INCIDENT ZERO

Forensics — Print & Play Bundle · v2.2 Playtest Edition

A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0

Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.

Contents:
  1. docs/HOW_TO_PLAY.md
  2. docs/TO_GUIDE.md
  3. docs/rules/core-rules.md
  4. docs/rules/module-forensics.md
  5. docs/standalone-games/forensics.md
  6. cards/forensics/core-deck/investigation-cards.md
  7. cards/forensics/core-deck/evidence-cards.md
  8. cards/print-templates/tracker-sheets.md

docs/HOW_TO_PLAY.md

How to Play Incident Zero

Version: 2.2 - Playtest Edition
Read time: ~15 minutes. First game: ~45 minutes.

This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.


1. What Is This Game?

Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.

The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.

There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.

2. What You Need

3. The Core Loop (all modules)

Every module runs on the same engine:

  1. Turns. A fixed number of turns (announced at setup). Each turn: start-of-turn penalties → 2-3 minutes of team discussion → ONE team action → end of turn.
  2. Budget. One shared pool representing money, staff, and time. Every action costs Budget. Run dry and you can't act.
  3. The d20 roll. Uncertain actions need roll + modifiers ≥ 11.
  4. Justification modifiers. +2 for strong technical reasoning (methodology — why this approach works), +1 for naming real tools or techniques (Wireshark, EDR, Mimikatz, a MITRE technique). The TO judges honestly; vague = +0.
  5. Debrief. Every session ends with 5-10 minutes of "what happened, why, what would you do differently." This is where the learning locks in — don't skip it.

4. Your First Game: Incident Response (Beginner)

The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:

Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)

The three actions (Blue Team picks ONE per turn):

Action | Cost | On success (roll + mods ≥ 11)
Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed!
Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = the defense stays on the table and gives +2 to future rolls against any link matching its vector.
Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty).

The pressure (TO applies at the START of each turn):
  - Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not)
  - Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)

When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).

Scripted opening — read this at the table

TURN 1. TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?" Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name." TO: "That's a real methodology and a real tool — +2 and +1. Roll." Rolls 9. 9+3 = 12 ≥ 11 — success. TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago." (First success on this link — clue only. Budget: 95 - 5 = 90.)

TURN 2. TO: "Active Breach Cost, minus 5. Budget: 85." Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs." TO: "+2, +1. Roll." Rolls 10. 13 ≥ 11 — second success on the same link. TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward." Team takes Budget Grant: 85 - 5 + 10 = 90.

TURN 3. TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went." From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)

How it ends

Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?

5. The Other Five Modules (one paragraph each)

Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.

6. Where to Go Next

You want... | Read
You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens
Exact rules for a module | docs/rules/ — core + one file per module
Solo/standalone setup for any module | docs/standalone-games/
Every card, indexed | cards/CARD_REFERENCE.md
To run a playtest and report back | docs/playtesting/
Variable game length & difficulty tiers | core-rules §3a

7. Quick Reference (photocopy this)

Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR)
IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15
IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat
Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card
Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+
Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns
Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150

docs/TO_GUIDE.md

The Threat Orchestrator's Guide

Version: 2.2 - Playtest Edition
Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.


1. The Role

The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute:

If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.

A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.

2. Golden Rules

  1. Be fair, not nice. Never fudge dice — in either direction. The rules already give you legitimate difficulty dials (§5); use those, not your thumb on the d20.
  2. Never block on ignorance. If players are stuck, sell them a hint through the fiction ("your SOC junior suggests looking at outbound traffic...") rather than letting three turns die in silence.
  3. Announce costs before actions. "That's 15 Budget — confirm?" prevents every argument you'd otherwise have.
  4. Explain outcomes. Success or failure, say why in security terms. The explanation is the lesson; the roll is just pacing.
  5. Keep the clock. 2-3 minutes of planning per turn, firmly. Deliberation past that point is quarterbacking, not strategy.
  6. Let them be wrong. A confidently wrong plan that fails teaches more than a corrected plan that succeeds. Save the correction for the debrief.

3. Session Prep (15 minutes)

4. Judging Justifications (the heart of the job)

The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.

+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing.
  - ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated)
  - ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic)
  - ❌ "We investigate the email server thoroughly." (a location is not a method)

+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE.
  - ✅ "Check LSASS access events — that's Mimikatz behavior, T1003."
  - ❌ "We use our security tools." (no it isn't)

Rulings that keep it fair:
  - Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0.
  - Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game.
  - Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics").
  - Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change.
  - One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").

5. Difficulty Dials (live, legitimate)

Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.

Easier (pick 1-2) | Harder (pick 1-2)
Richer clues (more specific detail per success) | Vaguer clues (accurate but terse)
Suggest an angle through the fiction | Expert-mode justification bar
Shorter chain / lower tier next game | Longer chain, expansion cards
Beginner budgets (module max) | Minimum budgets

Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.

6. Failure Modes (yours, not theirs)

Failure | Symptom | Fix
The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief
The Softie | Everyone always gets +2 | Re-read §4; require the mechanism
The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation
The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route
The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers
The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is

7. Module Panels (your screen, one per module)

🔎 Incident Response — you are the hidden attacker

🛡️ Hardening — you become the pentester mid-game

🏗️ Network Building — you are the demanding business

🚨 Disaster Recovery — you are the crisis itself

🔬 Forensics — you are the evidence

📋 Audit & Compliance — you are the organization under review

8. Running the Debrief (10 minutes, non-negotiable)

Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.

9. First Session? Do This

  1. Run beginner Incident Response with the scripted opening in How to Play §4 — your first two turns are literally written out
  2. Keep the tracker sheet visible to everyone; public state builds trust in your fairness
  3. Log frictions on the session notes form — your confusion is playtest data too
  4. Forgive yourself one rules mistake per session; announce it, fix it forward, don't replay

docs/rules/core-rules.md

Incident Zero: Core Rules & Mechanics

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Core Concept 🎯

Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO) (the facilitator), while all other players form Blue Teams (the Defenders).

How It Works

Players choose which module(s) to play based on learning objectives:

  1. Network Building Module - Design and secure infrastructure (30-45 min)
  2. Hardening Module - Build defense-in-depth (30-45 min)
  3. Incident Response Module - Detect and investigate hidden attack chains (30-45 min)
  4. Disaster Recovery Module - Manage breach crisis (30-45 min)
  5. Forensics Module - Investigate and attribute attacks (30-45 min) NEW in v2.1
  6. Audit & Compliance Module - Conduct security assessments (30-45 min)

Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.


Game Components (Universal)

Card Types

Threat Cards

Represent attacker actions. Each card includes:
  - Title: e.g., "Phishing Campaign"
  - Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
  - Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
  - Clue: Descriptive text for the Threat Orchestrator
  - Why This Works: Educational explanation (revealed after discovery)

Deck Composition:
  - 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
  - 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)


Defense Cards

Represent security controls. Each card includes:
  - Title: e.g., "Multi-Factor Authentication"
  - Countermeasure Vector: One of the six attack vectors
  - Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget)
  - Description: What the defense does and when it applies

Deck Composition:
  - 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
  - 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)

Examples:
  - BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget)
  - ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget)
  - ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)


Pentester Tactic Cards

Represent sophisticated attack techniques used in Hardening module (and potentially others).

8 Core Tactics (PT-01 to PT-08):
  1. PT-01: Social Engineering - Pretexting Attack
  2. PT-02: Malware Evasion - Living-off-the-Land Technique
  3. PT-03: Credential Dumping - Mimikatz Attack
  4. PT-04: Lateral Movement - Network Traversal
  5. PT-05: Privilege Escalation - Unpatched Kernel Exploit
  6. PT-06: Data Exfiltration - Unmonitored Channel
  7. PT-07: Supply Chain Compromise - Trusted Software Update
  8. PT-08: Insider Threat - Malicious Administrator

See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.


Asset Cards

Simple cards providing scenario context. Examples:
  - Email Server
  - Customer Database
  - Domain Controller
  - Web Application
  - Backup System
  - Developer Workstation


Game Materials Required

Physical Components:
  - One 20-sided die (d20)
  - Turn Tracker (paper or board, counts 1-12+)
  - Budget Tracker (shows 0-150+)
  - Reputation/Security Score Tracker (shows 0-100)
  - Uncontained Threats Tracker (shows 0-5)
  - Tokens or counters (for tracking upgrades, penalties)

Optional:
  - Score sheets (printable or paper)
  - Playbook tracking sheet
  - Stakeholder communication log (for Disaster Recovery)


Universal Game Mechanics

1. The d20 Roll System

When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.

How It Works:
  1. Player announces the action and its parameters
  2. Player rolls 1d20 (one 20-sided die)
  3. Add the applicable modifiers to the roll and compare the total against the target number (usually 11+)
  4. Success if: roll + modifiers ≥ target number

Example:

Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)

2. Budget System (Universal)

What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.

Budget Allocation by Module:
  - Network Building: Start at 40-60 (by difficulty; see module rules)
  - Hardening: Start at 150 (or carry over from IR)
  - Incident Response: Start at 100
  - Disaster Recovery: Start at 50 (emergency fund)
  - Forensics: Start at 75
  - Audit & Compliance: Start at 100 (used only for optional remediation cards)

Budget Spending:
  - Investigate action: 5 Budget
  - Deploy Defense: 10/15/25 Budget (by tier)
  - Emergency Response (IR): 15 Budget (v2.2; was 25)
  - Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed
  - Harden Upgrade (Hardening): 5 Budget
  - Create Playbook (Hardening): 10 Budget
  - Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0)
  - Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0

Budget = 0: Team loses (cannot take further actions)

Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.


3. Turn System (Universal)

Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)

Turn Sequence:
  1. Start of Turn: Penalties applied, trackers announced
  2. Planning Phase: Team discusses strategy (2-3 min)
  3. Action Phase: Execute chosen action, resolve rolls
  4. End of Turn: Advance tracker, draw card, check events


3a. Variable Game Length System (v2.1 - New!)

Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.

For Beginners & Quick Play: Default Formula

Default Formula: (Attack Chain Cards × 2) + 1

This gives attackers enough time to progress realistically while keeping games manageable:

Attack Chain | Formula | Turn Count | Session Duration
3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play
4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play
5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play
6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play

How to Use Default Formula:
  1. Choose number of threat cards in attack chain (3, 4, 5, or 6)
  2. Apply formula: (Cards × 2) + 1 = Turn Count
  3. Announce turn count to Blue Team
  4. Play game normally with that turn limit

Example Setup:

"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"


For Advanced Players: Complexity Tiers (v2.1)

Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:

Step 1: Select Attack Complexity Tier

Tier | Turn Base | Attack Profile | Example
TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools
TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group
TIER 3 | 11-13 | Highly sophisticated | APT with operational security
TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group

Step 2: Add Randomness (Optional)

Roll 1d4 for variation:
  - Roll 1: -1 turn (tight timeline)
  - Roll 2 or 3: ±0 turns (no change)
  - Roll 4: +1 turn (extended dwell time)

Final Turn Count = Tier Base + d4 Result

Example Advanced Setup:

"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."


Critical Game Integrity Rules (v2.1)

These rules protect game balance and prevent metagaming:

Rule 1: Accept Any Roll (Even If It Feels Wrong)

The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.

Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.

Example Scenarios:
  - TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic)
  - TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)

When Chaos Feels Realistic:
  - Tight timeline: "The attacker worked faster than expected—they had prior knowledge"
  - Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"

Implementation: Lean into the randomness as realistic incident variability.


Rule 2: Players Cannot Question Tier Based on Turn Count

The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.

Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).

What Players CAN Ask:
  - "What are the suspicious network events?" (leads to understanding threats)
  - "Can we analyze the malware?" (reveals attacker sophistication through findings)
  - "Why did this attack succeed?" (post-game discussion)

What Players CANNOT Ask:
  - "Is this a TIER 2 attack?" (deriving tier from turn count)
  - "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)

Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.


Rule 3: TO Modifier Authority (Rare & Optional)

The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.

When to Use (Rare):
  - Scenario setup is unusually complex (multiple attack vectors, coordination across systems)
  - Player group is new and needs slightly easier conditions
  - Real-world incident being taught had specific timeline constraints

When NOT to Use (Prefer Random):
  - "The roll feels unlucky" (accept the chaos)
  - "I want this exactly 10 turns" (let dice decide)
  - "The attack chain is long so it should take longer" (that's what the TIER system handles)

Implementation:
  1. Roll d4 normally
  2. Announce rolled result
  3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why
  4. Document the override for consistency in future scenarios

Example Valid Use:

"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have 5-card attack chain, so I'm adding +1 modifier (explaining the discovery is methodical). Final: 8-10 turns."

Example Invalid Use:

"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)


Implementation Checklist

For Beginners (Use Default Formula):
  - [ ] Choose attack chain length (3, 4, 5, or 6 cards)
  - [ ] Calculate: (Cards × 2) + 1
  - [ ] Announce turn count
  - [ ] Play

For Advanced (Use Tier + d4):
  - [ ] Select TIER (1, 2, 3, or 4)
  - [ ] Announce TIER basis (not the number, just why it's that complexity)
  - [ ] Roll d4 for variation (hidden or public, your choice)
  - [ ] Calculate final turn count
  - [ ] Apply Rule 3 modifier if genuinely needed (rare)
  - [ ] Announce final turn count WITHOUT revealing tier


Quick Reference Card

Default Formula: Turn Count = (Attack Cards × 2) + 1

Tier System:
  - TIER 1: 5-7 turns (simple)
  - TIER 2: 8-10 turns (standard)
  - TIER 3: 11-13 turns (advanced)
  - TIER 4: 14-16 turns (expert)
  - Add d4 roll: -1, 0, 0, or +1

Golden Rules:
  1. Accept any roll (embrace chaos)
  2. Never reveal tier to players
  3. Modifier authority only when truly needed (rare)


4. Roll Modifiers (Universal)

All modules use the same modifier system for consistency:

+2 Bonus: Strong Technical Justification

Awarded when a player provides clear, specific reasoning for their action using real security concepts.

Examples:
  - "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds"
  - "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques"
  - "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"

Criteria:
  - References specific tools (Splunk, EDR, SIEM, etc.)
  - Explains methodology (why this approach works)
  - Shows understanding of the threat being addressed


+1 Bonus: Real Tools or Techniques Referenced

Awarded when player references actual security tools or real attack/defense techniques.

Examples:
  - "We'll use Wireshark to analyze the network traffic"
  - "We're checking for Mimikatz usage in memory"
  - "We're reviewing EDR telemetry"
  - "We're looking for this specific CVE exploitation pattern"

Criteria:
  - References real tools (Wireshark, EDR, Splunk, etc.)
  - References real techniques (MITRE ATT&CK, specific CVEs)
  - Shows awareness of how things actually work


5. Uncontained Threats Penalty (Incident Response Module)

When Applied: Incident Response module only, applied at START of each turn

How It Works:
  1. When a threat card is revealed, add 1 to Uncontained Threats Tracker
  2. At START of each turn, deduct 5 Budget per uncontained threat
  3. When next card in chain is revealed, previous threat is auto-mitigated (-1 from tracker)
  4. When Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)

Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.

Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.

Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):

Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: START → Deduct 5 Budget
Turn 3: Lateral Movement revealed → Phishing auto-mitigated (Uncontained = 1)
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0
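An added example, not part of the rulebook: a small Python tracker for the Incident Response turn economy described in How to Play §4 and in §5 above (start-of-turn Active Breach and Uncontained penalties, Investigate clue-then-reveal, full/partial-match Deploy, Emergency Response, and auto-containment on the next reveal), built around the scripted opening's chain. Assumptions: the T-04/T-07 clue text is constructed, a defense matching neither vector nor step is discarded, and the "draw 2 Defense cards" and Fast-Track rewards are left unmodelled.

```python
from dataclasses import dataclass, field

# Printed v2.2 numbers: target 11, Investigate 5, Deploy 10/15/25, Emergency 15, -5 penalties
TARGET, INVESTIGATE_COST, EMERGENCY_COST, BUDGET_GRANT = 11, 5, 15, 10
DEPLOY_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
ACTIVE_BREACH_COST = UNCONTAINED_COST = 5


@dataclass
class ThreatCard:
    title: str
    step: str          # INITIAL COMPROMISE / PIVOT & ESCALATE / PERSISTENCE / C2 & EXFIL
    vector: str        # SOCIAL ENGINEERING / WEB EXPLOIT / CREDENTIAL ABUSE / MALWARE / NETWORK / DATA EXFIL
    clue: str
    revealed: bool = False
    contained: bool = False
    successes: int = 0  # Investigate successes on this link; the second one reveals it


@dataclass
class IRGame:
    chain: list                 # hidden attack chain, kill-chain order
    budget: int = 100           # IR starting Budget
    turn: int = 0
    deployed_vectors: list = field(default_factory=list)  # partial-match defenses left on the table

    def turn_limit(self):
        return len(self.chain) * 2 + 1              # default formula: (chain cards x 2) + 1

    def current_link(self):
        return next((c for c in self.chain if not c.revealed), None)  # earliest unrevealed card

    def uncontained(self):
        return sum(1 for c in self.chain if c.revealed and not c.contained)

    def start_turn(self):
        self.turn += 1
        if self.current_link() is not None:
            self.budget -= ACTIVE_BREACH_COST       # the breach burns money while anything is hidden
        self.budget -= UNCONTAINED_COST * self.uncontained()
        return self.budget

    def _spend(self, cost):
        if self.budget < cost:
            raise ValueError(f"need {cost} Budget, have {self.budget}")
        self.budget -= cost

    def _reveal(self, card, reward):
        card.revealed = True
        idx = self.chain.index(card)
        if idx > 0:
            self.chain[idx - 1].contained = True    # revealing the next card auto-contains the previous
        if reward == "budget":                      # "cards" and "fast_track" rewards are not modelled
            self.budget += BUDGET_GRANT

    def investigate(self, roll, justification, tool, reward="budget"):
        link = self.current_link()
        if link is None:
            return "nothing hidden"
        self._spend(INVESTIGATE_COST)
        mods = (2 if justification else 0) + (1 if tool else 0)
        if link.vector in self.deployed_vectors:
            mods += 2                               # +2 from a deployed defense matching this vector
        if roll + mods < TARGET:
            return f"fail ({roll}+{mods} < {TARGET})"
        link.successes += 1
        if link.successes == 1:
            return f"clue: {link.clue}"
        self._reveal(link, reward)
        return f"revealed: {link.title}"

    def deploy(self, tier, vector, step, reward="budget"):
        self._spend(DEPLOY_COST[tier])
        link = self.current_link()
        if link is None:
            return "nothing hidden"
        if link.vector == vector and link.step == step:
            self._reveal(link, reward)
            return f"full match, revealed: {link.title}"
        if link.vector == vector or link.step == step:
            self.deployed_vectors.append(vector)    # partial match: stays, +2 vs later links on this vector
            return "partial match, defense stays on the table"
        return "no match"                           # assumption: a no-match defense is discarded

    def emergency_response(self):
        self._spend(EMERGENCY_COST)                 # no roll: contain one revealed, uncontained threat
        for c in self.chain:
            if c.revealed and not c.contained:
                c.contained = True
                return f"contained: {c.title}"
        return "nothing to contain"


def suggested_first_chain():
    # The HOW_TO_PLAY §4 chain; clue text for T-04 and T-07 is constructed for this example
    return [
        ThreatCard("Phishing Campaign", "INITIAL COMPROMISE", "SOCIAL ENGINEERING",
                   "emails from 'IT' link to a look-alike domain registered 4 days ago"),
        ThreatCard("Lateral Movement via SMB", "PIVOT & ESCALATE", "NETWORK", "after-hours SMB sessions"),
        ThreatCard("Scheduled Task Persistence", "PERSISTENCE", "MALWARE", "new scheduled tasks on hosts"),
    ]
```

Replaying the scripted opening (start turn, Investigate on a 9 with +3, start turn, Investigate on a 10 with +3, start turn) produces the Budget trail 95, 90, 85, 90, 80 from How to Play §4.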

Common Roles & Responsibilities

Threat Orchestrator (Facilitator)

Responsibilities:
  - Manage game state and track turns/budget
  - Describe scenarios and outcomes
  - Roll dice when action outcomes are uncertain
  - Guide the narrative

During Incident Response:
  - Create and manage hidden attack chain
  - Provide clues based on successful investigations
  - Control Uncontained Threats penalties
  - Be fair but challenging

During Other Modules:
  - Describe threat context and defenses
  - Draw Pentester Tactic cards (Hardening)
  - Manage timeline and deadlines (Disaster Recovery)
  - Guide debrief questions

Universal Tips:
  - Explain why actions succeed or fail
  - Ask clarifying questions about player strategy
  - Balance challenge with learning
  - Provide constructive feedback


Blue Team (Defenders)

Responsibilities:
  - Discuss strategy as a team
  - Choose one action per turn
  - Justify your decisions (gain +2 modifier)
  - Manage budget carefully
  - Learn from success and failure


Modifier Stacking Rules

Key Rule: Modifiers are additive and can stack.

Example (Hardening Module, canonical formula — v2.2):

Pentester Tactic: PT-02 Living-off-the-Land (DC 13)

Defense roll = d20
  + printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
  + hardening upgrades on that defense (+2 each; one upgrade: +2)
  + relevant playbook (+3)

Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS

Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.


Difficulty & Scaling

By Attack Chain Length

Length | Difficulty | Best For
3 cards | Beginner | Learning mechanics, 30 min sessions
4 cards | Intermediate | Standard play, 40 min sessions
5 cards | Advanced | Challenge play, full kill chain

By Starting Budget

Budget | Difficulty | Best For
60 | Hard | Resource scarcity, tough choices
100 | Standard | Balanced play, most scenarios
150+ | Easy | Strategic depth, multiple options

By Turn Limit

Turns | Difficulty | Best For
8 | Hard | Time pressure, fast play
10 | Standard | Balanced, most scenarios
12 | Easy | Exploration, learning

Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.


Educational Objectives

By Module

Module | Primary Learning | Secondary Learning
Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response
Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture
Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost
Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling
Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping
Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization

By Game Mechanic

Mechanic | What It Teaches
d20 roll system | Uncertainty, risk, informed decision-making
Budget constraints | Resource allocation, prioritization
Justification bonuses | Technical reasoning, tools/techniques knowledge
Uncontained Threats penalty | Urgency, cost of dwell time
Pentester Tactics | Attacker sophistication, defense limitations
Playbook system | Preparation, incident response planning
Scoring systems | Outcome measurement, quality assessment

Cooperative vs. Competitive Play

Cooperative Mode

Competitive Mode

Implementation:
  - Same setup for all teams
  - Teams cannot share information (Incident Response)
  - Score comparison determines winner (Hardening)
  - Reputation comparison (Disaster Recovery)


Debrief & Reflection (Universal)

Every module should include a 5-15 minute debrief with three sections:

Part 1: What Happened?

Part 2: Why Did That Happen?

Part 3: What Would You Do Differently?


Tips for Threat Orchestrators (Universal)

Before the Game

  1. Read the module rules completely - Know what's coming
  2. Prepare your scenario - Pre-build attack chain or threat context
  3. Organize materials - Sort cards, prepare trackers
  4. Know your balancing points - Be ready to adjust difficulty if needed
  5. Practice reading clues - Deliver them dramatically!

During Gameplay

  1. Be clear about costs - Announce Budget before action
  2. Resolve rolls immediately - Announce target, let player roll, resolve
  3. Ask clarifying questions - "Why are you investigating email headers?"
  4. Be fair but challenging - Give honest difficulty, don't fudge rolls
  5. Narrate outcomes - Describe what happens, not just success/failure
  6. Manage pacing - Keep turns moving (2-3 min discussion max)
  7. Track penalties accurately - Keep budget, turn, and threat trackers visible

Balancing Difficulty

Too Easy Signs:
  - Team reveals all cards/achieves goal with 40+ budget remaining
  - No failed rolls
  - No meaningful decisions required
  - Team is bored

Too Hard Signs:
  - Team is stuck/making no progress after 5 turns
  - Multiple consecutive failed rolls
  - Team frustrated rather than challenged
  - No learning happening

Adjustment Options:
  - Easier: Provide better clues, more starting budget, fewer tactics
  - Harder: Less specific clues, lower budget, more tactics
  - Faster: Shorter turn limits, simpler scenarios
  - Slower: More turns, more complex scenarios


Card Reference

For complete card descriptions, see:
  - Base Threat & Defense Cards: cards/incident-response/core-deck/threat-defense-cards.md
  - Expansion Threats: cards/incident-response/expansion-deck/advanced-threats.md
  - Expansion Defenses: cards/incident-response/expansion-deck/advanced-defenses.md
  - All decks indexed: cards/CARD_REFERENCE.md


Module-Specific Rules

For complete rules on each module:


Quick Reference: Universal Mechanics

d20 Roll System

Budget System

Turn System

Penalties & Bonuses


Continuing to Next Steps

For your first game:
  1. Choose a module from Module Combinations
  2. Read the module-specific rules
  3. Read the standalone setup guide
  4. Prepare your scenario
  5. Play!

For multiple modules:
  1. Refer to Module Combinations for recommended sequences
  2. Refer to FRAMEWORK.md for modifier generation procedures
  3. Play the first module, then generate modifiers for the next
  4. Continue as desired


Need Help?


Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition Universal rules for all modules

docs/rules/module-forensics.md

Forensics Module: Rules & Mechanics

Version: 2.2 - Playtest Edition (rule changes marked "(v2.2)"; see v2.2 Playtest Edition Changes) Last Updated: July 2026


Module Overview

The Forensics Module teaches incident investigation, digital forensics, and attack attribution. This module is typically entered after Incident Response or Disaster Recovery (representing the investigation phase of response) but can also be played standalone to teach forensic analysis concepts.

Rather than detecting the attack or managing the crisis, Forensics focuses on the crucial post-breach investigation phase:
  - Evidence collection and preservation
  - Timeline reconstruction of attacker actions
  - Attack chain analysis linking findings to MITRE ATT&CK techniques
  - Attribution and threat intelligence (who did this and how?)
  - Attack surface analysis (how did they get in?)
  - Lessons learned for future hardening and network building

Educational Purpose

  - Incident Response: Teaches proactive threat detection
  - Hardening (typically after an IR win): Teaches proactive defense
  - Disaster Recovery (typically after an IR loss): Teaches crisis management
  - Forensics (after IR or DR): Teaches investigation and learning

Forensics can also be played standalone to teach forensic methodology without the preceding modules.


Module Purpose & Integration

When Forensics Occurs

In Campaign Play:
  1. After Incident Response failure (undetected breach) → Forensics Phase
  2. After Disaster Recovery (crisis management) → Forensics Phase
  3. After Hardening success (discovered attack) → Optional Forensics for deeper learning

In Standalone Play:
  - Forensics module can be played independently as a 45-90 minute investigation scenario

Forensics Feeds Into Other Modules

Outputs from Forensics:
  - Attack Chain Reconstruction: Detailed understanding of how the attacker progressed
  - Vulnerability Discovery: Systems and methods exploited
  - Threat Intelligence: IOCs (Indicators of Compromise), malware samples, attacker infrastructure
  - Timeline Evidence: When each compromise occurred

Used In:
  - Hardening Module: "Build defenses against the techniques discovered in forensics"
  - Network Building Module: "Redesign network architecture knowing how the attacker pivoted"
  - Audit & Compliance Module: "Assess coverage of controls that should have detected forensic findings"


Forensics Module Setup

Prerequisites for Forensics Phase

Trigger Options:

  1. Sequential (After IR/DR):
    • Team completed Incident Response or Disaster Recovery
    • Card descriptions reveal the attack chain that was discovered or undetected
    • Blue Team now investigates for attribution and deeper understanding

  2. Standalone Setup:
    • Team starts a fresh investigation (no prior IR/DR)
    • Threat Orchestrator secretly selects 1-2 complete attack chains
    • Blue Team investigates to discover and reconstruct the attack

Discovery & Revelation (Sequential Play)

When entering Forensics after IR or DR, the Threat Orchestrator reveals the attack context:

Example (After IR Success): "Your security team detected and contained an attack chain: 1. Phishing email (SOCIAL ENGINEERING) 2. Credential harvesting malware (MALWARE) 3. Lateral movement to admin account (CREDENTIAL ABUSE)

Now you investigate to understand: How deep did they get? Are there other persistence mechanisms? Can we attribute this to a known threat group?"

Example (After DR/IR Failure): "Forensic examination of compromised systems reveals: 1. Initial access via credential stuffing (CREDENTIAL ABUSE) 2. Privilege escalation via unpatched service (WEB EXPLOIT) 3. Persistence through scheduled task modification (MALWARE) 4. Data exfiltration via DNS tunneling (DATA EXFIL)

Now you reconstruct the complete timeline and attribute the attack."


Forensics Module Components

Card Types Specific to Forensics

Investigation Action Cards (12 cards)

These represent forensic investigation techniques and evidence collection methods.

Standard Investigation Actions:

| Card | Technique | DC | Cost | Duration | Result |
|---|---|---|---|---|---|
| DISK-01 | Disk Image & Analysis | 12 | 10 | 2 turns | Recover deleted files, malware samples |
| DISK-02 | File System Carving | 14 | 15 | 3 turns | Deep file recovery, hidden artifacts |
| MEM-01 | Memory Dump & Analysis | 13 | 15 | 2 turns | Volatile process info, injected code |
| MEM-02 | Memory Forensics Deep Dive | 15 | 20 | 3 turns | Malware behavior, command-and-control |
| LOG-01 | Event Log Analysis | 11 | 5 | 1 turn | Timeline of user actions, logins |
| LOG-02 | Deep Log Correlation | 13 | 10 | 2 turns | Cross-system timeline, attack sequence |
| NET-01 | Network Traffic Analysis | 12 | 10 | 2 turns | Exfiltration evidence, C2 communications |
| NET-02 | Packet Capture Deep Analysis | 14 | 15 | 3 turns | Protocol-level forensics, attacker tools |
| MALW-01 | Malware Analysis (Dynamic) | 12 | 15 | 2 turns | Behavior analysis, IOCs |
| MALW-02 | Malware Analysis (Static) | 14 | 10 | 2 turns | Code reverse engineering, capabilities |
| TIMELINE-01 | Timeline Reconstruction | 13 | 5 | 1 turn | Chronological attack sequence |
| THREAT-01 | Threat Attribution Analysis | 15 | 20 | 3 turns | Link to known groups, TTPs |

DISK-01 rush option (v2.2): pay +5 Budget (15 total) to run it at Duration 1.

Investigation Action Card Structure:
  - Title: e.g., "Disk Image & Analysis"
  - Technique: MITRE ATT&CK reference (e.g., "Forensic Analysis")
  - Difficulty Class (DC): Roll d20+modifiers vs. this number to succeed
  - Cost: Budget required to perform the investigation
  - Duration: Number of turns this investigation takes
  - What It Reveals: Type of evidence discovered (see Evidence Cards below)
  - Success Condition: d20+forensics_skill vs. DC (11+ usually succeeds, but higher-DC cards reward skilled investigators)

Investigation Duration (v2.2): Starting an investigation with Duration N occupies your action on the turn you start it (pay the Budget cost then). Count the turn you start it as turn 1: the results (evidence + meter advances) arrive — and the roll is made — at the START of turn N. So Duration 1 resolves immediately on the same turn; Duration 2 resolves at the start of the following turn; Duration 3 resolves two turns after starting. Only ONE multi-turn (Duration 2+) investigation may be in flight at a time, but you may take other actions (Analyze Evidence, Follow Lead, or a Duration 1 investigation) while waiting.


Evidence Cards (12 cards)

These represent specific findings from investigations. They document what was discovered and provide investigative leads.

Categories of Evidence (core deck counts):

A. Malware & Persistence (4 cards: EVD-01, EVD-03, EVD-08, EVD-10) - Trojan samples with capabilities (spyware, RAT, backdoor) - Persistence mechanisms (scheduled tasks, registry modifications, startup folders) - Encryption keys recovered from malware or memory - Malware behavior profiles from sandbox analysis

B. Credentials & Access (1 card: EVD-04) - Admin account compromise timeline - Suspicious logins from unusual times, locations, or sources

C. Lateral Movement (1 card: EVD-05) - Pass-the-hash evidence - Tools used for pivoting - Systems accessed with each credential

D. Exfiltration (1 card: EVD-06) - Volume of data exfiltrated - File types extracted - Destination IP addresses or domains - Timing of exfiltration windows

E. Attack Infrastructure (2 cards: EVD-02, EVD-07) - Command-and-control servers - Malware staging servers - Registrar information (domain registration) - ASN and geolocation data

F. Attack Activity (3 cards: EVD-09, EVD-11, EVD-12) - Attacker command history - File staging artifacts (what was collected before exfiltration) - Anti-forensics evidence (log deletion, timestamp manipulation)

Evidence Card Structure:
  - Title: Specific finding (e.g., "Credential Dumper Malware")
  - Type: Category (Malware, Persistence, Credentials, Movement, Exfiltration, Infrastructure, Timeline)
  - MITRE ATT&CK Technique: Referenced technique (e.g., T1003 - OS Credential Dumping)
  - Description: What was found and where
  - Investigation Source: Which Investigation Action card led to this
  - Investigative Lead: What the Blue Team can do with this information
  - Connection to Attack Chain: Links back to specific Threat cards from the IR phase (if sequential)


Findings Cards (4 cards)

These represent the conclusions of the forensic investigation and feed into recommendations.

Finding Types:

| Finding | Description | Feeds Into Module |
|---|---|---|
| FIND-01: Threat Attribution Report | Identified attacker group, techniques, motivations | Hardening, Audit & Compliance (threat model), Incident Response |
| FIND-02: Attack Surface Analysis | Systems/methods exploited; entry points identified | Network Building, Hardening, Audit |
| FIND-03: Persistence Mechanisms Discovered | How attacker maintained access; backdoors identified | Hardening (remove persistence), Disaster Recovery, Audit |
| FIND-04: Investigative Gaps & Recommendations | Questions answered vs. remaining; next steps | Audit & Compliance (post-incident review), Training |

Game Materials Required (Forensics-Specific)

Physical Components:
  - Investigation Action cards (12 cards)
  - Evidence cards (12 cards)
  - Findings cards (4 cards)
  - Turn Tracker (8-15 turns typical)
  - Budget Tracker (Investigation budget: 0-100)
  - Progress Meters (see below):
    • Timeline Completeness (0-100%)
    • Attack Chain Reconstruction (0-100%)
    • Attribution Confidence (0-100%)
    • Evidence Chain of Custody (0-100%)

Optional:
  - Investigation Flow Chart (showing how actions lead to evidence discovery)
  - MITRE ATT&CK Technique reference sheet
  - Evidence correlation board (physical board or spreadsheet linking evidence)


Forensics Module Mechanics

Game Length & Difficulty

Turn Structure:
  - Easy (TIER 1): 6-8 turns | Simple attack, few pivot points, obvious artifacts
  - Medium (TIER 2): 8-10 turns | Standard breach with some obfuscation
  - Hard (TIER 3): 11-13 turns | Complex attack, sophisticated attacker, limited logging
  - Expert (TIER 4): 14-15 turns | APT-level sophistication, anti-forensics measures, encrypted communications

Turn Length Determination: Using the Variable Turn Length System (see Core Rules):
  1. Threat Orchestrator selects the attack complexity tier
  2. Roll d4 for variation (-1, 0, 0, +1)
  3. Announce the final turn count to the Blue Team

Investigation Budget:
  - Starting Budget: 75 (represents forensic lab time, tools, personnel)
  - Optional Bonus: +25 if the company has cyber insurance or a threat intelligence subscription
  - Budget Tracker Range (v2.2): 0-100 (75 base + 25 optional bonus is the maximum starting value)


Action System

Each turn, the Blue Team performs ONE of these actions:

Action A: Conduct Investigation 🔍

Description: The team describes a specific forensic investigation they want to perform.

Mechanics:
  1. Choose Investigation Card: Select from available Investigation Action cards (Disk, Memory, Logs, Network, Malware, Timeline, or Attribution)
  2. Pay Cost: Spend Budget equal to the card cost (paid on the turn you start the investigation)
  3. Resolve Duration (v2.2): If Duration is 2+, the roll and results wait until the START of the turn the investigation completes (see Investigation Duration rule above)
  4. Roll: d20 + relevant skill modifier vs. Difficulty Class on the card. Modifiers:
    • +2 if team has forensics background
    • +1 if a prior Investigation Action revealed clues to this technique
    • +1 if team provides a detailed narrative explanation of the investigation approach
    • -2 if the investigation is being done hastily (using extra turn pressure to rush)
  5. Check Results:
    • Success (roll ≥ DC): Discover ONE Evidence card — unless the card says otherwise (v2.2: MEM-02 and NET-02 award TWO) — and apply that Evidence card's printed meter impacts (see No Double Counting, Rule 5)
    • Partial Success (roll DC-2 to DC-1): Discover PARTIAL Evidence (partial timeline, hints of compromise, etc.) and apply the investigation card's partial-success advance line
    • Failure (roll < DC-2): No Evidence discovered this turn; Budget still spent

Progress Meter Advancement: Each successful Investigation Action advances one or more Progress Meters. Typical advances are +5-35% per meter (major breakthroughs can exceed +20%):
  - Timeline Completeness (+5-35%): Evidence that establishes temporal sequence
  - Attack Chain Reconstruction (+5-35%): Evidence linking attacker actions together
  - Attribution Confidence (+5-35%): Evidence pointing to threat actor identity
  - Evidence Chain of Custody: advances via the Chain of Custody rule (v2.2, Rule 1) and the printed impacts on some Evidence cards

Example Investigation:

Blue Team: "We want to conduct a disk image and analysis of the compromised server."
Cost: 10 Budget (paid now). DISK-01 has Duration 2, so the team's action this turn is starting the imaging; results arrive at the start of the next turn.
DC: 12
Blue Team Roll (at the start of the next turn): d20 + 2 (forensics background) = 15
Result: Success! Discover evidence card EVD-01 "Credential Dumper Malware" and apply its printed impacts: Attack Chain +15%, Attribution +10%, Timeline +10%. The team states the binary was hashed (SHA-256) before analysis: Chain of Custody +5% (v2.2)


Action B: Analyze Existing Evidence 📊

Description: The team reviews evidence cards already discovered and makes connections.

Cost (v2.2): 5 Budget. Each Evidence card can be Analyzed only once (v2.2) — mark cards as Analyzed when they are included in this action.

Mechanics:
  1. Pay Cost: Spend 5 Budget (v2.2)
  2. Review Evidence: Team looks at 2-4 not-yet-Analyzed Evidence cards already discovered
  3. Make Connection: Team describes how the findings are related (temporal, technical, or attribution-based)
  4. Roll: d20 + relevant skill vs. DC 10. Modifiers:
    • +2 if team connects 3+ evidence cards in a coherent narrative
    • +1 if the connection references a specific MITRE ATT&CK technique
  5. Check Results:
    • Success (roll ≥ 10): Gain insight; advance two Progress Meters by 5-10% each
    • Failure (roll < 10): No progress; action still costs a turn (represents time spent on dead-end analysis)

Example Analysis:

Blue Team: "The malware sample found in memory matches the persistence mechanism in the scheduled task, suggesting the attacker uploaded the same tool twice. This indicates they knew what they were doing and weren't just randomly exploring."
Roll: d20 + 2 (good narrative) = 16
Result: Success! +10% Attribution Confidence (skilled attacker), +10% Attack Chain Reconstruction (coordinated multi-stage attack)


Action C: Follow Investigative Lead 🔗

Description: Based on existing evidence, the team pursues a specific investigative thread.

Cost (v2.2): 5 Budget (printed cost for every Follow Investigative Lead action).

Mechanics:
  1. Pay Cost: Spend 5 Budget (v2.2)
  2. Choose Evidence Card: Pick an Evidence card with an "Investigative Lead"
  3. Describe Approach: How will the team pursue this lead? (e.g., "Track the C2 domain to registrar records to find other registered domains")
  4. Roll: d20 + relevant skill vs. DC (varies 11-14 depending on the lead)
  5. Check Results:
    • Success: Discover a new Evidence card directly related to the lead and apply its printed meter impacts (v2.2: if no suitable undiscovered Evidence card exists, advance Attribution Confidence +20% instead — never both)
    • Partial Success: Discover related evidence but get a false lead (discover 1 Evidence + 1 Red Herring card)
    • Failure: Dead-end lead; the turn is used without discovering evidence

Example Lead:

Evidence Card: "Command-and-Control Communications (IP: 203.0.113.45)"
Investigative Lead: "Perform ASN and WHOIS lookup to find other infrastructure operated by this attacker"
Blue Team: "Let's trace the IP's ASN and registrar records to find other malicious domains."
Cost: 5 Budget (v2.2)
Roll: d20 + 1 (good idea) = 14 vs. DC 12
Result: Success! Discover EVD-07 "Attacker Infrastructure Map" and apply its printed impacts: Attribution +30%, Attack Chain +15%, Timeline +10%. Team documents WHOIS/passive-DNS exports: Chain of Custody +5% (v2.2)


Victory & Failure Conditions

Investigation Complete (Victory)

The Blue Team achieves ONE of these:

Victory Condition 1: "Full Attribution"
  - Attribution Confidence ≥ 90% AND Timeline Completeness ≥ 80%
  - Outcome: "Your investigation successfully attributes this attack to [Known Threat Group]. Security intelligence briefing prepared."

Victory Condition 2: "Solid Case"
  - Timeline Completeness ≥ 80% AND Attack Chain Reconstruction ≥ 80% AND Evidence Chain of Custody ≥ 70%
  - Outcome: "Your forensic report is publishable quality and defensible in court. Law enforcement briefed."

Victory Condition 3: "Partial Findings"
  - Any two Progress Meters ≥ 70% at game end
  - Outcome: "Investigation concluded. Findings are actionable for hardening and threat intelligence."

Investigation Inconclusive (Failure)

Precedence (v2.2):
  - Victory conditions are always checked FIRST. The old "any meter < 40% = failure" clause is DELETED (it conflicted with Victory Condition 3): a low meter never overrides a met victory condition.
  - Budget exhaustion is NOT a loss. The game continues to the turn limit: you may always take the cheap 5-Budget actions (Analyze Existing Evidence, Follow Investigative Lead, LOG-01, TIMELINE-01) while Budget lasts, and even at 0 Budget the team keeps playing (narrating connections, re-checking victory at game end). Victory conditions are still checked normally.

Penalty for Inconclusive Investigation:
  - Cannot feed findings into Hardening or Network Building modules
  - Audit & Compliance module must assess with incomplete information
  - Reduced confidence in future threat intelligence


Special Forensics Rules

Rule 1: Chain of Custody Tracking

Every Evidence card must be documented to maintain admissibility in legal proceedings.

Earning Chain of Custody (v2.2): +5% Chain of Custody every time an Evidence card is discovered AND the team states how it was preserved (hash, imaging, log export); the TO may award +10% for exemplary handling. This is in addition to any Chain of Custody impact printed on the Evidence card itself.

How It Works:
  - When an Evidence card is discovered, mark how it was obtained (which Investigation Action) and state how it was preserved
  - If chain of custody is broken (evidence obtained illegally or improperly), it becomes inadmissible
  - Inadmissible evidence cannot be used for Attribution or Timeline building
  - Cost to fix a broken chain: 5 Budget + 1 turn to re-document the evidence

Example:

Evidence "Admin Credentials Exfiltrated" discovered via "Memory Dump Analysis" (legal). Chain of custody: intact. Can be used in court. But if same evidence discovered via "Unauthorized System Access" by Blue Team (illegal), chain is broken and evidence is inadmissible.


Rule 2: Anti-Forensics Techniques

More sophisticated attacks may include anti-forensics measures that complicate investigation.

Anti-Forensics Examples:
  - Log deletion or manipulation
  - Encrypted communication channels
  - Malware that overwrites disk sectors
  - Timeline obfuscation (backdated files, timezone manipulation)

How It Works:
  - Threat Orchestrator can note that certain Investigation Actions are harder due to anti-forensics
  - Affected Investigation Cards gain a +2 DC penalty if anti-forensics are present
  - Example: "Evidence logs were deleted. Log Analysis (DC 11) now has DC 13."

Overcoming Anti-Forensics:
  - Investigators can use advanced techniques (Memory Forensics, Network Traffic Analysis) that bypass deleted logs
  - Alternatively, combine multiple Investigation Actions to corroborate the timeline from different sources
  - Example: "Timeline can't be built from deleted logs, but network traffic shows exfiltration at 2:15 AM, and memory analysis shows C2 connection at 2:10 AM. We can reconstruct it."


Rule 3: Attacker Dwell Time

Represents how long the attacker remained in the network before detection or expulsion.

Mechanics (v2.2):
  - If the scenario states the attacker dwelled undetected 3+ turns (or the preceding Incident Response module ran 10+ turns), apply +1 DC to DISK and LOG investigations (evidence degraded).
  - Longer dwell time = more data exfiltrated, more persistence mechanisms installed, harder to attribute
  - But longer dwell also = more evidence: the TO may make 1-2 additional Evidence cards discoverable (more actions, more forensic artifacts)

Example:

Scenario states the attacker dwelled undetected for 4 turns before the investigation began. DISK-01, DISK-02, LOG-01, and LOG-02 all have +1 DC (evidence degraded over time). But the Blue Team can discover more Evidence cards (+2 cards total) due to the attacker's extended activity.


Rule 4: Incomplete Evidence

Some investigations may yield partial or fragmentary evidence that requires interpretation.

How It Works:
  - Partial success on an Investigation roll = discover an Evidence card marked "INCOMPLETE"
  - INCOMPLETE Evidence provides +1 Progress Meter advance but is NOT admissible alone for conclusions
  - Team can retry the investigation next turn to complete the evidence (costs full Budget again)
  - Or the team can interpret incomplete evidence by rolling d20+investigator skill vs. DC 12
    • Success: Use incomplete evidence as-is (risky but saves Budget)
    • Failure: Incomplete evidence leads to a false conclusion (Red Herring card added)


Rule 5: No Double Counting (v2.2)

Investigation cards list meter advances AND discovered Evidence cards list their own meter impacts. Never apply both.

How It Works:
  - When an investigation discovers an Evidence card, apply ONLY the Evidence card's printed meter impacts.
  - The investigation card's own "Advance" line applies only when no Evidence card is produced — e.g., a partial success that yields fragments, or a success when no suitable undiscovered Evidence card remains.
  - The +5% Chain of Custody handling bonus (Rule 1, v2.2) still applies on top of the Evidence card's printed impacts — it rewards documentation, not discovery.
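The Python resolver below is an added example, not part of the Incident Zero rules text or RetroVerse Studios' material. It encodes the v2.2 mechanics from Action A and Action B, the Investigation Duration rule, the victory precedence (no meter-minimum failure clause), Rule 1 and Rule 5, and replays the DISK-01/EVD-01 example. The meter key names, class and method names, and the `advance` value given to the constructed DISK-01 card are assumptions, not printed values.

```python
from dataclasses import dataclass, field

# Four Progress Meters, keyed by assumed short names.
METERS = ("timeline", "attack_chain", "attribution", "chain_of_custody")

@dataclass
class InvestigationCard:
    code: str
    dc: int
    cost: int
    duration: int                 # turns; the starting turn counts as turn 1
    evidence_awards: int = 1      # v2.2: MEM-02 and NET-02 award two
    advance: dict = field(default_factory=dict)  # card's own "Advance" line (Rule 5 fallback)

@dataclass
class EvidenceCard:
    code: str
    impacts: dict                 # printed meter impacts, e.g. {"attack_chain": 15}

def roll_outcome(roll: int, dc: int, modifiers: int = 0) -> str:
    """d20 + modifiers vs. DC; the v2.2 partial-success band is DC-2 to DC-1."""
    total = roll + modifiers
    if total >= dc:
        return "success"
    if total >= dc - 2:
        return "partial"
    return "failure"

def completion_turn(start_turn: int, duration: int) -> int:
    """Duration N started on turn t resolves at the START of turn t + N - 1."""
    return start_turn + duration - 1

def check_victory(meters: dict):
    """Canonical v2.2 conditions in order V1, V2, V3; None means none met.
    Deliberately no 'any meter < 40%' clause: a low meter never overrides V3."""
    t, ac, at, coc = (meters[m] for m in METERS)
    if at >= 90 and t >= 80:
        return "V1 Full Attribution"
    if t >= 80 and ac >= 80 and coc >= 70:
        return "V2 Solid Case"
    if sum(v >= 70 for v in meters.values()) >= 2:
        return "V3 Partial Findings"
    return None

class ForensicsGame:
    def __init__(self, budget: int = 75, turn_limit: int = 8):
        self.budget, self.turn_limit = budget, turn_limit
        self.meters = {m: 0 for m in METERS}
        self.discovered, self.analyzed = [], set()
        self.in_flight = None     # (card, resolve_turn) for a Duration 2+ investigation

    def _advance(self, impacts: dict) -> None:
        for m, pct in impacts.items():
            self.meters[m] = min(100, self.meters[m] + pct)

    def _spend(self, cost: int) -> None:
        if cost > self.budget:    # exhaustion is not a loss, but Budget cannot go negative
            raise ValueError("insufficient Budget")
        self.budget -= cost

    def start_investigation(self, turn: int, card: InvestigationCard) -> int:
        """Pay now; return the turn at whose START the roll is made and results arrive."""
        if card.duration >= 2 and self.in_flight is not None:
            raise ValueError("only one multi-turn investigation may be in flight")
        self._spend(card.cost)
        resolve_turn = completion_turn(turn, card.duration)
        if card.duration >= 2:
            self.in_flight = (card, resolve_turn)
        return resolve_turn

    def resolve_investigation(self, card, roll, modifiers, pool, preserved=False, exemplary=False):
        """Roll at resolution; Rule 5 (no double counting) and Rule 1 (custody bonus).
        `pool` lists the undiscovered Evidence cards this investigation can produce."""
        if self.in_flight and self.in_flight[0] is card:
            self.in_flight = None
        outcome = roll_outcome(roll, card.dc, modifiers)
        if outcome == "success" and pool:
            for ev in pool[:card.evidence_awards]:   # ONLY the Evidence card's printed impacts
                self.discovered.append(ev)
                self._advance(ev.impacts)
                if preserved:                         # +5% per discovery, +10% if exemplary
                    self._advance({"chain_of_custody": 10 if exemplary else 5})
        elif outcome in ("success", "partial"):       # no Evidence produced: card's own line
            self._advance(card.advance)
        return outcome

    def analyze_evidence(self, cards, roll, modifiers, gains: dict) -> str:
        """5 Budget; 2-4 cards, each Analyzed once; DC 10; success = two meters +5-10% each."""
        if not 2 <= len(cards) <= 4 or any(c.code in self.analyzed for c in cards):
            raise ValueError("2-4 not-yet-Analyzed Evidence cards required")
        if len(gains) != 2 or not all(5 <= g <= 10 for g in gains.values()):
            raise ValueError("advance exactly two meters by 5-10% each")
        self._spend(5)
        self.analyzed.update(c.code for c in cards)
        if roll + modifiers >= 10:
            self._advance(gains)
            return "success"
        return "failure"          # turn spent, no progress
```

At the turn limit, `check_victory(game.meters)` returning None is the only failure outcome; Budget left over or a single low meter plays no part.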


Forensics Skill Modifiers

Base Skill Modifiers (apply to all Investigation rolls):

| Background | Modifier | Example |
|---|---|---|
| Forensic Analyst or Incident Responder | +2 | Person with formal training |
| IT Security or System Administrator | +1 | Technical background but not formal IR training |
| General IT | +0 | Basic tech knowledge |
| Non-Technical | -2 | No technical background |
| Forensics Researcher (GIAC GCFE, etc.) | +3 | Expert-level investigator |

Situational Modifiers:
  - +1: Detailed narrative explanation of investigation methodology
  - +2: Team describes an investigation approach that references the MITRE ATT&CK framework
  - +1: Prior Investigation Action discovered clues to the current investigation
  - -2 (v2.2): Investigating hastily (e.g., team taking Forensics as a last-ditch effort in the final turn)
  - -2: Investigation approach is technically unsound or unrealistic


Forensics Module Standalone Setup

When playing Forensics as a standalone game (without prior IR/DR):

Setup Steps

  1. Threat Orchestrator Preparation (Secret):
    • Select attack scenario complexity (TIER 1-4)
    • Roll d4 for turn variation (-1, 0, 0, +1)
    • Secretly choose 3-5 Threat cards from core deck or expansions
    • Arrange threat cards in logical attack progression
    • Note which investigation techniques would discover each threat

  2. Blue Team Briefing:

    "You've been called to investigate a data breach discovered during routine system maintenance. Initial assessment:
    • Critical database server accessed 2 weeks ago
    • 5 million customer records potentially compromised
    • Attacker origin and motivations unknown
    • You have [TURN COUNT] turns to reconstruct the attack and find attribution clues.
    • Starting Budget: 75 (or 100 for well-funded incident response team)"

  3. Available Actions:
    • Conduct Investigation (as normal)
    • Analyze Existing Evidence
    • Follow Investigative Leads

  4. Victory Conditions (v2.2): Identical to campaign play — use the three canonical conditions in Victory & Failure Conditions:
    • V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
    • V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
    • V3 "Partial Findings": any two meters ≥70% at game end

Module Combinations with Forensics

Recommended Sequences

Sequence 1: Detect & Investigate (90 minutes)
  - Incident Response (45 min) - Detect attack chain
  - Forensics (45 min) - Investigate and attribute

Sequence 2: Failure & Investigation (120 minutes)
  - Incident Response (45 min) - Fail to detect all threats
  - Disaster Recovery (45 min) - Manage breach crisis
  - Forensics (30 min) - Investigate for lessons learned

Sequence 3: Complete Lifecycle (180+ minutes)
  - Network Building (45 min) - Design initial network
  - Hardening (45 min) - Build defenses
  - Incident Response (45 min) - Test defenses
  - Disaster Recovery (45 min) - Handle failure
  - Forensics (30 min) - Investigate findings
  - Audit & Compliance (30 min) - Assess overall security posture


Debrief & Learning Outcomes

Post-Game Discussion Questions

After Forensics concludes, facilitate discussion around these questions:

Investigation Process:
  1. What investigation techniques were most revealing? Why?
  2. What evidence was most critical to understanding the attack?
  3. What was the attacker's most sophisticated technique? What made it hard to detect forensically?
  4. How would the investigation have been different with better logging? Better endpoint tools?

Attribution & Intelligence:
  1. What threat actor profile emerged? What's their likely motivation?
  2. What geographic or geopolitical clues do you see in the evidence?
  3. How would you share this intelligence with law enforcement or information sharing communities?

Hardening & Prevention:
  1. Based on forensic findings, what specific defenses would prevent this attack?
  2. How would your network design need to change to limit lateral movement?
  3. What logging and monitoring would have caught this earlier?

Real-World Connection:
  1. How does this scenario compare to actual breaches you've studied? (Verizon DBIR, Microsoft Security Incidents, etc.)
  2. What's the typical cost of forensic investigation in real incidents?
  3. How does attribution accuracy impact threat intelligence and policy response?


Technical Details & Implementation Notes

MITRE ATT&CK Integration

Each Investigation Action card and Evidence card should reference specific MITRE ATT&CK techniques/procedures:

Investigation Actions → Techniques Discovered:
  - Disk Forensics → T1005 (Data from Local System), T1025 (Data from Removable Media)
  - Memory Forensics → T1112 (Modify Registry), T1055 (Process Injection)
  - Log Analysis → T1071 (Application Layer Protocol), T1090 (Proxy)
  - Network Analysis → T1041 (Exfiltration Over C2 Channel), T1048 (Exfiltration Over Alternative Protocol)
  - Malware Analysis → T1104 (Multi-Stage Channels), T1059 (Command and Scripting Interpreter)
  - Timeline Reconstruction → T1074 (Data Staged), T1003 (OS Credential Dumping)
  - Attribution → G#### group / S#### software identification (threat attribution)

Forensics Difficulty Scaling

TIER 1 (6-8 turns): Unsophisticated attacker, plenty of artifacts, obvious malware
  - Low DC (10-12) Investigation Actions
  - Evidence cards plentiful and obvious
  - Chain of custody intact
  - No anti-forensics measures
  - Example: Script kiddie using public exploits, little cleanup

TIER 2 (8-10 turns): Standard attacker, some cleanup, moderate sophistication
  - Medium DC (12-14) Investigation Actions
  - Evidence cards present but require analysis
  - Some chain of custody concerns
  - Basic anti-forensics (log deletion)
  - Example: Credential theft ring, lateral movement, data exfil

TIER 3 (11-13 turns): Sophisticated attacker, significant obfuscation
  - High DC (13-15) Investigation Actions
  - Evidence requires correlation across multiple sources
  - Chain of custody a significant challenge
  - Advanced anti-forensics (encryption, timeline spoofing)
  - Example: APT group with operational security discipline

TIER 4 (14-15 turns): Nation-state or elite attackers, expert anti-forensics
  - Very high DC (14-16+) Investigation Actions
  - Evidence heavily fragmented and incomplete
  - Chain of custody nearly impossible to prove
  - Sophisticated anti-forensics and counter-attribution
  - Example: State-sponsored APT with deep technical expertise


Printable Card Templates

See cards/forensics/core-deck/investigation-cards.md for printable Investigation Action cards.

See cards/forensics/core-deck/evidence-cards.md for printable Evidence and Findings cards.


Version History


Quick Reference

Setup: Select complexity tier, roll d4, announce turn count
Actions: Conduct Investigation (card cost, Duration 1-3 turns), Analyze Evidence (5 Budget, each Evidence card only once), Follow Leads (5 Budget)
Rolls: d20 vs. DC, with skill modifiers; partial success on DC-2 to DC-1
Durations (v2.2): Duration N resolves at the start of turn N, counting the starting turn as turn 1 (Duration 1 = immediate); only one multi-turn investigation in flight at a time
Resources: Budget (75 base, tracker 0-100), Turns (6-15), Progress Meters (4 tracked)
Victory (v2.2):
  - V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
  - V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
  - V3 "Partial Findings": any two meters ≥70% at game end
Failure (v2.2): At the turn limit, no victory condition met. Victory conditions are checked first; there is no meter-minimum failure clause and budget exhaustion is not a loss.


v2.2 Playtest Edition Changes

  1. Canonical victory conditions. Four conflicting versions of the "complete case" condition (plus a fifth standalone-only condition) are replaced by one canonical set, stated identically here, in the Quick Reference, and in the standalone guide:
     - V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
     - V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
     - V3 "Partial Findings": any two meters ≥70% at game end
     - Failure: at the turn limit, no victory condition met
     - Precedence: victory conditions are checked first. The "any meter <40% = failure" clause is deleted (it conflicted with V3). Budget exhaustion is not a loss. Meter "averages" are never used anywhere.
  2. Investigation Duration is now a real rule. Starting a Duration-N investigation occupies your action and Budget on the starting turn; results arrive at the start of turn N (counting the starting turn as turn 1) — Duration 1 resolves immediately. Only one multi-turn investigation in flight at a time. DISK-01's rush option is priced: pay +5 Budget to run it at Duration 1.
  3. Chain of Custody is earnable: +5% every time an Evidence card is discovered AND the team states how it was preserved (hash, imaging, log export); TO may award +10% for exemplary handling.
  4. Reachability math: printed CoC impacts on Evidence cards total +50% (EVD-08 +15, EVD-09 +10, EVD-10 +10, EVD-11 +10, EVD-12 +5). In a typical 8-10 turn game the team discovers 6-8 Evidence cards: 7 discoveries with stated preservation = +35% handling; if those include EVD-08, EVD-09, and EVD-11 that adds +35% printed, for 70% — the V2 threshold — without any exemplary awards. Exemplary handling (+10 instead of +5) or additional CoC-bearing cards push it higher. Under v2.1's printed-only gains, the ceiling was ~60% and V2 was mathematically unreachable.
  5. Analyze Existing Evidence costs 5 Budget, and each Evidence card can be Analyzed only once (it was a free, infinitely repeatable dominant action).
  6. Follow Investigative Lead has a printed cost: 5 Budget (examples previously charged 10 or 0).
  7. No Double Counting (Rule 5): when an investigation discovers an Evidence card, apply ONLY the Evidence card's printed meter impacts; the investigation card's advance line applies only when no Evidence card is produced (e.g., partial success).
  8. Partial-success band is DC-2 to DC-1 (matches all printed cards; the module previously said DC-3 to DC-1).
  9. Meter advance range widened to +5-35% — major breakthroughs can exceed +20% (cards already went to +35).
  10. One-Evidence rule now reads "unless the card says otherwise" (MEM-02 and NET-02 award two Evidence cards).
  11. Haste modifier is -2 everywhere (was -1 in one list). Anti-forensics example corrected to DC 13 (11 + 2). Dwell time redefined in turns: attacker dwelled undetected 3+ turns (or IR module ran 10+ turns) → +1 DC to DISK and LOG investigations.
  12. MITRE ATT&CK corrections across the module and card files (~12 wrong ID/name pairs fixed: T1005, T1074, T1112, T1040, T1055, T1059.001, T1556, T1027, and removal of irrelevant T1120/T1113/T1004 mappings).
  13. Credential and path errata: DISK-01 GCIH/GCFE (was CCNA-Security), MALW-01 GREM (was fictional "CRT"), EVD-10 registry path now includes \CurrentVersion.
  14. Budget tracker range is 0-100 (was "maximum useful 150"). Starting budget stays 75 (+25 optional).
  15. Deck summaries recounted from the actual cards: 12 Investigation, 12 Evidence, 4 Findings; evidence-type counts and the investigation→evidence flow map regenerated from the cards' Discovery Sources.

docs/standalone-games/forensics.md

Forensics Module: Standalone Game Guide

Version: 2.2 - Playtest Edition (rule changes marked "(v2.2)" — see the module rules doc for the full change list)
Duration: 45-90 minutes
Player Count: 1 Threat Orchestrator + 1-4 Investigators
Complexity: Intermediate to Advanced


Overview

This guide explains how to play the Forensics Module as a standalone game, without needing to have played Incident Response, Hardening, or Disaster Recovery first.

In standalone Forensics, you are a team of incident investigators called in to analyze a data breach. Your goal is to reconstruct the attack, discover the attacker's techniques, and if possible, attribute the breach to a known threat actor. This is a "detective" game focused on piecing together evidence rather than detecting or preventing attacks.


What You'll Learn


Game Components

Required Components

Optional Enhancements


Setup Instructions

Step 1: Choose Difficulty Tier

The Threat Orchestrator (game facilitator) selects an attack complexity tier. Do NOT tell the Blue Team the tier—it's secret.

| Tier | Turn Count | Attack Type | Example |
|---|---|---|---|
| TIER 1 (Beginner) | 6-8 | Script kiddie, basic malware | Casual cybercriminal, obvious techniques |
| TIER 2 (Intermediate) | 8-10 | Organized attacker, some sophistication | Credential theft ring, lateral movement |
| TIER 3 (Advanced) | 11-13 | Skilled APT, heavy obfuscation | Sophisticated threat group with operational security |
| TIER 4 (Expert) | 14-15 | Nation-state, elite techniques | State-sponsored APT with counter-forensics |

Turn Count Randomization:
- Pick a baseline inside your tier's range (6-8, 8-10, 11-13, or 14-15), for example 9 for TIER 2
- Roll d4: -1, 0, 0, or +1
- Add the result to the baseline to get the final turn count (it stays within 6-15)
- Example: TIER 2 baseline 9 + d4 result of +1 = 10 turns

Step 2: Prepare Threat Scenario

Secret TO Preparation:

  1. Select Attack Chain: Choose 3-5 Threat cards from the Incident Response core deck or expansion deck
     - Arrange in logical progression (initial access → lateral movement → exfiltration)
     - Consider realistic attack flow: not every attack needs all phases
  2. Map Investigations: For each threat card, note which Investigation Actions would discover it
     - Example: Malware persistence → Disk Forensics, Malware Analysis
     - Example: C2 communications → Network Traffic Analysis
     - Example: Credential abuse → Event Log Analysis
  3. Plan Evidence Discovery: Prepare which Evidence cards will be revealed as each Investigation Action succeeds
     - Not all investigations succeed (some are dead ends)
     - Some Evidence cards might be discovered by multiple investigation paths
  4. Set Attacker Profile: In your notes, decide:
     - Attacker motivation (cybercrime, espionage, hacktivism, nation-state)
     - Sophistication level (matches the tier)
     - Likely techniques (reference the MITRE ATT&CK framework)
     - Tools used (commercial, custom, open-source)

Example Secret Setup (TIER 2):

Threat Cards Selected: Phishing → Credential Harvesting → Lateral Movement → Persistence → Exfiltration
Turn Count: 8-10 (TIER 2, no roll modifier used)
Attacker Profile: Eastern European cybercriminal group focused on financial data theft
Key Evidence: Phishing email headers, malware samples, persistence mechanisms, C2 communications
Attribution Clues: Russian language in malware, specific tool signature, Bitcoin payment addresses
Investigation Challenge: Attacker deleted logs; Blue Team must reconstruct from network traffic and memory forensics

Step 3: Brief the Blue Team

Read the Incident Briefing to all investigators:

INCIDENT BRIEFING

"You've been called by [Company Name] to investigate a data breach discovered during routine system maintenance. Here's what we know so far:

Timeline of Discovery:
- System administrator noticed unusual network traffic on [Date]
- Forensic examination discovered evidence of system compromise dating back approximately [2-3 weeks / 1 month]
- Data breach notification team estimates millions of records may have been accessed

What Was Affected:
- Database servers containing customer information
- Admin accounts showing unauthorized access
- Backup systems with potential exfiltration evidence

Your Mission:
- Reconstruct the complete attack chain (how did they get in? what did they do? how did they get out?)
- Identify what data was compromised (scope and sensitivity)
- Attribute the attack to a known threat group or attacker profile if possible
- Produce findings for the company's security hardening and incident prevention

Resources Available:
- Forensic laboratory time: 75 Budget units
- [Optional: +25 if the company has cyber insurance or a threat intelligence subscription]
- Investigation period: [TURN COUNT] turns (represents [1-3 weeks] of forensic work)

Regulatory Context:
- Time-sensitive: Investigation results feed into breach notification requirements
- Chain of custody critical: Findings must be admissible if this goes to law enforcement

You have [TURN COUNT] turns. Begin your investigation."

Step 4: Initialize Tracking

On a shared board or spreadsheet, create:

  1. Turn Tracker: Current turn = 1, Max turns = [TURN COUNT]
  2. Budget Tracker: Current budget = 75 (or 100), tracker range 0-100
  3. Progress Meters:
     - Timeline Completeness: 0%
     - Attack Chain Reconstruction: 0%
     - Attribution Confidence: 0%
     - Evidence Chain of Custody: 0%
  4. Evidence Log: Space to list discovered Evidence cards and their sources
  5. Investigation Record: Track which Investigation Actions have been attempted (successful and failed)

Turn Sequence

Each Turn Has 3 Steps

Step 1: Blue Team Describes Action (5 minutes)

One investigator (or the whole team collectively) describes what forensic investigation they want to perform.

Options:

Option A: Conduct Investigation
- Choose an Investigation Action card (Disk Forensics, Memory Analysis, Log Analysis, Network Traffic, Malware Analysis, Timeline Reconstruction, or Threat Attribution)
- Describe HOW they'll conduct the investigation (methodology, tools, expected findings)
- Declare the Budget cost (shown on card) — paid on the turn you start
- Note the card's Duration (v2.2): starting the investigation is your action this turn; counting this turn as turn 1, the roll and results arrive at the START of turn N (Duration 1 = same turn, Duration 2 = start of next turn, Duration 3 = two turns later). Only ONE multi-turn investigation may be in flight at a time; you may take other actions while waiting.
- Example: "We'll do a full disk image of the compromised database server and look for persistence mechanisms, rootkits, and artifact evidence. Cost 10 Budget, Duration 2 — results at the start of next turn."

Option B: Analyze Existing Evidence — Cost: 5 Budget (v2.2)
- Review 2-4 Evidence cards already discovered — each Evidence card can be Analyzed only once (v2.2); mark cards as Analyzed
- Describe connections between findings (temporal sequence, technical relationships, or attribution links)
- Example: "The malware sample matches the persistence mechanism we found in scheduled tasks, suggesting the attacker knew exactly what they were doing. Plus, the C2 domain was registered by the same person who registered two other domains we found in old breach reports."

Option C: Follow Investigative Lead — Cost: 5 Budget (v2.2)
- Pick an Evidence card with an "Investigative Lead" noted
- Describe how you'll pursue this lead
- Example: "This C2 domain resolves to a Russian ASN. Let's do a WHOIS lookup and see what other domains are hosted on this infrastructure."


Step 2: TO Rolls & Resolves (2-3 minutes)

For Conduct Investigation or Follow Investigative Lead:

  1. Verify Cost: Check that the Blue Team has sufficient Budget (Follow Lead costs 5 — v2.2)
     - If Budget is insufficient, the investigation cannot proceed (suggest an alternative action)
  2. Apply Duration (v2.2): For a Duration 2-3 investigation, the cost and the action are spent now, but steps 3-6 (DC, modifiers, roll, compare) happen at the START of the turn the investigation completes (Duration 1 resolves immediately)
  3. Set Difficulty Class (DC): TO reads the DC from the Investigation Action card
     - Example: Disk Forensics (DISK-01) has DC 12
     - Anti-forensics present: +2 DC
     - Sophisticated attacker: +1-2 DC
  4. Determine Modifiers: Apply skill modifiers to the roll
     - +2 if the investigator has a forensics certification
     - +1 if basic IT security background
     - +2 if the team provides a detailed technical narrative
     - +1 if a previous investigation discovered clues to this action
     - -2 if attempting hastily (rushed, final-turn desperation) (v2.2)
  5. Roll: Investigator (or TO on their behalf) rolls d20
  6. Compare Results:
     - Success (roll ≥ DC): Discover ONE Evidence card (unless the card says otherwise — MEM-02 and NET-02 award TWO) and apply ONLY that Evidence card's printed meter impacts (typically +5-35% per meter; major breakthroughs can exceed +20%). The investigation card's own advance line applies only if no Evidence card is produced (v2.2: No Double Counting)
     - Partial Success (roll DC-2 to DC-1): Discover partial or incomplete evidence and apply the investigation card's partial advance line (typically +5-15%). If the partial result still yields a complete Evidence card (possible on two-card investigations such as MEM-02), apply that card's printed impacts instead, per No Double Counting
     - Failure (roll < DC-2): No evidence discovered; Budget is still spent and the turn is used

For Analyze Existing Evidence:

  1. Pay Cost: 5 Budget (v2.2); the 2-4 Evidence cards reviewed must not have been Analyzed before
  2. Describe Connection: Blue Team explains how the findings are related
  3. Roll: d20 + investigator skill modifier (plus any narrative modifier, e.g. for citing specific ATT&CK techniques) vs. DC 10
  4. Results:
     - Success (≥10): Gain insight; advance two Progress Meters by 5-10% each
     - Failure (<10): No progress; the turn is used (Budget still spent)
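To make the resolution rules above checkable, here is a small resolver written for this guide (it is an added example, not one of the Incident Zero files). It encodes the DC-2 to DC-1 partial band, the TO-side DC adjustments, the Duration arithmetic ("Duration N resolves at the start of turn N, counting the starting turn as turn 1"), the one-in-flight limit and DISK-01's rush option. Card stats are copied from the Quick Reference table later in this guide; the dice values in `replay_example_turns()` are the ones printed in turns 2-4 of the Example Investigation.

```python
"""Added example (not part of the Incident Zero files): a resolver for the roll,
DC-adjustment and Duration rules in Step 2 of the Forensics turn sequence."""
from dataclasses import dataclass, field

# (DC, Budget cost, Duration) as printed on the Investigation Action cards.
CARDS = {
    "DISK-01": (12, 10, 2), "LOG-01": (11, 5, 1), "MALW-01": (12, 15, 2),
    "NET-01": (12, 10, 2), "MEM-02": (15, 20, 3), "TIMELINE-01": (13, 5, 1),
}


def outcome(d20: int, modifier: int, dc: int) -> str:
    """Success at total >= DC, partial on DC-2..DC-1, failure below that."""
    total = d20 + modifier
    if total >= dc:
        return "success"
    if total >= dc - 2:  # the v2.2 partial band is exactly two points wide
        return "partial"
    return "failure"


def effective_dc(base_dc: int, anti_forensics: bool = False,
                 sophistication: int = 0, dwell: bool = False) -> int:
    """TO-side DC adjustments: anti-forensics +2, sophistication +1/+2,
    dwell-time +1 (DISK and LOG cards only; the caller decides applicability)."""
    if sophistication not in (0, 1, 2):
        raise ValueError("sophistication modifier is +0, +1 or +2")
    return base_dc + (2 if anti_forensics else 0) + sophistication + (1 if dwell else 0)


def resolves_on_turn(start_turn: int, duration: int) -> int:
    """Duration N resolves at the start of turn start+N-1; the starting turn is turn 1."""
    if duration not in (1, 2, 3):
        raise ValueError("Duration is 1, 2 or 3")
    return start_turn + duration - 1


@dataclass
class Table:
    """Budget, turn counter and the single multi-turn investigation allowed in flight."""
    budget: int = 75
    turn: int = 1
    in_flight: dict = field(default_factory=dict)  # {card: turn it resolves on}

    def start(self, card: str, rush: bool = False) -> int:
        """Pay the card's cost now and return the turn its roll happens on."""
        _dc, cost, duration = CARDS[card]
        if rush:  # only DISK-01 has a printed rush option: +5 Budget for Duration 1
            if card != "DISK-01":
                raise ValueError("only DISK-01 may be rushed")
            cost, duration = cost + 5, 1
        if cost > self.budget:
            raise ValueError("insufficient Budget: choose another action")
        if duration > 1 and self.in_flight:
            raise ValueError("only one multi-turn investigation in flight at a time")
        self.budget -= cost
        due = resolves_on_turn(self.turn, duration)
        if duration > 1:
            self.in_flight[card] = due
        return due

    def end_turn(self) -> list:
        """Advance the turn counter; return cards that resolve at the start of the new turn."""
        self.turn += 1
        ready = [c for c, due in self.in_flight.items() if due == self.turn]
        for c in ready:
            del self.in_flight[c]
        return ready


def replay_example_turns() -> dict:
    """Turns 2-4 of the Example Investigation; Budget is 70 after turn 1's LOG-01."""
    t = Table(budget=70, turn=2)
    malw_due = t.start("MALW-01")             # Duration 2 -> rolls at start of turn 3
    arrivals_t3 = t.end_turn()
    malw = outcome(14, 2, effective_dc(12, sophistication=1))  # DC 13, +2 cert
    net_due = t.start("NET-01")               # allowed: nothing else in flight now
    arrivals_t4 = t.end_turn()
    net = outcome(9, 1, effective_dc(12))     # total 10 sits in the 10-11 partial band
    t.start("TIMELINE-01")                    # Duration 1, resolves this turn
    timeline = outcome(8, 2, 13)              # total 10 < 11: below the partial band
    return {"malw_due": malw_due, "arrivals_t3": arrivals_t3, "malw": malw,
            "net_due": net_due, "arrivals_t4": arrivals_t4, "net": net,
            "timeline": timeline, "budget": t.budget, "turn": t.turn}


if __name__ == "__main__":
    print(replay_example_turns())
```

`end_turn()` is where the TO's "resolve arrivals" step lives: anything whose due turn equals the new turn number is rolled before the Blue Team chooses an action, which is why a Duration-3 card started on turn 5 comes back at the start of turn 7 and not turn 8.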

Step 3: Record & Update Tracking (1-2 minutes)

  1. Deduct Budget: Subtract action cost from Budget Tracker
  2. Advance Turn: Increment Turn counter by 1
  3. Update Progress Meters: Record any progress from resolved investigations
  4. Note Evidence: If Evidence card discovered, add to Evidence Log with source and chain of custody status
  5. Chain of Custody (v2.2): +5% Chain of Custody for each Evidence card discovered this turn IF the team stated how it was preserved (hash, imaging, log export); TO may award +10% for exemplary handling
  6. Check Victory Condition: Did Blue Team achieve any victory condition? (see Victory Conditions section)

Investigation Actions & Evidence

Investigation Action Cards (Quick Reference)

| Card | DC | Cost | Duration | What It Reveals |
|---|---|---|---|---|
| DISK-01: Disk Image & Analysis | 12 | 10 | 2 turns | Deleted files, malware samples, persistence mechanisms |
| DISK-02: File System Carving | 14 | 15 | 3 turns | Deep file recovery, hidden artifacts, encrypted data |
| MEM-01: Memory Dump & Analysis | 13 | 15 | 2 turns | Volatile processes, injected code, C2 connections |
| MEM-02: Memory Forensics Deep Dive | 15 | 20 | 3 turns | Malware behavior analysis, encryption keys, exploits |
| LOG-01: Event Log Analysis | 11 | 5 | 1 turn | User login timeline, privilege escalation, admin actions |
| LOG-02: Deep Log Correlation | 13 | 10 | 2 turns | Cross-system timeline, attack sequence, lateral movement |
| NET-01: Network Traffic Analysis | 12 | 10 | 2 turns | Exfiltration evidence, C2 communications, data flows |
| NET-02: Packet Capture Deep Analysis | 14 | 15 | 3 turns | Protocol forensics, attacker tools, communication patterns |
| MALW-01: Malware Analysis (Dynamic) | 12 | 15 | 2 turns | Behavior analysis, IOCs, capabilities |
| MALW-02: Malware Analysis (Static) | 14 | 10 | 2 turns | Code reverse engineering, attacker signatures, techniques |
| TIMELINE-01: Timeline Reconstruction | 13 | 5 | 1 turn | Chronological attack sequence, entry and exit points |
| THREAT-01: Threat Attribution Analysis | 15 | 20 | 3 turns | Link to known threat groups, TTPs, motivation |

DISK-01 rush option (v2.2): pay +5 Budget (15 total) to run it at Duration 1. Duration rule: results arrive at the start of the turn the Duration completes — see Turn Sequence.


Victory & Failure Conditions

Investigation Complete (VICTORY)

Blue Team wins if they achieve ONE of these (canonical v2.2 conditions — identical to the module rules):

Victory Condition 1: "Full Attribution"
- Attribution Confidence ≥ 90% AND Timeline Completeness ≥ 80%
- Result: "You have successfully attributed this attack to [Threat Group]. Intelligence briefing prepared for leadership."

Victory Condition 2: "Solid Case"
- Timeline Completeness ≥ 80% AND Attack Chain Reconstruction ≥ 80% AND Evidence Chain of Custody ≥ 70%
- Result: "Your forensic investigation is publishable quality and legally defensible. Law enforcement briefed."

Victory Condition 3: "Partial Findings"
- Any two Progress Meters ≥ 70% at game end
- Result: "Investigation concluded with sufficient findings for remediation. Hardening team can now implement controls."


Investigation Inconclusive (FAILURE)

Blue Team fails if, at the turn limit, no victory condition is met.

Precedence (v2.2): Victory conditions are always checked FIRST. There is no "any meter < 40% = failure" clause (deleted — it conflicted with Victory Condition 3), and budget exhaustion is not a loss: you may always fall back on the cheap 5-Budget actions while Budget lasts, and the game simply plays out to the turn limit.
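The precedence rule above is the part TOs most often get wrong at the table, so here is the canonical check written out as code (an added example for this guide, not one of the Incident Zero files). V1 and V2 can be claimed as soon as they are met; V3 only at the turn limit; a low meter or an empty Budget never ends the game early. The second function accrues Chain of Custody the v2.2 way (printed impact plus +5 for stated preservation, +10 when the TO rates handling exemplary); the printed values are those listed in the module change list, and the discovery sequence in `reachability_check()` is the constructed seven-card scenario from that list.

```python
"""Added example (not part of the Incident Zero files): the canonical v2.2 victory
check with its precedence rule, and Chain of Custody accrual per discovery."""

METERS = ("timeline", "attack_chain", "attribution", "chain_of_custody")

# Printed Chain of Custody impacts from the change list; every other card prints +0.
PRINTED_COC = {"EVD-08": 15, "EVD-09": 10, "EVD-10": 10, "EVD-11": 10, "EVD-12": 5}


def check_victory(meters: dict, game_over: bool):
    """Return the result string, or None while play continues.

    V1/V2 are tested every turn; V3 and failure only when game_over is True.
    Victory is always tested before failure, and nothing else ends the game."""
    for name in METERS:
        if not 0 <= meters[name] <= 100:
            raise ValueError(f"{name} must be 0-100")
    if meters["attribution"] >= 90 and meters["timeline"] >= 80:
        return "V1 Full Attribution"
    if (meters["timeline"] >= 80 and meters["attack_chain"] >= 80
            and meters["chain_of_custody"] >= 70):
        return "V2 Solid Case"
    if not game_over:
        return None  # play on to the turn limit, whatever the meters or Budget say
    if sum(meters[name] >= 70 for name in METERS) >= 2:
        return "V3 Partial Findings"
    return "FAILURE Investigation Inconclusive"


def chain_of_custody(discoveries) -> int:
    """Accrue CoC from (card_id, preservation_stated, exemplary) discovery events.

    The printed impact always applies; the handling bonus (+5, or +10 when the TO
    rates the handling exemplary) applies only if preservation was stated."""
    total = 0
    for card, preserved, exemplary in discoveries:
        total += PRINTED_COC.get(card, 0)
        if preserved:
            total += 10 if exemplary else 5
    return min(total, 100)


def reachability_check() -> int:
    """Change-list scenario: 7 preserved discoveries that include EVD-08/09/11."""
    seq = [("EVD-04", True, False), ("EVD-02", True, False), ("EVD-08", True, False),
           ("EVD-09", True, False), ("EVD-07", True, False), ("EVD-11", True, False),
           ("EVD-01", True, False)]
    return chain_of_custody(seq)


def worked_example_end() -> str:
    """Final meters of the Example Investigation later in this guide."""
    return check_victory({"timeline": 100, "attack_chain": 100,
                          "attribution": 95, "chain_of_custody": 30}, game_over=True)


if __name__ == "__main__":
    print(reachability_check(), worked_example_end())
```

Run it against the example game's turn-7 meters (75/85/95/30) with `game_over=False` and it returns `None`: Attribution is there but Timeline is not, so the table plays on, exactly as the example says.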

Result of failure: "Investigation stalled. Too many unanswered questions. Threat actor remains unidentified. Forensic team recommends additional investigation by external firm."

Consequence of Failure:
- Investigation results are incomplete and cannot feed into the Hardening or Network Building modules
- Audit & Compliance module must assess security posture with incomplete information
- Organization loses confidence in threat intelligence


Example Investigation (Complete Turn)

Scenario Setup (TO Secret)

TIER 2 attack: Credential-based lateral movement with persistence
Turn limit: 8 turns (TIER 2 baseline 9, d4 roll of -1)
Attacker profile: Eastern European cybercriminal group
Key technique: Password spray → Privilege escalation → Scheduled task persistence → Data exfiltration
Bonus: The sysadmin's initial triage captured a suspicious binary, so a malware sample is available from turn 1

Turn 1

Blue Team: "We'll start with event log analysis of the compromised database server. We want to see the login history and identify unusual access patterns. We'll export the logs with their digital signatures and hash the export."

Investigator Skill: IT Security background (+1)

TO Facilitator:
  1. Check Cost: LOG-01 costs 5 Budget. Current budget 75. ✓ OK
  2. Check Duration: LOG-01 is Duration 1 — resolves this turn
  3. Set DC: LOG-01 has DC 11. No anti-forensics. DC = 11
  4. Apply Modifiers: +1 (IT security background) + 0 (no prior clues) = +1 total
  5. Roll: Investigator rolls d20+1. d20 = 13, total 14
  6. Success! (14 ≥ 11) → Discover Evidence card EVD-04 "Suspicious Admin Login (Timeline)" — apply ONLY its printed impacts (v2.2 No Double Counting)

Update Tracking:
- Budget: 75 - 5 = 70 remaining
- Turn: 1 → 2
- EVD-04 printed impacts: Timeline 0% → 25%, Attack Chain 0% → 20%, Attribution 0% → 10%
- Chain of Custody: 0% → 5% (v2.2: preservation stated — signed log export, hashed)
- Evidence Log: "EVD-04 - discovered via LOG-01 - preserved via signed/hashed export - Chain of Custody: intact"

Blue Team Deduction: "Looks like an admin account was accessed from unusual locations. Might be credential theft."
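Turn 1 earned its Chain of Custody bonus because the team said how the export was preserved ("hash the export"). This added example, written for this guide rather than taken from the Incident Zero files, shows what that statement means in practice: hash the evidence file, append a custody entry (who, how, when, which hash) to an append-only log, and re-verify the file before relying on it. The log lines, analyst name and file names are constructed for the demo.

```python
"""Added example (not part of the Incident Zero files): hashing an evidence export and
keeping a custody log that detects any later change to the file."""
import datetime
import hashlib
import json
import pathlib
import tempfile

# Constructed sample: a few lines such as a Security-log export might contain.
SAMPLE_EXPORT = b"\n".join([
    b"2024-03-04T02:10:17Z EventID=4624 LogonType=10 User=DBADMIN Source=203.0.113.45",
    b"2024-03-04T02:11:02Z EventID=4672 User=DBADMIN Privileges=SeDebugPrivilege",
    b"2024-03-04T02:15:40Z EventID=4698 User=DBADMIN Task=\\Microsoft\\Windows\\Update",
    b"",
])


def sha256_file(path: pathlib.Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-GB disk or memory image is never read into RAM at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def record_custody(path: pathlib.Path, log_path: pathlib.Path,
                   collected_by: str, method: str) -> dict:
    """Append one custody entry (who, how, when, what hash) for an evidence item."""
    entry = {
        "item": path.name,
        "sha256": sha256_file(path),
        "size_bytes": path.stat().st_size,
        "collected_by": collected_by,
        "method": method,
        "collected_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }
    with log_path.open("a", encoding="utf-8") as fh:  # append-only: never rewrite history
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_custody(path: pathlib.Path, log_path: pathlib.Path) -> bool:
    """True if the item's current hash matches the most recent entry recorded for it."""
    latest = None
    with log_path.open(encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            if entry["item"] == path.name:
                latest = entry
    return latest is not None and latest["sha256"] == sha256_file(path)


def demo() -> tuple:
    """Record, verify, then alter the export (same size) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        export = pathlib.Path(tmp, "dbserver-security-export.log")
        log = pathlib.Path(tmp, "custody.jsonl")
        export.write_bytes(SAMPLE_EXPORT)
        entry = record_custody(export, log, "analyst-1", "signed log export + sha256")
        intact = verify_custody(export, log)
        # Someone quietly downgrades the privilege event; size is unchanged, hash is not.
        export.write_bytes(SAMPLE_EXPORT.replace(b"EventID=4672", b"EventID=4624"))
        after_edit = verify_custody(export, log)
        return entry["sha256"], intact, after_edit


if __name__ == "__main__":
    print(demo())
```

A hash proves the bytes are unchanged since collection; it does not prove who collected them or when. That is why the briefing's "signed" export matters: sign the custody log (or keep it on write-once storage) so the entries themselves cannot be quietly rewritten.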


Turn 2

Blue Team: "Let's analyze that malware sample from triage. We want to understand what it does and where it connects to."

Investigator Skill: Forensic certification background (+2)

TO Facilitator:
  1. Check Cost: MALW-01 costs 15 Budget. Current budget 70. ✓ OK
  2. Check Duration (v2.2): MALW-01 is Duration 2. Starting the sandbox run is this turn's action; the roll and results arrive at the START of turn 3. MALW-01 is now the one multi-turn investigation in flight.

Update Tracking:
- Budget: 70 - 15 = 55 remaining
- Turn: 2 → 3
- Meters: unchanged (results pending) — Timeline 25%, Attack Chain 20%, Attribution 10%, Chain of Custody 5%


Turn 3

Start of turn — MALW-01 resolves (v2.2 Duration):
  1. Set DC: MALW-01 has DC 12. Attacker was moderately sophisticated: +1. DC = 13
  2. Apply Modifiers: +2 (forensic cert)
  3. Roll: d20 = 14, total 16
  4. Success! (16 ≥ 13) → Discover EVD-02 "Command-and-Control Callback Domain"
     - EVD-02 printed impacts: Attack Chain 20% → 35%, Attribution 10% → 35%, Timeline 25% → 30%
     - Chain of Custody: 5% → 10% (v2.2: sample hashed, sandbox logs archived)

Turn 3 action — Blue Team: "Now let's look at network flow records for that C2 domain. Start NET-01."

TO Facilitator: NET-01 costs 10 (budget 55 → 45 ✓), Duration 2 — resolves at the start of turn 4. (Allowed: MALW-01 finished this turn, so only one investigation is in flight.)

Update Tracking:
- Budget: 45 remaining
- Turn: 3 → 4
- Meters: Timeline 30%, Attack Chain 35%, Attribution 35%, Chain of Custody 10%

Blue Team Deduction: "The malware communicates with an external server. That's how the attacker stays in control."


Turn 4

Start of turn — NET-01 resolves (v2.2 Duration):
  1. Set DC: NET-01 has DC 12
  2. Apply Modifiers: +1 (IT security background)
  3. Roll: d20 = 9, total 10
  4. Partial Success (10 is in the DC-2 to DC-1 band, 10-11) → Suspicious outbound traffic found, but the destination is unclear. No Evidence card produced, so apply NET-01's partial advance line: Attack Chain 35% → 45%, Attribution 35% → 40%. No Chain of Custody handling bonus (no Evidence card discovered).

Turn 4 action — Blue Team: "Let's try to reconstruct the timeline from what we have. TIMELINE-01."

TO Facilitator: TIMELINE-01 costs 5 (budget 45 → 40 ✓), Duration 1 — resolves now. DC 13, +2 (DFIR training). Roll: d20 = 8, total 10. Failure (10 < 11, below the DC-2 partial band). Too many timestamp gaps. Budget still spent.

Update Tracking:
- Budget: 40 remaining
- Turn: 4 → 5
- Meters: Timeline 30%, Attack Chain 45%, Attribution 40%, Chain of Custody 10%


Turn 5 (Critical Decision)

Blue Team: "This is expensive, but let's start the Memory Forensics Deep Dive on the admin workstation. If the attacker has malware in memory, we might find encryption keys or recent commands that show their intent."

TO Facilitator:
  1. Check Cost: MEM-02 costs 20 Budget. Current budget 40. ✓ OK
  2. Check Duration (v2.2): MEM-02 is Duration 3 — started this turn (turn 1 of 3), it resolves at the START of turn 7. It is now the one multi-turn investigation in flight.

Update Tracking:
- Budget: 40 - 20 = 20 remaining
- Turn: 5 → 6
- Meters: unchanged (results pending)


Turn 6 (Working While Waiting)

Blue Team: "While the memory analysis runs, let's Analyze our existing evidence. The suspicious admin login (EVD-04, T1078 Valid Accounts) lines up with the C2 callbacks (EVD-02, T1071 Application Layer Protocol): the login happened 20 minutes before the first beacon. This was credential theft followed by remote control."

TO Facilitator:
  1. Check Cost: Analyze Existing Evidence costs 5 (v2.2). Budget 20 → 15 ✓. (Allowed while MEM-02 is in flight — Analyze is not an investigation.)
  2. Check cards: EVD-04 and EVD-02 have not been Analyzed before ✓ — mark both as Analyzed (v2.2: each Evidence card only once)
  3. Modifiers: +1 (references specific MITRE ATT&CK techniques) + 1 (IT security background) = +2
  4. Roll: d20 = 12, total 14 vs. DC 10. Success! → Advance two meters by 10% each: Timeline 30% → 40%, Attribution 40% → 50%

Update Tracking:
- Budget: 15 remaining
- Turn: 6 → 7
- Meters: Timeline 40%, Attack Chain 45%, Attribution 50%, Chain of Custody 10%

Blue Team Deduction: "Credential theft, then hands-on-keyboard control. Now we need the memory results."


Turn 7 (Breakthrough)

Start of turn — MEM-02 resolves (v2.2 Duration, started turn 5):
  1. Set DC: MEM-02 has DC 15
  2. Apply Modifiers: +2 (forensic analyst) + 1 (MALW-01 already completed) = +3
  3. Roll: d20 = 11, total 14
  4. Partial Success (14 is in the DC-2 to DC-1 band, 13-14) → MEM-02 normally awards two cards, so the partial result is ONE complete Evidence card, EVD-09 "Attacker Command History", plus an INCOMPLETE second finding (fragments of an RC4 key — marked INCOMPLETE, no meter impact until completed or interpreted)
     - EVD-09 printed impacts: Timeline 40% → 65%, Attack Chain 45% → 70%, Attribution 50% → 65%, Chain of Custody 10% → 20%
     - Chain of Custody: 20% → 25% (v2.2: memory image hashed, extraction methodology documented)

Turn 7 action — Blue Team: "Follow the investigative lead on EVD-02: WHOIS and ASN lookup on the C2 domain to map related attacker infrastructure."

TO Facilitator:
  1. Check Cost: Follow Investigative Lead costs 5 (v2.2). Budget 15 → 10 ✓
  2. Set DC: 12
  3. Apply Modifiers: +2 (detailed approach referencing prior evidence)
  4. Roll: d20 = 14, total 16. Success! → Discover EVD-07 "Attacker Infrastructure Map" — apply its printed impacts (v2.2: no separate +20% Attribution bonus — No Double Counting)
     - EVD-07 printed impacts: Attribution 65% → 95%, Attack Chain 70% → 85%, Timeline 65% → 75%
     - Chain of Custody: 25% → 30% (v2.2: WHOIS records and passive-DNS exports archived)

Update Tracking:
- Budget: 10 remaining
- Turn: 7 → 8 of 8 (final turn)
- Meters: Timeline 75%, Attack Chain 85%, Attribution 95%, Chain of Custody 30%

Victory check: Condition 1 needs Attribution ≥ 90% ✓ (95%) AND Timeline ≥ 80% ✗ (75%). Not yet. Condition 2 needs Timeline ≥ 80% ✗. Play on.


Turn 8 (Final Turn)

Blue Team: "One more push on the timeline. We retry TIMELINE-01, now synthesizing the login timeline (EVD-04), the C2 beacons (EVD-02), and the attacker's command history (EVD-09)."

TO Facilitator:
  1. Check Cost: TIMELINE-01 costs 5. Budget 10 → 5 ✓. Duration 1 — resolves now.
  2. Set DC: 13
  3. Apply Modifiers: +2 (DFIR training) + 1 (prior investigations provide clues) = +3
  4. Roll: d20 = 15, total 18. Success! All timeline-type evidence has already been discovered, so no new Evidence card is produced — apply TIMELINE-01's own advance line instead (v2.2 No Double Counting): Timeline 75% → 100%, Attack Chain 85% → 100%

Update Tracking:
- Budget: 5 remaining
- Turn: 8 of 8 — game end
- Final meters: Timeline 100%, Attack Chain 100%, Attribution 95%, Chain of Custody 30%


Victory Determination (Game End, After Turn 8)

Check Victory Conditions (v2.2 — victory is checked first, never overridden by a low meter):

Condition 1 "Full Attribution": Attribution ≥ 90% AND Timeline ≥ 80%?
- Attribution: 95% ✓
- Timeline: 100% ✓
- YES! VICTORY CONDITION 1 MET!

(For completeness: Condition 2 "Solid Case" fails on Chain of Custody 30% < 70%; Condition 3 "Partial Findings" would also be met with three meters ≥ 70% at game end. Note the v2.2 precedence rule: Chain of Custody sitting at 30% does NOT cause a failure — the old "any meter < 40%" clause is deleted. Meter averages are never used.)

Game Ends with VICTORY

Investigation Result: "Your forensic investigation successfully identified the attacker as a member of the [Eastern European Cybercriminal Group]. Key findings:
- Attack vector: Credential theft via password spray
- Control: C2 beaconing from checkupdate-style domains, hands-on-keyboard commands recovered from memory
- Timeline: fully reconstructed from signed logs, beacon timing, and command history
- Attribution: 95% confidence linked to known group via infrastructure map
- Caveat: evidence admissibility is weak (Chain of Custody 30%) — fine for hardening, not for court

Recommendations:
  1. Implement multi-factor authentication on admin accounts
  2. Deploy an EDR solution to detect persistence mechanisms
  3. Implement network segmentation to limit lateral movement
  4. Increase logging and monitoring of admin activities

This investigation will inform the Hardening, Network Building, and Audit modules going forward."


Tips for Investigators

Investigation Strategy

Early Game (Turns 1-3):
- Start with the cheap Duration-1 investigations (LOG-01 at 5 Budget, DC 11; TIMELINE-01 at 5 Budget, DC 13)
- Build a foundation of knowledge before attempting expensive techniques
- Goal: 50%+ progress on any meter by turn 3

Mid Game (Turns 4-7):
- Use findings from early investigations to guide the more expensive deep dives
- Follow Investigative Leads to get "bang for your budget"
- Aim for 75%+ on at least two meters by turn 6

Late Game (Turns 8+):
- If you have momentum, push for one complete meter (≥90%)
- If budget is tight, focus on two meters reaching ≥70% (Condition 3)
- Make bold investigations; you have less to lose (but a rushed, final-turn roll still carries the -2 haste modifier)

Narrative Details Matter

To Gain Bonuses:
- Explain not just WHAT you'll investigate, but HOW and WHY
- Reference specific evidence already discovered
- Mention the MITRE ATT&CK techniques you're looking for
- Example (gains +2): "We found a persistence mechanism in the scheduled tasks. This matches T1053 (Scheduled Task/Job). Let's do Memory Forensics to find if the malware is still resident in RAM and tracking recent C2 communications."

Evidence Correlation

Create Connections:
- Note which investigations led to which Evidence cards
- Look for patterns: "All malware samples have Russian-language strings"
- Timeline building: "Login at 2:10, C2 connection at 2:15, exfiltration at 2:25"
- These connections feed the Analyze Evidence action and drive attribution forward


Tips for the Threat Orchestrator

Maintaining Suspense

Pacing the Game

Challenge Scaling

For Beginner Investigators:
- Use TIER 1 attacks (6-8 turns, low DC, no anti-forensics)
- Provide hints during the briefing ("We recovered a memory dump")
- Allow retries on failed Investigation Actions

For Experienced Investigators:
- Use TIER 3-4 attacks (11-15 turns, high DC, sophisticated anti-forensics)
- Limit Budget more strictly
- Add False Evidence cards (a partial investigation leads to a wrong conclusion)


Debrief & Learning Outcomes

Post-Game Discussion (10-15 minutes)

After game concludes, facilitate discussion:

On Investigation Process:
  1. Which investigation technique was most valuable? Why?
  2. What would you do differently with more budget?
  3. What evidence was hardest to interpret?
  4. How did you decide which investigation to do next?

On Attack Reconstruction:
  1. Walk through the attack chain step by step. What happened first? Last?
  2. How did the attacker maintain access without being detected immediately?
  3. What's one technique that could have prevented this entire attack?

On Attribution:
  1. What evidence pointed to the attacker's identity?
  2. How confident are you in the attribution? (At 75%? 90%?)
  3. What additional evidence would make you 95%+ confident?

On Real-World Forensics:
  1. How does this compare to actual forensic investigations you've studied?
  2. What tools mentioned in the game (memory forensics, malware analysis) are used in real incident response?
  3. Why does attribution matter? (Law enforcement, threat intelligence sharing, policy response)

On Lessons Learned:
  1. What control from the Hardening module could have detected this attack early?
  2. How would Network Building architecture limit lateral movement?
  3. What Audit & Compliance questions need to be answered?


Standalone Forensics Variants

Variant 1: Time-Pressure Mode

Modified Rules: Reduce the turn count by 3 (so a 6-10 turn TIER 1 or TIER 2 game runs 3-7 turns)

Effect: Creates higher stakes; investigators must make faster decisions; less time for methodical analysis

When to Use: Advanced investigators who want more challenge; time-limited classroom sessions


Variant 2: False Evidence Mode

Modified Rules: TO secretly includes 1-2 "False Evidence" cards that appear legitimate but are actually red herrings

Effect: Attribution becomes harder; investigators must corroborate findings; critical thinking required

Example: Malware sample analysis reveals Russian-language strings → seems like Eastern European group. But it was actually planted by another threat group to frame competitors.

When to Use: Teaching about false positives and need for corroboration


Variant 3: Cold Case Mode

Modified Rules: Start with 40% progress already on one or two meters (from prior investigation by another team)

Effect: Investigators build on existing findings rather than starting from scratch

When to Use: Teaching how investigations are handed off; continuing previous work


Variant 4: Competitive Mode

Modified Rules: Two teams of investigators compete to achieve highest progress on most meters

Scoring: +3 points per meter ≥ 90%, +2 points per meter 70-89%, +1 per meter 40-69%

When to Use: Competitive classroom tournament; multiple teams investigating same breach simultaneously


Recommended Module Sequences with Forensics

30-minute Warm-up: Forensics solo (TIER 1, 6-turn simplified scenario)

90-minute Session: Incident Response (45 min) + Forensics (45 min)
- Phase 1: IR team detects the attack chain
- Phase 2: Forensics team investigates the findings

120-minute Session: Incident Response → Disaster Recovery mini → Forensics
- Phase 1: IR failure (breach not contained)
- Phase 2: DR (crisis management, brief)
- Phase 3: Forensics (investigation & attribution)

180+ minute Session: Complete lifecycle with Forensics
- Network Building (45 min) → Hardening (45 min) → Incident Response (45 min) → Forensics (30 min)


Quick Reference Card for Investigators

Setup: Choose TIER (1-4), Roll d4, Announce turn count and starting budget (75)

Each Turn:
1. Resolve arrivals (v2.2): any Duration 2-3 investigation completing this turn rolls and resolves at the start of the turn.
2. Choose action: Conduct Investigation (card cost, Duration 1-3), Analyze Evidence (5 Budget, each Evidence card only once), or Follow Lead (5 Budget).
3. Pay cost: deduct Budget.
4. Roll d20: add skill modifier, compare to DC (partial success on DC-2 to DC-1); Duration 2-3 investigations roll when they complete.
5. Resolve: discover evidence (apply the Evidence card's printed impacts, never also the investigation card's Advance line), or fail.
6. Update: Budget, Turn counter, Progress Meters (+5% Chain of Custody per Evidence discovery with stated preservation).

Resources:
- Budget: 75 (represents forensic lab time; tracker range 0-100)
- Turns: 6-15 (depends on tier + d4 roll)
- Progress Meters: Timeline, Attack Chain, Attribution, Chain of Custody (each 0-100%)

Victory (v2.2):
- V1 "Full Attribution": Attribution ≥90% AND Timeline ≥80%
- V2 "Solid Case": Timeline ≥80% AND Attack Chain ≥80% AND Chain of Custody ≥70%
- V3 "Partial Findings": any two meters ≥70% at game end

Failure (v2.2): At the turn limit, no victory condition is met. Victory is checked first; there is no meter-minimum failure clause, and budget exhaustion is not a loss.


Forensics Card Deck Checklist

Before playing, ensure you have:
- 12 Investigation Action cards (cards/forensics/core-deck/investigation-cards.md)
- 12 Evidence cards + 4 Findings cards (cards/forensics/core-deck/evidence-cards.md)
- A Progress Meter tracker with Turn and Budget rows (see Printable Components)
- One d20 and one d4


Frequently Asked Questions

Q: Can I play Forensics if I've never played Incident Response? A: Yes! Forensics standalone is completely self-contained. You don't need to have played IR, Hardening, or any other module first.

Q: How long does Forensics take? A: Typically 45-90 minutes depending on group experience level and decision speed. Experienced investigators finish faster.

Q: Can I play Forensics with a large group? A: Yes! 4-8 investigators is ideal. With more, split into two teams (each team has its own TO). You can even do competitive mode where both teams investigate the same breach.

Q: What if investigators want to know the tier? A: Don't tell them. Part of the game is discovering how sophisticated the attacker is through evidence analysis. Let them discover it.

Q: What if we run out of budget before solving the case? A: That's a realistic outcome, and it is NOT an automatic loss (v2.2). Keep playing to the turn limit — the cheap 5-Budget actions (Analyze Evidence, Follow Lead, LOG-01, TIMELINE-01) stretch a thin budget, and at game end you check victory normally. If any two meters are ≥70% at game end, you win via Condition 3 (like real-world investigations with incomplete findings). If no condition is met at the turn limit, the investigation is inconclusive.

Q: Can we retry a failed investigation? A: You can attempt the same investigation again next turn (costs full budget again), but you still don't know if you'll succeed. You're essentially re-investigating the same evidence looking for something you missed.


Printable Components

All printable cards are available in:
- cards/forensics/core-deck/investigation-cards.md — 12 Investigation Action cards
- cards/forensics/core-deck/evidence-cards.md — 12 Evidence cards + 4 Findings cards (Findings section)

Progress Meter Tracker: print templates coming in the print pack. Until then, draw a simple 4-meter tracker on paper: four rows labeled Timeline Completeness, Attack Chain Reconstruction, Attribution Confidence, and Evidence Chain of Custody, each marked 0-100% in 5% steps, plus a Turn row and a Budget row (0-100).


Ready to investigate? Print your cards, gather your forensic analysts, and begin your investigation. Good luck!

cards/forensics/core-deck/investigation-cards.md

Forensics Module: Investigation Action Cards (Core Deck)

Version: 2.2 - Playtest Edition Card Count: 12 Investigation Action Cards Printable: Yes (see printing instructions below)


Overview

Investigation Action cards represent specific forensic analysis techniques that investigators can deploy to discover evidence about the attack. Each card has a Difficulty Class (DC) that represents the skill required to successfully complete the investigation, a Cost in Budget, and a Duration showing how many turns the investigation takes.

Duration rule (v2.2): Starting an investigation with Duration N occupies your action (and its Budget cost) on the turn you start it. Counting that turn as turn 1, the roll is made and the results arrive at the START of turn N — so Duration 1 resolves immediately, Duration 2 at the start of the next turn, Duration 3 two turns after starting. Only ONE multi-turn investigation may be in flight at a time; you may take other actions while waiting.

No Double Counting (v2.2): When an investigation discovers an Evidence card, apply ONLY the Evidence card's printed meter impacts (plus the +5% Chain of Custody handling bonus for stating how it was preserved). The "Advance" line in each card's SUCCESS block applies only when no Evidence card is produced (e.g., no suitable undiscovered Evidence remains); partial-success advance lines apply as printed.
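The turn procedure in the Quick Reference Card and the Duration rule above are easy to get wrong at the table (when does a Duration 3 card roll? what is a +1 modifier actually worth?). The following is an added example, written for this edition and not part of the Incident Zero rules text: a small Python resolver that encodes only the v2.2 rules as printed (d20 + skill modifier vs. DC, partial success on a total of DC-2 or DC-1, a Duration-N investigation rolling at the start of turn start+N-1, one multi-turn investigation in flight). The `Tracker` class and its method names are this example's own invention, not game terminology.

```python
"""Resolver for the v2.2 Forensics turn mechanics (added example, not rules text).
Assumes only the printed rules: d20 + modifier vs. DC, partial band at DC-2..DC-1,
Duration N arrives at the start of turn (start + N - 1), one in flight at a time."""
from dataclasses import dataclass
from typing import Optional, Tuple

SUCCESS, PARTIAL, FAILURE = "success", "partial", "failure"


def resolve(roll: int, dc: int, modifier: int = 0) -> str:
    """Classify a single d20 roll against a card's DC after modifiers."""
    if not 1 <= roll <= 20:
        raise ValueError("a d20 roll is 1-20")
    total = roll + modifier
    if total >= dc:
        return SUCCESS
    if total >= dc - 2:          # DC-2 and DC-1 form the partial band
        return PARTIAL
    return FAILURE


def outcome_odds(dc: int, modifier: int = 0) -> dict:
    """Exact probability of each outcome for one roll at this DC/modifier.
    Lets the TO see what a +1 'explain it like an analyst' bonus buys."""
    counts = {SUCCESS: 0, PARTIAL: 0, FAILURE: 0}
    for roll in range(1, 21):
        counts[resolve(roll, dc, modifier)] += 1
    return {k: v / 20 for k, v in counts.items()}


def arrival_turn(start_turn: int, duration: int) -> int:
    """Turn at whose START a Duration-N investigation rolls: the starting
    turn counts as turn 1, so Duration 1 resolves on the spot."""
    if not 1 <= duration <= 3:
        raise ValueError("Duration is 1-3")
    return start_turn + duration - 1


@dataclass
class Tracker:
    """Minimal Budget/turn tracker enforcing the one-in-flight rule (hypothetical helper)."""
    budget: int = 75
    turn: int = 1
    in_flight: Optional[dict] = None   # the pending multi-turn investigation

    def start_investigation(self, card: str, cost: int, dc: int,
                            duration: int, modifier: int = 0) -> int:
        """Steps 2-3: choose and pay. Returns the turn on which the result arrives.
        A Duration-1 card returns the current turn: roll it immediately."""
        if duration > 1 and self.in_flight is not None:
            raise RuntimeError("only one multi-turn investigation may be in flight")
        if cost > self.budget:
            raise RuntimeError("not enough Budget")
        self.budget -= cost
        arrives = arrival_turn(self.turn, duration)
        if duration > 1:
            self.in_flight = {"card": card, "dc": dc,
                              "modifier": modifier, "arrives": arrives}
        return arrives

    def next_turn(self, roll: Optional[int] = None) -> Optional[Tuple[str, str]]:
        """Step 1 of the new turn: resolve an arriving investigation, if any,
        using `roll` as its d20 result. Returns (card, outcome) or None."""
        self.turn += 1
        job = self.in_flight
        if job is not None and job["arrives"] == self.turn:
            if roll is None:
                raise ValueError("an arriving investigation needs a d20 roll")
            self.in_flight = None
            return job["card"], resolve(roll, job["dc"], job["modifier"])
        return None


if __name__ == "__main__":
    # DISK-01 (DC 12, cost 10, Duration 2) started on turn 1 with a +1 modifier
    t = Tracker()
    print("arrives on turn", t.start_investigation("DISK-01", 10, 12, 2, modifier=1))
    print("odds at DC 12 with +1:", outcome_odds(12, 1))
    print("turn 2 start:", t.next_turn(roll=11))   # 11 + 1 = 12 -> success
```

A useful table-side fact this makes visible: on a DC 12 card a +3 modifier moves success from 45% to 60% while the partial band stays a flat 10%, so the "talk like an analyst" bonuses are worth more than they look.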


Card Structure

Each Investigation Action Card includes:
- Card ID: Unique identifier (DISK-01, MEM-01, LOG-01, etc.)
- Title: Name of investigation technique
- MITRE ATT&CK: Referenced technique(s) this investigation detects
- Difficulty Class (DC): Roll d20+modifiers vs. this to succeed (typically 11-15)
- Cost: Budget units required
- Duration: Number of turns investigation takes
- Description: What the investigation does and what evidence it reveals
- Success Conditions: What happens on success, partial success, or failure
- Chain of Custody Notes: Any admissibility or documentation concerns


Card Details

DISK-01: Disk Image & Analysis

╔════════════════════════════════════════════════════════════════╗
║              DISK-01: DISK IMAGE & ANALYSIS                    ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Forensic Disk Imaging & Analysis                    ║
║ MITRE ATT&CK: T1005 (Data from Local System), T1025 (Data from ║
║              Removable Media)                                  ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 12                                           ║
║ Budget Cost: 10                                                ║
║ Duration: 2 turns (v2.2 rush: pay +5 Budget for Duration 1)    ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Create a bit-for-bit disk image of the compromised system,     ║
║ then examine file system artifacts, deleted files, and         ║
║ hidden data. This is a foundational forensic technique.        ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Malware files (executables, scripts, libraries)              ║
║ - Deleted files (carving recovers data not yet overwritten)    ║
║ - Persistence mechanisms (startup folders, registry runs)      ║
║ - Downloaded files (browser cache, temp directories)           ║
║ - Suspicious file timestamps (backdating, mismatches)          ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 12):                                        ║
║ Discover ONE Evidence card from: Malware Sample, Persistence   ║
║ Mechanism, or Downloaded Malware evidence set.                 ║
║ Advance (only if no Evidence card produced):                   ║
║ Timeline Completeness +10%, Attack Chain +15%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll DC-2 to DC-1 = 10-11):                  ║
║ Discover INCOMPLETE Evidence card (partial findings).          ║
║ Advance: Timeline Completeness +5%, Attack Chain +5%           ║
║                                                                 ║
║ FAILURE (roll < 10):                                           ║
║ No evidence discovered. Budget still spent. Take a turn.       ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Disk image must be bit-for-bit copy. Chain of custody:         ║
║ Strong - Imaging is gold standard in forensics.                ║
║ ✓ All evidence from this source is admissible in court         ║
║                                                                 ║
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has formal GCIH/GCFE training               ║
║ +1 if investigator has IT administration background            ║
║ +1 if team provides detailed explanation of imaging process    ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Disk imaging is time-consuming (hence 2 turn cost)           ║
║ • Can be combined with DISK-02 for deeper analysis             ║
║ • Foundation for all disk-based forensic work                  ║
║ • Imaging works on any drive, but deleted-data recovery is     ║
║   weaker on SSDs (TRIM and wear-leveling erase free space)     ║
╚════════════════════════════════════════════════════════════════╝

DISK-02: File System Carving

╔════════════════════════════════════════════════════════════════╗
║              DISK-02: FILE SYSTEM CARVING                      ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Advanced File Recovery & Data Carving               ║
║ MITRE ATT&CK: T1074 (Data Staged), T1485 (Data Destruction)   ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 14                                           ║
║ Budget Cost: 15                                                ║
║ Duration: 3 turns (specialized expertise required)             ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Advanced carving techniques recover data from unallocated      ║
║ disk space and file slack by content signature, even when the  ║
║ file system metadata is gone. Sectors that have actually been  ║
║ overwritten are not recoverable. Uses tools like EnCase, FTK,  ║
║ or open-source carvers such as scalpel and PhotoRec.           ║
║                                                                ║
║ What You're Looking For:                                       ║
║ - Deleted malware (recovered from free space)                  ║
║ - Temporary files (attacker staging data before exfil)         ║
║ - Encryption keys or passphrases (pagefile/hiberfil remnants)  ║
║ - Hidden partitions or file systems                            ║
║ - Slack space artifacts                                        ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 14):                                        ║
║ Discover ONE Evidence card from: Deep Malware Samples,         ║
║ Encryption Keys Found, or Hidden Backdoor evidence.            ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Chain of Custody +10%                       ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 12-13):                                  ║
║ Discover partial data (e.g., fragments of deleted file).       ║
║ Advance: Attack Chain +10%, Chain of Custody +5%               ║
║                                                                 ║
║ FAILURE (roll < 12):                                           ║
║ Data too corrupted or already overwritten. No recovery.        ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Carving is technically sound but must be documented carefully. ║
║ Chain of Custody: Strong if done by certified analyst.         ║
║ ⚠ Partial carving may be challenged in court (incomplete       ║
║   file recovery). Recommend combining with other techniques.   ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has GCFE (Certified Forensic Examiner)      ║
║ +1 if investigator has disk forensics experience               ║
║ +1 if combined with DISK-01 investigation already done         ║
║ -1 if SSD drives present (TRIM discards deleted data early)    ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Expensive investigation (15 budget) for specialized work     ║
║ • Can take weeks in real incidents; represented as 3 turns     ║
║ • Most valuable for discovering deleted persistence and        ║
║   encryption keys                                              ║
║ • Less effective on modern systems with TRIM/wear-leveling     ║
╚════════════════════════════════════════════════════════════════╝
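DISK-01 and DISK-02 both hinge on two habits a court will ask about: the image hashes the same before and after you worked on it, and carving is content matching that cannot resurrect overwritten sectors. The following is an added example in Python, not part of the Incident Zero deck or any vendor tool: signature-based carving over a raw image plus the acquisition-hash check. The "image" is a constructed byte string standing in for a bit-for-bit copy (it embeds an intact deleted PDF and PNG and one PDF whose tail was overwritten); the magic-byte signatures are the real ones, and `max_len` is an illustrative cap.

```python
"""Signature carving over a raw disk image with integrity hashing (added example).
The image below is constructed in-line; no real disk or file is read."""
import hashlib
import hmac

# Header and footer magic bytes for a few carvable types (real values).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Chain-of-custody check: the working copy must hash exactly to the
    value recorded at acquisition time."""
    return hmac.compare_digest(sha256_hex(image), acquisition_hash)


def carve(image: bytes, max_len: int = 1 << 20) -> list:
    """Return (type, offset, length) for each header with a matching footer
    within max_len bytes. Pure content matching: it finds files whose
    directory entries are gone, but not files whose sectors were reused."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_len)
            if end == -1:                 # truncated or overwritten: skip it
                pos = image.find(header, pos + 1)
                continue
            length = end + len(footer) - pos
            found.append((ftype, pos, length))
            pos = image.find(header, pos + length)
    return sorted(found, key=lambda f: f[1])


def extract(image: bytes, entry: tuple) -> bytes:
    """Slice one carved file out of the image (the image itself is untouched)."""
    _, offset, length = entry
    return image[offset:offset + length]


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: a deterministic filler that
    contains no signature bytes, a deleted PDF and PNG still intact, and a
    PDF whose tail was overwritten (header present, no footer)."""
    filler = bytes(range(256)) * 4              # 1024 bytes, no magic inside
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"IEND\xaeB`\x82"
    return (filler[:512] + pdf + filler[:200] + png + filler[:300]
            + b"%PDF-1.7\n" + filler[:100])


if __name__ == "__main__":
    image = build_sample_image()
    acquired = sha256_hex(image)            # record this on the custody form
    for entry in carve(image):
        print(entry, extract(image, entry)[:8])
    print("image unchanged after analysis:", verify_image(image, acquired))
```

The overwritten PDF is deliberately not reported: a carver that emitted a header with no body would be exactly the "partial carving" a defence expert challenges. Hash the image once at acquisition, again after every analysis session, and keep both values with the examiner's name and time.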

MEM-01: Memory Dump & Analysis

╔════════════════════════════════════════════════════════════════╗
║              MEM-01: MEMORY DUMP & ANALYSIS                    ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Volatile Memory Forensics (RAM analysis)            ║
║ MITRE ATT&CK: T1055 (Process Injection), T1057 (Process        ║
║              Discovery), T1518 (Software Discovery)            ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 13                                           ║
║ Budget Cost: 15                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Capture RAM (volatile memory) from running system during       ║
║ incident response, then analyze for active processes, malware, ║
║ injected code, network connections, and encryption keys in     ║
║ memory. Uses tools like Volatility, Rekall, or proprietary     ║
║ memory analysis suites.                                        ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Malware processes running in memory                          ║
║ - Injected code (shellcode, DLLs in unexpected processes)      ║
║ - Network connections (established C2 connections)             ║
║ - Encryption keys and credentials in memory                    ║
║ - Command history from interactive shells                      ║
║ - Rootkit or kernel-level hooks                                ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 13):                                        ║
║ Discover ONE Evidence card from: Active Malware Process,       ║
║ C2 Connection, or Injected Code evidence.                      ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Timeline Completeness +10%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 11-12):                                  ║
║ Discover evidence of suspicious process (incomplete details).  ║
║ Advance: Attack Chain +10%, Timeline Completeness +5%          ║
║                                                                 ║
║ FAILURE (roll < 11):                                           ║
║ Malware may use anti-forensics in memory; analysis inconclusive║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Memory capture is volatile and must be done before power-off;  ║
║ the capture tool itself changes memory, so record tool, time,  ║
║ and hash of the dump. Chain of Custody: Strong if documented.  ║
║ ✓ Admissible, but note the volatile nature of the source       ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator trained in memory forensics (Volatility)    ║
║ +1 if malware analysis background                              ║
║ +1 if Analyze Evidence action previously discovered malware    ║
║ -2 if memory was overwritten before capture (time-sensitive)   ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Time-critical: Memory is lost if system is rebooted          ║
║ • Reveals active threats that may not exist on disk            ║
║ • Combines process discovery with malware analysis             ║
║ • Most valuable for finding active C2 connections              ║
╚════════════════════════════════════════════════════════════════╝

MEM-02: Memory Forensics Deep Dive

╔════════════════════════════════════════════════════════════════╗
║              MEM-02: MEMORY FORENSICS DEEP DIVE                ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Advanced Volatile Memory Analysis                   ║
║ MITRE ATT&CK: T1112 (Modify Registry), T1055 (Process          ║
║              Injection), T1140 (Deobfuscate/Decode Files)      ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 15                                           ║
║ Budget Cost: 20                                                ║
║ Duration: 3 turns (expert-level analysis)                      ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Expert-level memory analysis including malware behavior        ║
║ simulation, deobfuscation of shellcode, reverse engineering    ║
║ of code injected into memory, and recovery of encryption keys. ║
║ Requires deep expertise in assembly language, malware tactics, ║
║ and memory layouts.                                            ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Obfuscated/encrypted malware payloads (deobfuscate them)     ║
║ - Code injection techniques (understand HOW malware hides)     ║
║ - Encryption keys and passphrases in memory (crypto recovery)  ║
║ - Malware command history (recent attacker commands)           ║
║ - Process hollowing or code caves (injection/evasion methods)  ║
║ - Privilege escalation vulnerabilities in use                  ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 15):                                        ║
║ Discover TWO Evidence cards: One from malware behavior set     ║
║ (e.g., Encryption Keys, Command History) + one from attack     ║
║ technique set (e.g., Code Injection Method, Exploitation Used).║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +25%, Attribution +20%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 13-14):                                  ║
║ Discover ONE complete Evidence + incomplete second evidence.   ║
║ Advance: Attack Chain +15%, Attribution +10%                   ║
║                                                                 ║
║ FAILURE (roll < 13):                                           ║
║ Malware uses sophisticated anti-analysis; analysis fails.      ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Analysis documentation critical (how did you reach conclusions)║
║ Chain of Custody: Strong if reverse engineering is documented. ║
║ ⚠ Conclusions must be explained clearly for court admissibility║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +3 if investigator has GCFA (Certified Forensic Analyst)       ║
║ +2 if malware reverse engineering background                   ║
║ +1 if Malware Analysis card already completed                  ║
║ +1 if detailed explanation of deobfuscation approach           ║
║ -2 if malware is heavily obfuscated or virtualized             ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Most expensive memory analysis (20 budget)                   ║
║ • Requires reverse engineering expertise                       ║
║ • Discovers "why" the malware works, not just "what"          ║
║ • Essential for understanding sophisticated attacks            ║
║ • Can take weeks in real investigations; represented as 3 turns║
╚════════════════════════════════════════════════════════════════╝

LOG-01: Event Log Analysis

╔════════════════════════════════════════════════════════════════╗
║              LOG-01: EVENT LOG ANALYSIS                        ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Windows/Linux Log Examination                       ║
║ MITRE ATT&CK: T1552 (Unsecured Credentials), T1098 (Account    ║
║              Manipulation)                                     ║
║              T1021 (Remote Services), T1078 (Valid Accounts)   ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 11                                           ║
║ Budget Cost: 5                                                 ║
║ Duration: 1 turn                                               ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Analyze system event logs (Windows Event Log, syslog, etc.)    ║
║ to identify user logins, privilege escalations, file access,   ║
║ and process execution. This is foundational and relatively     ║
║ quick—useful for establishing a basic timeline.                ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Failed login attempts (brute force evidence)                 ║
║ - Successful logins from unusual locations/times               ║
║ - Privilege escalation attempts (RunAs, sudo)                  ║
║ - Process creation events                                      ║
║ - Service installation events                                  ║
║ - File access to sensitive files                               ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 11):                                        ║
║ Discover ONE Evidence card from: Suspicious Login Timeline,    ║
║ Privilege Escalation Attempt, or Service Installation evidence.║
║ Advance (only if no Evidence card produced):                   ║
║ Timeline Completeness +15%, Attack Chain +10%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 9-10):                                   ║
║ Discover partial timeline (logs are fragmented or unclear).    ║
║ Advance: Timeline Completeness +5%, Attack Chain +5%           ║
║                                                                 ║
║ FAILURE (roll < 9):                                            ║
║ Logs were deleted or corrupted; no useful evidence.            ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Logs must be exported with metadata (timestamps, user context).║
║ Chain of Custody: Strong if logs are digitally signed.         ║
║ ✓ Admissible in court (widely accepted evidence type)         ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +1 if investigator has Windows administration experience       ║
║ +1 if investigator has SIEM/log analysis background            ║
║ +1 if detailed explanation of log analysis approach            ║
║ +2 if prior Timeline Reconstruction investigation completed    ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Cheapest investigation (5 budget) - good starting point      ║
║ • Fastest (1 turn) - can be done early in investigation        ║
║ • Foundation for Timeline Reconstruction and Log Correlation   ║
║ • May be ineffective if attacker deleted logs (apply the       ║
║   anti-forensics penalty: +2 DC)                               ║
╚════════════════════════════════════════════════════════════════╝

LOG-02: Deep Log Correlation

╔════════════════════════════════════════════════════════════════╗
║              LOG-02: DEEP LOG CORRELATION                      ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Cross-System Log Analysis & Correlation             ║
║ MITRE ATT&CK: T1087 (Account Discovery), T1021 (Remote         ║
║              Services), T1083 (File and Directory Discovery)   ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 13                                           ║
║ Budget Cost: 10                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Correlate logs from multiple systems (servers, firewalls, IDS, ║
║ proxies, domain controllers) to build a complete timeline of   ║
║ attacker lateral movement and actions across the environment.  ║
║ Requires SIEM expertise or manual correlation tools.           ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Lateral movement pattern (login on A → login on B → etc)     ║
║ - Privilege escalation sequence (user to admin to system)      ║
║ - Command execution across systems                             ║
║ - Network connections (firewall → host activity)               ║
║ - Timeline of data access and exfiltration                     ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 13):                                        ║
║ Discover ONE Evidence card from: Lateral Movement Pattern,     ║
║ Complete Attack Timeline, or Attacker Command Sequence.        ║
║ Advance (only if no Evidence card produced):                   ║
║ Timeline Completeness +20%, Attack Chain +25%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 11-12):                                  ║
║ Discover partial timeline (some systems missing logs).         ║
║ Advance: Timeline Completeness +15%, Attack Chain +10%         ║
║                                                                 ║
║ FAILURE (roll < 11):                                           ║
║ Too many log gaps; timeline cannot be reliably correlated.     ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Correlation requires clear documentation of methodology.       ║
║ Chain of Custody: Strong if SIEM tool provided audit trail.    ║
║ ✓ Admissible if correlation process is documented clearly     ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has SIEM administration (Splunk, ArcSight) ║
║ +1 if LOG-01 already completed (building on prior analysis)    ║
║ +1 if detailed explanation of correlation methodology         ║
║ +2 if team provides narrative of suspected attacker movements  ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Most valuable for understanding "how" attacker moved         ║
║ • Reveals attack pace and duration (dwell time)                ║
║ • Can expose failed lateral movement attempts                  ║
║ • Requires multiple systems to have logging enabled            ║
╚════════════════════════════════════════════════════════════════╝
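LOG-01 and LOG-02 describe what to look for (a brute-force burst that ends in a success; logins that chain from one host to the next) but not how the correlation is actually done. The following is an added example in Python, not part of the Incident Zero deck: both checks run over a handful of constructed sshd auth-log lines. The hostnames, the documentation-range IP addresses and the `HOST_IPS` map (which host owns which internal IP) are made up for the example; the log format is the real OpenSSH one.

```python
"""LOG-01 brute-force detection and LOG-02 lateral-movement correlation over
constructed sshd log lines (added example; hosts, IPs and HOST_IPS are made up)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample: password guessing on web01, then hops web01 -> app02 -> dc01,
# plus an unrelated admin login from 10.0.9.9 that must NOT join the chain.
LOG_LINES = """\
2024-03-05T02:14:01Z web01 sshd[1001]: Failed password for admin from 203.0.113.5 port 51234 ssh2
2024-03-05T02:14:03Z web01 sshd[1002]: Failed password for admin from 203.0.113.5 port 51235 ssh2
2024-03-05T02:14:05Z web01 sshd[1003]: Failed password for admin from 203.0.113.5 port 51236 ssh2
2024-03-05T02:14:08Z web01 sshd[1004]: Failed password for admin from 203.0.113.5 port 51237 ssh2
2024-03-05T02:14:11Z web01 sshd[1005]: Accepted password for admin from 203.0.113.5 port 51238 ssh2
2024-03-05T02:20:44Z app02 sshd[2310]: Accepted publickey for svc_deploy from 10.0.1.10 port 40210 ssh2
2024-03-05T02:31:09Z dc01 sshd[3377]: Accepted password for admin from 10.0.2.20 port 40555 ssh2
2024-03-05T03:02:17Z web01 sshd[1010]: Accepted publickey for alice from 10.0.9.9 port 39000 ssh2
"""

HOST_IPS = {"web01": "10.0.1.10", "app02": "10.0.2.20", "dc01": "10.0.3.30"}  # assumed
IP_TO_HOST = {ip: host for host, ip in HOST_IPS.items()}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    result: str   # "Accepted" or "Failed"
    user: str
    src: str


def parse_auth_log(text: str) -> List[Event]:
    """Parse sshd lines into time-ordered events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["host"], m["result"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def detect_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """LOG-01: at least `threshold` failures for one (host, src, user) inside
    `window`, followed by an Accepted, is a successful brute force."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.host, e.src, e.user)].append(e)
    hits = []
    for (host, src, user), evs in by_key.items():
        fails = []
        for e in evs:                     # already time-ordered
            if e.result == "Failed":
                fails.append(e.ts)
                continue
            recent = [t for t in fails if e.ts - t <= window]
            if len(recent) >= threshold:
                hits.append({"host": host, "src": src, "user": user,
                             "failures": len(recent), "success_at": e.ts})
            fails = []
    return hits


def lateral_movement(events, pivot_src: str):
    """LOG-02: starting from the attacker's external IP, follow successful
    logins whose source is the IP of a host already reached. Returns
    (time, came_from, host, user) for the first arrival on each host."""
    reached, chain = set(), []
    for e in sorted(events, key=lambda e: e.ts):
        if e.result != "Accepted":
            continue
        via = IP_TO_HOST.get(e.src)
        if (e.src == pivot_src or via in reached) and e.host not in reached:
            reached.add(e.host)
            chain.append((e.ts, via or e.src, e.host, e.user))
    return chain


if __name__ == "__main__":
    evs = parse_auth_log(LOG_LINES)
    for hit in detect_brute_force(evs):
        print("brute force:", hit)
    for ts, came_from, host, user in lateral_movement(evs, "203.0.113.5"):
        print(f"{ts:%H:%M:%S} {came_from:>12} -> {host} as {user}")
```

The chain stops at the first arrival per host on purpose: later logins to an already-compromised host add noise, not hops. Note what the correlation depends on, which is exactly the card's "Requires multiple systems to have logging enabled" caveat: if app02 had not been forwarding sshd logs, dc01's login from 10.0.2.20 would be an orphan with no path back to the foothold.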

NET-01: Network Traffic Analysis

╔════════════════════════════════════════════════════════════════╗
║              NET-01: NETWORK TRAFFIC ANALYSIS                  ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Packet Capture & Flow Analysis                      ║
║ MITRE ATT&CK: T1041 (Exfiltration Over C2), T1048 (Alternative ║
║              Protocol), T1071 (Application Layer Protocol)     ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 12                                           ║
║ Budget Cost: 10                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Analyze network traffic captures (PCAP) or network flow records║
║ (NetFlow) to identify communication patterns, exfiltration     ║
║ evidence, and command-and-control connections. Uses tools like ║
║ Wireshark, Zeek, or commercial traffic analysis platforms.    ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Unusual outbound connections (C2 domains, IPs)               ║
║ - Large data transfers (exfiltration evidence)                 ║
║ - Encrypted tunnels (VPN, proxy connections)                   ║
║ - DNS queries for suspicious domains                           ║
║ - HTTP user agents inconsistent with legitimate software       ║
║ - Beacon-like patterns (regular connection attempts)           ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 12):                                        ║
║ Discover ONE Evidence card from: C2 Server Evidence,           ║
║ Exfiltration Traffic Pattern, or Suspicious Domain Lookup.     ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Attribution +15%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 10-11):                                  ║
║ Discover suspicious traffic but destination unclear.           ║
║ Advance: Attack Chain +10%, Attribution +5%                    ║
║                                                                 ║
║ FAILURE (roll < 10):                                           ║
║ Traffic too encrypted or obfuscated; cannot analyze.           ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ PCAP files must include timestamp and collection metadata.     ║
║ Chain of Custody: Strong if collected from router/IDS.         ║
║ ✓ Admissible (widely accepted for network evidence)           ║
║ ⚠ Encrypted traffic reveals patterns but not content           ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has Wireshark/packet analysis certification ║
║ +1 if network engineering background                           ║
║ +1 if Threat Attribution evidence already discovered           ║
║ -1 if traffic is heavily encrypted or anonymized              ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Reveals attacker communication patterns                      ║
║ • Can identify C2 infrastructure                               ║
║ • Exfiltration volume is critical evidence                     ║
║ • Encrypted traffic is harder to analyze but patterns visible  ║
╚════════════════════════════════════════════════════════════════╝
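The card's closing note is the practical one: with TLS everywhere, NET-01 lives on metadata, and the two metadata signals that survive encryption are timing (beaconing) and volume (exfiltration). The following is an added example in Python, not part of the Incident Zero deck: both detections run over constructed NetFlow-style records. The addresses are documentation ranges, the CSV layout is this example's own, and the thresholds (`min_conns`, `max_jitter`, `min_bytes`) are illustrative rather than tuned to any real network.

```python
"""Beacon and exfiltration detection over constructed flow records (added example).
Beacon = many connections to one destination with near-constant spacing;
exfiltration = outbound volume far above everything else."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow export: a 5-minute beacon from 10.0.1.10, a 50 MB upload
# from 10.0.2.20, and irregular HTTPS traffic as background.
FLOWS_CSV = """\
ts,src,dst,dport,bytes_out
2024-03-05T02:30:00Z,10.0.1.10,198.51.100.23,443,1180
2024-03-05T02:35:01Z,10.0.1.10,198.51.100.23,443,1202
2024-03-05T02:40:00Z,10.0.1.10,198.51.100.23,443,1175
2024-03-05T02:45:02Z,10.0.1.10,198.51.100.23,443,1190
2024-03-05T02:50:00Z,10.0.1.10,198.51.100.23,443,1184
2024-03-05T02:55:01Z,10.0.1.10,198.51.100.23,443,1199
2024-03-05T03:00:00Z,10.0.1.10,198.51.100.23,443,1188
2024-03-05T03:04:10Z,10.0.2.20,198.51.100.77,443,52428800
2024-03-05T02:31:17Z,10.0.1.10,192.0.2.10,443,3100
2024-03-05T02:47:52Z,10.0.1.10,192.0.2.10,443,2800
2024-03-05T03:12:40Z,10.0.1.10,192.0.2.10,443,3400
2024-03-05T02:33:05Z,10.0.1.11,192.0.2.10,443,2900
"""


def parse_flows(text: str) -> list:
    """Read the CSV into dicts with a real datetime and integer fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                     "src": r["src"], "dst": r["dst"],
                     "dport": int(r["dport"]), "bytes_out": int(r["bytes_out"])})
    return rows


def find_beacons(flows, min_conns: int = 5, max_jitter: float = 0.2) -> list:
    """Flag (src, dst, dport) tuples whose inter-connection gaps are regular:
    coefficient of variation (stdev / mean of the gaps) at or below max_jitter."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / period if period else float("inf")
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "connections": len(times),
                            "period_s": period, "jitter": round(jitter, 4)})
    return beacons


def find_exfiltration(flows, min_bytes: int = 10 * 1024 * 1024) -> list:
    """Sum outbound bytes per (src, dst) and flag pairs at or above min_bytes.
    Returns (src, dst, total_bytes), largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes_out"]
    big = [(s, d, n) for (s, d), n in totals.items() if n >= min_bytes]
    return sorted(big, key=lambda x: -x[2])


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    for b in find_beacons(flows):
        print("beacon:", b)
    for s, d, n in find_exfiltration(flows):
        print(f"exfiltration candidate: {s} -> {d} {n / 2**20:.1f} MiB")
```

Real C2 frameworks add random jitter to the sleep interval precisely to defeat the coefficient-of-variation test, so in practice you raise `max_jitter`, require more connections, and add the tells the card lists alongside timing: a user agent no legitimate client sends, and DNS lookups for the destination that predate the first connection. The volume check is the easy one; the hard part is a baseline, which is why the card makes exfiltration volume "critical evidence" rather than a proof.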

NET-02: Packet Capture Deep Analysis

╔════════════════════════════════════════════════════════════════╗
║              NET-02: PACKET CAPTURE DEEP ANALYSIS              ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Advanced Protocol Forensics & Reconstruction        ║
║ MITRE ATT&CK: T1557 (Adversary-in-the-Middle), T1040 (Network ║
║              Sniffing), T1071 (Application Layer Protocol)     ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 14                                           ║
║ Budget Cost: 15                                                ║
║ Duration: 3 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Deep packet inspection including protocol reconstruction       ║
║ (rebuilding HTTP streams, email messages, file transfers from  ║
║ packet payloads), malware traffic analysis, and detection of   ║
║ exploitation attempts in traffic. Requires advanced networking  ║
║ and protocol knowledge.                                        ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Reconstructed HTTP/S traffic (actual data transferred)       ║
║ - Exploitation payloads in network traffic (shellcode, etc)    ║
║ - Malware command protocols (custom C2 protocols)              ║
║ - Authentication attempts (credentials in transit)             ║
║ - Man-in-the-middle evidence (SSL/TLS downgrade, cert mismatches)║
║ - Attacker reconnaissance traffic patterns                     ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 14):                                        ║
║ Discover TWO Evidence cards from: Exploitation Traffic,        ║
║ C2 Protocol Details, or Attacker Reconnaissance Pattern.       ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +25%, Attribution +25%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 12-13):                                  ║
║ Discover ONE complete evidence + incomplete second.            ║
║ Advance: Attack Chain +15%, Attribution +10%                   ║
║                                                                 ║
║ FAILURE (roll < 12):                                           ║
║ Encryption or obfuscation prevents useful reconstruction.      ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ PCAP reconstruction must document decoding methodology.        ║
║ Chain of Custody: Moderate (depends on decoding assumptions).  ║
║ ⚠ If encrypted traffic decoded, must explain decryption method║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has network forensics certification         ║
║ +2 if protocol reverse engineering experience                  ║
║ +1 if NET-01 already completed (building on analysis)          ║
║ -2 if traffic is encrypted and keys not recovered              ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Most detailed network analysis (3 turns)                     ║
║ • Requires protocol expertise (HTTP, DNS, custom protocols)    ║
║ • Reveals actual attacker commands and data stolen             ║
║ • Challenging when traffic is encrypted                        ║
╚════════════════════════════════════════════════════════════════╝
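Protocol reconstruction as NET-02 describes it starts with putting one direction of a TCP flow back into sequence-number order before the application protocol on top can be parsed. The following is an added example, not code from this bundle: the request bytes, the initial sequence number and the way the stream is split into segments are constructed. It reassembles out-of-order and retransmitted segments, records any gap a missing segment leaves rather than hiding it, then parses the HTTP request and checks that the declared body actually arrived. Wireshark's Follow TCP Stream does the same job interactively; the point here is the logic, and the custody-relevant rule that a gap must be reported, not papered over.

```python
# Constructed client-to-server payload; in a real case the segments come
# from a PCAP filtered to a single flow.
REQUEST = (b"POST /upload HTTP/1.1\r\n"
           b"Host: 203.0.113.9\r\n"
           b"Content-Length: 11\r\n"
           b"\r\n"
           b"hello world")
ISN = 1000  # assumed initial sequence number of this direction
SEGMENTS = [                      # delivered out of order, one retransmitted
    (ISN + 40, REQUEST[40:]),
    (ISN, REQUEST[:20]),
    (ISN + 20, REQUEST[20:40]),
    (ISN + 20, REQUEST[20:40]),
]

def reassemble_stream(isn, segments):
    """Order (seq, payload) segments by sequence number, dropping duplicate
    or overlapping bytes (first copy wins) and recording gaps left by
    missing segments. Returns (bytes, [(gap_start, gap_end), ...]); gap
    bytes are filled with NUL so later offsets stay aligned."""
    by_seq = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            by_seq.setdefault(seq + i, b)
    if not by_seq:
        return b"", []
    data, gaps = bytearray(), []
    for seq in range(isn, max(by_seq) + 1):
        if seq in by_seq:
            data.append(by_seq[seq])
            continue
        data.append(0)
        if gaps and gaps[-1][1] == seq - 1:
            gaps[-1][1] = seq
        else:
            gaps.append([seq, seq])
    return bytes(data), [tuple(g) for g in gaps]

def parse_http_request(stream):
    """Split a reassembled client stream into request line, headers and
    body, and check whether the declared body length actually arrived."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:declared],
            "body_complete": len(body) >= declared}

def reconstruct_request(isn, segments):
    """Reassemble, then parse only if the stream has no holes; a stream with
    gaps is reported as such so the decoding assumptions stay documented."""
    stream, gaps = reassemble_stream(isn, segments)
    if gaps:
        return {"gaps": gaps, "error": "stream incomplete; not parsed"}
    result = parse_http_request(stream)
    result["gaps"] = gaps
    return result

if __name__ == "__main__":
    print(reconstruct_request(ISN, SEGMENTS))
```

For encrypted flows the same reassembly applies to the TLS records, but nothing inside them is readable without the session keys; a key log from the client (the SSLKEYLOGFILE mechanism Wireshark consumes) is the usual lawful way to get them, and the card's custody line requires that decryption method to be written down.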

MALW-01: Malware Analysis (Dynamic)

╔════════════════════════════════════════════════════════════════╗
║              MALW-01: MALWARE ANALYSIS (DYNAMIC)               ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Behavioral Malware Analysis                         ║
║ MITRE ATT&CK: T1518 (Software Discovery), T1082 (System Info), ║
║              T1012 (Query Registry), T1033 (System Owner/User)  ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 12                                           ║
║ Budget Cost: 15                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Execute malware samples in an isolated sandbox environment     ║
║ and record their behavior. Monitor file system changes, registry║
║ modifications, network connections, and process creation to    ║
║ understand what the malware does without reverse engineering.  ║
║ Uses tools like Cuckoo, Any.run, or commercial sandboxes.     ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - File system changes (what files created/modified)            ║
║ - Registry modifications (persistence mechanisms)              ║
║ - Network communications (DNS, HTTP, etc connections)          ║
║ - Process creation (child processes, injections)               ║
║ - System enumeration (reconnaissance activity)                 ║
║ - Anti-analysis techniques (checks for sandbox)                ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 12):                                        ║
║ Discover ONE Evidence card from: Malware Behavior Profile,     ║
║ Persistence Mechanism Created, or C2 Callback Observed.        ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Attribution +10%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 10-11):                                  ║
║ Malware behavior observed but some details unclear.            ║
║ Advance: Attack Chain +10%, Attribution +5%                    ║
║                                                                 ║
║ FAILURE (roll < 10):                                           ║
║ Malware detects sandbox; exhibits anti-analysis behavior.      ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Sandbox execution creates video/log recordings of behavior.    ║
║ Chain of Custody: Strong if sandbox logs are preserved.        ║
║ ✓ Admissible (widely accepted malware analysis evidence)      ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has GREM (GIAC Reverse Engineering Malware) ║
║ +1 if incident responder with malware analysis training        ║
║ +1 if detailed explanation of behavioral analysis approach     ║
║ -1 if malware implements anti-sandbox techniques               ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • The sample actually runs: isolate the sandbox and sinkhole   ║
║   its network access (static analysis never executes it)       ║
║ • Reveals "what the malware does" not "how it works"          ║
║ • Complements Static Analysis (MALW-02) well                  ║
║ • Useful for identifying persistence and C2 behavior           ║
╚════════════════════════════════════════════════════════════════╝
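A sandbox run yields a raw event stream; the analyst's deliverable is the behaviour profile this card's success line names. The Python below is an added example, not the bundle's and not the real report schema of Cuckoo, Any.run or any commercial sandbox: the event format, process IDs, paths and indicators are constructed. It restricts the stream to the sample's own process tree (so noise from other processes is ignored), then derives persistence, dropped files, network contacts, anti-sandbox checks and the ATT&CK technique each implies.

```python
import os

# Constructed sandbox event stream (simplified format for this example).
SANDBOX_EVENTS = [
    {"t": 0.10, "type": "process", "pid": 100, "ppid": 4,
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe", "cmdline": "invoice.exe"},
    {"t": 0.35, "type": "registry", "pid": 100, "op": "query",
     "key": "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"},                    # VM check
    {"t": 0.50, "type": "file", "pid": 100, "op": "write",
     "path": "C:\\Windows\\System32\\msupd.exe", "size": 184320},
    {"t": 0.60, "type": "registry", "pid": 100, "op": "set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "C:\\Windows\\System32\\msupd.exe"},
    {"t": 0.70, "type": "process", "pid": 130, "ppid": 100,
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Windows_Update_Service /tr C:\\Windows\\System32\\msupd.exe /sc hourly"},
    {"t": 0.90, "type": "process", "pid": 140, "ppid": 900,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},  # unrelated noise
    {"t": 1.20, "type": "dns", "pid": 100, "query": "checkupdate.ru", "answer": "192.0.2.45"},
    {"t": 1.25, "type": "net", "pid": 100, "dst": "192.0.2.45", "port": 443, "proto": "tcp"},
]

RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
VM_MARKERS = ("vbox", "vmware", "qemu", "virtualbox", "xen")

def behavior_profile(events):
    """Reduce a sandbox event stream to a behaviour profile for the sample
    and its descendants. Technique IDs are ATT&CK: T1547.001 Run keys,
    T1053.005 scheduled task, T1497 sandbox evasion, T1071 C2 over an
    application-layer protocol."""
    tracked = set()            # pids that belong to the sample's process tree
    profile = {"persistence": [], "dropped_files": [], "network": [],
               "anti_analysis": [], "children": [], "techniques": set()}
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "process":
            if not tracked:                       # first process is the sample
                tracked.add(ev["pid"])
                continue
            if ev["ppid"] not in tracked:
                continue                          # not part of the sample's tree
            tracked.add(ev["pid"])
            profile["children"].append(os.path.basename(ev["image"].replace("\\", "/")))
            if ev["image"].lower().endswith("schtasks.exe") and "/create" in ev["cmdline"].lower():
                profile["persistence"].append(("scheduled_task", ev["cmdline"]))
                profile["techniques"].add("T1053.005")
            continue
        if ev["pid"] not in tracked:
            continue
        if ev["type"] == "registry":
            key = ev["key"].lower()
            if ev["op"] == "set" and any(k in key for k in RUN_KEYS):
                profile["persistence"].append(("run_key", ev["key"], ev["value"]))
                profile["techniques"].add("T1547.001")
            elif ev["op"] == "query" and any(m in key for m in VM_MARKERS):
                profile["anti_analysis"].append(ev["key"])
                profile["techniques"].add("T1497")
        elif ev["type"] == "file" and ev["op"] == "write":
            profile["dropped_files"].append(ev["path"])
        elif ev["type"] == "dns":
            profile["network"].append(("dns", ev["query"], ev["answer"]))
            profile["techniques"].add("T1071")
        elif ev["type"] == "net":
            profile["network"].append(("connect", ev["dst"], ev["port"]))
            profile["techniques"].add("T1071")
    profile["techniques"] = sorted(profile["techniques"])
    return profile

if __name__ == "__main__":
    print(behavior_profile(SANDBOX_EVENTS))
```

The VBOX registry probe is the card's failure mode in miniature: a sample that finds it may simply exit, so an empty profile after a clean run is itself a finding ("exhibits anti-analysis behaviour") and should be recorded, not discarded.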

MALW-02: Malware Analysis (Static)

╔════════════════════════════════════════════════════════════════╗
║              MALW-02: MALWARE ANALYSIS (STATIC)                ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Code Reverse Engineering & Analysis                 ║
║ MITRE ATT&CK: T1140 (Deobfuscate/Decode Files), T1027          ║
║              (Obfuscated Files or Information), T1071          ║
║              (Application Layer Protocol)                      ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 14                                           ║
║ Budget Cost: 10                                                ║
║ Duration: 2 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Disassemble and analyze malware code without execution using   ║
║ reverse engineering tools (IDA Pro, Ghidra, Binary Ninja, etc).║
║ Examine assembly code, strings, imports, and code structure to ║
║ understand attacker capabilities and techniques. Requires      ║
║ assembly language and debugging expertise.                     ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Hardcoded C2 servers, encryption keys                        ║
║ - Malware capabilities (spyware, RAT, backdoor, etc)           ║
║ - Obfuscation techniques (packing, encryption, polymorphism)   ║
║ - Code similarities to known malware families                  ║
║ - Exploit code (zero-days, known CVEs)                         ║
║ - Attacker identity clues (developer name, code style)         ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 14):                                        ║
║ Discover ONE Evidence card from: Malware Source Code Analysis, ║
║ Hardcoded C2 Server, or Code Similarity to Known Family.       ║
║ Advance (only if no Evidence card produced):                   ║
║ Attack Chain +20%, Attribution +25%                            ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 12-13):                                  ║
║ Understand some code features but full analysis incomplete.    ║
║ Advance: Attack Chain +10%, Attribution +10%                   ║
║                                                                 ║
║ FAILURE (roll < 12):                                           ║
║ Malware is heavily obfuscated; code analysis inconclusive.     ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Reverse engineering analysis is documented with screenshots    ║
║ Chain of Custody: Moderate (interpretation-dependent).         ║
║ ⚠ Conclusions must be clearly explained for admissibility     ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +3 if investigator has GREM (GIAC Reverse Engineering Malware) ║
║ +2 if assembly language and debugging expertise                ║
║ +1 if MALW-01 already completed (building on behavioral findings)║
║ +1 if detailed explanation of reverse engineering approach     ║
║ -2 if malware is polymorphic/heavily obfuscated                ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • High skill requirement (DC 14)                               ║
║ • Reveals "how the malware works"                              ║
║ • Can identify code reuse and attacker patterns                ║
║ • Complements Behavior Analysis (MALW-01) well                ║
║ • Time-consuming (2 turns represents weeks of analysis)        ║
╚════════════════════════════════════════════════════════════════╝
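The first static pass is strings extraction, and the first thing it teaches is that the configuration a sample needs at runtime (the "hardcoded C2 servers, encryption keys" of this card) is usually not stored in the clear. The Python below is an added example and not from this bundle: the stand-in binary, its plaintext strings and the single-byte-XOR-encoded configuration block are constructed. It extracts printable strings the way the strings tool would, then brute-forces every one-byte XOR key and keeps only the keys whose decoding exposes a URL, which recovers the C2 address from the obfuscated block.

```python
import re

# Constructed stand-in for a malware binary: an MZ header, a few plaintext
# strings, and a NUL-terminated config block XOR-encoded with key 0x5A.
PLAINTEXT_PART = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n"
                  + b"\x00" * 8 + b"kernel32.dll\x00CreateRemoteThread\x00" + b"\x00" * 4)
CONFIG = b"c2=http://checkupdate.ru:443/gate.php|id=7\x00"
CONFIG_KEY = 0x5A
SAMPLE = PLAINTEXT_PART + bytes(b ^ CONFIG_KEY for b in CONFIG) + b"\x00" * 6

PRINTABLE = frozenset(range(0x20, 0x7F))

def extract_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes (what `strings` shows)."""
    found, run = [], bytearray()
    for b in data + b"\x00":               # sentinel flushes the final run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?::\d+)?[\x21-\x7e]*")

def xor_recover(data, markers=(b"http://", b"https://")):
    """Try every single-byte XOR key and report (key, indicator) for keys
    whose decoding exposes a URL marker. A one-byte key preserves the
    plaintext's structure, so a known substring is enough to confirm it."""
    hits = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        if any(m in decoded for m in markers):
            hits.extend((key, m.group(0).decode("ascii"))
                        for m in URL_RE.finditer(decoded))
    return hits

if __name__ == "__main__":
    print(extract_strings(SAMPLE))       # DOS stub, import names, and one
                                         # high-entropy printable blob
    print(xor_recover(SAMPLE))           # [(90, 'http://checkupdate.ru:...')]
```

The encoded block still shows up in plain strings output as a high-entropy printable run with no recognisable words; that is the cue to try decoding rather than dismiss it. Multi-byte or rolling keys and packers need real unpacking in a disassembler, which is where the card's DC 14 comes from.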

TIMELINE-01: Timeline Reconstruction

╔════════════════════════════════════════════════════════════════╗
║              TIMELINE-01: TIMELINE RECONSTRUCTION              ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Event Correlation & Chronological Analysis          ║
║ MITRE ATT&CK: T1074 (Data Staged), T1087 (Account Discovery), ║
║              T1046 (Network Service Discovery)                 ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 13                                           ║
║ Budget Cost: 5                                                 ║
║ Duration: 1 turn                                               ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Synthesize evidence from multiple sources (logs, timestamps,   ║
║ file metadata, malware analysis) into a unified chronological  ║
║ timeline of the attack. Identify sequence of events, dwell     ║
║ time, and decision points.                                     ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Entry point and initial compromise time                      ║
║ - Privilege escalation points and timing                       ║
║ - Lateral movement sequence                                    ║
║ - Data reconnaissance timeline                                 ║
║ - Exfiltration timing (when, how much, for how long)           ║
║ - Dwell time (time from first compromise to detection)         ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 13):                                        ║
║ Discover ONE Evidence card: Complete Attack Timeline with      ║
║ key decision points and transitions between phases identified. ║
║ Advance (only if no Evidence card produced):                   ║
║ Timeline Completeness +25%, Attack Chain +15%                  ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 11-12):                                  ║
║ Partial timeline with some events missing or unclear.          ║
║ Advance: Timeline Completeness +15%, Attack Chain +10%         ║
║                                                                 ║
║ FAILURE (roll < 11):                                           ║
║ Too many timestamp discrepancies; timeline unreliable.         ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Timeline must reference source evidence for each event.        ║
║ Chain of Custody: Strong if well-documented and cross-referenced║
║ ✓ Admissible if timeline sources are cited                    ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has a DFIR background (Digital Forensics &  ║
║    Incident Response)                                          ║
║ +1 if LOG-01 or LOG-02 already completed                       ║
║ +2 if detailed explanation synthesizes several evidence sources║
║ +1 if team notes discrepancies and explains them               ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Critical for understanding attack progression                ║
║ • Cheap (5 budget) but requires multiple prior investigations  ║
║ • Fast (1 turn) but depends on prior evidence collection       ║
║ • Foundation for narrative reconstruction of incident          ║
╚════════════════════════════════════════════════════════════════╝
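Every source in a timeline stamps time its own way, and this card's failure mode (too many discrepancies) usually traces back to timezone and clock-skew assumptions that were never written down. The Python below is an added example, not from this bundle: the records and the per-source clock facts are constructed. It normalises ISO-8601, syslog-style and epoch timestamps to UTC, applies a documented skew correction, records every assumption next to the event it touched, sorts, and computes dwell time from first compromise to the detection event.

```python
from datetime import datetime, timedelta, timezone

# Constructed records from sources that stamp time differently:
# ISO-8601 UTC, syslog local time without a year, firewall epoch seconds.
RAW_EVENTS = [
    ("winevt",   "2024-10-15T03:22:15Z",      "4624 logon Administrator from 192.0.2.100"),
    ("syslog",   "Oct 15 05:40:02",           "sshd: accepted key for svc-backup from 10.0.0.5"),
    ("firewall", "1728975000",                "ALLOW 10.0.0.5 -> 203.0.113.9:443 bytes=60000"),
    ("mft",      "2024-10-15T03:25:40.123Z",  "created C:\\Windows\\System32\\msupd.exe"),
    ("edr",      "2024-10-17T09:00:00+00:00", "alert: credential dumper detected"),
]
# Assumed clock facts per source: timezone of naive timestamps and measured
# skew in seconds (positive = that clock runs fast), e.g. from an NTP check.
SOURCE_CLOCKS = {
    "syslog":   {"tz": timezone(timedelta(hours=2)), "skew_s": 0},
    "firewall": {"tz": timezone.utc, "skew_s": 90},
}

def normalize(source, stamp, clocks, default_year):
    """Convert one raw timestamp to aware UTC. Returns (datetime, note);
    the note lists every assumption or correction that was applied."""
    meta = clocks.get(source, {})
    notes = []
    if stamp.isdigit():
        dt = datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    else:
        try:
            dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:                        # syslog style, no year
            dt = datetime.strptime(f"{default_year} {stamp}", "%Y %b %d %H:%M:%S")
            notes.append(f"year {default_year} assumed")
        if dt.tzinfo is None:
            tz = meta.get("tz", timezone.utc)
            dt = dt.replace(tzinfo=tz)
            notes.append(f"naive time read as {tz}")
    skew = meta.get("skew_s", 0)
    if skew:
        dt -= timedelta(seconds=skew)
        notes.append(f"shifted {-skew:+d}s for source clock skew")
    return dt.astimezone(timezone.utc), "; ".join(notes)

def build_timeline(raw_events, clocks, default_year):
    timeline = []
    for source, stamp, message in raw_events:
        utc, note = normalize(source, stamp, clocks, default_year)
        timeline.append({"utc": utc, "source": source, "message": message, "note": note})
    timeline.sort(key=lambda e: e["utc"])
    return timeline

def dwell_seconds(timeline, is_detection):
    """Seconds from the earliest event to the first one satisfying is_detection."""
    detection = next(e for e in timeline if is_detection(e))
    return int((detection["utc"] - timeline[0]["utc"]).total_seconds())

if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS, SOURCE_CLOCKS, default_year=2024)
    for e in tl:
        print(e["utc"].isoformat(), e["source"], e["message"], "|", e["note"])
    print("dwell:", dwell_seconds(tl, lambda e: e["source"] == "edr"), "s")
```

Printing the note column beside each event is what the "+1 if team notes discrepancies and explains them" modifier rewards in practice: an event moved by 90 seconds is defensible when the correction and its source are on the record, and indefensible when it was silently applied.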

THREAT-01: Threat Attribution Analysis

╔════════════════════════════════════════════════════════════════╗
║              THREAT-01: THREAT ATTRIBUTION ANALYSIS            ║
╠════════════════════════════════════════════════════════════════╣
║ Technique: Threat Intelligence & Attribution                   ║
║ MITRE ATT&CK: G#### group / S#### software identification      ║
║              Requires synthesis of all prior evidence           ║
╠════════════════════════════════════════════════════════════════╣
║ Difficulty Class: 15                                           ║
║ Budget Cost: 20                                                ║
║ Duration: 3 turns                                              ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Synthesize all collected evidence (malware, infrastructure,    ║
║ tactics, timeline, victim profile) to attribute the attack to a║
║ known threat group, nation-state, or attacker profile. Includes║
║ cross-referencing with threat intelligence databases, academic ║
║ papers, and law enforcement data. This is the highest-level    ║
║ attribution analysis.                                          ║
║                                                                 ║
║ What You're Looking For:                                       ║
║ - Similar attacks in CTI databases (VirusTotal, OSINT, etc)   ║
║ - Malware signatures matching known threat groups              ║
║ - Tactics & Techniques (TTPs) matching known profiles          ║
║ - Infrastructure (domains, IPs) linked to known campaigns      ║
║ - Language/coding style hints about attacker origin            ║
║ - Geolocation clues from timestamps and infrastructure         ║
║ - Victim profile matching known group targeting patterns       ║
╠════════════════════════════════════════════════════════════════╣
║ SUCCESS (roll ≥ DC 15):                                        ║
║ Discover ONE Evidence card: Threat Attribution Report with     ║
║ confidence level (60-90%) linking to specific threat group.    ║
║ Advance (only if no Evidence card produced):                   ║
║ Attribution Confidence +35%, Attack Chain +10%                 ║
║                                                                 ║
║ PARTIAL SUCCESS (roll 13-14):                                  ║
║ Partial attribution (likely group/profile but not 100% certain)║
║ Advance: Attribution Confidence +25%, Attack Chain +5%         ║
║                                                                 ║
║ FAILURE (roll < 13):                                           ║
║ Insufficient evidence for reliable attribution.                ║
╠════════════════════════════════════════════════════════════════╣
║ CHAIN OF CUSTODY:                                              ║
║ Attribution must cite specific evidence for each finding.      ║
║ Chain of Custody: Moderate (depends on CTI source reliability) ║
║ ⚠ Confidence level must be documented (70% vs. 90% certainty) ║
╠════════════════════════════════════════════════════════════════╣
║ SKILL MODIFIERS:                                               ║
║ +2 if investigator has threat intelligence background          ║
║ +1 if access to premium CTI services (CrowdStrike, Mandiant)  ║
║ +1 per prior investigation showing strong evidence patterns    ║
║ +2 if detailed narrative synthesizes multiple evidence sources ║
║ -2 if evidence is sparse or conflicting                        ║
╠════════════════════════════════════════════════════════════════╣
║ NOTES:                                                         ║
║ • Highest difficulty (DC 15) requires extensive prior evidence ║
║ • Cannot be done until sufficient evidence collected           ║
║ • Most valuable action for reaching Victory Condition 1        ║
║ • Attribution confidence matters: 60% vs. 90% is significant   ║
║ • Final step in forensic investigation                         ║
╚════════════════════════════════════════════════════════════════╝

Printable Format

How to Print Cards

Materials Needed: - Cardstock (250 gsm minimum) - Card sleeves (optional but recommended) - Scissors or guillotine cutter - Ruler and cutting mat

Printing Instructions: 1. Print each card on heavy cardstock (250 gsm) 2. Cut along the border (approx. 3.5" x 5.5" for standard card size) 3. Optional: Laminate for durability 4. Optional: Sleeve cards for shuffling and handling

PDF Layout: [Card layout with 4-6 cards per page will be generated separately in printable PDF format]


Card Combination & Strategy

Investigation Pathways

Pathway 1: Quick Start (Turns 1-3) - LOG-01 (Event Log Analysis) → Timeline Reconstruction → Identify key events

Pathway 2: Deep Evidence (Turns 1-5) - DISK-01 (Disk Image) → MALW-01 (Dynamic Analysis) → MALW-02 (Static Analysis) → Understand full malware

Pathway 3: Network-Based (Turns 1-5) - LOG-01 (Initial timeline) → NET-01 (Network Traffic) → NET-02 (Deep Packet Analysis) → Reconstruct C2

Pathway 4: Attribution (Turns 1-6) - MALW-01/02 → NET-01 → THREAT-01 → Complete attribution with infrastructure evidence


FAQ

Q: Can I do these investigations in any order? A: Yes, but some combinations are more efficient. Multiple investigations often support each other.

Q: What's the DC difficulty based on? A: Skill required. Easier investigations (LOG-01, TIMELINE-01) have DC 11-13. Complex investigations (MEM-02, THREAT-01) have DC 14-15.

Q: Why do some investigations take 3 turns? A: They represent weeks of real forensic work compressed into game turns. Mechanically (v2.2): pay the cost and use your action on the turn you start; the roll and results arrive at the start of the turn the Duration completes. Only one multi-turn investigation may be in flight at a time.

Q: What modifiers apply to my roll? A: Skill (+1 to +3), narrative explanation (+1 to +2), prior investigations (+1), challenge circumstances (-1 to -2).


Version History

cards/forensics/core-deck/evidence-cards.md

Forensics Module: Evidence & Findings Cards (Core Deck)

Version: 2.2 - Playtest Edition Card Count: 12 Evidence Cards + 4 Findings Cards = 16 Total Printable: Yes


Overview

Evidence Cards represent specific findings discovered during forensic investigations. They document what was found, how it was found, and what investigative leads it provides.

Findings Cards represent conclusions drawn from the evidence—these feed recommendations into Hardening, Network Building, and Audit modules.

Chain of Custody rule (v2.2): +5% Chain of Custody every time an Evidence card is discovered AND the team states how it was preserved (hash, imaging, log export); the TO may award +10% for exemplary handling. This stacks with any Chain of Custody impact printed on the card.

No Double Counting (v2.2): When an investigation discovers an Evidence card, apply ONLY the Evidence card's printed "Impact on Progress Meters" (plus the Chain of Custody handling bonus above). The investigation card's own advance line applies only when no Evidence card is produced (e.g., partial success).


Evidence Card Structure

Each Evidence Card includes: - Card ID: Unique identifier (EVD-01 through EVD-12) - Type: Category of evidence (Malware, Credentials, Movement, Exfiltration, Infrastructure, Timeline) - Title: Specific finding name - MITRE ATT&CK: Technique this evidence relates to - Description: What was found and where - Discovery Source: Which Investigation Action cards typically find this evidence - Chain of Custody: Admissibility rating (Strong/Moderate/Weak) - Investigative Lead: What the team can do next with this finding - Connection to Attack: Links to threat cards and attack phases


Evidence Cards (12 Total)

EVD-01: Credential Dumper Malware

╔════════════════════════════════════════════════════════════════╗
║              EVD-01: CREDENTIAL DUMPER MALWARE                 ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence                                    ║
║ MITRE ATT&CK: T1003 (OS Credential Dumping), T1556 (Modify Auth)║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Malware sample recovered from compromised system that dumps    ║
║ user credentials (SAM file, LSASS process, password hashes,    ║
║ or Kerberos tickets). Examples: Mimikatz, PwDump, LaZagne.     ║
║                                                                 ║
║ Where It Was Found:                                            ║
║ - In System32 directory (hidden with attributes)               ║
║ - In %Temp% directory (temporary staging)                      ║
║ - In admin user AppData (stealth installation)                 ║
║                                                                 ║
║ What It Reveals:                                               ║
║ - Attacker objective: Privilege escalation                     ║
║ - Persistence vector: Credential harvesting                    ║
║ - Attack phase: Privilege escalation → lateral movement        ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Hash the binary (SHA-256; MD5/SHA-1 only to match old IOCs)  ║
║ - File timestamps document creation/modification               ║
║ - Admissible in court with hash validation                     ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - DISK-01/DISK-02: Found as file artifact                      ║
║ - MEM-01/MEM-02: Found as running process in memory            ║
║ - MALW-01: Behavior shows credential dumping actions           ║
║ - MALW-02: Code analysis identifies dumping capabilities       ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We found a credential dumper. Let's analyze its behavior      ║
║ (MALW-01) to understand exactly what credentials were captured.║
║ Then we can assume those accounts are compromised."            ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +15% (shows escalation phase)                  ║
║ - Attribution: +10% (dumper choice shows attacker sophistication)║
║ - Timeline: +10% (timestamp shows when escalation occurred)    ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Implement Credential Guard to prevent dumping"   ║
║ → NETWORK BUILDING: "Isolate admin credentials in PAW"         ║
║ → AUDIT: "Verify controls around credential access logging"    ║
╚════════════════════════════════════════════════════════════════╝
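Hashing is what turns a recovered binary into admissible evidence, and the Chain of Custody rule at the top of this deck asks the team to state how each item was preserved. The Python below is an added example and not part of this bundle: the sample bytes, item ID, handler names, actions and timestamps are constructed. It hashes the item with SHA-256 as the primary value (MD5 and SHA-1 are recorded only for matching older indicator feeds, since both are collision-broken), records each handover in a hash-chained custody log, and verifies later that neither the log nor the evidence has changed.

```python
import hashlib
import json

# Constructed stand-in for a recovered credential-dumper binary.
EVIDENCE = b"MZ\x90\x00" + b"constructed stand-in for a recovered credential-dumper binary"

def hash_evidence(data, algorithms=("sha256", "sha1", "md5")):
    """Return {algorithm: hexdigest}. SHA-256 is the value that matters;
    the weaker digests exist only to match legacy IOC lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}

def _canonical(record):
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def add_custody_entry(log, item_id, data, handler, action, when):
    """Append a custody record whose entry_hash covers the record and the
    previous entry's hash, so editing or dropping any record breaks the chain.
    `when` is an ISO-8601 UTC string supplied by the caller."""
    entry = {
        "item": item_id, "action": action, "handler": handler, "when": when,
        "hashes": hash_evidence(data),
        "prev": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    log.append(entry)
    return entry

def verify_custody(log, item_id, current_data):
    """Return a list of problems (empty = clean): broken links, altered
    records, and evidence whose hash no longer matches collection."""
    problems, prev = [], "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev:
            problems.append(f"record {i}: broken link")
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
            problems.append(f"record {i}: record altered")
        prev = entry["entry_hash"]
    recorded = [e["hashes"]["sha256"] for e in log if e["item"] == item_id]
    current = hashlib.sha256(current_data).hexdigest()
    if not recorded:
        problems.append("no record for item")
    elif any(h != current for h in recorded):
        problems.append("evidence hash changed since collection")
    return problems

def build_sample_log():
    """Three constructed handovers for the EVD-01 item."""
    log = []
    add_custody_entry(log, "EVD-01", EVIDENCE, "analyst.a",
                      "collected from HOST-07 C:\\Windows\\System32", "2024-10-17T10:05:00Z")
    add_custody_entry(log, "EVD-01", EVIDENCE, "analyst.a",
                      "copied to evidence share, hash re-verified", "2024-10-17T10:20:00Z")
    add_custody_entry(log, "EVD-01", EVIDENCE, "lab.b",
                      "received for MALW-01 sandbox analysis", "2024-10-18T08:00:00Z")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("clean:", verify_custody(log, "EVD-01", EVIDENCE))
    print("tampered:", verify_custody(log, "EVD-01", EVIDENCE + b"\x00"))
```

A hash chain only proves internal consistency; to stop a whole log being rewritten, anchor the latest entry_hash somewhere the handler cannot edit (a ticket, a signed e-mail, a write-once store). That external anchor is the "preserved" statement the custody rule rewards.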

EVD-02: Command-and-Control Callback Domain

╔════════════════════════════════════════════════════════════════╗
║              EVD-02: C2 CALLBACK DOMAIN                        ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Infrastructure                                    ║
║ MITRE ATT&CK: T1071 (Application Layer Protocol), T1573 (Encrypted║
║              Channel), T1008 (Fallback Channels)               ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Domain name or IP address that malware communicates with for   ║
║ command and control. Examples:                                 ║
║ - checkupdate.ru (looks legitimate but is attacker-controlled) ║
║ - 192.0.2.45 (direct IP address)                              ║
║                                                                 ║
║ Where It Was Found:                                            ║
║ - In malware strings (hardcoded in binary)                     ║
║ - In network traffic (outbound connections)                    ║
║ - In memory (communication buffers)                            ║
║ - In DNS logs (DNS queries)                                    ║
║                                                                 ║
║ What It Reveals:                                               ║
║ - Attacker still has access (if domain still active)           ║
║ - C2 infrastructure (may be reused across other campaigns)     ║
║ - Sophistication (legitimate-looking domain = higher skill)    ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Network logs document domain/IP communication                ║
║ - PCAP files timestamp the traffic                             ║
║ - DNS logs show query history                                  ║
║ - Admissible with supporting traffic analysis                  ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - MALW-01: Dynamic analysis shows C2 connections               ║
║ - MALW-02: Static analysis finds hardcoded domains             ║
║ - NET-01: Network traffic analysis identifies unusual domains  ║
║ - NET-02: Deep packet inspection reconstructs C2 commands      ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We found the C2 domain. Let's do THREAT-01 analysis to:       ║
║ - WHOIS lookup (registrant info)                               ║
║ - Historical DNS records (see past resolutions)                ║
║ - Infrastructure mapping (what else is hosted on this IP?)     ║
║ - Passive DNS (VirusTotal, Shodan, etc)"                       ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +15% (confirms persistence vector)             ║
║ - Attribution: +25% (infrastructure links to threat group)     ║
║ - Timeline: +5% (timestamps when C2 was active)                ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Block C2 domain via firewall, DNS sinkhole"      ║
║ → NETWORK BUILDING: "Implement egress filtering to C2 ranges"  ║
║ → AUDIT: "Review firewall rules for C2 domain blocking"        ║
║                                                                 ║
║ THREAT INTEL:                                                  ║
║ Can be shared with ISP/CISA for coordinated takedown/blocking. ║
╚════════════════════════════════════════════════════════════════╝

EVD-03: Persistence Mechanism (Scheduled Task)

╔════════════════════════════════════════════════════════════════╗
║              EVD-03: PERSISTENCE MECHANISM (SCHEDULED TASK)    ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence                                    ║
║ MITRE ATT&CK: T1053 (Scheduled Task/Job), T1543 (Create/Modify ║
║              System Process)                                   ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Scheduled task or cron job configured to execute malware at    ║
║ regular intervals (hourly, daily, on system startup). Ensures  ║
║ malware runs even if process is killed or system reboots.      ║
║                                                                 ║
║ Example:                                                       ║
║ - Task: "Windows_Update_Service" (disguised name)              ║
║ - Runs: System startup + every 4 hours                         ║
║ - Executes: C:\Windows\System32\msupd.exe (hidden location)    ║
║                                                                 ║
║ What It Reveals:                                               ║
║ - Attacker skill level (simple but effective)                  ║
║ - Intent: Long-term access/persistence                         ║
║ - Sophistication: Low-to-medium (persistence is basic)         ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Task definition stored in XML (Windows registry/filesystem)  ║
║ - Can be exported and hashed                                   ║
║ - Creation/modification timestamps available                   ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - DISK-01: Task files in Windows registry/filesystem           ║
║ - LOG-01: Task execution appears in logs                       ║
║ - MEM-01: Task execution visible in running processes          ║
║ - MALW-01: Dynamic analysis shows task creation               ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We found a scheduled task executing malware. Key questions:   ║
║ - When was this task created? (timestamp analysis)             ║
║ - What executable does it run? (acquire and analyze - MALW-01) ║
║ - Is the executable still present? (filesystem search)         ║
║ - Is the task still active? (persistence threat)"              ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +20% (clearly shows persistence phase)         ║
║ - Timeline: +15% (task timestamps show when persistence was    ║
║   installed)                                                   ║
║ - Attribution: +5% (persistence technique is common)           ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Implement AppLocker/code signing for scheduled   ║
║              task executables"                                 ║
║ → NETWORK BUILDING: "Enable scheduled task logging and         ║
║                     analysis"                                  ║
║ → AUDIT: "Verify controls on scheduled task creation"          ║
╚════════════════════════════════════════════════════════════════╝

EVD-04: Suspicious Admin Login (Timeline)

╔════════════════════════════════════════════════════════════════╗
║              EVD-04: SUSPICIOUS ADMIN LOGIN (TIMELINE)         ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Credentials & Access                                     ║
║ MITRE ATT&CK: T1078 (Valid Accounts), T1021 (Remote Services), ║
║              T1550 (Use Alternate Authentication Material)     ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Administrator account login with suspicious characteristics:   ║
║ - Unusual time (3 AM instead of business hours)                ║
║ - Unusual location (different country/VPN)                     ║
║ - Unusual source (remote desktop instead of VPN)               ║
║ - Batch processing (multiple logins in seconds)                ║
║                                                                ║
║ Example Log Entry:                                             ║
║ 2024-10-15 03:22:15 - User: Administrator                      ║
║ Source: 192.0.2.100 (Russia)                                   ║
║ Protocol: RDP / SSH                                            ║
║ Success: Yes                                                   ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Credential compromise (credentials being used by attacker)   ║
║ - Privilege level compromised (admin account)                  ║
║ - Lateral movement likely (attacker on network now)            ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Log entry with timestamp and source                          ║
║ - Digitally signed event log                                   ║
║ - Corroborated by other log sources                            ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - LOG-01: Event Log Analysis shows unusual logon event         ║
║ - LOG-02: Correlation across multiple systems                  ║
║ - TIMELINE-01: Used to establish attack progression            ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Admin account was compromised. Questions to answer:           ║
║ - When was the password changed? (before or after login?)      ║
║ - What other logins occurred after this? (lateral movement)    ║
║ - Was there any password reset? (attacker covering tracks)     ║
║ - What systems did this account access? (scope of compromise)" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +20% (clear escalation point)                  ║
║ - Timeline: +25% (login timestamp anchors timeline)            ║
║ - Attribution: +10% (geolocation may hint at attacker origin)  ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Implement MFA on admin accounts"                 ║
║ → NETWORK BUILDING: "Isolate admin access to PAW"              ║
║ → AUDIT: "Review admin account access controls and logging"    ║
╚════════════════════════════════════════════════════════════════╝

EVD-05: Lateral Movement Evidence (Pass-the-Hash)

╔════════════════════════════════════════════════════════════════╗
║              EVD-05: LATERAL MOVEMENT (PASS-THE-HASH)          ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Lateral Movement                                         ║
║ MITRE ATT&CK: T1550 (Use Alternate Authentication Material),   ║
║              T1110 (Brute Force), T1021 (Remote Services)      ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Evidence that attacker used stolen password hashes to access   ║
║ other systems without knowing the plaintext password.          ║
║ NTLM hash reuse across systems allows lateral movement.        ║
║                                                                ║
║ What It Shows:                                                 ║
║ - Compromised account: admin-user (hash: A1B2C3D4E5F6...)      ║
║ - Lateral targets: File server, database server, backup server ║
║ - Movement pattern: Sequential access across infrastructure    ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Attack sophistication (understanding Windows auth)           ║
║ - Network enumeration (attacker knew what systems exist)       ║
║ - Scope of compromise (multiple systems accessed)              ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠                                   ║
║ - Hash captured from memory/SAM file                           ║
║ - Corroborated by network logs (successful auth events)        ║
║ - Can be cryptographically validated                           ║
║ - Admissible with supporting evidence (network logs)           ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - LOG-02: Cross-system log correlation shows pattern           ║
║ - NET-01: Network traffic shows auth attempts                  ║
║ - MEM-01/MEM-02: Hash visible in memory                        ║
║ - DISK-01/DISK-02: SAM file contains hashes                    ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Attacker used pass-the-hash technique. Next steps:            ║
║ - Determine all systems accessed with this hash                ║
║ - Check what actions were taken on each system                 ║
║ - Look for privilege escalation or data access on each system" ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +25% (shows sophisticated lateral movement)    ║
║ - Timeline: +15% (timestamps show movement sequence)           ║
║ - Attribution: +15% (technique sophistication shows skill)     ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Implement Credential Guard, Mimikatz mitigations"║
║ → NETWORK BUILDING: "Network segmentation to limit lateral     ║
║                     movement"                                  ║
║ → AUDIT: "Verify controls on credential reuse prevention"      ║
╚════════════════════════════════════════════════════════════════╝

EVD-06: Data Exfiltration Evidence

╔════════════════════════════════════════════════════════════════╗
║              EVD-06: DATA EXFILTRATION EVIDENCE                ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Exfiltration                                             ║
║ MITRE ATT&CK: T1020 (Automated Exfiltration), T1030 (Data      ║
║              Transfer Size Limits), T1048 (Exfil Over Alt      ║
║              Protocol)                                         ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Evidence of large data transfer from internal network to       ║
║ external attacker-controlled destination.                      ║
║                                                                ║
║ Characteristics:                                               ║
║ - Volume: 100+ GB transferred in 6-hour window                 ║
║ - Timing: During non-business hours (3-8 AM)                   ║
║ - Destination: External IP/domain (attacker server)            ║
║ - Protocol: HTTPS, FTP, or custom protocol                     ║
║ - Pattern: Consistent data rate (not bandwidth-throttled)      ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Scope of compromise (what was accessed)                      ║
║ - Attacker objective (data theft vs. ransomware)               ║
║ - Attack timeline (when exfiltration occurred)                 ║
║ - Attacker infrastructure (location of receiving server)       ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Network flow logs (NetFlow, sFlow, or IDS logs)              ║
║ - PCAP files with packet timestamps                            ║
║ - Firewall logs documenting outbound connections               ║
║ - Cryptographic hashes of transferred data                     ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - NET-01: Network traffic analysis shows volume anomalies      ║
║ - NET-02: Packet inspection shows data being transferred       ║
║ - LOG-02: Firewall/proxy logs show external connections        ║
║ - MALW-01: Dynamic analysis shows file staging before exfil    ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Massive data exfiltration detected. Critical questions:       ║
║ - Exactly which files/databases were exfiltrated?              ║
║ - How many customer records are affected?                      ║
║ - Can we identify specific data types stolen?                  ║
║ - Is the data still being transferred (ongoing threat)?"       ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +20% (confirms attacker objectives)            ║
║ - Timeline: +20% (exfil duration/timing)                       ║
║ - Attribution: +10% (exfil infrastructure may be reused)       ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Data loss prevention (DLP) controls"             ║
║ → NETWORK BUILDING: "Egress filtering, traffic inspection"     ║
║ → DISASTER RECOVERY: "Breach notification scope (data volume)" ║
║ → AUDIT: "Data protection controls and encryption review"      ║
╚════════════════════════════════════════════════════════════════╝

EVD-07: Attacker Infrastructure Map

╔════════════════════════════════════════════════════════════════╗
║              EVD-07: ATTACKER INFRASTRUCTURE MAP               ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Infrastructure                                    ║
║ MITRE ATT&CK: Related to C2 infrastructure and command channels║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Connected map of attacker-controlled infrastructure including  ║
║ multiple domains, IP addresses, registrars, and services.      ║
║                                                                ║
║ Example Infrastructure Web:                                    ║
║ - Primary C2: checkupdate.ru (IP: 192.0.2.45)                  ║
║ - Alternate C2: update-service.xyz (IP: 192.0.2.46)            ║
║ - Malware hosting: files.example.net (IP: 192.0.2.47)          ║
║ - Registrant: All registered via registrar.ru                  ║
║ - ASN: AS64512 (Ukrainian ISP network)                         ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Attacker operational security (multiple infrastructure)      ║
║ - Attacker resources (ISP relationships, hosting account)      ║
║ - Attacker location hints (registrar, ASN, geolocation)        ║
║ - Attack history (domains registered months/years earlier)     ║
║ - Other campaigns (infrastructure reused for other attacks)    ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠                                   ║
║ - WHOIS records are public but can be modified                 ║
║ - Historical DNS data from passive DNS services                ║
║ - Correlations need cross-referencing                          ║
║ - Admissible with supporting evidence (traffic logs)           ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - THREAT-01: Threat attribution analysis connects domains      ║
║ - MALW-02: Static analysis finds hardcoded backup domains      ║
║ - NET-01: Network traffic shows multiple C2 attempts           ║
║ - CTI research: VirusTotal, Shodan, Passive DNS services       ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We've mapped attacker infrastructure. Next steps:             ║
║ - Search threat intelligence databases for this infrastructure ║
║ - Look for connections to known threat groups                  ║
║ - Check if infrastructure used in other campaigns              ║
║ - Contact registrar and hosting for takedown                   ║
║ - Report to ISP for blocking/monitoring"                       ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attribution: +30% (infrastructure often linked to groups)    ║
║ - Attack Chain: +15% (understanding attacker preparation)      ║
║ - Timeline: +10% (infrastructure registration dates)           ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Block all known C2 infrastructure via firewall"  ║
║ → AUDIT: "Threat intelligence integration for blocking"        ║
║ → THREAT INTEL: Shareable with industry, law enforcement       ║
╚════════════════════════════════════════════════════════════════╝

EVD-08: Encryption Keys Recovered

╔════════════════════════════════════════════════════════════════╗
║              EVD-08: ENCRYPTION KEYS RECOVERED                 ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence                                    ║
║ MITRE ATT&CK: T1140 (Deobfuscate/Decode), T1552 (Unsecured     ║
║              Credentials), T1074 (Data Staged)                 ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Encryption keys recovered from memory, disk, or malware code   ║
║ that allow decryption of:                                      ║
║ - Malware traffic (C2 communications)                          ║
║ - Stolen data archives (what was exfiltrated)                  ║
║ - Attacker staging servers (accessing their infrastructure)    ║
║ - Backdoor communications (understanding commands)             ║
║                                                                ║
║ Examples:                                                      ║
║ - AES-256 key found in malware binary                          ║
║ - RC4 key in process memory (used for C2)                      ║
║ - TLS certificates for backdoor listener                       ║
║ - Steganography keys (hidden messages in files)                ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Encryption strength (military-grade vs. basic obfuscation)   ║
║ - Attacker sophistication (poor key management = careless)     ║
║ - What data can be decrypted (scope of analysis)               ║
║ - Backdoor capabilities (understanding command set)            ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠                                   ║
║ - Keys extracted from memory/binary must be documented         ║
║ - Extraction methodology must be explained                     ║
║ - Cross-referencing with code/behavior confirms validity       ║
║ - Admissible with supporting analysis documentation            ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - MEM-02: Deep memory analysis finds encryption keys           ║
║ - DISK-02: File carving recovers keys from slack space         ║
║ - MALW-02: Static analysis finds hardcoded keys                ║
║ - MALW-01: Dynamic analysis reveals keys generated at runtime  ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We recovered encryption keys! This is huge because:           ║
║ - We can decrypt C2 communications (see commands sent)         ║
║ - We can decrypt malware archives (understand what was stolen) ║
║ - We can access attacker staging servers (more evidence)       ║
║ - We can build stronger attribution (command content)"         ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +25% (understand full communication)           ║
║ - Attribution: +20% (commands reveal attacker objectives)      ║
║ - Timeline: +15% (command history shows action sequence)       ║
║ - Chain of Custody: +15% (encryption is strong evidence)       ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Secure key management practices"                 ║
║ → AUDIT: "Encryption and key management controls"              ║
║ → THREAT INTEL: Keys shared with law enforcement               ║
╚════════════════════════════════════════════════════════════════╝

EVD-09: Attacker Command History

╔════════════════════════════════════════════════════════════════╗
║              EVD-09: ATTACKER COMMAND HISTORY                  ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Activity                                          ║
║ MITRE ATT&CK: T1059 (Command & Scripting Interpreter),         ║
║              T1059.001 (PowerShell)                            ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Recovered history of commands executed by attacker on          ║
║ compromised systems. Shows attacker's actions, objectives,     ║
║ and decision-making process.                                   ║
║                                                                ║
║ Examples:                                                      ║
║ - PowerShell: Get-AdUser -Filter * | Export-CSV C:\temp\ad.csv ║
║ - CMD: dir \\backup-server\share                               ║
║ - Bash: find / -name "*.sql" -o -name "*.db" 2>/dev/null       ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Attacker objectives (looking for what? ad users? databases?) ║
║ - Attacker knowledge (familiar with Windows/Linux/networks)    ║
║ - Attack sophistication (script-kiddie vs. skilled operator)   ║
║ - Targeting specificity (random exploration vs. targeted       ║
║   search)                                                      ║
║ - Timeline of activities (sequence of commands shows           ║
║   progression)                                                 ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Command history from shell/terminal logs                     ║
║ - PowerShell transcript logs (if enabled)                      ║
║ - Memory forensics shows running command buffer                ║
║ - Timestamps document command execution order                  ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - MEM-02: Memory forensics finds recent command buffer         ║
║ - LOG-02: Command execution logging (PowerShell, bash history) ║
║ - DISK-01: Shell history files (.bash_history, PowerShell logs)║
║ - MALW-01: Dynamic analysis shows commands sent to shell       ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We have the attacker's command history! This shows us:        ║
║ - What systems they were looking for                           ║
║ - What data they searched for                                  ║
║ - How much time they spent on each system                      ║
║ - When they pivoted to new systems                             ║
║ - When they started exfiltration                               ║
║ - If they set up backdoors or persistence"                     ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Timeline: +25% (command timing shows exact sequence)         ║
║ - Attack Chain: +25% (command progression shows phases)        ║
║ - Attribution: +15% (command style/language hints)             ║
║ - Chain of Custody: +10% (strong admissible evidence)          ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "PowerShell transcript logging, command audit"    ║
║ → AUDIT: "Verify logging of command execution"                 ║
║ → TRAINING: "Identify what commands should have triggered      ║
║             alerts"                                            ║
╚════════════════════════════════════════════════════════════════╝

EVD-10: Malware Behavior Profile

╔════════════════════════════════════════════════════════════════╗
║              EVD-10: MALWARE BEHAVIOR PROFILE                  ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Malware & Persistence                                    ║
║ MITRE ATT&CK: Multiple TTPs based on observed behavior         ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Complete profile of malware capabilities and behavior based    ║
║ on dynamic analysis in sandbox environment.                    ║
║                                                                ║
║ Profile Contents:                                              ║
║ - File system interactions (creates, modifies, deletes)        ║
║ - Registry modifications (persistence mechanisms)              ║
║ - Process creation (parent-child relationships)                ║
║ - Network communications (DNS queries, HTTP requests, IPs)     ║
║ - API calls (Windows/Linux API usage)                          ║
║ - Anti-analysis techniques (sandbox evasion)                   ║
║                                                                ║
║ Example Output:                                                ║
║ - Name: conhost.exe (masquerading as Windows process)          ║
║ - Creates files: C:\Users\*\AppData\Local\Temp\app.exe         ║
║ - Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ║
║   (persistence)                                                ║
║ - Network: Connects to update.badsite.ru:443 every 15 minutes  ║
║ - Capabilities: Credential harvesting, file encryption, C2     ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Complete malware capabilities                                ║
║ - Attacker operational techniques                              ║
║ - Threat level (spyware vs. ransomware vs. trojan)             ║
║ - Indicators of Compromise (IOCs)                              ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - Sandbox execution video/logs document behavior               ║
║ - Timestamps and sequence recorded                             ║
║ - Reproducible analysis methodology                            ║
║ - Widely accepted malware analysis evidence                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - MALW-01: Dynamic sandbox analysis produces full profile      ║
║ - MALW-02: Static analysis validates observed behaviors        ║
║ - Combined: Behavior validated against code confirms accuracy  ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "We have the complete malware profile. Now we can:             ║
║ - Search for all instances of this malware                     ║
║ - Hunt for C2 communications on network                        ║
║ - Search for created files and artifacts                       ║
║ - Link to other malware families (code similarities)"          ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +20% (understanding capabilities means         ║
║   understanding the threat)                                    ║
║ - Attribution: +15% (malware signatures match known families)  ║
║ - Timeline: +10% (behavior timing shows operation phase)       ║
║ - Chain of Custody: +10% (sandbox logs are strong evidence)    ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Controls to prevent malware execution"           ║
║ → NETWORK BUILDING: "Detection of malware C2 behaviors"        ║
║ → AUDIT: "EDR/SIEM coverage for malware detection"             ║
╚════════════════════════════════════════════════════════════════╝

EVD-11: File Staging Artifacts

╔════════════════════════════════════════════════════════════════╗
║              EVD-11: FILE STAGING ARTIFACTS                    ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Activity                                          ║
║ MITRE ATT&CK: T1074 (Data Staged), T1005 (Data from Local      ║
║              System)                                           ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Evidence of attacker staging files before exfiltration. Files  ║
║ are collected in a temporary location, compressed, encrypted,  ║
║ then transferred to attacker server.                           ║
║                                                                ║
║ Artifacts Found:                                               ║
║ - Compressed archives (RAR, 7z, ZIP files)                     ║
║ - Partially deleted files (overwrite artifacts)                ║
║ - File lists (text files naming what to steal)                 ║
║ - Batch scripts (automated collection scripts)                 ║
║ - Temporary directories with suspicious contents               ║
║                                                                ║
║ Example:                                                       ║
║ - C:\Staging\data_backup.7z (500 MB)                           ║
║ - C:\Staging\files_to_get.txt (list of target files)           ║
║ - C:\Staging\collect.bat (automated collection script)         ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Data that was targeted (from .txt lists)                     ║
║ - Volume of exfiltration (archive size)                        ║
║ - Compression ratio (how much data actually stolen)            ║
║ - Attacker knowledge (knew where sensitive data was)           ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: STRONG ✓                                     ║
║ - File hashes document the staging                             ║
║ - File timestamps show staging timeline                        ║
║ - File content confirms what was staged                        ║
║ - Fully admissible in court                                    ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - DISK-01/DISK-02: Staging artifacts on disk                   ║
║ - LOG-02: Batch script execution in logs                       ║
║ - MALW-01: Dynamic analysis shows staging process              ║
║ - NET-01: File transfer evidence (connection to staging dir)   ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Attacker staged specific files. This shows:                   ║
║ - Exact data that was targeted (from staging lists)            ║
║ - Attack planning (targeted vs. random)                        ║
║ - Data sensitivity (what did they prioritize)                  ║
║ - Precision of attack (narrow vs. broad data grab)"            ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attack Chain: +15% (staging phase evidence)                  ║
║ - Timeline: +20% (staging timestamps show prep phase)          ║
║ - Attribution: +10% (precision shows targeting sophistication) ║
║ - Chain of Custody: +10% (file evidence is strong)             ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Data identification and protection (DLP)"        ║
║ → AUDIT: "Data classification and access controls"             ║
║ → NOTIFICATION: "Specific data breach notification"            ║
╚════════════════════════════════════════════════════════════════╝

EVD-12: Anti-Forensics Evidence

╔════════════════════════════════════════════════════════════════╗
║              EVD-12: ANTI-FORENSICS EVIDENCE                   ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Attack Activity                                          ║
║ MITRE ATT&CK: T1070 (Indicator Removal), T1485 (Data           ║
║              Destruction), T1556 (Modify Authentication        ║
║              Process)                                          ║
╠════════════════════════════════════════════════════════════════╣
║ DESCRIPTION:                                                   ║
║ Evidence that attacker actively tried to cover their tracks    ║
║ using anti-forensics techniques.                               ║
║                                                                ║
║ Anti-Forensics Found:                                          ║
║ - Event log deletion (Clear-EventLog PowerShell)               ║
║ - File timestamp manipulation (TimeStomp)                      ║
║ - Log overwriting (dd commands filling logs)                   ║
║ - File shredding (secure deletion of evidence)                 ║
║ - Registry clearing (CleanMgr, CCleaner, etc)                  ║
║ - Malware self-deletion after execution                        ║
║                                                                ║
║ What It Reveals:                                               ║
║ - Sophistication (advanced attackers use anti-forensics)       ║
║ - Awareness (attacker knew forensics would be used)            ║
║ - Intent (intentional cover-up vs. accidental trail)           ║
║ - What they're hiding (deleted logs = they knew activities     ║
║   would be suspicious)                                         ║
║ - Attack planning (anti-forensics in playbook = pre-planned)   ║
╠════════════════════════════════════════════════════════════════╣
║ Chain of Custody: MODERATE ⚠                                   ║
║ - Evidence is lack of evidence (absences are hard to prove)    ║
║ - Comparison with known baselines shows anomalies              ║
║ - Log deletion tools detected and documented                   ║
║ - Admissible with supporting context (other evidence)          ║
╠════════════════════════════════════════════════════════════════╣
║ Discovery Source:                                              ║
║ - LOG-01/LOG-02: Gaps in logs (suspicious absences)            ║
║ - DISK-01/DISK-02: Deleted log files, anti-forensic tools      ║
║ - MEM-01/MEM-02: Anti-forensic process running in memory       ║
║ - MALW-01: Dynamic analysis shows self-deletion                ║
║ - MALW-02: Code analysis finds anti-forensic capabilities      ║
╠════════════════════════════════════════════════════════════════╣
║ Investigative Lead:                                            ║
║ "Attacker used anti-forensics. This actually helps because:    ║
║ - Proves attacker sophistication (means skilled opponent)      ║
║ - Indicates intentional harm (not accidental)                  ║
║ - Suggests what they're hiding (what logs were deleted?)       ║
║ - Helps attribution (anti-forensics technique is signature)    ║
║ - Can reconstruct from other sources (memory, network logs)"   ║
╠════════════════════════════════════════════════════════════════╣
║ Impact on Progress Meters:                                     ║
║ - Attribution: +20% (anti-forensic technique is signature)     ║
║ - Attack Chain: +10% (shows post-attack phase)                 ║
║ - Timeline: -10% (anti-forensics makes timeline harder)        ║
║ - Chain of Custody: +5% (proves intentional cover-up)          ║
╠════════════════════════════════════════════════════════════════╣
║ Feeds Into Modules:                                            ║
║ → HARDENING: "Immutable logging (cloud, WORM storage)"         ║
║ → NETWORK BUILDING: "Centralized log aggregation"              ║
║ → AUDIT: "Log integrity and anti-tampering controls"           ║
╚════════════════════════════════════════════════════════════════╝
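The discovery sources listed on EVD-12 (gaps in logs, log-deletion tools detected, timestamp manipulation) can be checked mechanically rather than by eye. The Python below is an added example for readers who want to see what those checks look like on a defender's side; it is not part of the Incident Zero materials or any real investigation. The event records, the MFT-style file records and the file paths are constructed sample data; Windows Event ID 1102 (Security log cleared) and 104 (System log cleared) are real event identifiers, and the $STANDARD_INFORMATION versus $FILE_NAME comparison is a standard NTFS timestomp heuristic.

```python
"""Anti-forensics checks over constructed sample data (added example).

Three defender-side checks matching the EVD-12 discovery sources:
  1. explicit log-clearing events (Security 1102, System 104),
  2. suspicious silence: an interval between consecutive events far longer
     than the host's own baseline (the "gaps in logs" signal),
  3. timestomping: $STANDARD_INFORMATION creation time earlier than the
     $FILE_NAME creation time, which ordinary NTFS activity does not produce.
All inputs are constructed inline; nothing here reads a real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Event:
    ts: datetime
    channel: str   # Windows event log channel, e.g. "Security"
    event_id: int
    message: str


@dataclass(frozen=True)
class MftRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time (user-modifiable)
    fn_created: datetime   # $FILE_NAME creation time (kernel-maintained)


def _t(hh, mm, ss=0):
    return datetime(2024, 3, 14, hh, mm, ss)


# Constructed sample: logons every 5 minutes, six hours of silence,
# then the "audit log was cleared" event, then logons resume.
SAMPLE_LOG = (
    [Event(_t(9, 5 * i), "Security", 4624, "An account was successfully logged on")
     for i in range(12)]
    + [Event(_t(16, 0), "Security", 1102, "The audit log was cleared")]
    + [Event(_t(16, 5 * i), "Security", 4624, "An account was successfully logged on")
       for i in range(1, 6)]
)

# Constructed sample: one normal file and one whose $SI time was pushed back.
SAMPLE_MFT = [
    MftRecord(r"C:\Users\alice\report.docx", _t(10, 0), _t(10, 0)),
    MftRecord(r"C:\Windows\Temp\svc.exe", _t(8, 0), _t(15, 30)),
]

# (channel, event id) pairs that record a log being cleared
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}


def find_log_clears(events):
    """Return the events that record a log being cleared."""
    return [e for e in events if (e.channel, e.event_id) in LOG_CLEAR_IDS]


def find_gaps(events, factor=10.0, min_gap=timedelta(hours=1)):
    """Return (start, end, duration) for silences longer than both `min_gap`
    and `factor` times the host's median inter-event interval.

    The median is the baseline so that the gap itself cannot inflate the
    threshold. Fewer than three events give no usable baseline."""
    ordered = sorted(events, key=lambda e: e.ts)
    if len(ordered) < 3:
        return []
    pairs = list(zip(ordered, ordered[1:]))
    threshold = max(min_gap, median(b.ts - a.ts for a, b in pairs) * factor)
    return [(a.ts, b.ts, b.ts - a.ts) for a, b in pairs if b.ts - a.ts > threshold]


def find_timestomped(records):
    """Return records whose $SI creation time predates the $FN creation time."""
    return [r for r in records if r.si_created < r.fn_created]


def summarize(events, records):
    """Aggregate the three checks into one report dict."""
    return {
        "log_clears": find_log_clears(events),
        "gaps": find_gaps(events),
        "timestomped": find_timestomped(records),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, SAMPLE_MFT)
    for e in report["log_clears"]:
        print(f"LOG CLEARED  {e.ts}  {e.channel}/{e.event_id}: {e.message}")
    for start, end, dur in report["gaps"]:
        print(f"SILENCE      {start} -> {end}  ({dur})")
    for r in report["timestomped"]:
        print(f"TIMESTOMP?   {r.path}: $SI {r.si_created} < $FN {r.fn_created}")
```

On the constructed data the script flags the 1102 event, the six-hour silence that precedes it, and `svc.exe`. In play this is the shape of what the LOG-01/LOG-02 and DISK-01/DISK-02 investigations are looking for: none of the three signals proves anything alone (the card rates this evidence MODERATE for exactly that reason), but together they document the cover-up and point at the period that has to be reconstructed from memory and network sources.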

Findings Cards (4 Total)

These are synthesis cards representing conclusions from forensic findings:

FIND-01: Threat Attribution Report

╔════════════════════════════════════════════════════════════════╗
║              FIND-01: THREAT ATTRIBUTION REPORT                ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions                                     ║
║ Triggered When: Attribution Confidence ≥ 70%                   ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING:                                                       ║
║ Attack attributed to [Threat Group Name]                       ║
║ Confidence Level: [60-90% based on evidence]                   ║
║ Associated Techniques: [MITRE ATT&CK TTPs]                     ║
║ Previous Targets: [Industries/organizations previously         ║
║   targeted]                                                    ║
║ Likely Motivation: [Financial gain, espionage, etc]            ║
║                                                                ║
║ RECOMMENDATIONS:                                               ║
║ 1. Notify law enforcement (FBI, Interpol if international)     ║
║ 2. Share intelligence with industry ISACs                      ║
║ 3. Monitor for indicators of re-engagement                     ║
║ 4. Implement defenses targeting group's known TTPs             ║
║                                                                ║
║ FEEDS INTO MODULES:                                            ║
║ → HARDENING: "Defense-in-depth against attributed group"       ║
║ → AUDIT & COMPLIANCE: "Threat model update with attributed     ║
║   group"                                                       ║
║ → INCIDENT RESPONSE: "Playbook for future incidents from group"║
╚════════════════════════════════════════════════════════════════╝

FIND-02: Attack Surface Analysis

╔════════════════════════════════════════════════════════════════╗
║              FIND-02: ATTACK SURFACE ANALYSIS                  ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions                                     ║
║ Triggered When: Attack Chain ≥ 75%                             ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING:                                                       ║
║ Entry Point: [Method used for initial compromise]              ║
║ Exploited Vulnerability: [CVE, weak auth, configuration gap]   ║
║ Escalation Point: [Where privilege escalation occurred]        ║
║ Lateral Movement Paths: [Systems accessed after pivot]         ║
║                                                                ║
║ ROOT CAUSE:                                                    ║
║ - [Patch missing, configuration weakness, process gap]         ║
║                                                                ║
║ RECOMMENDATIONS:                                               ║
║ 1. Patch entry-point vulnerability immediately                ║
║ 2. Implement detection for exploitation attempts               ║
║ 3. Restrict lateral movement (network segmentation)            ║
║ 4. Update architecture to prevent this attack path             ║
║                                                                ║
║ FEEDS INTO MODULES:                                            ║
║ → HARDENING: "Specific technical hardening measures"           ║
║ → NETWORK BUILDING: "Architecture redesign to block attack     ║
║   path"                                                        ║
║ → AUDIT: "Control gap remediation"                             ║
╚════════════════════════════════════════════════════════════════╝

FIND-03: Persistence Mechanisms Discovered

╔════════════════════════════════════════════════════════════════╗
║              FIND-03: PERSISTENCE MECHANISMS DISCOVERED        ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions                                     ║
║ Triggered When: Multiple persistence artifacts found           ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING:                                                       ║
║ Primary Persistence: [Scheduled task, registry run, etc]       ║
║ Backup Persistence: [Redundant persistence methods]            ║
║ Dormancy: [How long could malware remain active undetected]    ║
║                                                                ║
║ THREAT:                                                        ║
║ Attacker likely still has access (persistence remains active)  ║
║ - Malware calls home regularly (C2 connections)                ║
║ - Can re-establish access if initial access closed             ║
║ - May deploy additional payloads over time                     ║
║                                                                ║
║ IMMEDIATE ACTIONS:                                             ║
║ 1. Fully remediate all discovered persistence mechanisms       ║
║ 2. Search for backup persistence (often multiple methods)      ║
║ 3. Monitor for re-establishment of access                      ║
║ 4. Assume attacker may have staged additional backdoors        ║
║                                                                ║
║ FEEDS INTO MODULES:                                            ║
║ → HARDENING: "Persistence prevention and detection"            ║
║ → DISASTER RECOVERY: "Scope of remediation (how deep?)"        ║
║ → AUDIT: "Endpoint protection review"                          ║
╚════════════════════════════════════════════════════════════════╝

FIND-04: Investigative Gaps & Recommendations

╔════════════════════════════════════════════════════════════════╗
║              FIND-04: INVESTIGATIVE GAPS & RECOMMENDATIONS     ║
╠════════════════════════════════════════════════════════════════╣
║ Type: Findings/Conclusions                                     ║
║ Triggered When: Investigation completes (Victory or Failure)   ║
╠════════════════════════════════════════════════════════════════╣
║ FINDING:                                                       ║
║ Key Questions Answered:                                        ║
║ - [ ] Attack entry point identified?                           ║
║ - [ ] Attacker motivation understood?                          ║
║ - [ ] Threat actor identified (attribution)?                   ║
║ - [ ] Data compromised: volume and sensitivity?                ║
║ - [ ] Current access status: eliminated or ongoing?            ║
║ - [ ] Persistence mechanisms: removed or active?               ║
║                                                                ║
║ Remaining Questions:                                           ║
║ - [List specific unknowns from the investigation]              ║
║ - [What evidence gaps prevent complete understanding]          ║
║ - [What would close these gaps (more investigation, experts)]  ║
║                                                                ║
║ NEXT STEPS:                                                    ║
║ 1. [If gaps remain: External forensics firm for deep analysis] ║
║ 2. [Law enforcement involvement for attribution/prosecution]   ║
║ 3. [Threat intelligence: share findings with industry]         ║
║ 4. [Lessons learned: update hardening/network architecture]    ║
║                                                                ║
║ FEEDS INTO MODULES:                                            ║
║ → AUDIT & COMPLIANCE: "Post-incident review and control        ║
║   updates"                                                     ║
║ → TRAINING: "Lessons learned session with all teams"           ║
║ → STRATEGIC: "Investment in detection/response capabilities"   ║
╚════════════════════════════════════════════════════════════════╝

Evidence Card Combinations

Fast Track (Quick Investigation - 4 Turns, respecting Durations)

Result: Quick understanding of attack progression without full attribution


Complete Investigation (5-6 Turns)

Result: Complete attack narrative with attribution


Advanced Investigation (7+ Turns)

Result: Expert-level forensic analysis, actionable threat intelligence


FAQ

Q: Can I discover the same Evidence card twice?
A: No. Each Evidence card represents a unique finding. Multiple investigations may point to the same finding (confirming it), but you only gain progress once.

Q: What if I fail an investigation?
A: No Evidence is discovered, but you've used a turn and Budget. You can retry next turn (it costs the full Budget again) or move to a different investigation.

Q: How do I use Evidence Cards to support my narrative?
A: Reference specific Evidence cards when describing findings to the Threat Orchestrator or in the debrief. The Chain of Custody rating shows how admissible each finding would be in court.


Version History

cards/print-templates/tracker-sheets.md

Tracker Sheets (Print & Play)

Version: 2.2 - Playtest Edition

Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.


Universal Tracker Sheet (all modules)

Turn Track

Cross off as each turn ends. Circle your turn limit before starting.

 1   2   3   4   5   6   7   8   9   10   11   12   13   14   15   16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]

Budget Track

Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.

150 145 140 135 130 125 120 115 110 105 100  95  90  85  80  75
 70  65  60  55  50  45  40  35  30  25  20  15  10   5   0

Reputation / Score Track (0-100)

100  95  90  85  80  75  70  65  60  55  50  45  40  35  30  25  20  15  10  5  0

Uncontained Threats (Incident Response)

 0   1   2   3   4   5
[ ] [ ] [ ] [ ] [ ] [ ]      Penalty at start of turn: -5 Budget each

Forensics Module Sheet — Progress Meters

Advance each meter per card effects. Victory thresholds marked ▲.

ATTRIBUTION      0   10   20   30   40   50   60   70   80   90▲  100
TIMELINE         0   10   20   30   40   50   60   70   80▲  90   100
ATTACK CHAIN     0   10   20   30   40   50   60   70   80▲  90   100
CHAIN OF CUSTODY 0   10   20   30   40   50   60   70▲  80   90   100

Victory check (end of game):
- V1 Full Attribution: Attribution ≥90 AND Timeline ≥80
- V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70
- V3 Partial Findings: any two meters ≥70

Investigation in flight: ____ (results arrive Turn _)

Evidence collected (✓ = Analyzed, one Analyze per card):

| Evidence card | Documented? (+5% CoC) | Analyzed? |
|---------------|-----------------------|-----------|
|               |                       |           |
|               |                       |           |
|               |                       |           |
|               |                       |           |
|               |                       |           |

Disaster Recovery Module Sheet

Crisis Progress Tracks

INVESTIGATION   0   10   20   30   40   50   60   70   80   90   100
REMEDIATION     0   10   20   30   40   50   60   70   80   90   100
COMMUNICATION   0   10   20   30   40   50   60   70   80   90   100

Stakeholder Trust (0-100%; any stakeholder at 0% = company collapses)

| Stakeholder       | 100 | 80 | 60 | 40 | 20 (critical) | 0 (LOSS) |
|-------------------|-----|----|----|----|---------------|----------|
| Customers         |     |    |    |    |               |          |
| Employees         |     |    |    |    |               |          |
| Regulators        |     |    |    |    |               |          |
| Board / Investors |     |    |    |    |               |          |
| Media / Public    |     |    |    |    |               |          |

Deadline Timeline (mark scheduled events at setup)

| Turn            | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|-----------------|---|---|---|---|---|---|---|---|
| Scheduled event |   |   |   |   |   |   |   |   |
| Deadline        |   |   |   |   |   |   |   |   |

Deadlines to mark on the turn set at setup: Customers notified (recommended) · Regulator penalties begin · GDPR 72h — regulators notified

Multi-turn action in flight: ____ (completes Turn _)


Audit & Compliance Module Sheet — Scoring Worksheet

| # | Domain                 | Stars (1-5) | PASS (3★+) / FAIL (1-2★) | Key gap found |
|---|------------------------|-------------|--------------------------|---------------|
| 1 | Network Segmentation   |             |                          |               |
| 2 | Identity & Access      |             |                          |               |
| 3 | Detection & Monitoring |             |                          |               |
| 4 | Backup & Recovery      |             |                          |               |
| 5 | Cloud Security         |             |                          |               |
| 6 | Security Operations    |             |                          |               |

Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).


Network Building Module Sheet — Score Sheet

| Category            | Points | Notes                   |
|---------------------|--------|-------------------------|
| Requirements met    |        | per requirement card    |
| Security coverage   |        | per rules scoring table |
| Capability coverage |        | per rules scoring table |
| Budget management   |        | per rules scoring table |
| TOTAL               |        |                         |

Components placed:

| Component | Cost | Capacity used / total |
|-----------|------|-----------------------|
|           |      |                       |
|           |      |                       |
|           |      |                       |
|           |      |                       |

Budget remaining: ___ / starting ___