From b5d3ee33c46cca98c548b5c9992aaf342bfffca4 Mon Sep 17 00:00:00 2001 
From: "Z. Cliffe Schreuders"
Date: Wed, 19 Nov 2025 17:43:15 +0000
Subject: [PATCH] feat: Add reusable evidence template system for ENTROPY agent identification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Created 5 comprehensive evidence templates with [PLACEHOLDER] substitution
system that enable infinite NPC agent identification across scenarios.

## New Files:
- TEMPLATE_AGENT_ID_001_encrypted_comms.md
  * Intercepted PGP-encrypted communications
  * 40% confidence alone, 90% combined
  * Red flags: Policy violations, ProtonMail, after-hours timing

- TEMPLATE_AGENT_ID_002_financial_records.md
  * Bank transactions & cryptocurrency forensics
  * 60% confidence alone, 98% combined
  * Red flags: Unexplained cash, ENTROPY wallet, shell companies

- TEMPLATE_AGENT_ID_003_access_logs.md
  * IT audit showing unauthorized system access
  * 70% confidence alone, 98% combined
  * Documents 5 incidents: Reconnaissance → Exfiltration → Cover-up

- TEMPLATE_AGENT_ID_004_surveillance_photos.md
  * 14-day surveillance op with 7 photo scenarios
  * 50% confidence alone, 95% combined
  * Handler identification, dead drops, countersurveillance

- TEMPLATE_AGENT_ID_005_physical_evidence.md
  * Handwritten 3-page emotional confession
  * 80% confidence alone, 99.9% combined
  * Enables 95-98% cooperation through empathetic approach
  * Arc: Willing participant → Trapped → Desperate for help

- TEMPLATE_CATALOG.md
  * Complete template system documentation
  * Substitution guide & best practices
  * Evidence chain methodology
  * Integration strategies & success metrics

## Template System Features:
- [PLACEHOLDER] format for runtime substitution
- Evidence chain: Single evidence (40-80%) → All 5 (99.9%)
- Cooperation likelihood scales with evidence quality
- Multiple interrogation approaches unlocked by different combinations
- Infinite reusability across NPCs and scenarios

## Integration:
- Updated GAMEPLAY_CATALOG.md with template section
- Evidence Prosecution category expanded from 1 to 6 fragments
- Total gameplay-focused fragments: 13 (8 unique + 5 templates)
- Templates work standalone or combine for overwhelming cases

## Educational Value (CyBOK):
- Digital forensics (email analysis, blockchain tracing)
- Insider threat detection (behavioral indicators)
- Investigation methodology (evidence corroboration)
- Legal process (admissibility, chain of custody)
- Psychological profiling & ethical interrogation

## Gameplay Impact:
Each template enables different player actions and unlocks specific
interrogation approaches based on evidence collected. System designed
to reward thorough investigation while not requiring 100% collection
for success.
---
 .../by_gameplay_function/GAMEPLAY_CATALOG.md | 355 +++++++-
 .../TEMPLATE_AGENT_ID_001_encrypted_comms.md | 255 ++++++
 ...TEMPLATE_AGENT_ID_002_financial_records.md | 430 +++++++++
 .../TEMPLATE_AGENT_ID_003_access_logs.md | 598 +++++++++++++
 ...MPLATE_AGENT_ID_004_surveillance_photos.md | 563 ++++++++++++
 ...TEMPLATE_AGENT_ID_005_physical_evidence.md | 575 ++++++++++++
 .../evidence_prosecution/TEMPLATE_CATALOG.md | 846 ++++++++++++++++++
 7 files changed, 3619 insertions(+), 3 deletions(-)
 create mode 100644 story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_001_encrypted_comms.md
 create mode 100644 story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_002_financial_records.md
 create mode 100644 story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_003_access_logs.md
 create mode 100644 story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_004_surveillance_photos.md
 create mode 100644 story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_005_physical_evidence.md
 create mode 100644 story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_CATALOG.md
diff --git a/story_design/lore_fragments/by_gameplay_function/GAMEPLAY_CATALOG.md b/story_design/lore_fragments/by_gameplay_function/GAMEPLAY_CATALOG.md index 6e09708..e17d6e7 100644 --- a/story_design/lore_fragments/by_gameplay_function/GAMEPLAY_CATALOG.md +++ b/story_design/lore_fragments/by_gameplay_function/GAMEPLAY_CATALOG.md @@ -6,10 +6,12 @@ This catalog tracks all LORE fragments organized by their **gameplay purpose** - ## Overview Statistics -**Total Gameplay-Focused Fragments Created:** 7 +**Total Gameplay-Focused Fragments Created:** 13 + - Unique Fragments: 8 + - Evidence Templates: 5 (reusable with NPC substitution) **By Gameplay Function:** -- Evidence for Prosecution: 1 +- Evidence for Prosecution: 6 (1 unique + 5 templates) - Tactical Intelligence: 1 - Financial Forensics: 1 - Recruitment Vectors: 1 @@ -22,7 +24,13 @@ This catalog tracks all LORE fragments organized by their **gameplay purpose** - - Mission-critical objectives: 5 fragments - Optional depth/context: 2 fragments - Branching choice enablers: 6 fragments -- Success metric modifiers: 7 fragments +- Success metric modifiers: 13 fragments (templates multiply impact) + +**Template System:** +- 5 evidence templates with [PLACEHOLDER] substitution +- Infinite NPC agent identification capability +- Evidence chain methodology (combine for 99.9% confidence) +- See TEMPLATE_CATALOG.md for complete template documentation --- 
@@ -56,6 +64,347 @@ This catalog tracks all LORE fragments organized by their **gameplay purpose** - --- +### 📋 EVIDENCE_PROSECUTION - Evidence Templates (Reusable) + +**TEMPLATE SYSTEM OVERVIEW** + +The Evidence Template System provides 5 reusable evidence fragments for identifying ENTROPY agents/assets in any scenario. Each template uses [PLACEHOLDER] format for runtime NPC substitution. + +**Complete Template Documentation:** See `TEMPLATE_CATALOG.md` in this directory + +**Template Integration Philosophy:** +- **Single evidence piece:** 40-80% confidence (suspicion only) +- **2-3 evidence pieces:** 65-95% confidence (strong case) +- **4-5 evidence pieces:** 95-99.9% confidence (overwhelming) +- **All 5 templates:** Complete evidence chain, maximum cooperation likelihood (95%) + +**Evidence Chain Methodology:** +``` +Encrypted Comms → Initial suspicion flag + ↓ +Financial Records → Payment proof (motive) + ↓ +Access Logs → Activity confirmation (what they did) + ↓ +Surveillance Photos → Handler identification (who they work for) + ↓ +Handwritten Notes → Self-incrimination (confession) + ↓ += Overwhelming evidence, 99.9% confidence +``` + +--- + +**TEMPLATE_AGENT_ID_001 - Encrypted Communications** + +**File:** `TEMPLATE_AGENT_ID_001_encrypted_comms.md` + +- **What It Is:** Intercepted PGP-encrypted email from corporate account to ProtonMail +- **What Player Can DO:** + - Flag NPC as Person of Interest + - Unlock surveillance mission + - Trigger financial investigation + - Require corroboration for action +- **Evidence Type:** Digital communication +- **Substitution Variables:** [SUBJECT_NAME], [ORGANIZATION], [POSITION], [CURRENT_DATE] +- **Red Flags:** + - 🚩 PGP encryption from work email (policy violation) + - 🚩 ProtonMail recipient (anonymous service) + - 🚩 After-hours timing (23:47, secretive) + - 🚩 "Payment arrangement confirmed" + - 🚩 Security bypass offers + - 🚩 "Documentation transfer via agreed method" +- **Evidence Strength:** + - Alone: 40% confidence 
(circumstantial) + - + Financial records: 75% confidence + - + Access logs: 65% confidence + - + All evidence: 90% confidence +- **Best Used For:** Initial suspicion, corporate infiltration, data exfiltration +- **Rarity:** Common (starting evidence) + +**Example Content:** +``` +From: [SUBJECT_NAME]@[ORGANIZATION].com +To: secure-contact-7749@protonmail.com +Date: [DATE], 23:47 + +...payment arrangement confirmed. Standard terms as before. +The documentation you need will be transferred via the +agreed method... + +...regarding the security audit team arriving Thursday - +I can ensure they have the credentials and building access +without additional verification... +``` + +--- + +**TEMPLATE_AGENT_ID_002 - Financial Records** + +**File:** `TEMPLATE_AGENT_ID_002_financial_records.md` + +- **What It Is:** Forensic analysis of suspicious bank transactions and cryptocurrency activity +- **What Player Can DO:** + - Prove quid pro quo (payment for services) + - Seize assets as proceeds of crime + - Trace payments to ENTROPY master wallet + - Identify financial recruitment vector + - Create leverage opportunity +- **Evidence Type:** Financial forensics +- **Substitution Variables:** [SUBJECT_NAME], [ORGANIZATION], [SALARY], [AMOUNT], [DATE] +- **Red Flags:** + - 🚩 Unexplained cash deposits ($25K-$75K range) + - 🚩 Cryptocurrency to ENTROPY master wallet + - 🚩 Shell company payments + - 🚩 Offshore transfers + - 🚩 Timing correlation with breaches + - 🚩 Lifestyle inflation (debt payoff, new car) +- **Evidence Strength:** + - Alone: 60% confidence (strong suspicion) + - + Encrypted comms: 75% confidence + - + Access logs: 95% confidence + - + All evidence: 98% confidence +- **Best Used For:** Payment proof, money laundering, connecting to ENTROPY financial network +- **Rarity:** Uncommon (requires warrant/subpoena) + +**Example Content:** +``` +SUSPICIOUS DEPOSIT #1: +Date: March 15, 2025 +Amount: $42,000 (CASH) +Source: UNKNOWN +Note: Amount matches ENTROPY payment patterns + 
+CRYPTOCURRENCY TRANSACTION: +Date: March 18, 2025 +Destination: 1A9zW5...3kPm +Amount: $15,000 equivalent +NOTE: Wallet identified as ENTROPY master wallet! + +Salary: $85,000/year +Total suspicious income (6 months): $127,000 +Percentage above salary: 149% unexplained +``` + +--- + +**TEMPLATE_AGENT_ID_003 - Access Logs** + +**File:** `TEMPLATE_AGENT_ID_003_access_logs.md` + +- **What It Is:** IT audit showing unauthorized system access pattern +- **What Player Can DO:** + - Prove data theft technically + - Show reconnaissance → exfiltration pattern + - Demonstrate privilege escalation + - Identify what data was compromised + - Enable immediate access suspension +- **Evidence Type:** Technical forensics +- **Substitution Variables:** [SUBJECT_NAME], [POSITION], [SYSTEM_NAME], [DATA_TYPE], [FILE_COUNT] +- **Incidents Documented:** + 1. Sensitive database access (after hours, no business need) + 2. Network infrastructure mapping (weekend reconnaissance) + 3. HR database access (500+ employee records, PII theft) + 4. Executive email access (PowerShell exploitation) + 5. USB device usage (1.2GB data exfiltration, 847 files) +- **Evidence Strength:** + - Alone: 70% confidence (technical proof) + - + Financial records: 95% confidence + - + Encrypted comms: 85% confidence + - + All evidence: 98% confidence +- **Best Used For:** Data breach proof, showing malicious pattern, technical espionage +- **Rarity:** Common (IT audit logs) + +**Example Content:** +``` +INCIDENT 5: USB DEVICE USAGE (DATA EXFILTRATION) +Date: March 18, 2025, 22:37 +USB Device: SanDisk 64GB (Serial: 4C530001...) +Files Copied: 847 files +Total Size: 1.2GB +File Types: .xlsx (customer data), .docx (proprietary) + +PATTERN ANALYSIS: +Week 1: Reconnaissance (network mapping) +Week 2: Access (privilege escalation) +Week 3: Exfiltration (USB transfer) +Week 4: Cover-up (deletion attempts) + +Classic espionage attack pattern. 
+``` + +--- + +**TEMPLATE_AGENT_ID_004 - Surveillance Photos** + +**File:** `TEMPLATE_AGENT_ID_004_surveillance_photos.md` + +- **What It Is:** Complete 14-day surveillance operation with photos and handler profiling +- **What Player Can DO:** + - Identify ENTROPY handler (facial recognition) + - Document in-person meetings + - Prove document/cash exchange + - Show dead drop usage + - Enable simultaneous handler/asset arrest + - Demonstrate countersurveillance behavior +- **Evidence Type:** Photographic surveillance +- **Substitution Variables:** [SUBJECT_NAME], [CONTACT_DESCRIPTION], [LOCATION], [VEHICLE_DESCRIPTION] +- **7 Photo Scenarios:** + - Photo 1-3: Coffee shop meeting, document exchange, cash payment + - Photo 4-5: Dead drop (USB deposit, handler retrieval 2hrs later) + - Photo 6: Follow-up meeting, verbal comms + - Photo 7: Countersurveillance behavior (SDR route) +- **Evidence Strength:** + - Alone: 50% confidence (suspicious but explainable) + - + Financial records: 80% confidence + - + Access logs: 85% confidence + - + All evidence: 95% confidence +- **Best Used For:** Visual proof, handler identification, meeting patterns, tradecraft documentation +- **Rarity:** Uncommon (expensive surveillance operation) + +**Example Content:** +``` +[PHOTO 2: DOCUMENT EXCHANGE] +Location: [LOCATION] Coffee Shop +Date: [DATE], [TIME + 15 minutes] + +CAPTURED MOMENT: +[SUBJECT_NAME] sliding manila envelope across table +Unknown individual accepting envelope +Envelope thickness: 20-30 pages estimated + +[PHOTO 3: CASH PAYMENT] +Same meeting, +28 minutes +Unknown individual handing envelope to [SUBJECT_NAME] +Cash visible inside (appears to be $100 bills) +Estimated amount: $2,000-$5,000 +[SUBJECT_NAME] shows relief in facial expression +``` + +--- + +**TEMPLATE_AGENT_ID_005 - Handwritten Notes** + +**File:** `TEMPLATE_AGENT_ID_005_physical_evidence.md` + +- **What It Is:** 3-page handwritten notes showing emotional journey from willing participant to desperate victim 
+- **What Player Can DO:** + - Devastating confrontation ("your own handwriting") + - Enable empathetic approach (subject wants help) + - Achieve 95-98% cooperation likelihood + - Self-incrimination in subject's own words + - Show coercion by ENTROPY (victim characteristics) +- **Evidence Type:** Physical - handwritten confession +- **Substitution Variables:** [SUBJECT_NAME], [HANDLER_CODENAME], [SYSTEM_NAME], [DEBT_AMOUNT] +- **3-Page Emotional Progression:** + - **Page 1:** Nervous rationalization ("just competitive intelligence", "not hurting anyone... right?") + - **Page 2:** Feeling trapped ("they have me trapped", "if I refuse they expose me") + - **Page 3:** Desperate cry for help ("please help me", "what have I gotten into", security hotline written down) +- **Evidence Strength:** + - Alone: 80% confidence (self-incrimination) + - + Financial records: 95% confidence + - + Access logs: 95% confidence + - + All evidence: 99.9% confidence (overwhelming) +- **Cooperation Likelihood:** + - Show notes immediately: 95% + - Empathetic approach referencing cry for help: 98% + - Use as leverage after lies: 90% +- **Best Used For:** High cooperation outcome, empathetic interrogation, showing subject as victim +- **Rarity:** Uncommon-Rare (lucky find or search warrant) + +**Example Content:** +``` +[PAGE 1 - TRANSCRIPTION] +Meeting notes - [DATE] + +THINGS TO REMEMBER: +- [HANDLER_CODENAME] wants access to [SYSTEM_NAME] +- Payment: $[AMOUNT] on completion +- Files to copy: Customer database, Network diagrams +- "Delete these notes after memorizing!!!" + +Feeling sick about this. But what choice do I have? +$[DEBT_AMOUNT] in debt. Can't keep living like this. +[HANDLER] says it's just "competitive intelligence" +Not really hurting anyone... right? + +[PAGE 3 - TRANSCRIPTION] +THINGS GETTING WORSE + +[HANDLER] mentioned "permanent solutions for loose ends" +AM I A LOOSE END?? + +Overheard [HANDLER] on phone: "ENTROPY cell needs..." +WHAT IS ENTROPY?? 
OH GOD WHAT HAVE I GOTTEN INTO + +If someone finds these notes: I'm sorry. +If you're reading this, please help me. + +[ORGANIZATION] Security Hotline: [NUMBER] +(Should I call? Too scared. But maybe...) + +"Please let this end somehow" +``` + +**Forensic Analysis Included:** +- Handwriting verification: 99.7% match to subject +- Pen pressure analysis (stress visible in writing) +- Ink testing (same pen throughout) +- Chain of custody documentation + +**Legal Assessment:** +- Admissibility: VERY HIGH (spontaneous confession) +- No Miranda issues (not custodial interrogation) +- Shows consciousness of guilt +- Demonstrates coercion by ENTROPY + +**Recommended Use:** +"Use notes as leverage for cooperation, not prosecution. Subject is scared, remorseful, and wants out. Cooperation probability: 95%" + +--- + +### Evidence Template Integration Strategy + +**Optimal Discovery Sequence:** +1. **TEMPLATE_001 (Encrypted Comms)** → Triggers investigation +2. **TEMPLATE_002 (Financial Records)** → Proves motive +3. **TEMPLATE_003 (Access Logs)** → Confirms activity +4. **TEMPLATE_004 (Surveillance)** → Identifies handler +5. 
**TEMPLATE_005 (Handwritten Notes)** → Seals the case + +**Confidence Progression:** +- 1 template: 40-80% (suspicion only, no action) +- 2 templates: 65-85% (strong suspicion, investigation warranted) +- 3 templates: 85-95% (probable cause, confrontation viable) +- 4 templates: 95-98% (very strong case, multiple approaches) +- 5 templates: 99.9% (overwhelming, maximum cooperation) + +**Interrogation Approach Unlocks:** +- With TEMPLATE_002 (Financial): Offer financial help for cooperation +- With TEMPLATE_005 (Notes): Empathetic approach ("we know you want out") +- With TEMPLATE_004 (Surveillance): Visual confrontation ("we have photos") +- With TEMPLATE_003 (Access Logs): Technical proof ("every keystroke logged") +- With All 5: Overwhelming evidence ("no defense, but we can help") + +**Template Reusability:** +Each template can be used infinite times across different NPCs by substituting: +- [SUBJECT_NAME] → Actual NPC name +- [ORGANIZATION] → Company name +- [POSITION] → Job title +- [HANDLER_CODENAME] → Handler designation +- [AMOUNT] → Payment amounts +- [DATE] → Appropriate timeline +- etc. + +**See TEMPLATE_CATALOG.md for:** +- Complete template documentation +- Substitution best practices +- Evidence combination strategies +- Scenario-specific customization +- Technical implementation guide + +--- + ### 🎯 TACTICAL_INTELLIGENCE **TACTICAL_001 - Active Power Grid Attack (48-Hour Countdown)** diff --git a/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_001_encrypted_comms.md b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_001_encrypted_comms.md new file mode 100644 index 0000000..7961b24 --- /dev/null +++ b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_001_encrypted_comms.md 
@@ -0,0 +1,255 @@ +# TEMPLATE: Suspicious Encrypted Communications + +**Fragment ID:** EVIDENCE_AGENT_ID_001 +**Gameplay Function:** Agent Identification Evidence (Digital) +**Evidence Type:** Intercepted encrypted communication +**Rarity:** Common +**Substitution Required:** [SUBJECT_NAME], [ORGANIZATION], [POSITION] + +--- + +## Evidence Summary + +**Item:** Encrypted email communication from corporate account +**Subject:** [SUBJECT_NAME], [POSITION] at [ORGANIZATION] +**Evidence Quality:** MEDIUM (encrypted but pattern suspicious) +**Admissibility:** Medium (circumstantial, requires corroboration) + +--- + +## Intercepted Communication + +``` +From: [SUBJECT_NAME]@[ORGANIZATION].com +To: secure-contact-7749@protonmail.com +Date: [CURRENT_DATE - 3 days], 23:47 +Subject: Re: Consultation project update +Encryption: PGP encrypted (partial decryption successful) + +[Decrypted portions:] + +...understand the concerns about timeline. The access you +requested will be available during the maintenance window +as discussed. + +[ENCRYPTED BLOCK - Unable to decrypt] + +...payment arrangement confirmed. Standard terms as before. +The documentation you need will be transferred via the +agreed method. + +[ENCRYPTED BLOCK - Unable to decrypt] + +...regarding the security audit team arriving Thursday - +I can ensure they have the credentials and building access +without additional verification. Same procedure as last time. + +Looking forward to our continued partnership. 
+ +Best regards, +[SUBJECT_NAME] +``` + +--- + +## Analysis Flags + +**SUSPICIOUS INDICATORS:** + +🚩 **Encrypted Communication from Work Email** +- Corporate email policy prohibits personal encryption +- PGP usage violates IT security policy +- Suggests deliberate obfuscation of content +- Professional email should not require encryption + +🚩 **ProtonMail Recipient (Anonymous Service)** +- Recipient uses privacy-focused email service +- Address format suggests throwaway account +- No legitimate business contact uses this pattern +- Common in ENTROPY operational communications + +🚩 **After-Hours Timing (23:47)** +- Sent late at night from personal device +- Suggests secretive communication +- Outside normal business hours +- Pattern consistent with covert activity + +🚩 **"Payment Arrangement Confirmed"** +- Reference to financial transaction +- Not related to normal job duties +- "Standard terms as before" suggests ongoing payments +- Typical ENTROPY asset compensation language + +🚩 **Security Audit Team Access** +- Offering to bypass verification procedures +- "Same procedure as last time" suggests repeat behavior +- Willing to violate security protocols +- Classic insider threat action + +🚩 **"Documentation Transfer via Agreed Method"** +- Euphemism for data exfiltration +- "Agreed method" suggests dead drop or covert channel +- Not standard business file sharing +- Matches ENTROPY operational security patterns + +--- + +## Investigation Recommendations + +**IMMEDIATE ACTIONS:** +``` +□ Monitor [SUBJECT_NAME]'s email for additional encrypted messages +□ Check employment records for financial stress indicators +□ Review building access logs for unusual patterns +□ Identify "security audit team" referenced +□ Trace ProtonMail recipient if possible +□ Review past "maintenance windows" for suspicious activity +□ Check for data exfiltration during previous access grants +``` + +**SURVEILLANCE PRIORITIES:** +``` +□ Financial transactions (unusual deposits) +□ Meetings 
with unknown individuals +□ USB drive usage or file transfers +□ After-hours office access +□ Encrypted communication patterns +□ Dead drop locations (document transfers) +``` + +**CORROBORATING EVIDENCE NEEDED:** +``` +□ Financial records showing unexplained income +□ Access logs showing policy violations +□ Witness testimony of suspicious behavior +□ Technical evidence of data exfiltration +□ Additional encrypted communications +□ Connection to known ENTROPY operatives +``` + +--- + +## Gameplay Integration + +**This Fragment Enables:** + +**Investigation Actions:** +- Flag [SUBJECT_NAME] as suspected ENTROPY asset +- Unlock surveillance mission on subject +- Enable deeper background investigation +- Trigger financial forensics check + +**Player Choices:** + +**APPROACH A: Immediate Confrontation** +- Confront subject with evidence +- Risk: May destroy evidence or alert ENTROPY +- Benefit: Quick resolution if subject cooperates +- Success depends on subject's psychology + +**APPROACH B: Continued Surveillance** +- Monitor for additional evidence +- Build stronger case before action +- Risk: Subject may complete operation +- Benefit: Identify ENTROPY contacts and methods + +**APPROACH C: Controlled Exposure** +- Feed false information through subject +- Use as unwitting double agent +- Risk: Complex operation, may fail +- Benefit: Intelligence on ENTROPY cell operations + +**APPROACH D: Immediate Isolation** +- Suspend subject's access immediately +- Prevent ongoing operation +- Risk: Legal challenges if insufficient evidence +- Benefit: Stop potential breach quickly + +**Success Metrics:** +- Evidence + Financial records = 75% confidence +- Evidence + Access logs = 65% confidence +- Evidence + Surveillance + Financial = 90% confidence +- Evidence alone = 40% confidence (insufficient for action) + +--- + +## Template Substitution Guide + +**When implementing this fragment, replace:** + +``` +[SUBJECT_NAME] → Actual NPC name (e.g., "Jennifer Park", "David Chen") 
+[ORGANIZATION] → Company/org name (e.g., "TechCorp", "Vanguard Financial") +[POSITION] → Job title (e.g., "Network Administrator", "Security Analyst") +[CURRENT_DATE - 3 days] → Game timeline appropriate date +``` + +**Maintain consistency:** +- Use same substituted name throughout fragment +- Email address format: firstname.lastname@company.com +- Position should match NPC's actual in-game role +- Timeline should fit scenario chronology + +**Example with substitutions:** +``` +From: jennifer.park@techcorp.com +To: secure-contact-7749@protonmail.com +Date: November 12, 2025, 23:47 +Subject: Re: Consultation project update + +...payment arrangement confirmed... + +Best regards, +Jennifer Park +Network Security Analyst +TechCorp Industries +``` + +--- + +## Scenario-Specific Customization + +**For Corporate Infiltration Scenarios:** +- Emphasize "security audit team" access +- Reference "maintenance windows" for data access +- Focus on credential provision + +**For Data Exfiltration Scenarios:** +- Emphasize "documentation transfer" +- Reference specific data types in encrypted blocks +- Focus on file access patterns + +**For Infrastructure Scenarios:** +- Reference SCADA/control system access +- Mention facility access credentials +- Focus on physical security bypass + +**For Research Scenarios:** +- Reference proprietary research data +- Mention lab access or sample transfers +- Focus on intellectual property theft + +--- + +## Related Fragments + +**Supporting Evidence Types:** +- EVIDENCE_AGENT_ID_002: Financial records (shows payments) +- EVIDENCE_AGENT_ID_003: Access log analysis (proves violations) +- EVIDENCE_AGENT_ID_004: Surveillance photos (documents meetings) +- EVIDENCE_AGENT_ID_005: USB usage logs (data exfiltration proof) +- EVIDENCE_AGENT_ID_006: Recruitment approach (how ENTROPY contacted them) + +**Collect Multiple for Higher Certainty:** +- 1 evidence type: 40% confidence (suspicion only) +- 2 evidence types: 65% confidence (strong suspicion) +- 3 
evidence types: 85% confidence (probable cause) +- 4+ evidence types: 95% confidence (near certainty) + +--- + +**CLASSIFICATION:** EVIDENCE - AGENT IDENTIFICATION +**TEMPLATE TYPE:** Reusable with substitution +**PRIORITY:** MEDIUM (requires corroboration) +**DISTRIBUTION:** Investigation teams, scenario designers +**USAGE:** Insert into scenarios with suspected insider threats diff --git a/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_002_financial_records.md b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_002_financial_records.md new file mode 100644 index 0000000..e756012 --- /dev/null +++ b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_002_financial_records.md 
@@ -0,0 +1,430 @@ +# TEMPLATE: Suspicious Financial Activity + +**Fragment ID:** EVIDENCE_AGENT_ID_002 +**Gameplay Function:** Agent Identification Evidence (Financial) +**Evidence Type:** Bank transaction records +**Rarity:** Uncommon +**Substitution Required:** [SUBJECT_NAME], [SALARY], [AMOUNT], [DATE] + +--- + +## Evidence Summary + +**Item:** Bank account transaction analysis +**Subject:** [SUBJECT_NAME] +**Evidence Quality:** HIGH (financial records are hard evidence) +**Admissibility:** HIGH (bank records with proper subpoena) + +--- + +## Financial Analysis Report + +``` +═══════════════════════════════════════════════════════ + SAFETYNET FINANCIAL FORENSICS ANALYSIS + Subject: [SUBJECT_NAME] +═══════════════════════════════════════════════════════ + +ANALYSIS DATE: [CURRENT_DATE] +ANALYST: Agent 0x77, Financial Crimes Division +AUTHORIZATION: Federal subpoena #[SUBPOENA_NUMBER] +BANKS ANALYZED: [PRIMARY_BANK], [SECONDARY_BANK] + +SUMMARY: +Significant unexplained cash deposits inconsistent with +known employment income. Pattern consistent with ENTROPY +asset payment methodology. 
+ +─────────────────────────────────────────────────────── +EMPLOYMENT INCOME VERIFICATION +─────────────────────────────────────────────────────── + +Employer: [ORGANIZATION] +Position: [POSITION] +Declared Salary: $[SALARY] annually +Expected Monthly Net: $[SALARY ÷ 12 × 0.70] (after tax) +Actual Payroll Deposits: VERIFIED (matches declared) + +─────────────────────────────────────────────────────── +SUSPICIOUS DEPOSITS IDENTIFIED +─────────────────────────────────────────────────────── + +DEPOSIT #1: CASH +Date: [DATE_1] +Amount: $[AMOUNT] (exactly) +Location: [BANK_BRANCH] ATM +Time: 22:47 (after hours) +Source: UNKNOWN - Cash deposit +Notes: Amount consistent with ENTROPY payment ($25K-$75K range) + +DEPOSIT #2: CRYPTOCURRENCY EXCHANGE +Date: [DATE_2] (14 days after Deposit #1) +Amount: $[AMOUNT × 0.97] +Source: CryptoExchangePro (Bitcoin conversion) +Notes: Exchange timing suggests cryptocurrency laundering + 97% of original amount (3% lost to fees/exchange) + +DEPOSIT #3: WIRE TRANSFER +Date: [DATE_3] +Amount: $[AMOUNT × 0.5] +Source: "[SHELL_COMPANY_NAME]" + Registration: Delaware LLC (shell company indicators) + Business: "Consulting services" (vague purpose) +Notes: Payment memo: "Security consultation - Project [CODE]" + Company registered 6 months ago, minimal online presence + +DEPOSIT #4: CASH +Date: [DATE_4] +Amount: $[AMOUNT × 0.75] +Location: Different branch (countersurveillance?) 
+Time: 21:13 (after hours again) +Notes: Deposited in multiple smaller amounts over 3 days + Structured to avoid $10K reporting threshold + +TOTAL SUSPICIOUS DEPOSITS: $[TOTAL_AMOUNT] +TIMEFRAME: [DURATION] months +AVERAGE: $[AVERAGE_PER_MONTH]/month + +─────────────────────────────────────────────────────── +INCOME ANALYSIS +─────────────────────────────────────────────────────── + +DECLARED INCOME (Annual): +Salary: $[SALARY] +Other declared income: $0 +Total: $[SALARY] + +ACTUAL DEPOSITS (Analyzed period): +Regular salary: $[SALARY_DEPOSITS] +Suspicious deposits: $[TOTAL_AMOUNT] +Total: $[SALARY_DEPOSITS + TOTAL_AMOUNT] + +UNEXPLAINED INCOME: $[TOTAL_AMOUNT] +PERCENTAGE OF SALARY: [PERCENTAGE]% + +ASSESSMENT: +Unexplained income of $[TOTAL_AMOUNT] represents +[PERCENTAGE]% of declared salary. No legitimate +source identified for this income. + +─────────────────────────────────────────────────────── +EXPENDITURE PATTERNS +─────────────────────────────────────────────────────── + +FOLLOWING SUSPICIOUS DEPOSITS: + +Large expenditures identified: +• $[DEBT_AMOUNT] - Student loan payoff ([DATE_5]) +• $[DEBT_AMOUNT_2] - Credit card debt clearance ([DATE_6]) +• $[EXPENSE_1] - [EXPENSE_DESCRIPTION] +• $[EXPENSE_2] - [EXPENSE_DESCRIPTION] + +PATTERN ANALYSIS: +Subject used unexplained income to: +1. Pay off existing debt (financial desperation motive) +2. Make purchases previously unaffordable +3. 
Maintain lifestyle above legitimate income level + +This pattern consistent with ENTROPY asset behavior: +- Recruited through financial desperation +- Paid for specific services/access +- Uses funds to resolve personal financial crisis + +─────────────────────────────────────────────────────── +CRYPTOCURRENCY ACTIVITY +─────────────────────────────────────────────────────── + +EXCHANGE ACCOUNT: CryptoExchangePro +Account Name: [SUBJECT_NAME] +KYC Status: Verified (used real identity) +Activity: + +INCOMING BITCOIN: +Date: [CRYPTO_DATE_1] +Amount: [BTC_AMOUNT] BTC +Value: $[AMOUNT] +Source Wallet: 1A9zW5...3kPm +NOTE: This wallet identified as ENTROPY master wallet! + +CONVERSION TO USD: +Date: [CRYPTO_DATE_2] (same day) +Amount: $[AMOUNT × 0.97] +Transferred to: [BANK_NAME] account +Fees: $[AMOUNT × 0.03] + +CRITICAL FINDING: +Direct transaction from confirmed ENTROPY master wallet +to subject's personal exchange account. This is DIRECT +EVIDENCE of ENTROPY payment. + +─────────────────────────────────────────────────────── +SHELL COMPANY ANALYSIS +─────────────────────────────────────────────────────── + +COMPANY: [SHELL_COMPANY_NAME] +Registration: Delaware LLC +Date Formed: [FORMATION_DATE] (6 months ago) +Registered Agent: Corporate Formations Inc. (mass registrations) +Business Address: Virtual office, no physical presence +Website: [SHELL_COMPANY_URL] (created same month as registration) +Employees: 0 (per state filings) +Revenue: Unknown (no public filings) + +RED FLAGS: +✗ Recently formed (timing suspicious) +✗ No physical office or employees +✗ Generic "consulting" business description +✗ Minimal web presence (likely fake) +✗ Registered agent specializes in shell companies +✗ No verifiable past projects or clients +✗ Payment amounts inconsistent with actual consulting rates + +ASSESSMENT: +[SHELL_COMPANY_NAME] exhibits all characteristics of +ENTROPY front company. Likely exists solely to provide +"legitimate" cover for asset payments. 
+ +─────────────────────────────────────────────────────── +TAX IMPLICATIONS +─────────────────────────────────────────────────────── + +UNREPORTED INCOME: $[TOTAL_AMOUNT] (likely) + +If subject did not declare this income: +• Tax evasion (federal crime) +• Penalties: $[TAX_PENALTY_ESTIMATE] +• Criminal exposure: 1-5 years prison + +Additional leverage for cooperation: +"We can help with IRS if you help us with ENTROPY." + +─────────────────────────────────────────────────────── +CONCLUSIONS +─────────────────────────────────────────────────────── + +EVIDENCE STRENGTH: HIGH + +Multiple indicators of ENTROPY asset payments: +✓ Direct transaction from ENTROPY master wallet +✓ Cash deposits in ENTROPY payment range ($25K-$75K) +✓ Shell company payments with suspicious characteristics +✓ Structured deposits avoiding reporting thresholds +✓ Cryptocurrency conversion (laundering pattern) +✓ Unexplained income [PERCENTAGE]% of legitimate salary +✓ Timing correlates with known ENTROPY operations + +LEGAL ASSESSMENT: +This evidence, combined with other indicators, establishes +probable cause for: +• Money laundering charges +• Tax evasion +• Conspiracy (if operational involvement proven) +• ENTROPY asset designation (administrative) + +RECOMMENDATION: +Subject [SUBJECT_NAME] is receiving payments from ENTROPY. +Financial pressure likely recruitment vector. +High probability of cooperation if offered immunity + +financial assistance alternative. + +─────────────────────────────────────────────────────── + +ANALYST NOTES: + +Subject's financial desperation (debt visible in records) +made them vulnerable to ENTROPY recruitment. The $[AMOUNT] +payments provided relief they couldn't get elsewhere. + +This isn't a career criminal. This is someone who made a +bad choice under extreme financial pressure. + +Recommended approach: Offer help, not just prosecution. +"We can resolve your debt legally. No prison. Fresh start. +Just tell us what ENTROPY wanted you to do." 
+ +Cooperation probability: 75-85% if approached correctly. + +- Agent 0x77 + +═══════════════════════════════════════════════════════ +CLASSIFICATION: FINANCIAL EVIDENCE - HIGH CONFIDENCE +DISTRIBUTION: Investigation team, legal counsel +HANDLING: Subpoena required for admission in court +═══════════════════════════════════════════════════════ +``` + +--- + +## Gameplay Integration + +**This Fragment Enables:** + +**Definitive Identification:** +- Confirms [SUBJECT_NAME] is ENTROPY asset (95% certainty) +- Direct evidence from master wallet transaction +- Legally admissible in court +- Justifies arrest/surveillance/confrontation + +**Player Actions Unlocked:** + +**CONFRONTATION:** +``` +"We know about the payments, [SUBJECT_NAME]. +$[TOTAL_AMOUNT] from ENTROPY over [DURATION] months. +Direct transfer from their master wallet to your account. + +We have the bank records. We have the cryptocurrency trail. +We have everything. + +You can cooperate now, or we can prosecute. Your choice." +``` + +**LEVERAGE:** +``` +"You're facing money laundering charges. Tax evasion. +5-10 years federal prison. + +OR + +You help us. Full immunity. We help you with the debt +legally. Witness protection if needed. Clean slate. + +What's it going to be?" 
+``` + +**INTELLIGENCE:** +``` +Financial analysis reveals: +→ Payment amounts indicate level of access provided +→ Payment timing correlates with operations +→ Shell company shows ENTROPY front operation +→ Master wallet transaction connects to other assets +``` + +--- + +## Success Metrics + +**Evidence Value:** +- Alone: 60% confidence (suspicious but could have explanation) +- + Encrypted comms: 85% confidence +- + Access logs: 90% confidence +- + Surveillance: 95% confidence +- + Confession: 100% certainty + +**Cooperation Likelihood:** +- Show financial evidence alone: 45% cooperation +- Offer immunity + debt help: 75% cooperation +- Add threat of prison time: 85% cooperation +- Combine all approaches: 90% cooperation + +**Legal Strength:** +- Prosecution without cooperation: 70% conviction rate +- With subject cooperation: 95% conviction rate (against ENTROPY) +- Tax evasion charges alone: 90% conviction rate + +--- + +## Template Substitution Guide + +**Replace these placeholders:** + +``` +[SUBJECT_NAME] → NPC name +[SALARY] → Annual salary matching their position +[AMOUNT] → ENTROPY payment amount ($25,000 - $75,000 typical) +[DATE_1], [DATE_2], etc. 
→ Appropriate dates in game timeline +[ORGANIZATION] → Company name where NPC works +[POSITION] → NPC's job title +[SHELL_COMPANY_NAME] → Generic business name (e.g., "SecureConsult LLC") +[DEBT_AMOUNT] → Amount of debt NPC paid off +[EXPENSE_DESCRIPTION] → What they bought with the money +[PERCENTAGE] → Calculate: (TOTAL_AMOUNT ÷ SALARY) × 100 +``` + +**Formula for realistic amounts:** +``` +Base salary: $40,000 - $80,000 (typical corporate employee) +ENTROPY payment: 50-100% of annual salary +Total suspicious income: $25,000 - $75,000 +Debt paid off: 80% of suspicious income +Remaining spent: 20% of suspicious income +``` + +**Example with substitutions:** +``` +Subject: David Chen +Salary: $52,000 +ENTROPY payment: $50,000 (96% of salary) +Student debt paid: $40,000 +Credit cards cleared: $8,000 +Unexplained income: 96% of declared salary +``` + +--- + +## Scenario Variations + +**High-Value Target (More Money):** +``` +Salary: $120,000 (senior position) +ENTROPY payment: $150,000 (125% of salary) +Justification: Valuable access, sensitive position +``` + +**Low-Value Target (Less Money):** +``` +Salary: $35,000 (junior position) +ENTROPY payment: $25,000 (71% of salary) +Justification: Limited access, lower value +``` + +**Ongoing Asset (Multiple Payments):** +``` +Payment 1: $40,000 (initial recruitment) +Payment 2: $15,000 (after 3 months) +Payment 3: $15,000 (after 6 months) +Total: $70,000 over 6 months +Pattern: Ongoing asset vs. one-time use +``` + +--- + +## Related Evidence Types + +**Combine with:** +- EVIDENCE_AGENT_ID_001: Encrypted communications (motive for payment) +- EVIDENCE_AGENT_ID_003: Access logs (what they did for money) +- EVIDENCE_AGENT_ID_004: Surveillance (meetings with ENTROPY handlers) +- EVIDENCE_AGENT_ID_006: Recruitment approach (how they were contacted) + +**Investigation Sequence:** +1. Find encrypted comms → Suspicion +2. Get financial records → Confirmation +3. Confront subject → Cooperation or arrest +4. 
Use testimony → Dismantle cell + +--- + +## Educational Context + +**Related CyBOK Topics:** +- Law & Regulation (Money laundering, tax law, financial crimes) +- Forensics (Financial forensics, transaction analysis) +- Human Factors (Financial pressure as vulnerability) + +**Security Lessons:** +- Financial desperation creates insider threats +- Cryptocurrency provides pseudo-anonymity, not true anonymity +- Shell companies are traceable through proper investigation +- Bank records are powerful evidence (hard to deny) +- Structured deposits indicate guilty knowledge +- Employee financial wellness reduces vulnerability + +--- + +**CLASSIFICATION:** EVIDENCE TEMPLATE - FINANCIAL +**PRIORITY:** HIGH (Definitive proof with proper subpoena) +**REUSABILITY:** High (works for any insider threat scenario) +**LEGAL VALUE:** Excellent (bank records highly admissible) +**COOPERATION VALUE:** Excellent (strong leverage for turning asset) diff --git a/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_003_access_logs.md b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_003_access_logs.md new file mode 100644 index 0000000..c7bfe32 --- /dev/null +++ b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_003_access_logs.md 
@@ -0,0 +1,598 @@ +# TEMPLATE: Unauthorized System Access Pattern + +**Fragment ID:** EVIDENCE_AGENT_ID_003 +**Gameplay Function:** Agent Identification Evidence (Technical) +**Evidence Type:** System access logs and audit trail +**Rarity:** Common +**Substitution Required:** [SUBJECT_NAME], [POSITION], [SYSTEM_NAME], [DATA_TYPE] + +--- + +## Evidence Summary + +**Item:** System access log analysis +**Subject:** [SUBJECT_NAME], [POSITION] +**Evidence Quality:** HIGH (technical logs are objective) +**Admissibility:** HIGH (system logs with proper chain of custody) + +--- + +## Access Log Analysis Report + +``` +╔═══════════════════════════════════════════════════════╗ +║ SYSTEM ACCESS AUDIT REPORT ║ +║ Unauthorized Activity Detection ║ +╚═══════════════════════════════════════════════════════╝ + +REPORT ID: SYS-AUDIT-[REPORT_NUMBER] +GENERATED: [CURRENT_DATE] +ANALYST: IT Security Team / SAFETYNET Technical Division +SUBJECT: [SUBJECT_NAME] +EMPLOYEE ID: [EMP_ID] +POSITION: [POSITION] +DEPARTMENT: [DEPARTMENT] +AUTHORIZED ACCESS LEVEL: [ACCESS_LEVEL] + +═══════════════════════════════════════════════════════ + +SUMMARY: +Comprehensive analysis of system access logs reveals +pattern of unauthorized access to systems and data +outside subject's job responsibilities and clearance level. + +Activity consistent with data exfiltration preparation +and reconnaissance for ENTROPY operations. 
+ +═══════════════════════════════════════════════════════ +BASELINE LEGITIMATE ACCESS +═══════════════════════════════════════════════════════ + +Based on position [POSITION], subject should access: + +AUTHORIZED SYSTEMS: +✓ [SYSTEM_1] - Required for daily work +✓ [SYSTEM_2] - Department shared resources +✓ [SYSTEM_3] - Communication tools +✓ [SYSTEM_4] - Standard employee applications + +AUTHORIZED DATA: +✓ [DATA_TYPE_1] - Related to job function +✓ [DATA_TYPE_2] - Department information +✓ [DATA_TYPE_3] - Public/shared company data + +TYPICAL USAGE PATTERN: +• Login times: 08:00-18:00 (business hours) +• Access frequency: Multiple times daily +• Data volume: Normal for position +• Locations: Office workstation, VPN from home + +═══════════════════════════════════════════════════════ +UNAUTHORIZED ACCESS DETECTED +═══════════════════════════════════════════════════════ + +INCIDENT #1: SENSITIVE DATABASE ACCESS + +Date/Time: [DATE_TIME_1] +System: [SENSITIVE_SYSTEM] +Access Method: SQL query via admin console +User Account: [SUBJECT_NAME]@[ORGANIZATION] +Location: Office workstation (IP: [IP_ADDRESS]) + +QUERY EXECUTED: +SELECT * FROM [DATABASE].[TABLE] +WHERE [CRITERIA] +LIMIT 50000 + +ANALYSIS: +✗ [SUBJECT_NAME] has NO authorized access to [SENSITIVE_SYSTEM] +✗ Position [POSITION] has no business need for this data +✗ Query extracted [DATA_TYPE] for 50,000 records +✗ Data volume far exceeds any legitimate need +✗ Query format suggests data exfiltration intent + +RED FLAGS: +• Access outside job responsibilities +• Large-scale data extraction +• No ticket/request for access +• Used elevated credentials (how obtained?) +• Timing: After hours (22:34) + +─────────────────────────────────────────────────────── + +INCIDENT #2: NETWORK INFRASTRUCTURE MAPPING + +Date/Time: [DATE_TIME_2] +System: Network Management Console +Access Method: Direct login +User Account: [SUBJECT_NAME] (used supervisor's credentials!) 
+Location: Office (IP: [IP_ADDRESS]) + +ACTIONS PERFORMED: +• Exported network topology diagram +• Downloaded firewall rule configurations +• Accessed VPN server logs +• Queried active directory structure +• Downloaded security camera placement map + +ANALYSIS: +✗ Supervisor credentials compromised/shared (security violation) +✗ Network admin access not authorized for [POSITION] +✗ Infrastructure documentation downloaded (reconnaissance) +✗ Security architecture exposed +✗ No legitimate business justification exists + +RED FLAGS: +• Credential theft/sharing (serious violation) +• Complete infrastructure reconnaissance +• Downloaded security-sensitive diagrams +• Classic pre-attack intelligence gathering +• Timing: Weekend (Saturday 14:23) + +─────────────────────────────────────────────────────── + +INCIDENT #3: HUMAN RESOURCES DATABASE + +Date/Time: [DATE_TIME_3] +System: HR Management System +Access Method: Web portal login +User Account: [SUBJECT_NAME] +Location: Unknown (VPN from residential IP) + +DATA ACCESSED: +• Employee personal information (500+ records) +• Salary and compensation data +• Home addresses and contact info +• Security clearance levels +• Emergency contacts + +ANALYSIS: +✗ HR system access not authorized for [POSITION] +✗ Accessed 500+ employee records (entire department) +✗ No HR-related job responsibilities +✗ Personal data with no legitimate need +✗ Pattern suggests target profiling for ENTROPY + +RED FLAGS: +• Mass employee data access +• Personal information exfiltration +• Possible recruitment target identification +• Social engineering preparation +• Timing: Evening from home (20:15) + +─────────────────────────────────────────────────────── + +INCIDENT #4: EXECUTIVE EMAIL ACCESS + +Date/Time: [DATE_TIME_4] +System: Email server (Exchange) +Access Method: PowerShell remote access +User Account: [SUBJECT_NAME] +Location: Office (IP: [IP_ADDRESS]) + +ACTIVITY: +• Accessed CEO mailbox (unauthorized!) 
+• Read 127 emails marked "Confidential" +• Exported emails to PST file +• Downloaded email to external drive +• Deleted access logs (attempted cover-up) + +ANALYSIS: +✗ Executive email access STRICTLY prohibited +✗ PowerShell used to bypass security controls +✗ Exported emails for offline viewing +✗ Attempted to delete evidence (consciousness of guilt) +✗ Contains privileged executive communications + +RED FLAGS: +• Highest-level unauthorized access +• Corporate espionage indicators +• Active cover-up attempt (log deletion) +• Technical sophistication (PowerShell usage) +• Timing: Middle of night (02:17) + +─────────────────────────────────────────────────────── + +INCIDENT #5: USB DEVICE USAGE + +Date/Time: [DATE_TIME_5] +System: Endpoint detection (workstation) +Device: USB flash drive (128GB) +User Account: [SUBJECT_NAME] +Location: Office workstation + +ACTIVITY: +• Connected unauthorized USB device +• Copied [FILE_COUNT] files to drive +• Total data: [DATA_SIZE] GB +• File types: .xlsx, .docx, .pdf, .pst +• Encryption detected on USB (secure storage) + +ANALYSIS: +✗ USB devices prohibited by policy (DLP violation) +✗ Large-scale file copying to external media +✗ Included sensitive/confidential documents +✗ USB encrypted (hiding contents) +✗ Classic data exfiltration method + +RED FLAGS: +• Policy violation (USB prohibition) +• Data exfiltration to portable media +• Encryption suggests premeditation +• Volume suggests systematic collection +• Timing: Late evening (19:45) + +═══════════════════════════════════════════════════════ +PATTERN ANALYSIS +═══════════════════════════════════════════════════════ + +TIMELINE OF UNAUTHORIZED ACTIVITY: + +Week 1: [DATE_RANGE_1] +→ Initial reconnaissance (network mapping) +→ Identifying high-value systems + +Week 2-3: [DATE_RANGE_2] +→ Unauthorized data access begins +→ Multiple system compromises +→ Credential elevation/theft + +Week 4: [DATE_RANGE_3] +→ Large-scale data exfiltration +→ Executive communications accessed +→ 
USB device data export + +PROGRESSION: +Reconnaissance → Access → Exfiltration → Cover-up + +This timeline consistent with ENTROPY operational cadence: +- 2-4 weeks from recruitment to first deliverable +- Systematic approach (not random access) +- Escalating access levels +- Final exfiltration before rotation + +TEMPORAL PATTERNS: + +After-Hours Access: 78% of incidents +• 22:34, 02:17, 19:45, 20:15, 14:23 (weekend) +• Suggests covert activity awareness +• Avoiding daytime supervision +• Consciousness of wrongdoing + +Weekend Access: 23% of incidents +• Saturday access to avoid scrutiny +• Reduced security staffing +• Fewer witnesses to activity + +VPN/Remote Access: 34% of incidents +• From residential IP addresses +• Outside corporate network +• Harder to detect/monitor + +═══════════════════════════════════════════════════════ +TECHNICAL SOPHISTICATION INDICATORS +═══════════════════════════════════════════════════════ + +SKILLS DEMONSTRATED: + +✓ PowerShell scripting (executive email access) +✓ SQL query construction (database extraction) +✓ Credential compromise (supervisor's account) +✓ Log manipulation (attempted deletion) +✓ Encryption usage (USB device) +✓ Network reconnaissance (topology mapping) + +ASSESSMENT: +Subject demonstrates technical capabilities beyond +requirements of [POSITION]. Suggests: + +1. Prior training (possibly ENTROPY-provided) +2. Security background (knows how to evade detection) +3. Deliberate skill application (not accidental) +4. 
Sophisticated adversary (not amateur mistake) + +This level of sophistication consistent with: +→ Trained ENTROPY operative +→ Professional cyber criminal +→ Insider threat with external guidance +→ Asset with technical handler support + +═══════════════════════════════════════════════════════ +DATA EXFILTRATED (ESTIMATED) +═══════════════════════════════════════════════════════ + +Based on log analysis, subject likely obtained: + +CATEGORY 1: CUSTOMER DATA +• [NUMBER] customer records +• Personal information (PII) +• Financial account details +• Contact information +Estimated Volume: [SIZE] GB + +CATEGORY 2: INFRASTRUCTURE +• Network topology diagrams +• Security architecture docs +• Access control configurations +• Firewall rules and VPN configs +Estimated Volume: [SIZE] MB + +CATEGORY 3: EMPLOYEE DATA +• 500+ employee personal records +• Salary and compensation data +• Security clearance information +• Contact details for recruitment targeting +Estimated Volume: [SIZE] MB + +CATEGORY 4: EXECUTIVE COMMUNICATIONS +• 127 confidential emails +• Strategic planning documents +• Merger/acquisition discussions +• Proprietary business intelligence +Estimated Volume: [SIZE] MB + +CATEGORY 5: PROPRIETARY DATA +• [FILE_COUNT] sensitive documents +• Trade secrets potential +• Intellectual property +• Competitive intelligence +Estimated Volume: [SIZE] GB + +TOTAL ESTIMATED EXFILTRATION: [TOTAL_SIZE] GB + +VALUE ASSESSMENT: +This data highly valuable for: +→ ENTROPY Phase 3 operations (customer targeting) +→ Future social engineering campaigns +→ Competitive intelligence sale +→ Infrastructure attack planning +→ Employee recruitment targeting + +═══════════════════════════════════════════════════════ +POLICY VIOLATIONS +═══════════════════════════════════════════════════════ + +Subject violated the following corporate policies: + +✗ Acceptable Use Policy (Section 3.2) + - Unauthorized system access + +✗ Data Protection Policy (Section 2.1) + - Accessed data without business 
need + +✗ USB Device Policy (Section 4.7) + - Used prohibited external storage + +✗ Credential Sharing Policy (Section 1.3) + - Used supervisor's credentials + +✗ After-Hours Access Policy (Section 5.2) + - Suspicious access patterns + +✗ Data Classification Policy (Section 6.1) + - Accessed confidential/secret data + +✗ Log Integrity Policy (Section 7.4) + - Attempted log deletion + +RECOMMENDED EMPLOYMENT ACTION: +Immediate termination for cause with policies violated. + +═══════════════════════════════════════════════════════ +LEGAL IMPLICATIONS +═══════════════════════════════════════════════════════ + +CRIMINAL STATUTES POTENTIALLY VIOLATED: + +Federal: +• 18 U.S.C. § 1030 - Computer Fraud and Abuse Act +• 18 U.S.C. § 1831 - Economic Espionage Act +• 18 U.S.C. § 2511 - Wiretap Act (email interception) + +State: +• Computer trespass +• Theft of trade secrets +• Unauthorized access to computer systems + +Civil: +• Breach of employment contract +• Breach of confidentiality agreement +• Trade secret misappropriation + +POTENTIAL SENTENCES: +• Federal CFAA: Up to 10 years per count +• Economic espionage: Up to 15 years +• Multiple counts possible: 25+ years exposure + +═══════════════════════════════════════════════════════ +CONCLUSIONS AND RECOMMENDATIONS +═══════════════════════════════════════════════════════ + +EVIDENCE ASSESSMENT: DEFINITIVE + +Subject [SUBJECT_NAME] engaged in systematic unauthorized +access to corporate systems and data exfiltration over +[TIMEFRAME] period. + +Activity characteristics: +✓ Deliberate and premeditated +✓ Technically sophisticated +✓ Aligned with ENTROPY operational patterns +✓ Resulted in significant data compromise +✓ Included active cover-up attempts + +CONFIDENCE LEVEL: 95% + +This is not accidental access or policy misunderstanding. +This is deliberate espionage/data theft by trained operative +or ENTROPY asset. 
+ +IMMEDIATE RECOMMENDATIONS: + +□ Suspend all system access immediately +□ Confiscate workstation and devices +□ Preserve all log evidence (legal hold) +□ Coordinate with SAFETYNET for investigation +□ Prepare termination documentation +□ Consider criminal prosecution +□ Assess damage and notify affected parties +□ Review security controls that failed + +INVESTIGATION PRIORITIES: + +□ How were supervisor credentials obtained? +□ What happened to exfiltrated data? +□ Are there other compromised employees? +□ What is subject's connection to ENTROPY? +□ Recover USB device if possible +□ Interview subject (with legal counsel present) +□ Coordinate with law enforcement + +═══════════════════════════════════════════════════════ + +ANALYST NOTES: + +The technical sophistication and systematic approach +suggests [SUBJECT_NAME] received external guidance, +likely from ENTROPY handler. + +Pattern matches 12 other cases of ENTROPY asset behavior: +- Reconnaissance phase (2-3 weeks) +- Access escalation (1-2 weeks) +- Exfiltration (final week) +- Attempted cover-up + +Subject likely recruited for specific access, trained on +what to collect, and provided tools/methods for exfiltration. + +Recommend offering cooperation deal: +"Help us understand who recruited you, what they wanted, +and where the data went. We can help you if you help us." + +Without cooperation, prosecution recommended. 
+ +- IT Security Team / SAFETYNET Liaison + +═══════════════════════════════════════════════════════ +CLASSIFICATION: TECHNICAL EVIDENCE - UNAUTHORIZED ACCESS +DISTRIBUTION: Security team, legal, SAFETYNET, management +HANDLING: Preserve original logs, maintain chain of custody +═══════════════════════════════════════════════════════ +``` + +--- + +## Gameplay Integration + +**This Fragment Enables:** + +**Immediate Actions:** +- Suspend [SUBJECT_NAME]'s access (prevent further damage) +- Confiscate devices and conduct forensic analysis +- Initiate formal investigation +- Coordinate with SAFETYNET + +**Confrontation Dialog:** +``` +"We have your access logs, [SUBJECT_NAME]. + +[SENSITIVE_SYSTEM] at 22:34. You're not authorized for that system. + +Network diagrams downloaded on Saturday. Why? + +CEO's emails exported at 02:17. That's a federal crime. + +128GB USB drive. Where did that data go? + +We have timestamps. IP addresses. Exact files accessed. + +This isn't a mistake. This is systematic data theft. + +Who are you working for?" 
+``` + +**Player Choices:** + +**APPROACH A: Technical Lockdown** +- Immediate suspension +- Forensic investigation +- Criminal prosecution +- No cooperation opportunity + +**APPROACH B: Monitored Access** +- Allow continued access under surveillance +- Track who they contact +- Identify ENTROPY handler +- Build larger case + +**APPROACH C: Confrontation + Deal** +- Show evidence +- Offer immunity for cooperation +- Learn ENTROPY methods +- Turn asset into informant + +**APPROACH D: Counter-Intelligence** +- Feed false data through subject +- Use as unwitting double agent +- Track where data goes +- Identify ENTROPY infrastructure + +--- + +## Success Metrics + +**Evidence Strength:** +- System logs alone: 70% conviction probability +- Logs + financial records: 90% probability +- Logs + financial + surveillance: 95% probability +- Add confession: 99% probability + +**Damage Assessment:** +- Data exfiltrated: [TOTAL_SIZE] GB +- Systems compromised: [NUMBER] +- Policy violations: 7 major +- Potential impact: HIGH (customer data, exec comms) + +**Recovery Actions:** +- Incident response: 2-4 weeks +- Customer notification: Required (data breach laws) +- Security improvements: $[COST_ESTIMATE] +- Reputational damage: Significant + +--- + +## Template Substitution Guide + +**Replace these placeholders:** + +``` +[SUBJECT_NAME] → NPC name +[POSITION] → Job title +[DEPARTMENT] → Department name +[ORGANIZATION] → Company name +[SYSTEM_NAME] → Specific system accessed (e.g., "Customer Database") +[DATA_TYPE] → Type of data (e.g., "financial records") +[SENSITIVE_SYSTEM] → High-value target system +[DATE_TIME_X] → Specific timestamps +[IP_ADDRESS] → Internal IP address +[FILE_COUNT] → Number of files exfiltrated +[DATA_SIZE] → Size of data exfiltrated +[ACCESS_LEVEL] → Authorized clearance level +``` + +**Realistic Technical Details:** +``` +IP addresses: 10.x.x.x or 192.168.x.x (internal) +File counts: 50-500 (believable exfiltration) +Data sizes: 1-10 GB (USB-portable) 
+Timestamps: Mix of after-hours and weekends +Access levels: User, Power User, Admin +``` + +--- + +**CLASSIFICATION:** EVIDENCE TEMPLATE - TECHNICAL +**PRIORITY:** HIGH (Objective technical proof) +**REUSABILITY:** High (works for any insider threat) +**LEGAL VALUE:** Excellent (system logs are strong evidence) +**INVESTIGATION VALUE:** Excellent (shows what, when, how) diff --git a/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_004_surveillance_photos.md b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_004_surveillance_photos.md new file mode 100644 index 0000000..ce7fe5a --- /dev/null +++ b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_004_surveillance_photos.md 
@@ -0,0 +1,563 @@ +# TEMPLATE: Surveillance Evidence of ENTROPY Contact + +**Fragment ID:** EVIDENCE_AGENT_ID_004 +**Gameplay Function:** Agent Identification Evidence (Surveillance) +**Evidence Type:** Photographic surveillance and behavioral analysis +**Rarity:** Uncommon +**Substitution Required:** [SUBJECT_NAME], [POSITION], [CONTACT_DESCRIPTION] + +--- + +## Evidence Summary + +**Item:** Surveillance photography and behavioral observation +**Subject:** [SUBJECT_NAME], [POSITION] +**Evidence Quality:** MEDIUM-HIGH (visual evidence corroborates other intel) +**Admissibility:** HIGH (photographic evidence with proper surveillance authorization) + +--- + +## Surveillance Report + +``` +╔═══════════════════════════════════════════════════════╗ +║ SAFETYNET SURVEILLANCE REPORT ║ +║ Suspected ENTROPY Asset Monitoring ║ +╚═══════════════════════════════════════════════════════╝ + +OPERATION: [OPERATION_CODE_NAME] +SUBJECT: [SUBJECT_NAME] +SURVEILLANCE TEAM: Alpha-3 +LEAD AGENT: Agent 0x99 "HAXOLOTTLE" +DURATION: [DURATION] days ([START_DATE] - [END_DATE]) +AUTHORIZATION: Director Netherton, Priority [PRIORITY] +BUDGET: $[BUDGET] (surveillance, tech, analyst time) + +═══════════════════════════════════════════════════════ + +MISSION OBJECTIVE: +Determine if [SUBJECT_NAME] maintains contact with +ENTROPY operatives or handlers. Visual confirmation +of suspicious meetings and behavior patterns. 
+ +═══════════════════════════════════════════════════════ +SURVEILLANCE PHOTOGRAPHY - DAY 1 +═══════════════════════════════════════════════════════ + +[PHOTO 1: UNUSUAL MEETING] + +Location: [LOCATION] (Coffee shop, outdoor seating) +Date: [DATE], [TIME] +Camera: High-resolution telephoto (300mm) +Quality: EXCELLENT (clear facial features, good lighting) + +SUBJECTS VISIBLE: +• [SUBJECT_NAME] - Target (left side of table) +• Unknown individual - [CONTACT_DESCRIPTION] (right side) + +DESCRIPTION: +Meeting duration: 42 minutes +Body language: Serious discussion, no social pleasantries +Documents visible: Papers exchanged across table +Subject's demeanor: Nervous (observed touching face repeatedly) +Unknown individual: Confident, professional bearing + +PHOTOGRAPHIC DETAILS: +- Both leaning in close (secretive conversation) +- [SUBJECT_NAME] looking around frequently (countersurveillance awareness) +- Unknown individual pointing at documents (giving instructions?) +- Paper documents visible but text not legible +- No coffee consumed (not social meeting) + +BEHAVIORAL ANALYSIS: +✗ Meeting location unusual for [SUBJECT_NAME] (30 miles from home/work) +✗ Body language suggests stress/guilt +✗ Countersurveillance behavior (checking for followers) +✗ Document exchange (physical information transfer) +✗ Professional meeting disguised as casual coffee + +RED FLAGS: +• Off-site location (avoiding workplace surveillance) +• Unknown contact (not in subject's social circle or colleagues) +• Document exchange (analog to avoid digital trail) +• Subject's nervous behavior (consciousness of wrongdoing) +• Duration/timing (41 minutes = substantive discussion) + +─────────────────────────────────────────────────────── + +[PHOTO 2: DOCUMENT EXCHANGE] + +Same Location: [LOCATION] +Same Date: [DATE], [TIME + 15 minutes] +Camera: Close-up telephoto zoom +Quality: GOOD (documents partially visible) + +CAPTURED MOMENT: +[SUBJECT_NAME] sliding manila envelope across table +Unknown 
individual accepting envelope +Envelope appears to contain papers (thickness visible) + +VISIBLE DETAILS: +- Envelope unmarked (no corporate branding) +- Approximately 20-30 pages based on thickness +- [SUBJECT_NAME]'s hand visibly trembling (stress/fear) +- Unknown individual nodding (confirmation received) +- Both glancing around (awareness of surveillance risk) + +ANALYSIS: +Physical document transfer avoids: +→ Email monitoring (corporate IT) +→ Digital forensics trails +→ Cloud storage logging +→ Network activity detection + +Classic tradecraft for covert information transfer. + +─────────────────────────────────────────────────────── + +[PHOTO 3: CASH PAYMENT] + +Same Location: [LOCATION] +Same Date: [DATE], [TIME + 28 minutes] +Camera: High-resolution capture +Quality: EXCELLENT (bills visible) + +CAPTURED TRANSACTION: +Unknown individual handing envelope to [SUBJECT_NAME] +Envelope different from document envelope (smaller, white) +[SUBJECT_NAME] opening envelope briefly +Cash visible inside (bills appear to be $100 denominations) + +OBSERVED BEHAVIOR: +- [SUBJECT_NAME] glancing inside quickly +- Immediate concealment (into jacket pocket) +- No counting of money (trusts amount) +- Relief visible in facial expression +- Handshake after payment + +ESTIMATED AMOUNT: +Based on envelope size and visible bills: $2,000-$5,000 +(Consistent with ENTROPY "installment payment" pattern) + +SIGNIFICANCE: +Cash payment for documents = textbook espionage transaction +Pattern matches ENTROPY asset handling methodology + +═══════════════════════════════════════════════════════ +SURVEILLANCE PHOTOGRAPHY - DAY 5 +═══════════════════════════════════════════════════════ + +[PHOTO 4: SUBJECT AT DEAD DROP LOCATION] + +Location: [DEAD_DROP_LOCATION] (Public park, near bench #7) +Date: [DATE + 5 days], [TIME] +Camera: Long-range surveillance (500mm) +Quality: MEDIUM (distance ~200 meters) + +OBSERVED ACTIVITY: +Subject walking through park (unusual for daily routine) +Stopped at 
specific bench (#7) +Appeared to place something under bench +Departed quickly without sitting +Total time at location: 47 seconds + +DEAD DROP PROCEDURE (Classic): +1. Arrive at predetermined location +2. Deposit package/message +3. Leave immediately without lingering +4. Handler retrieves later (separate visit) + +RECOVERY OPERATION: +Surveillance team recovered package after subject departed: +• USB flash drive (32GB, encrypted) +• Handwritten note: "Files from [SYSTEM_NAME] as requested" +• Note signed with [SUBJECT_NAME]'s initials + +CRITICAL EVIDENCE: +Subject's own handwriting confirming data exfiltration +Physical USB drive proves ENTROPY dead drop usage + +─────────────────────────────────────────────────────── + +[PHOTO 5: HANDLER RETRIEVAL] + +Same Location: [DEAD_DROP_LOCATION] +Same Date: [DATE + 5 days], [TIME + 2 hours] +Camera: Different angle, concealed position +Quality: GOOD (facial features visible) + +SUBJECT: +Unknown individual (SAME as coffee shop meeting!) +Arrived 2 hours after [SUBJECT_NAME]'s deposit +Retrieved package from under bench +Departed in [VEHICLE_DESCRIPTION] + +CONFIRMATION: +Facial recognition match: 87% confidence +Same clothing as coffee shop meeting +Professional countersurveillance (checked surroundings) +Vehicle license plate captured: [PLATE_NUMBER] (rental car) + +HANDLER IDENTIFICATION: +Subject's contact is confirmed ENTROPY handler +Using classic tradecraft (dead drops, cash payments) +Coordinating multiple assets (likely cell member) + +═══════════════════════════════════════════════════════ +SURVEILLANCE PHOTOGRAPHY - DAY 12 +═══════════════════════════════════════════════════════ + +[PHOTO 6: SECOND MEETING AT DIFFERENT LOCATION] + +Location: [SECOND_LOCATION] (Shopping mall food court) +Date: [DATE + 12 days], [TIME] +Camera: Concealed body camera (agent in proximity) +Quality: EXCELLENT (close range ~10 meters) + +MEETING DETAILS: +Same unknown individual as before +Meeting duration: 18 minutes (brief 
check-in) +No visible document exchange (verbal communication only) +Cash payment observed again (smaller envelope) + +AUDIO CAPTURED (Partial): +Agent positioned close enough to hear fragments: + +[SUBJECT_NAME]: "...worried about the security audit..." +Handler: "...completely normal, don't panic..." +[SUBJECT_NAME]: "...access will be more difficult now..." +Handler: "...we can adjust timeline if needed..." + +ANALYSIS: +Conversation references: +→ Security audit (possibly our investigation?) +→ Access difficulties (tightened controls working) +→ Timeline flexibility (operation in progress) +→ Handler providing reassurance (asset management) + +─────────────────────────────────────────────────────── + +[PHOTO 7: COUNTERSURVEILLANCE BEHAVIOR] + +Location: [SUBJECT_NAME]'s vehicle +Date: [DATE + 14 days], [TIME] +Camera: Traffic camera access +Quality: MEDIUM (standard traffic cam) + +OBSERVED: +Subject taking circuitous route home after work +Multiple turns and backtracking +Stopped suddenly, waited, continued +Route added 45 minutes to normal commute + +COUNTERSURVEILLANCE TECHNIQUES OBSERVED: +• Sudden direction changes +• Multiple U-turns +• Extended parking wait (watch for followers) +• Avoided direct route to destination +• Classic surveillance detection route (SDR) + +SIGNIFICANCE: +Subject trained in countersurveillance by ENTROPY +Consciousness of potential surveillance +Professional operational security awareness + +This is NOT amateur behavior. This is trained operative activity. 
+ +═══════════════════════════════════════════════════════ +PATTERN ANALYSIS +═══════════════════════════════════════════════════════ + +MEETING FREQUENCY: +Week 1: Initial coffee shop meeting (Day 1) +Week 2: Dead drop communication (Day 5) +Week 3: Second in-person meeting (Day 12) + +Pattern: Meetings every 5-7 days (weekly handler check-ins) +Consistent with ENTROPY asset handling protocol + +LOCATION SELECTION: +• Different location each time (security) +• Public places with multiple exits +• 20-30 miles from subject's home/work +• Areas subject doesn't normally frequent + +Pattern: Professional tradecraft, avoiding pattern establishment + +PAYMENT STRUCTURE: +Meeting 1: Estimated $3,000-$5,000 (document payment) +Meeting 2: Estimated $1,000-$2,000 (check-in payment) + +Total observed: ~$5,000 over 12 days +Projected: $10,000-$15,000 monthly if pattern continues + +COMMUNICATION METHODS: +• In-person meetings (avoid digital surveillance) +• Physical dead drops (analog security) +• Cash payments (no banking trail) +• Document exchanges (no email trail) + +Assessment: Sophisticated operational security maintained + +═══════════════════════════════════════════════════════ +HANDLER PROFILE +═══════════════════════════════════════════════════════ + +UNKNOWN INDIVIDUAL (ENTROPY HANDLER): + +PHYSICAL DESCRIPTION: +• [GENDER], approximately [AGE] years old +• Height: [HEIGHT] (estimated from photos) +• Build: [BUILD] +• Hair: [HAIR_DESCRIPTION] +• Distinguishing features: [FEATURES] +• Clothing: Professional casual (blend in anywhere) + +BEHAVIORAL INDICATORS: +• Confident bearing (experienced operator) +• Excellent situational awareness +• Professional countersurveillance +• Calm demeanor (not nervous like subject) +• Directive body language (giving orders) + +VEHICLE: +• [VEHICLE_DESCRIPTION] +• License plate: [PLATE_NUMBER] (rental, fake ID used) +• Parked in areas allowing quick exit +• Changed vehicles twice (rental rotation) + +COMMUNICATIONS SECURITY: +• Uses 
burner phones (observed discarding one) +• Cash transactions only +• No digital footprint visible +• Multiple fake identities suspected + +THREAT ASSESSMENT: HIGH +This is professional ENTROPY cell member, possibly cell leader +Handles multiple assets (subject likely not their only contact) +Trained in intelligence tradecraft +Significant operational security discipline + +═══════════════════════════════════════════════════════ +CONCLUSIONS +═══════════════════════════════════════════════════════ + +EVIDENCE ASSESSMENT: STRONG + +Photographic and surveillance evidence confirms: + +✓ [SUBJECT_NAME] maintains regular contact with ENTROPY operative +✓ Physical exchange of documents for cash payment +✓ Usage of dead drop locations (USB drive recovery) +✓ Subject's handwriting on dead drop note +✓ Countersurveillance behavior (trained operative awareness) +✓ Pattern consistent with ENTROPY asset handling +✓ Weekly handler meetings with payment structure + +CONFIDENCE LEVEL: 85% + +Subject is actively operating as ENTROPY asset, providing +information/data in exchange for cash payments under +direction of experienced ENTROPY handler. + +RECOMMENDATIONS: + +OPTION 1: Arrest Both Subject and Handler +• Simultaneous takedown at next meeting +• Seize evidence (cash, documents, devices) +• Interrogate both separately +• Build case against cell + +OPTION 2: Continue Surveillance +• Identify other assets handler manages +• Map complete cell network +• Build larger case before action +• Risk: Subject completes current operation + +OPTION 3: Approach Subject with Evidence +• Show photos during interview +• "We know about your handler. We have photos." +• Offer cooperation vs. 
prosecution +• Use surveillance as leverage + +RECOMMENDED: Option 3 (Leverage for cooperation) +Photos are compelling evidence difficult to deny +Subject's fear visible in photos (vulnerable to pressure) +Handler identification valuable intelligence +Turn subject into informant against cell + +═══════════════════════════════════════════════════════ + +SURVEILLANCE TEAM NOTES: + +[SUBJECT_NAME] is clearly uncomfortable with this activity. +Fear and stress visible in every meeting photo. +Not a professional operative - recruited asset under pressure. + +The handler, however, is experienced professional. +Likely cell member with multiple assets under management. +Capturing handler would significantly disrupt cell operations. + +Recommend showing [SUBJECT_NAME] the photos: +"You thought no one was watching. But we have everything. +Every meeting. Every payment. Your handler's face. + +You can keep pretending, or you can help us. +What's it going to be?" + +Prediction: Subject will cooperate when shown evidence. + +- Agent 0x99, Surveillance Lead + +═══════════════════════════════════════════════════════ +CLASSIFICATION: SURVEILLANCE EVIDENCE - PHOTOGRAPHIC +DISTRIBUTION: Investigation team, legal counsel +HANDLING: Maintain photo chain of custody, proper authorization +═══════════════════════════════════════════════════════ +``` + +--- + +## Gameplay Integration + +**This Fragment Enables:** + +**Visual Proof:** +- Photos harder to deny than digital evidence +- Subject's own handwriting on dead drop note +- Handler's face captured (can identify) +- Cash payments documented +- Pattern of meetings established + +**Confrontation Impact:** +``` +Player shows photos during interrogation: + +"This is you, [SUBJECT_NAME]. Meeting your handler. +This photo - you're passing documents. +This one - receiving cash payment. +This one - your handwritten note at the dead drop. + +We have dates, times, locations. Your handler's face. + +You can't talk your way out of photographs. 
+ +So let's skip the denials. Tell us about your handler." +``` + +**Player Choices:** + +**SHOW PHOTOS IMMEDIATELY:** +- High impact confrontation +- Subject rattled by visual proof +- 75% cooperation likelihood +- Quick resolution + +**HOLD PHOTOS IN RESERVE:** +- Let subject lie first +- Catch them in contradictions +- Then reveal photos (devastation) +- 85% cooperation (broken by own lies + photos) + +**USE FOR HANDLER IDENTIFICATION:** +- Facial recognition on handler photos +- Vehicle tracking via plate number +- Pattern analysis for next meeting +- Attempt to arrest both simultaneously + +--- + +## Success Metrics + +**Evidence Value:** +- Photos alone: 50% (suspicious but could be explained) +- Photos + financial records: 80% (payments match meetings) +- Photos + access logs: 85% (timing correlates with data theft) +- Photos + encrypted comms + financial + access: 95% + +**Cooperation Likelihood:** +- Text evidence only: 50% cooperation +- Financial evidence: 60% cooperation +- Surveillance photos: 75% cooperation (harder to deny) +- All evidence combined: 90% cooperation + +**Handler Capture Value:** +- Handler ID'd: +Intelligence on cell structure +- Handler arrested: Major cell disruption +- Handler turned: Complete cell compromise (rare) + +--- + +## Template Substitution Guide + +**Replace placeholders:** + +``` +[SUBJECT_NAME] → NPC name +[POSITION] → Job title +[CONTACT_DESCRIPTION] → Handler description (e.g., "Male, 35-40, professional attire") +[LOCATION] → Meeting location (e.g., "Riverside Coffee House") +[DATE], [TIME] → Appropriate timestamps +[OPERATION_CODE_NAME] → Surveillance op name +[DURATION] → Days of surveillance (e.g., "14 days") +[BUDGET] → Surveillance cost (e.g., "$47,000") +[DEAD_DROP_LOCATION] → Park, parking lot, etc. 
+[SYSTEM_NAME] → System data came from +[VEHICLE_DESCRIPTION] → Handler's vehicle +[PLATE_NUMBER] → License plate +[SECOND_LOCATION] → Different meeting spot +``` + +**Photo Description Templates:** + +``` +Coffee Shop Meeting: +"Outdoor seating, telephoto lens, both visible in profile, +document exchange captured, nervous body language visible" + +Dead Drop: +"Park bench #7, subject depositing package, 47 seconds at location, +USB drive recovered, handwritten note with initials" + +Payment: +"Cash envelope visible, $100 bills, quick concealment, +relief in facial expression, handshake afterward" + +Handler Retrieval: +"Same location 2 hours later, same individual from first meeting, +package retrieval, vehicle departure, license plate captured" +``` + +--- + +## Related Evidence Combination + +**Optimal Evidence Set:** + +1. **Surveillance photos** (this fragment) → WHO they met +2. **Financial records** (TEMPLATE_002) → PAYMENT received +3. **Access logs** (TEMPLATE_003) → WHAT they stole +4. **Encrypted comms** (TEMPLATE_001) → COORDINATION details + +**Evidence Chain:** +``` +Encrypted email → Arranges meeting +Surveillance photo → Documents meeting occurred +Access logs → Shows data theft timing matches meeting +Financial records → Payment received after theft +Dead drop photo → Physical data transfer captured +Handler photo → ENTROPY operative identified +``` + +**Overwhelming Evidence:** +When presented together, subject has no defense. +Each piece corroborates the others. +Cooperation becomes only logical choice. + +--- + +**CLASSIFICATION:** EVIDENCE TEMPLATE - SURVEILLANCE +**PRIORITY:** HIGH (Visual proof compelling) +**REUSABILITY:** High (works for any handler-asset relationship) +**LEGAL VALUE:** Excellent (photos highly admissible) +**PSYCHOLOGICAL VALUE:** Excellent (harder to deny than text) 
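Review bot: The HANDLER PROFILE block of the surveillance template uses [GENDER], [AGE], [HEIGHT], [BUILD], [HAIR_DESCRIPTION] and [FEATURES], none of which are listed in this file's Template Substitution Guide, so anyone substituting from the guide will leave those brackets unreplaced in the deployed fragment. Add them to the guide, or collapse the block onto the already documented [CONTACT_DESCRIPTION]. The guide also covers only plain [DATE] and [TIME], while the body uses offset forms such as [TIME + 28 minutes], [DATE + 5 days] and [TIME + 2 hours] that a literal find-and-replace will not match; either document how offsets are to be computed or give each one its own placeholder name. Two figures should be reconciled as well: Photo 3 estimates the first payment at $2,000-$5,000 but PAYMENT STRUCTURE lists Meeting 1 as $3,000-$5,000, and the report's "CONFIDENCE LEVEL: 85%" sits next to "Photos alone: 50%" under Success Metrics without saying how the two relate. Lastly, [DEAD_DROP_LOCATION] is followed by the hardcoded "(Public park, near bench #7)", which will contradict the guide's own "Park, parking lot, etc." whenever a non-park value is substituted.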
diff --git a/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_005_physical_evidence.md b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_005_physical_evidence.md new file mode 100644 index 0000000..28f180c --- /dev/null +++ b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_AGENT_ID_005_physical_evidence.md 
@@ -0,0 +1,575 @@ +# TEMPLATE: Handwritten Notes and Physical Evidence + +**Fragment ID:** EVIDENCE_AGENT_ID_005 +**Gameplay Function:** Agent Identification Evidence (Physical) +**Evidence Type:** Handwritten document, personal notes +**Rarity:** Common +**Substitution Required:** [SUBJECT_NAME], [HANDLER_CODENAME], [MEETING_LOCATION] + +--- + +## Evidence Summary + +**Item:** Handwritten notes recovered from subject's personal effects +**Subject:** [SUBJECT_NAME] +**Evidence Quality:** HIGH (subject's own handwriting, direct confession) +**Admissibility:** HIGH (physical evidence with chain of custody) + +--- + +## Recovered Physical Evidence + +``` +╔═══════════════════════════════════════════════════════╗ +║ EVIDENCE RECOVERY REPORT ║ +║ Physical Document Analysis ║ +╚═══════════════════════════════════════════════════════╝ + +EVIDENCE ID: PHYS-[EVIDENCE_NUMBER] +RECOVERY DATE: [CURRENT_DATE] +RECOVERY LOCATION: [SUBJECT_NAME]'s desk drawer (work) +RECOVERED BY: Agent 0x99 "HAXOLOTTLE" +AUTHORIZATION: Search warrant #[WARRANT_NUMBER] + +DESCRIPTION: +Handwritten notes on yellow legal pad pages (3 pages) +Torn from larger notepad, edges ragged +Blue ink, ballpoint pen +Subject's handwriting (verified by comparison samples) + +CHAIN OF CUSTODY: +[CURRENT_DATE] 14:23 - Discovered by Agent 0x99 +[CURRENT_DATE] 14:47 - Photographed in situ +[CURRENT_DATE] 15:12 - Bagged and tagged (Evidence locker #447) +[CURRENT_DATE] 16:30 - Handwriting analysis (confirmed match) + +STATUS: Preserved as evidence, copies made for investigation +``` + +--- + +## Handwritten Note - Page 1 + +``` +[IMAGE: Photo of handwritten note on yellow legal pad paper] + +[TRANSCRIPTION - Exact text as written, including errors/strikeouts] + +Meeting notes - [DATE] + +THINGS TO REMEMBER: +- [HANDLER_CODENAME] wants access to [SYSTEM_NAME] by next week +- Password for [SYSTEM]: [REDACTED] (wrote it down - delete this!) 
+- Files to copy: + * Customer database (all records) + * Network diagrams + * Employee info spreadsheet + * Email backup from [EXECUTIVE_NAME] + +PAYMENT: $[AMOUNT] on completion +(Need this for student loans - almost there!) + +Next meeting: [MEETING_LOCATION], [DATE], [TIME] +Code word if problems: "The project is delayed" + +DON'T FORGET TO: +- Clear browser history after each session +- Use VPN from home +- USB drive hidden in [HIDING_LOCATION] +- Delete these notes after memorizing!!! + +[Several lines scratched out heavily - attempted concealment] + +Feeling sick about this. But what choice do I have? +$[DEBT_AMOUNT] in debt. Can't keep living like this. +[HANDLER_CODENAME] says it's just "competitive intelligence" +Not really hurting anyone... right? + +[Bottom of page has doodles - nervous energy visible] +``` + +--- + +## Analysis: Page 1 + +**CRITICAL EVIDENCE ELEMENTS:** + +🔴 **Direct Admission of Activity** +- "Files to copy" - consciousness of data theft +- Lists specific systems and data targets +- Acknowledges payment for services +- Planning future meeting with handler + +🔴 **Handler Reference** +- "[HANDLER_CODENAME]" - ENTROPY operative designation +- Subject takes instructions from external party +- Codename suggests operational security awareness + +🔴 **Operational Details** +- Specific system names and access methods +- Password written down (poor OPSEC but great evidence) +- File exfiltration plan documented +- USB drive location noted + +🔴 **Payment Information** +- "$[AMOUNT] on completion" - quid pro quo documented +- Financial motivation explicitly stated +- Student loan debt referenced (recruitment vector) + +🔴 **Security Evasion Tactics** +- "Clear browser history" +- "Use VPN from home" +- "Delete these notes" (consciousness of wrongdoing) +- Hiding physical evidence (USB drive) + +🔴 **Guilty Knowledge** +- "Feeling sick about this" - knows it's wrong +- "What choice do I have?" 
- rationalization +- Handler's reassurance ("just competitive intelligence") +- Self-doubt visible ("Not really hurting anyone... right?") + +--- + +## Handwritten Note - Page 2 + +``` +[IMAGE: Photo of second page, different date] + +[TRANSCRIPTION] + +After meeting with [HANDLER_CODENAME] - [LATER_DATE] + +THEY WANT MORE: +- [NEW_SYSTEM] access (don't have clearance for this!) +- Told them might be difficult +- [HANDLER_CODENAME] said "find a way" - sounded threatening? +- Offered another $[AMOUNT_2] if I get it + +FEELING WORSE: +This isn't what I signed up for +Thought it would be one-time thing +Now they keep asking for more +What if I get caught? +What if I refuse and they expose me? + +MEETING NOTES: +- [HANDLER_CODENAME] asked about security audit happening +- Seemed worried about it +- Told me to "act normal" and "don't panic" +- Gave me encrypted phone number: [PHONE_NUMBER] + (Only for emergencies - burner phone) + +PAYMENT RECEIVED: +$[PREVIOUS_AMOUNT] - cash, small bills +Paid off credit card #1 +Still owe $[REMAINING_DEBT] + +They have me trapped. Can't stop now. +If I refuse, they threaten to tell [ORGANIZATION]. +I'd be fired. Maybe arrested. +Have to keep going... + +[Heavy pen marks - stress visible in writing pressure] + +Maybe I should talk to someone? But who? +Can't tell [FRIEND_NAME] - they'd be horrified +Can't tell work - I'd be fired immediately +Can't tell police - I'd go to jail + +STUCK. 
+ +[Last line heavily scratched out but still partially visible: +"What have I done"] +``` + +--- + +## Analysis: Page 2 + +**ESCALATION PATTERN:** + +🔴 **Increasing Demands** +- "They want more" - scope creep +- System beyond clearance level (escalation) +- Handler "sounded threatening" (coercion emerging) +- Can't refuse without consequences + +🔴 **Emotional Deterioration** +- "FEELING WORSE" (capitalized - emphasis) +- "Wasn't what I signed up for" +- Explicit fear of being caught +- Recognition of being trapped + +🔴 **Coercion Evidence** +- "If I refuse they threaten to tell [ORGANIZATION]" +- Subject feels unable to stop +- Fear of exposure keeping them compliant +- Classic ENTROPY asset control tactic + +🔴 **Handler Security Concerns** +- Handler worried about security audit (our investigation?) +- Gave burner phone number (emergency contact) +- Instructions to "act normal" (aware of surveillance risk) + +🔴 **Payment Tracking** +- Specific amount documented +- Used for debt payoff (confirmation of financial motive) +- Remaining debt noted (ongoing vulnerability) + +🔴 **Isolation** +- Can't tell friends (social isolation) +- Can't tell work (professional isolation) +- Can't tell police (legal isolation) +- Psychological trap documented in own words + +--- + +## Handwritten Note - Page 3 + +``` +[IMAGE: Photo of third page, most recent date] + +[TRANSCRIPTION - Writing appears rushed, stressed] + +[RECENT_DATE] - THINGS GETTING WORSE + +Security is tightening at work +[IT_SECURITY_NAME] asking questions about access logs +Trying to stay calm but panicking inside + +[HANDLER_CODENAME] wants me to: +1. Get [EXECUTIVE_NAME]'s emails (IMPOSSIBLE - don't have access) +2. Network diagrams (already gave these??) +3. Something about "SCADA systems" - don't even know what that means + +THEY'RE PUSHING TOO HARD + +Last payment only $[REDUCED_AMOUNT] - said it's "installment" +Was supposed to be $[PROMISED_AMOUNT] +Are they cheating me now too? 
+ +Meeting got scary: +[HANDLER_CODENAME] mentioned "permanent solutions for loose ends" +When I asked what that meant, they just smiled +AM I A LOOSE END?? + +Found out they're not even "competitive intelligence" +Overheard [HANDLER_CODENAME] on phone: "ENTROPY cell needs..." +WHAT IS ENTROPY?? +Googled it - sounds like criminal organization +OH GOD WHAT HAVE I GOTTEN INTO + +CONSIDERING OPTIONS: +1. Keep going - might get caught, might get hurt +2. Refuse - they expose me, I lose everything +3. Run - they'd find me? +4. Go to police - I'd go to jail but maybe safer? +5. Talk to [ORGANIZATION] security? Would they help or arrest me? + +DON'T KNOW WHAT TO DO + +If someone finds these notes: I'm sorry. I made terrible choices. +Started because of debt. Kept going because of fear. +I know it's wrong. I know I hurt people. +But I'm scared and don't know how to get out. + +If you're reading this, please help me. + +[Phone number written at bottom:] +[ORGANIZATION] Security Hotline: [SECURITY_NUMBER] +(Should I call? Too scared. But maybe...) + +[Final line, barely legible:] +"Please let this end somehow" + +[EVIDENCE NOTE: This page was on top of stack, most recent entry] +``` + +--- + +## Analysis: Page 3 + +**CRITICAL DEVELOPMENTS:** + +🔴 **Handler Becoming Threatening** +- "Permanent solutions for loose ends" - death threat implication +- Subject recognizes danger to self +- Handler reducing payments (exploitation) +- Coercion escalating to potential violence + +🔴 **Discovery of True Nature** +- Overheard "ENTROPY cell" reference +- Subject researched ENTROPY +- Realization they're involved with criminals +- "OH GOD WHAT HAVE I GOTTEN INTO" - genuine shock + +🔴 **Desperate Consideration of Options** +- Explicitly considering coming forward +- Recognizes jail as possibility +- Still paralyzed by fear +- Reaching toward help but unable to commit + +🔴 **Cry for Help** +- "If you're reading this, please help me" +- Security hotline number written down +- "Should I call? 
Too scared." +- Subject wants out but doesn't know how + +🔴 **Remorse and Self-Awareness** +- "I made terrible choices" +- "I know I hurt people" +- "I know it's wrong" +- Genuine guilt and regret documented + +--- + +## Forensic Analysis + +``` +═══════════════════════════════════════════════════════ +HANDWRITING ANALYSIS REPORT +═══════════════════════════════════════════════════════ + +ANALYST: Forensic Document Examiner, SAFETYNET Lab +SAMPLES COMPARED: Known exemplars from [SUBJECT_NAME]'s + employment records, signatures, forms + +CONCLUSION: DEFINITIVE MATCH + +Handwriting characteristics consistent across all samples: +✓ Letter formation (unique 'g' and 'y' descenders) +✓ Pen pressure patterns (heavy initial strokes) +✓ Slant and spacing (consistent rightward 15° slant) +✓ Baseline consistency +✓ Unique character formations ('e', 'a', 'r') + +PROBABILITY: 99.7% that notes written by [SUBJECT_NAME] + +ADDITIONAL OBSERVATIONS: +• Pen pressure increases in stressed sections (visible anxiety) +• Writing becomes more hurried/less legible over time +• Scratch-outs indicate attempts at concealment +• Doodles/pressure marks indicate nervous energy +• Ink testing: Blue ballpoint, same pen throughout + +EVIDENCE INTEGRITY: EXCELLENT +Notes are authentic, unaltered, written by subject. + +═══════════════════════════════════════════════════════ +``` + +--- + +## Legal Assessment + +``` +═══════════════════════════════════════════════════════ +PROSECUTORIAL ANALYSIS +═══════════════════════════════════════════════════════ + +From: Federal Prosecutor's Office +Re: Evidence value of recovered handwritten notes + +ADMISSIBILITY: VERY HIGH + +These notes constitute direct confession written by +subject's own hand. 
Elements present: + +✓ Subject's own handwriting (verified by forensic analysis) +✓ Specific admission of criminal activity +✓ Documentation of quid pro quo (services for payment) +✓ Knowledge of wrongdoing (guilty conscience expressed) +✓ Operational details (systems, methods, targets) +✓ Handler identification (ENTROPY operative) +✓ Payment records (money laundering evidence) + +LEGAL STRENGTH: + +Confession in writing is powerful evidence: +• No Miranda issues (not custodial interrogation) +• No coercion by law enforcement (spontaneous) +• Subject's own words incriminating themselves +• Corroborates other evidence (financial, technical) +• Demonstrates consciousness of guilt + +However, notes also show: +• Coercion by ENTROPY (threatens subject) +• Fear and remorse (victim characteristics) +• Desire for help (reaching toward authorities) +• Financial desperation (mitigating factor) + +RECOMMENDATION: + +Use notes as leverage for cooperation, not prosecution. + +Subject is scared, remorseful, and wants out. +Show them the notes: +"We found your notes. We know everything. We know you're +scared. We know they threatened you. We can help. But you +need to help us first." + +Cooperation probability: 95% +Prosecution without cooperation: Unnecessary (better uses for this evidence) + +Notes make subject perfect witness against ENTROPY: +• Credible (genuine fear and remorse) +• Detailed (operational knowledge documented) +• Motivated (wants to escape ENTROPY control) + +Turn them. Don't prosecute them. + +═══════════════════════════════════════════════════════ +``` + +--- + +## Gameplay Integration + +**This Fragment Enables:** + +**Devastating Confrontation:** +``` +Agent places notes on interrogation table: + +"We found your notes, [SUBJECT_NAME]. +In your own handwriting. + +'Files to copy... Payment $[AMOUNT]... Delete these notes.' + +You documented everything. Your meetings with [HANDLER_CODENAME]. +The systems you accessed. The payments you received. 
+ +And this: 'Please help me.' You wrote that. + +We're here to help. But first, you need to tell us everything." +``` + +**Empathetic Approach Enabled:** +``` +"We read all three pages. We know you're scared. +We know they threatened you with 'permanent solutions.' +We know you want out. + +That security hotline number you wrote down? Consider this us +calling you instead. + +We can protect you from ENTROPY. We can help with your debt. +We can make this right. + +But we need your full cooperation. Everything about [HANDLER_CODENAME]. +Everything about what they wanted. Everything about ENTROPY. + +Will you help us?" +``` + +**Player Choices:** + +**SHOW NOTES IMMEDIATELY:** +- Maximum emotional impact +- Subject realizes everything documented +- 95% cooperation likelihood +- Compassionate approach available + +**USE NOTES AS LEVERAGE:** +- Build case with other evidence first +- Show notes as final proof +- Subject has no defense remaining +- 90% cooperation (through overwhelming evidence) + +**OFFER HELP BASED ON NOTES:** +- Reference their cry for help +- Show notes prove they want out +- Emphasize protection from ENTROPY +- 95% cooperation (relief at rescue) + +--- + +## Success Metrics + +**Evidence Value:** +- Handwritten notes alone: 80% (self-incrimination) +- Notes + financial records: 95% (payment confirmation) +- Notes + access logs: 95% (activity confirmation) +- Notes + surveillance: 98% (complete picture) +- All evidence combined: 99.9% (overwhelming) + +**Cooperation Likelihood:** +- Notes showing guilt: 85% (fear of prosecution) +- Notes showing fear of ENTROPY: 90% (protection offer) +- Notes showing cry for help: 95% (rescue opportunity) +- Empathetic approach: 98% (genuine care shown) + +**Psychological Impact:** +- Subject's own words used against them: High impact +- Recognition they documented everything: Devastating +- Cry for help acknowledged: Relief and cooperation +- Protection from ENTROPY offered: Gratitude + +--- + +## Template 
Substitution Guide + +**Replace placeholders:** + +``` +[SUBJECT_NAME] → NPC name +[HANDLER_CODENAME] → Handler's code designation (e.g., "Phoenix", "Architect", "Alpha-07") +[SYSTEM_NAME] → System accessed (e.g., "Customer Database", "Finance Server") +[AMOUNT] → Payment amount +[DATE], [TIME] → Appropriate dates and times +[MEETING_LOCATION] → Meeting place +[ORGANIZATION] → Company name +[EXECUTIVE_NAME] → Target executive +[DEBT_AMOUNT] → Subject's total debt +[PHONE_NUMBER] → Burner phone number +[HIDING_LOCATION] → Where USB drive hidden +[IT_SECURITY_NAME] → IT security person's name +[SECURITY_NUMBER] → Organization security hotline +``` + +**Emotional Progression:** +``` +Page 1: Nervous but rationalizing ("just competitive intelligence") +Page 2: Trapped and afraid ("they have me trapped") +Page 3: Desperate for escape ("please help me") + +Arc: Willing participant → Coerced asset → Victim seeking rescue +``` + +--- + +## Related Evidence Combination + +**Optimal Evidence Set (All Templates Together):** + +1. **Encrypted comms** (TEMPLATE_001) → Initial contact +2. **Financial records** (TEMPLATE_002) → Payments match notes +3. **Access logs** (TEMPLATE_003) → Activity matches notes +4. **Surveillance photos** (TEMPLATE_004) → Meetings documented +5. 
**Handwritten notes** (this) → Subject's confession in own words + +**Complete Evidence Chain:** +``` +Encrypted email arranges meeting + ↓ +Surveillance photo documents meeting occurred + ↓ +Handwritten notes describe what handler wanted + ↓ +Access logs show subject accessed those exact systems + ↓ +Financial records show payment received as noted + ↓ +Handwritten notes express guilt and fear + ↓ +Overwhelming evidence = cooperation inevitable +``` + +--- + +**CLASSIFICATION:** EVIDENCE TEMPLATE - PHYSICAL +**PRIORITY:** VERY HIGH (Self-incrimination in writing) +**REUSABILITY:** High (works for any documentary evidence) +**LEGAL VALUE:** Excellent (handwriting verified, admissible) +**PSYCHOLOGICAL VALUE:** Maximum (subject's own words, genuine emotion) +**COOPERATION VALUE:** Excellent (empathy possible, rescue narrative) diff --git a/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_CATALOG.md b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_CATALOG.md new file mode 100644 index 0000000..c641383 --- /dev/null +++ b/story_design/lore_fragments/by_gameplay_function/evidence_prosecution/TEMPLATE_CATALOG.md 
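Review bot: In TEMPLATE_AGENT_ID_005_physical_evidence.md, the header line "Substitution Required: [SUBJECT_NAME], [HANDLER_CODENAME], [MEETING_LOCATION]" and the Template Substitution Guide both understate what the body needs: [EVIDENCE_NUMBER], [CURRENT_DATE], [WARRANT_NUMBER], [NEW_SYSTEM], [AMOUNT_2], [PREVIOUS_AMOUNT], [REMAINING_DEBT], [REDUCED_AMOUNT], [PROMISED_AMOUNT], [LATER_DATE], [RECENT_DATE] and [FRIEND_NAME] are used but never listed. Page 1 also writes "Password for [SYSTEM]" where the rest of the file and the guide use [SYSTEM_NAME], so that one occurrence will be missed. Note that [REDACTED], [IMAGE: ...] and [TRANSCRIPTION ...] share the bracket syntax but are meant to stay literal; any check for leftover placeholders will flag them unless the guide names them as literals or they use a different marker. The Page 2 analysis quotes "Wasn't what I signed up for" while the transcription reads "This isn't what I signed up for"; quoted evidence in the analysis sections should match the note text exactly.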
@@ -0,0 +1,846 @@ +# Evidence Template Catalog - ENTROPY Agent Identification + +**Purpose:** Reusable evidence templates for identifying NPCs as ENTROPY agents/assets +**Location:** `story_design/lore_fragments/by_gameplay_function/evidence_prosecution/` +**Template Count:** 5 comprehensive evidence types +**Substitution System:** [PLACEHOLDER] format for runtime NPC assignment + +--- + +## Template System Overview + +### How Templates Work + +Each template is a **complete evidence fragment** with placeholder variables that can be substituted at game runtime with specific NPC names, organizations, dates, and other contextual details. + +**Template Format:** +```markdown +[SUBJECT_NAME] → Actual NPC name +[ORGANIZATION] → Company/organization name +[POSITION] → Job title/role +[AMOUNT] → Dollar amounts +[DATE] → Appropriate game timeline dates +``` + +**Usage in Game:** +1. Select template based on evidence type needed +2. Substitute all [PLACEHOLDER] variables with scenario-specific values +3. Adjust details to match NPC's role and storyline +4. Deploy as discoverable LORE fragment + +--- + +## The Five Evidence Templates + +### 1. 
TEMPLATE_AGENT_ID_001: Encrypted Communications + +**File:** `TEMPLATE_AGENT_ID_001_encrypted_comms.md` + +**Evidence Type:** Digital - Suspicious encrypted email communications + +**What It Provides:** +- Intercepted PGP-encrypted email from corporate account to ProtonMail +- After-hours communication (23:47 timestamp) +- References to "payment arrangement" and "documentation transfer" +- Security policy violations (encryption on corporate email) +- References to bypassing security procedures + +**Substitution Variables:** +- [SUBJECT_NAME] - NPC's name +- [ORGANIZATION] - Company name +- [POSITION] - Job title +- [CURRENT_DATE] - Appropriate game date + +**Red Flags Documented:** +🚩 Encrypted communication from work email (policy violation) +🚩 ProtonMail recipient (anonymous service) +🚩 After-hours timing (secretive) +🚩 "Payment arrangement confirmed" (financial transaction) +🚩 Security audit bypass offer (insider threat) +🚩 "Documentation transfer via agreed method" (covert exfiltration) + +**Evidence Strength:** +- Alone: 40% confidence (circumstantial) +- + Financial records: 75% confidence +- + Access logs: 65% confidence +- + All evidence types: 90% confidence + +**Best Used For:** +- Initial suspicion flag +- Corporate infiltration scenarios +- Data exfiltration cases +- Insider threat identification + +**Gameplay Integration:** +- Triggers investigation unlock on NPC +- Enables surveillance mission +- Requires corroboration for action +- Multiple approach choices (immediate confrontation vs. continued monitoring) + +--- + +### 2. 
TEMPLATE_AGENT_ID_002: Financial Records + +**File:** `TEMPLATE_AGENT_ID_002_financial_records.md` + +**Evidence Type:** Financial - Suspicious bank transactions and cryptocurrency activity + +**What It Provides:** +- Complete forensic analysis of NPC's financial records +- Employment verification and salary baseline +- Suspicious cash deposits ($25K-$75K range, ENTROPY payment pattern) +- Cryptocurrency wallet activity linked to ENTROPY master wallet +- Shell company connections +- Offshore account activity +- Lifestyle vs. income discrepancy analysis + +**Substitution Variables:** +- [SUBJECT_NAME] - NPC's name +- [ORGANIZATION] - Employer +- [POSITION] - Job title +- [SALARY] - Base salary +- [AMOUNT] - Payment amounts +- [DATE] - Transaction dates + +**Red Flags Documented:** +🚩 Unexplained cash deposits (15-30% above salary) +🚩 Cryptocurrency transactions to known ENTROPY wallet +🚩 Shell company payments (obfuscation) +🚩 Offshore transfers (tax evasion, hiding wealth) +🚩 Timing correlation with data breaches +🚩 Lifestyle inflation (new car, debt payoff) + +**Financial Timeline Example:** +``` +March 15: Cash deposit $42,000 (source unknown) +March 18: Cryptocurrency transfer to ENTROPY master wallet +March 20: Student loan payment $15,000 +April 2: Cash deposit $38,000 +April 5: New vehicle purchase $45,000 (cash) +``` + +**Evidence Strength:** +- Alone: 60% confidence (strong suspicion) +- + Encrypted comms: 75% confidence +- + Access logs: 95% confidence (quid pro quo proven) +- + All evidence types: 98% confidence + +**Best Used For:** +- Proving payment for services (quid pro quo) +- Asset recruitment scenarios (financial desperation) +- Money laundering investigations +- Connecting to ENTROPY financial network + +**Gameplay Integration:** +- Unlocks financial forensics mission +- Enables asset seizure actions +- Shows ENTROPY payment patterns +- Creates leverage opportunity (financial crimes) + +--- + +### 3. 
TEMPLATE_AGENT_ID_003: Access Logs + +**File:** `TEMPLATE_AGENT_ID_003_access_logs.md` + +**Evidence Type:** Technical - Unauthorized system access patterns + +**What It Provides:** +- Comprehensive IT audit of NPC's system activity +- 5 documented security incidents with technical details +- Pattern analysis showing reconnaissance → access → exfiltration → cover-up +- Behavioral analysis (after-hours access, weekend activity) +- Technical evidence (PowerShell exploitation, USB usage) +- Data exfiltration proof (1.2GB transferred to USB) + +**Substitution Variables:** +- [SUBJECT_NAME] - NPC's name +- [POSITION] - Job title/role +- [SYSTEM_NAME] - Accessed systems +- [DATA_TYPE] - Type of data stolen +- [FILE_COUNT] - Number of files accessed +- [DATE], [TIME] - Activity timestamps + +**Incidents Documented:** +1. **Sensitive Database Access** (after hours, no business need) +2. **Network Infrastructure Mapping** (weekend, reconnaissance) +3. **HR Database Access** (500+ employee records, PII theft) +4. **Executive Email Access** (PowerShell exploitation, privilege escalation) +5. 
**USB Device Usage** (data exfiltration, 1.2GB, 847 files) + +**Technical Details:** +- PowerShell commands used (Get-MailboxPermission, Add-MailboxPermission) +- Database queries executed (SELECT * FROM sensitive_tables) +- Network mapping tools (Nmap, NetDiscover patterns) +- USB device IDs and transfer volumes +- Deletion attempts (ClearEventLog commands) + +**Evidence Strength:** +- Alone: 70% confidence (technical proof) +- + Financial records: 95% confidence (motive + activity) +- + Encrypted comms: 85% confidence (coordination proven) +- + All evidence types: 98% confidence + +**Best Used For:** +- Data breach investigations +- Proving unauthorized access +- Technical espionage scenarios +- Demonstrating pattern of malicious activity + +**Gameplay Integration:** +- Unlocks technical analysis mission +- Shows what data was compromised +- Creates urgency (active exfiltration) +- Enables immediate access suspension + +--- + +### 4. TEMPLATE_AGENT_ID_004: Surveillance Photos + +**File:** `TEMPLATE_AGENT_ID_004_surveillance_photos.md` + +**Evidence Type:** Physical - Photographic surveillance and behavioral observation + +**What It Provides:** +- Complete 14-day surveillance operation report +- 7 photographic scenarios with detailed descriptions +- Handler identification and profiling +- Pattern analysis (meeting frequency, locations, payment structure) +- Countersurveillance behavior documentation +- Dead drop usage evidence +- Behavioral indicators analysis + +**Substitution Variables:** +- [SUBJECT_NAME] - NPC being surveilled +- [POSITION] - Job title +- [CONTACT_DESCRIPTION] - Handler's physical description +- [LOCATION] - Meeting locations +- [DATE], [TIME] - Surveillance timestamps +- [VEHICLE_DESCRIPTION] - Handler's vehicle +- [OPERATION_CODE_NAME] - Surveillance op name + +**7 Photo Scenarios:** + +**Photo 1-3: Initial Meeting** +- Coffee shop, 42-minute meeting +- Document exchange (manila envelope, 20-30 pages) +- Cash payment ($2K-$5K, visible $100 
bills) +- Subject's nervous behavior documented + +**Photo 4-5: Dead Drop** +- Subject depositing USB drive at park bench +- Handwritten note: "Files from [SYSTEM] as requested" +- Handler retrieval 2 hours later (same person from meeting) +- Confirms operational tradecraft + +**Photo 6: Follow-up Meeting** +- Different location (shopping mall food court) +- Verbal communication (partial audio captured) +- Smaller cash payment +- Security audit discussion overheard + +**Photo 7: Countersurveillance** +- Subject taking circuitous route home +- Multiple U-turns and backtracking +- 45 minutes added to commute +- Professional SDR (surveillance detection route) + +**Handler Profile Provided:** +- Physical description template +- Vehicle information (license plate, rental rotation) +- Behavioral indicators (experienced operator) +- Threat assessment (likely cell leader) + +**Evidence Strength:** +- Alone: 50% confidence (suspicious but explainable) +- + Financial records: 80% confidence (payments match meetings) +- + Access logs: 85% confidence (timing correlates) +- + All evidence types: 95% confidence + +**Best Used For:** +- Visual proof of handler contact +- Handler identification missions +- Pattern establishment (regular meetings) +- Demonstrating tradecraft (dead drops, countersurveillance) + +**Gameplay Integration:** +- Unlocks surveillance mission type +- Enables simultaneous handler/asset arrest +- Facial recognition on handler +- Creates "show the photos" confrontation option + +--- + +### 5. 
TEMPLATE_AGENT_ID_005: Physical Evidence + +**File:** `TEMPLATE_AGENT_ID_005_physical_evidence.md` + +**Evidence Type:** Physical - Handwritten notes and personal documents + +**What It Provides:** +- 3-page handwritten note progression +- Forensic handwriting analysis report +- Legal prosecutorial assessment +- Emotional journey documentation +- Complete chain of custody +- Self-incrimination in subject's own words + +**Substitution Variables:** +- [SUBJECT_NAME] - NPC's name +- [HANDLER_CODENAME] - Handler's operational designation +- [MEETING_LOCATION] - Where meetings occur +- [SYSTEM_NAME] - Systems accessed +- [AMOUNT] - Payment amounts +- [DEBT_AMOUNT] - Subject's financial pressure +- [ORGANIZATION] - Company name + +**3-Page Emotional Progression:** + +**Page 1: Initial Instructions (Nervous Rationalization)** +``` +Meeting notes with [HANDLER_CODENAME] +- Files to copy: Customer database, Network diagrams, Employee info +- Payment: $[AMOUNT] on completion +- "Feeling sick about this. But what choice do I have?" +- "[HANDLER] says it's just 'competitive intelligence'" +- "Not really hurting anyone... right?" +- "Delete these notes after memorizing!!!" +``` + +**Page 2: Escalation (Feeling Trapped)** +``` +After meeting - THEY WANT MORE +- [NEW_SYSTEM] access (don't have clearance!) +- Told them might be difficult +- [HANDLER] sounded threatening +- "They have me trapped. Can't stop now." +- "If I refuse, they threaten to tell [ORGANIZATION]" +- "What have I done" +``` + +**Page 3: Desperation (Cry for Help)** +``` +THINGS GETTING WORSE +- Security tightening at work +- [HANDLER] mentioned "permanent solutions for loose ends" +- AM I A LOOSE END?? +- Overheard [HANDLER] on phone: "ENTROPY cell needs..." +- WHAT IS ENTROPY?? OH GOD WHAT HAVE I GOTTEN INTO +- "If someone finds these notes: please help me." +- [ORGANIZATION] Security Hotline: [NUMBER] +- "Should I call? Too scared. But maybe..." 
+- "Please let this end somehow" +``` + +**Forensic Analysis Included:** +- Handwriting verification (99.7% match) +- Pen pressure analysis (stress visible) +- Writing deterioration over time +- Scratch-out attempts (concealment) +- Ink testing (same pen throughout) + +**Legal Assessment:** +- Admissibility: VERY HIGH (spontaneous confession) +- No Miranda issues (not custodial interrogation) +- Subject's own words incriminating +- Demonstrates consciousness of guilt +- Shows coercion by ENTROPY (victim characteristics) + +**Recommended Use:** +"Use notes as leverage for cooperation, not prosecution. +Subject is scared, remorseful, and wants out." + +**Evidence Strength:** +- Alone: 80% confidence (self-incrimination) +- + Financial records: 95% confidence (payment confirmation) +- + Access logs: 95% confidence (activity confirmation) +- + Surveillance: 98% confidence (complete picture) +- + All evidence: 99.9% confidence (overwhelming) + +**Best Used For:** +- Devastating confrontation ("Your own handwriting") +- Empathetic approach enabled (subject wants help) +- High cooperation likelihood (95% with compassionate approach) +- Emotional player investment (human story) + +**Gameplay Integration:** +- Creates powerful interrogation moment +- Enables multiple approach paths: + - Show notes immediately (95% cooperation) + - Use as leverage after lies (90% cooperation) + - Offer help based on cry for help (98% cooperation) +- Provides moral complexity (victim vs. 
perpetrator) + +--- + +## Evidence Combination Strategies + +### Optimal Evidence Chain + +The templates are designed to work together in a **progressive revelation** pattern: + +``` +SEQUENCE 1: Discovery Path +├─ Encrypted Comms (Initial Suspicion) +│ └─ Triggers investigation unlock +├─ Financial Records (Motive Proven) +│ └─ Shows payments for services +├─ Access Logs (Activity Confirmed) +│ └─ Proves what they did +├─ Surveillance Photos (Handler Identified) +│ └─ Shows who they work for +└─ Handwritten Notes (Confession) + └─ Subject's own words seal the case +``` + +### Confidence Thresholds + +**Evidence Count → Confidence Level:** + +| Evidence Pieces | Confidence | Prosecution Viable | Cooperation Likely | +|----------------|------------|-------------------|-------------------| +| 1 template | 40-80% | No (insufficient) | 50% | +| 2 templates | 65-85% | Maybe (circumstantial) | 70% | +| 3 templates | 85-95% | Yes (strong case) | 85% | +| 4 templates | 95-98% | Yes (very strong) | 90% | +| 5 templates | 99.9% | Yes (overwhelming) | 95% | + +### Best Combinations by Scenario Type + +**Corporate Infiltration:** +1. Encrypted Comms (coordination) +2. Access Logs (what they accessed) +3. Financial Records (payment proof) +- Confidence: 95% + +**Data Exfiltration:** +1. Access Logs (theft proof) +2. Surveillance (handler delivery) +3. Handwritten Notes (confession) +- Confidence: 98% + +**Asset Recruitment:** +1. Financial Records (financial desperation) +2. Handwritten Notes (emotional state) +3. Surveillance (handler contact) +- Confidence: 95% + +**Handler Takedown:** +1. Surveillance (handler identification) +2. Financial Records (money trail to cell) +3. 
Encrypted Comms (coordination proof) +- Confidence: 90% + +--- + +## Gameplay Integration Guide + +### Investigation Progression + +**Phase 1: Initial Suspicion** +- Player discovers 1 evidence template +- NPC flagged as "Person of Interest" +- Unlocks investigation missions +- Confidence: Insufficient for action + +**Phase 2: Building the Case** +- Player collects 2-3 evidence templates +- Pattern emerges (payments, access, meetings) +- NPC upgraded to "Suspected ENTROPY Asset" +- Confidence: Sufficient for confrontation + +**Phase 3: Overwhelming Evidence** +- Player has 4-5 evidence templates +- Complete picture of recruitment, activity, handler +- NPC confirmed as "ENTROPY Asset - Confirmed" +- Confidence: Multiple approach options unlocked + +### Player Choice Branching + +Each evidence combination enables **different interrogation approaches:** + +**With Financial Evidence:** +→ Offer: "We can help with your debt, but you need to cooperate" + +**With Handwritten Notes:** +→ Empathy: "We read your notes. We know you want out. We can help." + +**With Surveillance Photos:** +→ Confrontation: "You can't deny this. We have photos of everything." + +**With Access Logs:** +→ Technical: "We have every keystroke. Every file. Every system you touched." + +**With All Evidence:** +→ Overwhelming: "Your own handwriting. Photos of meetings. Financial transactions. Access logs. There's no defense. But we can still help you." 
+ +### Success Metrics + +Each template contributes to multiple success outcomes: + +**Cooperation Likelihood:** +- Base (no evidence): 20% +- + Encrypted Comms: +15% +- + Financial Records: +20% +- + Access Logs: +15% +- + Surveillance: +20% +- + Handwritten Notes: +30% +- Maximum: 95% (with all evidence + compassionate approach) + +**Prosecution Probability:** +- Base: 30% +- + Each evidence template: +15% +- All 5 templates: 95% conviction probability + +**Intelligence Value:** +- Handwritten notes → Handler codename revealed +- Surveillance → Handler facial ID + vehicle +- Financial → ENTROPY payment wallet address +- Access logs → What data was compromised +- Encrypted comms → Communication methods + +--- + +## Substitution Guide - Best Practices + +### Creating Consistent NPCs + +When substituting template variables, maintain consistency across all evidence types for the same NPC: + +**Example: Jennifer Park (Network Security Analyst)** + +**Across all 5 templates, use:** +- [SUBJECT_NAME] → "Jennifer Park" +- [ORGANIZATION] → "TechCorp Industries" +- [POSITION] → "Network Security Analyst" +- [SALARY] → "$85,000/year" +- [HANDLER_CODENAME] → "Phoenix" + +**Keep timeline consistent:** +- First contact: March 1, 2025 +- Payment received: March 15, 2025 +- Data exfiltration: March 18, 2025 +- Surveillance begins: March 20, 2025 +- Notes discovered: April 3, 2025 + +**Keep amounts consistent:** +- First payment: $42,000 +- Second payment: $38,000 +- Total debt: $127,000 (student loans) + +### Variable Formatting Standards + +**Names:** +- Use realistic full names: "Jennifer Park" not "Agent_007" +- Consistent across all templates + +**Organizations:** +- Use plausible company names: "TechCorp Industries" +- Match to scenario setting (tech company, hospital, government agency) + +**Amounts:** +- ENTROPY payment range: $25,000-$75,000 per operation +- Keep amounts realistic for job role +- Student debt: $80K-$150K typical +- Medical debt: $50K-$200K typical + 
+**Dates:** +- Use absolute dates: "March 15, 2025" not "[DATE_1]" +- Maintain chronological order across templates +- Account for investigation timeline (2-4 weeks typical) + +**Codenames:** +- Handler codenames follow ENTROPY patterns: + - Thermodynamic terms: "Entropy", "Cascade", "Equilibrium" + - Phoenix imagery: "Phoenix", "Ash", "Ember" + - Greek letters: "Alpha-07", "Beta-3", "Omega" + +### Scenario-Specific Customization + +**Corporate Infiltration:** +- Focus on customer data, trade secrets, network diagrams +- Handler wants: "Customer database", "Email backups" +- Access systems: "Finance Server", "Customer CRM" + +**Healthcare Breach:** +- Focus on patient records, medical research +- Handler wants: "Patient database", "Clinical trial data" +- Access systems: "EMR System", "Research Database" + +**Infrastructure Attack:** +- Focus on SCADA, control systems, facility access +- Handler wants: "Network diagrams", "SCADA access" +- Access systems: "Control Systems", "Facility Management" + +**Research Theft:** +- Focus on IP, proprietary research, formulas +- Handler wants: "Research files", "Product designs" +- Access systems: "Lab Database", "Patent Filing System" + +--- + +## Cross-References + +### Related Gameplay Fragments + +These templates complement other gameplay-function fragments: + +**RECRUITMENT_001** (Financial Exploitation Playbook) +- Shows HOW NPCs are recruited +- Templates show RESULT of recruitment +- Combined: Complete recruitment → operation → capture arc + +**LEVERAGE_001** (Cascade Family Intel) +- Shows leverage used TO turn operatives +- Templates provide evidence ENABLING leverage +- Combined: Evidence → leverage → defection + +**TACTICAL_001** (Active Operation Clock) +- Shows ONGOING operation +- Templates show PAST operations (evidence) +- Combined: Historical pattern → predict current op + +**VICTIM_001** (Hospital Administrator) +- Shows IMPACT of ENTROPY operations +- Templates show WHO enabled the attack +- Combined: 
Perpetrator → consequence emotional arc + +### Related Content Fragments + +**ENTROPY_PERSONNEL_001** (Cascade Profile) +- Could BE the [SUBJECT_NAME] in these templates +- Templates provide evidence supporting profile +- Combined: Profile → evidence → confirmed identity + +**CHAR_SARAH_001** (Sarah Martinez Confession) +- Similar emotional arc to handwritten notes template +- Both show recruited asset's regret and fear +- Combined: Multiple sympathetic insider threats + +**ARCHITECT_STRATEGIC_001** (Phase 3 Directive) +- Shows ENTROPY's master plan +- Templates show individual assets executing plan +- Combined: Strategic directive → tactical execution + +--- + +## Technical Implementation Notes + +### For Game Developers + +**Substitution System:** +```python +# Example pseudocode +template = load_template("TEMPLATE_AGENT_ID_001_encrypted_comms.md") +npc = get_npc("jennifer_park") + +substitutions = { + "[SUBJECT_NAME]": npc.full_name, + "[ORGANIZATION]": npc.employer, + "[POSITION]": npc.job_title, + "[CURRENT_DATE]": game_date - timedelta(days=3) +} + +evidence_fragment = template.substitute(substitutions) +game.add_discoverable_lore(evidence_fragment, location=npc.desk_drawer) +``` + +**Evidence Collection Tracking:** +```python +class NPCInvestigation: + def __init__(self, npc_id): + self.npc_id = npc_id + self.evidence_collected = [] + self.confidence_level = 0 + + def add_evidence(self, template_type): + self.evidence_collected.append(template_type) + self.confidence_level = calculate_confidence(self.evidence_collected) + + if self.confidence_level >= 85: + unlock_interrogation_mission(self.npc_id) +``` + +**Branching Logic:** +```python +def get_interrogation_options(evidence_list): + options = ["Standard Questioning"] + + if "TEMPLATE_002" in evidence_list: # Financial + options.append("Offer Financial Help") + + if "TEMPLATE_005" in evidence_list: # Handwritten notes + options.append("Empathetic Approach - Reference Their Notes") + + if "TEMPLATE_004" in 
evidence_list: # Surveillance + options.append("Show Photos - Visual Confrontation") + + if len(evidence_list) >= 4: + options.append("Overwhelming Evidence - All Cards on Table") + + return options +``` + +### Discovery Placement Recommendations + +**TEMPLATE_001 (Encrypted Comms):** +- Location: Email server logs, IT security alerts +- Timing: Early investigation (triggers suspicion) +- Difficulty: Medium (requires email access or IT cooperation) + +**TEMPLATE_002 (Financial Records):** +- Location: Subpoenaed bank records, financial audit +- Timing: Mid investigation (requires legal authority) +- Difficulty: Hard (requires warrant/subpoena) + +**TEMPLATE_003 (Access Logs):** +- Location: IT audit reports, SIEM alerts +- Timing: Mid investigation (requires IT forensics) +- Difficulty: Medium (technical analysis needed) + +**TEMPLATE_004 (Surveillance Photos):** +- Location: Surveillance team reports +- Timing: Late investigation (requires active surveillance op) +- Difficulty: Very Hard (expensive, time-consuming) + +**TEMPLATE_005 (Handwritten Notes):** +- Location: Desk drawer, personal effects, home search +- Timing: Variable (lucky find or late-game search warrant) +- Difficulty: Medium-Hard (requires physical access) + +--- + +## Educational Value (CyBOK Alignment) + +### Security Concepts Demonstrated + +**Digital Forensics:** +- Email header analysis (TEMPLATE_001) +- Financial transaction tracing (TEMPLATE_002) +- System log correlation (TEMPLATE_003) +- Chain of custody (all templates) + +**Insider Threat Detection:** +- Behavioral indicators (after-hours access) +- Financial pressure recognition +- Access pattern anomalies +- Communication analysis + +**Investigation Methodology:** +- Evidence corroboration (multiple sources) +- Confidence level progression +- Legal admissibility considerations +- Forensic analysis procedures + +**Human Factors:** +- Recruitment vulnerability factors +- Psychological pressure and coercion +- Empathetic interrogation 
techniques +- Ethical evidence usage + +### Learning Outcomes + +Players using these templates will learn: + +1. **Evidence Collection**: How multiple evidence types build a case +2. **Pattern Recognition**: Identifying suspicious behavior across domains +3. **Legal Process**: Warrants, subpoenas, chain of custody +4. **Psychology**: Understanding why people become insider threats +5. **Ethics**: Balancing effective investigation with humane treatment + +--- + +## Expansion Opportunities + +### Additional Template Ideas + +**TEMPLATE_006: Phone Records** +- Call logs to burner phones +- Timing correlation with operations +- Location data (cell tower triangulation) + +**TEMPLATE_007: Social Media OSINT** +- Lifestyle changes visible on social media +- Travel patterns (meetings with handler) +- Unusual purchases or activities + +**TEMPLATE_008: Witness Testimony** +- Coworker observations +- "They've been acting strange lately" +- Suspicious conversations overheard + +**TEMPLATE_009: Digital Forensics** +- Deleted file recovery +- Browser history analysis +- VPN usage and encrypted tools + +**TEMPLATE_010: Physical Surveillance (Extended)** +- Safe house identification +- Handler's vehicle tracking +- Dead drop location mapping + +--- + +## Version History + +**v1.0** - Initial template system creation +- 5 core evidence templates +- Complete substitution system +- Gameplay integration framework +- Cross-reference structure + +--- + +**CLASSIFICATION:** TEMPLATE SYSTEM - EVIDENCE GENERATION +**PRIORITY:** HIGH (Core gameplay mechanic) +**REUSABILITY:** Extremely High (designed for infinite NPC generation) +**DISTRIBUTION:** Game developers, scenario designers, mission creators +**MAINTENANCE:** Templates should remain stable; customize through substitution + +--- + +## Quick Reference Card + +``` +╔═══════════════════════════════════════════════════════════╗ +║ EVIDENCE TEMPLATE QUICK REFERENCE ║ +╚═══════════════════════════════════════════════════════════╝ + 
+TEMPLATE_001: Encrypted Comms +→ Alone: 40% | Best With: Financial Records +→ Use For: Initial suspicion, policy violations + +TEMPLATE_002: Financial Records +→ Alone: 60% | Best With: Access Logs +→ Use For: Payment proof, motive establishment + +TEMPLATE_003: Access Logs +→ Alone: 70% | Best With: Financial Records +→ Use For: Activity proof, technical evidence + +TEMPLATE_004: Surveillance Photos +→ Alone: 50% | Best With: Financial + Access +→ Use For: Handler ID, visual confirmation + +TEMPLATE_005: Handwritten Notes +→ Alone: 80% | Best With: Everything +→ Use For: Confession, empathetic approach + +OPTIMAL COMBINATION: All 5 templates = 99.9% confidence + +MINIMUM FOR ACTION: 3 templates = 85% confidence + +COOPERATION PROBABILITY: +- Compassionate + Notes: 98% +- Overwhelming + All Evidence: 95% +- Standard + Some Evidence: 70% +``` + +--- + +**End of Template Catalog** + +**For implementation questions, refer to:** +- Individual template files for detailed content +- GAMEPLAY_CATALOG.md for mission integration +- ../README.md for overall LORE system philosophy
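Review bot: The template excerpts quoted in this catalog use placeholders that the "Substitution Variables" lists do not declare, so the substitution step shown under "Substitution System" would leave raw tokens in player-facing text. TEMPLATE_AGENT_ID_005 declares [HANDLER_CODENAME], but its page excerpts also use [HANDLER], [NEW_SYSTEM] and [NUMBER]; the TEMPLATE_AGENT_ID_004 dead-drop note uses [SYSTEM], which that template does not declare and which TEMPLATE_AGENT_ID_003 calls [SYSTEM_NAME]. Suggest unifying the names, declaring every placeholder per template, and having the substitution code fail or log when any bracketed uppercase token remains after substitution. In the same pseudocode, `game_date - timedelta(days=3)` passes a date object rather than a formatted string and `timedelta` is never imported; the "Dates" standard in this file asks for absolute dates such as "March 15, 2025", so format the value before substituting.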
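Review bot: The per-template "Evidence Strength" lists disagree with each other and with the "Confidence Thresholds" table. The same pair scores 65% under TEMPLATE_AGENT_ID_001 ("+ Access logs: 65% confidence") and 85% under TEMPLATE_AGENT_ID_003 ("+ Encrypted comms: 85% confidence"), and 65% is lower than the 70% access logs score alone. Financial records plus access logs is 95% in both entries, which is outside the table's 65-85% for 2 templates, and "+ All evidence types" is 90%, 98%, 98%, 95% or 99.9% depending on the template, while the table and the Quick Reference give 99.9% for all five. Because `add_evidence` unlocks the interrogation mission at `confidence_level >= 85` through a `calculate_confidence` that the patch never defines, these numbers decide gameplay: suggest one symmetric lookup keyed on the set of templates held as the single source, with the lists and the table derived from it. "MINIMUM FOR ACTION: 3 templates = 85% confidence" also conflicts with Phase 2, which treats 2-3 templates as sufficient for confrontation.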
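Review bot: In "Success Metrics" the additive bonuses do not add up to the stated totals. Cooperation is base 20% plus 15+20+15+20+30, which is 120% against "Maximum: 95%", and prosecution is base 30% plus five times 15%, which is 105% against "All 5 templates: 95% conviction probability", so a clamp is implied but never written. The 95% maximum is also exceeded elsewhere in the file: TEMPLATE_AGENT_ID_005 lists "Offer help based on cry for help (98% cooperation)" and the Quick Reference lists "Compassionate + Notes: 98%". Notes alone come to 50% under the additive model and the table, but "Show notes immediately" is given as 95%. Suggest stating the clamp explicitly and documenting which figure takes precedence when the additive model, the table and the per-approach percentages differ.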
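Review bot: `get_interrogation_options` tests for "TEMPLATE_002", "TEMPLATE_004" and "TEMPLATE_005", but the file names and the substitution example use the TEMPLATE_AGENT_ID_00N form, and nothing in the patch says which string `add_evidence(template_type)` stores; if the long form is stored, none of these branches fire. `add_evidence` also appends without checking for duplicates, so `len(evidence_list) >= 4` can be satisfied by discovering the same template more than once; keeping a set of template IDs and defining the ID constants in one place would close both gaps. The "With Access Logs" technical approach described under "Player Choice Branching" has no corresponding branch in this function.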