMPACT of ENTROPY operations
|
||||
- Templates show WHO enabled the attack
|
||||
- Combined: Perpetrator → consequence emotional arc
|
||||
|
||||
### Related Content Fragments
|
||||
|
||||
**ENTROPY_PERSONNEL_001** (Cascade Profile)
|
||||
- Could BE the [SUBJECT_NAME] in these templates
|
||||
- Templates provide evidence supporting profile
|
||||
- Combined: Profile → evidence → confirmed identity
|
||||
|
||||
**CHAR_SARAH_001** (Sarah Martinez Confession)
|
||||
- Similar emotional arc to handwritten notes template
|
||||
- Both show recruited asset's regret and fear
|
||||
- Combined: Multiple sympathetic insider threats
|
||||
|
||||
**ARCHITECT_STRATEGIC_001** (Phase 3 Directive)
|
||||
- Shows ENTROPY's master plan
|
||||
- Templates show individual assets executing plan
|
||||
- Combined: Strategic directive → tactical execution
|
||||
|
||||
---
|
||||
|
||||
## Technical Implementation Notes
|
||||
|
||||
### For Game Developers
|
||||
|
||||
**Substitution System:**
|
||||
```python
|
||||
# Example pseudocode
|
||||
template = load_template("TEMPLATE_AGENT_ID_001_encrypted_comms.md")
|
||||
npc = get_npc("jennifer_park")
|
||||
|
||||
substitutions = {
|
||||
"[SUBJECT_NAME]": npc.full_name,
|
||||
"[ORGANIZATION]": npc.employer,
|
||||
"[POSITION]": npc.job_title,
|
||||
"[CURRENT_DATE]": game_date - timedelta(days=3)
|
||||
}
|
||||
|
||||
evidence_fragment = template.substitute(substitutions)
|
||||
game.add_discoverable_lore(evidence_fragment, location=npc.desk_drawer)
|
||||
```
|
||||
|
||||
**Evidence Collection Tracking:**
|
||||
```python
|
||||
class NPCInvestigation:
|
||||
def __init__(self, npc_id):
|
||||
self.npc_id = npc_id
|
||||
self.evidence_collected = []
|
||||
self.confidence_level = 0
|
||||
|
||||
def add_evidence(self, template_type):
|
||||
self.evidence_collected.append(template_type)
|
||||
self.confidence_level = calculate_confidence(self.evidence_collected)
|
||||
|
||||
if self.confidence_level >= 85:
|
||||
unlock_interrogation_mission(self.npc_id)
|
||||
```
|
||||
|
||||
**Branching Logic:**
|
||||
```python
|
||||
def get_interrogation_options(evidence_list):
|
||||
options = ["Standard Questioning"]
|
||||
|
||||
if "TEMPLATE_002" in evidence_list: # Financial
|
||||
options.append("Offer Financial Help")
|
||||
|
||||
if "TEMPLATE_005" in evidence_list: # Handwritten notes
|
||||
options.append("Empathetic Approach - Reference Their Notes")
|
||||
|
||||
if "TEMPLATE_004" in evidence_list: # Surveillance
|
||||
options.append("Show Photos - Visual Confrontation")
|
||||
|
||||
if len(evidence_list) >= 4:
|
||||
options.append("Overwhelming Evidence - All Cards on Table")
|
||||
|
||||
return options
|
||||
```
|
||||
|
||||
### Discovery Placement Recommendations
|
||||
|
||||
**TEMPLATE_001 (Encrypted Comms):**
|
||||
- Location: Email server logs, IT security alerts
|
||||
- Timing: Early investigation (triggers suspicion)
|
||||
- Difficulty: Medium (requires email access or IT cooperation)
|
||||
|
||||
**TEMPLATE_002 (Financial Records):**
|
||||
- Location: Subpoenaed bank records, financial audit
|
||||
- Timing: Mid investigation (requires legal authority)
|
||||
- Difficulty: Hard (requires warrant/subpoena)
|
||||
|
||||
**TEMPLATE_003 (Access Logs):**
|
||||
- Location: IT audit reports, SIEM alerts
|
||||
- Timing: Mid investigation (requires IT forensics)
|
||||
- Difficulty: Medium (technical analysis needed)
|
||||
|
||||
**TEMPLATE_004 (Surveillance Photos):**
|
||||
- Location: Surveillance team reports
|
||||
- Timing: Late investigation (requires active surveillance op)
|
||||
- Difficulty: Very Hard (expensive, time-consuming)
|
||||
|
||||
**TEMPLATE_005 (Handwritten Notes):**
|
||||
- Location: Desk drawer, personal effects, home search
|
||||
- Timing: Variable (lucky find or late-game search warrant)
|
||||
- Difficulty: Medium-Hard (requires physical access)
|
||||
|
||||
---
|
||||
|
||||
## Educational Value (CyBOK Alignment)
|
||||
|
||||
### Security Concepts Demonstrated
|
||||
|
||||
**Digital Forensics:**
|
||||
- Email header analysis (TEMPLATE_001)
|
||||
- Financial transaction tracing (TEMPLATE_002)
|
||||
- System log correlation (TEMPLATE_003)
|
||||
- Chain of custody (all templates)
|
||||
|
||||
**Insider Threat Detection:**
|
||||
- Behavioral indicators (after-hours access)
|
||||
- Financial pressure recognition
|
||||
- Access pattern anomalies
|
||||
- Communication analysis
|
||||
|
||||
**Investigation Methodology:**
|
||||
- Evidence corroboration (multiple sources)
|
||||
- Confidence level progression
|
||||
- Legal admissibility considerations
|
||||
- Forensic analysis procedures
|
||||
|
||||
**Human Factors:**
|
||||
- Recruitment vulnerability factors
|
||||
- Psychological pressure and coercion
|
||||
- Empathetic interrogation techniques
|
||||
- Ethical evidence usage
|
||||
|
||||
### Learning Outcomes
|
||||
|
||||
Players using these templates will learn:
|
||||
|
||||
1. **Evidence Collection**: How multiple evidence types build a case
|
||||
2. **Pattern Recognition**: Identifying suspicious behavior across domains
|
||||
3. **Legal Process**: Warrants, subpoenas, chain of custody
|
||||
4. **Psychology**: Understanding why people become insider threats
|
||||
5. **Ethics**: Balancing effective investigation with humane treatment
|
||||
|
||||
---
|
||||
|
||||
## Expansion Opportunities
|
||||
|
||||
### Additional Template Ideas
|
||||
|
||||
**TEMPLATE_006: Phone Records**
|
||||
- Call logs to burner phones
|
||||
- Timing correlation with operations
|
||||
- Location data (cell tower triangulation)
|
||||
|
||||
**TEMPLATE_007: Social Media OSINT**
|
||||
- Lifestyle changes visible on social media
|
||||
- Travel patterns (meetings with handler)
|
||||
- Unusual purchases or activities
|
||||
|
||||
**TEMPLATE_008: Witness Testimony**
|
||||
- Coworker observations
|
||||
- "They've been acting strange lately"
|
||||
- Suspicious conversations overheard
|
||||
|
||||
**TEMPLATE_009: Digital Forensics**
|
||||
- Deleted file recovery
|
||||
- Browser history analysis
|
||||
- VPN usage and encrypted tools
|
||||
|
||||
**TEMPLATE_010: Physical Surveillance (Extended)**
|
||||
- Safe house identification
|
||||
- Handler's vehicle tracking
|
||||
- Dead drop location mapping
|
||||
|
||||
---
|
||||
|
||||
## Version History
|
||||
|
||||
**v1.0** - Initial template system creation
|
||||
- 5 core evidence templates
|
||||
- Complete substitution system
|
||||
- Gameplay integration framework
|
||||
- Cross-reference structure
|
||||
|
||||
---
|
||||
|
||||
**CLASSIFICATION:** TEMPLATE SYSTEM - EVIDENCE GENERATION
|
||||
**PRIORITY:** HIGH (Core gameplay mechanic)
|
||||
**REUSABILITY:** Extremely High (designed for infinite NPC generation)
|
||||
**DISTRIBUTION:** Game developers, scenario designers, mission creators
|
||||
**MAINTENANCE:** Templates should remain stable; customize through substitution
|
||||
|
||||
---
|
||||
|
||||
## Quick Reference Card
|
||||
|
||||
```
|
||||
╔═══════════════════════════════════════════════════════════╗
|
||||
║ EVIDENCE TEMPLATE QUICK REFERENCE ║
|
||||
╚═══════════════════════════════════════════════════════════╝
|
||||
|
||||
TEMPLATE_001: Encrypted Comms
|
||||
→ Alone: 40% | Best With: Financial Records
|
||||
→ Use For: Initial suspicion, policy violations
|
||||
|
||||
TEMPLATE_002: Financial Records
|
||||
→ Alone: 60% | Best With: Access Logs
|
||||
→ Use For: Payment proof, motive establishment
|
||||
|
||||
TEMPLATE_003: Access Logs
|
||||
→ Alone: 70% | Best With: Financial Records
|
||||
→ Use For: Activity proof, technical evidence
|
||||
|
||||
TEMPLATE_004: Surveillance Photos
|
||||
→ Alone: 50% | Best With: Financial + Access
|
||||
→ Use For: Handler ID, visual confirmation
|
||||
|
||||
TEMPLATE_005: Handwritten Notes
|
||||
→ Alone: 80% | Best With: Everything
|
||||
→ Use For: Confession, empathetic approach
|
||||
|
||||
OPTIMAL COMBINATION: All 5 templates = 99.9% confidence
|
||||
|
||||
MINIMUM FOR ACTION: 3 templates = 85% confidence
|
||||
|
||||
COOPERATION PROBABILITY:
|
||||
- Compassionate + Notes: 98%
|
||||
- Overwhelming + All Evidence: 95%
|
||||
- Standard + Some Evidence: 70%
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
**End of Template Catalog**
|
||||
|
||||
**For implementation questions, refer to:**
|
||||
- Individual template files for detailed content
|
||||
- GAMEPLAY_CATALOG.md for mission integration
|
||||
- ../README.md for overall LORE system philosophy
|
||||
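Review bot: In the Evidence Collection Tracking and Branching Logic snippets, `add_evidence` appends `template_type` to a list with no duplicate check, and `get_interrogation_options` unlocks "Overwhelming Evidence" on `len(evidence_list) >= 4`, so discovering the same template twice counts as two pieces of evidence and can also inflate whatever `calculate_confidence` returns. Store collected evidence in a set (or skip types already present) and count distinct templates. The identifiers also need pinning down: the branching code tests for "TEMPLATE_002", "TEMPLATE_004" and "TEMPLATE_005", while the substitution snippet loads "TEMPLATE_AGENT_ID_001_encrypted_comms.md", and nothing states which form `add_evidence` receives. In the substitution snippet, `"[CURRENT_DATE]": game_date - timedelta(days=3)` passes a date object rather than text in the "March 15, 2025" form that the Dates formatting standard requires; format it before substitution, and have the substitution step fail if any `[PLACEHOLDER]` token remains in the output, since an unresolved token would otherwise appear in player-visible evidence. `calculate_confidence` is not defined in the visible section, and the Quick Reference Card's "3 templates = 85% confidence" does not say which three, given per-template values ranging from 40% to 80%; document the combination rule next to the `>= 85` threshold.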