rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md

@@ -0,0 +1,712 @@
+---
+name: rt-evidence-chain
+description: "Document chain of custody for all evidence collected during engagement. SHA-256 hash each piece of evidence, log collection timestamp, collector identity, storage location, and access history. Creates tamper-evident custody log. Uses autodoc_engine.py custody command. Essential for legal admissibility and professional engagement conduct."
+---
+
+# rt-evidence-chain
+
+## Overview
+
+The evidence chain of custody is the backbone of professional engagement conduct. Every screenshot, HTTP response, terminal log, exported credential, and tool output artifact is evidence. Without a rigorous chain of custody, evidence can be challenged as tampered, misattributed, or fabricated — destroying the engagement's legal standing and the operator's credibility.
+
+This skill documents the formal process for collecting, hashing, timestamping, and logging evidence throughout the engagement lifecycle. It must be executed continuously from first contact through final report delivery — not as a post-engagement cleanup task.
+
+### When This Skill Applies
+
+- **Always.** Every piece of evidence collected during any phase (recon, exploitation, post-exploitation, lateral movement) must pass through this process.
+- Immediately after collecting any artifact that will appear in the final report.
+- Before sharing evidence externally (client portal, encrypted email, secure drop).
+- When handing off evidence between operators on a team engagement.
+- When evidence storage location changes (local operator machine → shared engagement vault).
+
+### Legal and Professional Context
+
+A chain of custody log answers four questions that legal counsel, client security teams, and certification bodies will ask:
+
+1. **What** exactly was collected (filename, content description, SHA-256 hash)?
+2. **When** was it collected (UTC timestamp, precision to the second)?
+3. **Who** collected it (operator alias or full name as contracted)?
+4. **Where** is it stored (path, encryption status, access controls)?
+
+Failure to maintain this log does not just fail audits — it can expose the operator and the client to legal liability if evidence is later contested in litigation or regulatory proceedings.
+
+### Position in the Engagement Lifecycle
+
+```
+Scope Definition → ROE Signed → Reconnaissance → Exploitation → Post-Exploitation → Reporting
+      ↑                                  ↑               ↑              ↑              ↑
+      └──────────────────────────────────┴───────────────┴──────────────┴──────────────┘
+                                    rt-evidence-chain runs at EVERY arrow
+```
+
+---
+
+## Prerequisites
+
+Before running this skill, confirm:
+
+1. Engagement is initialized: `python3 _rtexit/scripts/autodoc_engine.py init --ref ENG-2024-047 --client "Meridian Financial Group" --methodology ptes`
+2. Output directory structure exists: `_rtexit-output/docs/evidence/` must be present (created by `init`).
+3. You have an operator alias or name as it appears in the engagement contract.
+4. The evidence file you are logging already exists on disk at its final storage path.
+
+---
+
+## Step-by-Step Workflow
+
+### Step 1 — Collect and Save the Evidence File
+
+Before logging, the evidence must exist on disk at its intended storage location. Do not log a temporary path — log the final destination.
+
+```bash
+# Create the evidence directory for this finding
+mkdir -p _rtexit-output/docs/evidence/screenshots
+mkdir -p _rtexit-output/docs/evidence/terminal-logs
+mkdir -p _rtexit-output/docs/evidence/http-logs
+mkdir -p _rtexit-output/docs/evidence/exports
+
+# Example: Save a screenshot of authenticated admin panel access
+# (taken with your screen capture tool of choice, then moved here)
+cp ~/Desktop/admin-panel-auth-bypass.png \
+   _rtexit-output/docs/evidence/screenshots/F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png
+
+# Example: Save terminal output showing privilege escalation
+script -q -c "id && whoami && cat /etc/shadow | head -5" \
+   _rtexit-output/docs/evidence/terminal-logs/F-007-privesc-proof-2024-11-14T143105Z.txt
+
+# Example: Save a Burp Suite HTTP log export
+cp ~/burp-exports/sqli-proof.xml \
+   _rtexit-output/docs/evidence/http-logs/F-003-sqli-request-response-2024-11-14T091244Z.xml
+```
+
+**Naming convention for evidence files:**
+
+```
+{FINDING-ID}-{brief-description}-{YYYY-MM-DDTHHMMSZ}.{ext}
+
+Examples:
+  F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png
+  F-003-sqli-union-select-response-2024-11-14T091244Z.xml
+  F-012-lsass-dump-mimikatz-output-2024-11-14T161830Z.txt
+  F-019-s3-bucket-public-listing-2024-11-14T174501Z.json
+```
+
+Never use spaces. Use UTC timestamps. Include the finding ID so custody records and findings tracker entries are trivially cross-referenced.
+
+---
+
+### Step 2 — Compute the SHA-256 Hash (Manual Verification)
+
+The `autodoc_engine.py` script computes the hash automatically, but operators should also record it manually in their session notes so there is a second independent verification point.
+
+```bash
+# Linux / macOS
+sha256sum _rtexit-output/docs/evidence/screenshots/F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png
+
+# Windows PowerShell
+Get-FileHash "_rtexit-output\docs\evidence\screenshots\F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png" -Algorithm SHA256
+
+# Python (cross-platform)
+python3 -c "
+import hashlib, sys
+path = sys.argv[1]
+h = hashlib.sha256()
+with open(path, 'rb') as f:
+    for chunk in iter(lambda: f.read(8192), b''):
+        h.update(chunk)
+print(h.hexdigest(), path)
+" _rtexit-output/docs/evidence/screenshots/F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png
+```
+
+**Example output:**
+
+```
+a3f8d291cc047e1b9f2c7a4e883d0912f5b67c9a1d3e2f4b6a8c0d7e9f1a2b3  F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png
+```
+
+Record this hash in your operator notes immediately. If the file is later modified (even by a file system operation), the hash will change and the discrepancy will be detectable.
+
+---
+
+### Step 3 — Log Evidence to the Custody Chain
+
+Use `autodoc_engine.py custody` to append a tamper-evident entry to `_rtexit-output/docs/evidence/chain-of-custody.md`.
+
+**Syntax:**
+
+```bash
+python3 _rtexit/scripts/autodoc_engine.py custody \
+  --finding <FINDING-ID> \
+  --evidence <PATH-TO-EVIDENCE-FILE> \
+  --operator <OPERATOR-NAME>
+```
+
+**Real examples:**
+
+```bash
+# Log the admin panel screenshot for finding F-007
+python3 _rtexit/scripts/autodoc_engine.py custody \
+  --finding F-007 \
+  --evidence "_rtexit-output/docs/evidence/screenshots/F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png" \
+  --operator "Sarah Okonkwo"
+
+# Log the SQLi HTTP log for finding F-003
+python3 _rtexit/scripts/autodoc_engine.py custody \
+  --finding F-003 \
+  --evidence "_rtexit-output/docs/evidence/http-logs/F-003-sqli-request-response-2024-11-14T091244Z.xml" \
+  --operator "Sarah Okonkwo"
+
+# Log a terminal log for a privilege escalation finding
+python3 _rtexit/scripts/autodoc_engine.py custody \
+  --finding F-012 \
+  --evidence "_rtexit-output/docs/evidence/terminal-logs/F-012-lsass-dump-mimikatz-output-2024-11-14T161830Z.txt" \
+  --operator "Marcus Reyes"
+
+# Log a non-file artifact (e.g., a URL screenshot described inline)
+python3 _rtexit/scripts/autodoc_engine.py custody \
+  --finding F-019 \
+  --evidence "S3 bucket s3://meridian-backups-prod publicly accessible — listing confirmed via AWS CLI, no auth required" \
+  --operator "Sarah Okonkwo"
+```
+
+**Expected output:**
+
+```
+Evidence logged: F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png
+   SHA-256: a3f8d291cc047e1b9f2c7a4e883d0912f5b67c9a1d3e2f4b6a8c0d7e9f1a2b3
+```
+
+---
+
+### Step 4 — Register the Finding in finding_tracker.py
+
+Evidence without a linked finding is an orphan. Every custody entry should correspond to a tracked finding. If the finding does not yet exist in the tracker, add it now.
+
+```bash
+# Add a new finding to the tracker
+python3 _rtexit/scripts/finding_tracker.py add \
+  "Authentication Bypass on Admin Portal via Direct Object Reference" \
+  HIGH \
+  8.1 \
+  "https://admin.meridianfinancial.com/dashboard" \
+  --cwe CWE-639 \
+  --mitre "T1078.003" \
+  --phase "exploitation" \
+  --operator "Sarah Okonkwo" \
+  --notes "Admin panel accessible by modifying user_id parameter. No server-side authorization check. Full account takeover of any user including org admins."
+
+# Check the tracker to confirm the finding ID assigned
+python3 _rtexit/scripts/finding_tracker.py list
+
+# Example output:
+# F-007 | HIGH  | 8.1 | Authentication Bypass on Admin Portal via Direct Object Reference | https://admin.meridianfinancial.com/dashboard | exploitation | confirmed
+```
+
+Use the assigned finding ID (e.g., `F-007`) in all subsequent custody log entries for that finding.
+
+---
+
+### Step 5 — Log the Activity to the Engagement Timeline
+
+Every significant evidence collection event should also appear in the engagement timeline for chronological reconstruction.
+
+```bash
+python3 _rtexit/scripts/autodoc_engine.py log \
+  --skill rt-evidence-chain \
+  --phase exploitation \
+  --finding F-007 \
+  --operator "Sarah Okonkwo" \
+  --note "Collected auth bypass proof screenshot and logged to chain of custody"
+```
+
+---
+
+### Step 6 — Verify the Custody Log
+
+After logging, inspect the custody log to confirm the entry is correct.
+
+```bash
+cat _rtexit-output/docs/evidence/chain-of-custody.md
+```
+
+The log is append-only markdown. Do not edit existing rows. If an error was made, add a new correction row with a note in the evidence description field.
+
+---
+
+### Step 7 — Encrypt and Secure Evidence Storage
+
+Raw evidence files must never sit in plaintext on an unencrypted disk. After logging custody, encrypt the evidence directory before any break in operator session.
+
+```bash
+# Option A: GPG symmetric encryption of the entire evidence directory (quick)
+tar -czf _rtexit-output/docs/evidence/evidence-bundle-2024-11-14.tar.gz \
+    _rtexit-output/docs/evidence/
+
+gpg --symmetric \
+    --cipher-algo AES256 \
+    --compress-algo none \
+    _rtexit-output/docs/evidence/evidence-bundle-2024-11-14.tar.gz
+
+# Store the passphrase in the engagement password vault (1Password / Bitwarden engagement item)
+# Shred the unencrypted archive
+shred -vzu _rtexit-output/docs/evidence/evidence-bundle-2024-11-14.tar.gz
+
+# Option B: VeraCrypt container (recommended for long-running engagements)
+# Mount the container before the session, dismount after.
+# All _rtexit-output/docs/evidence/ writes go directly into the mounted container.
+
+# Option C: Encrypted engagement repository (git-crypt or BlackBox)
+# Already covered by engagement setup if git-crypt is initialized
+```
+
+---
+
+### Step 8 — Team Handoff (Multi-Operator Engagements)
+
+When handing off evidence to another operator (shift change, specialization handoff):
+
+```bash
+# 1. Export the current custody log state
+cp _rtexit-output/docs/evidence/chain-of-custody.md \
+   _rtexit-output/docs/evidence/chain-of-custody-snapshot-2024-11-14T180000Z.md
+
+# 2. Have the receiving operator verify file hashes independently
+# (Receiving operator runs sha256sum on each file and compares to custody log)
+
+# 3. Log the handoff event
+python3 _rtexit/scripts/autodoc_engine.py custody \
+  --finding ALL \
+  --evidence "Evidence custody transferred from Sarah Okonkwo to Marcus Reyes at 2024-11-14T18:00:00Z. All files verified by hash comparison. Storage location: shared engagement vault /Volumes/ENG-2024-047-vault/evidence/" \
+  --operator "Sarah Okonkwo"
+```
+
+---
+
+## Templates
+
+### Template 1: Evidence Collection Session Log
+
+Create this file at the start of any evidence collection session:
+
+```markdown
+# Evidence Collection Session — ENG-2024-047
+# File: _rtexit-output/docs/evidence/session-logs/session-2024-11-14-okonkwo.md
+
+**Date:** 2024-11-14
+**Operator:** Sarah Okonkwo (sarah.okonkwo@redteamops.io)
+**Session Start:** 09:00 UTC
+**Session End:** 18:30 UTC
+**Engagement:** ENG-2024-047 — Meridian Financial Group External Penetration Test
+**Phase:** Exploitation
+
+## Evidence Collected This Session
+
+| Time (UTC) | Finding | File | SHA-256 (first 16 chars) | Notes |
+|------------|---------|------|--------------------------|-------|
+| 09:12:44 | F-003 | F-003-sqli-request-response-2024-11-14T091244Z.xml | a3f8d291cc047e1b | Burp export of UNION SELECT payload and full DB response |
+| 11:34:07 | F-005 | F-005-ssrf-aws-metadata-2024-11-14T113407Z.txt | 7c2e94ab1f830d62 | curl output showing IMDSv1 access returning IAM credentials |
+| 14:30:22 | F-007 | F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png | d91e5fc2a847b013 | Screenshot: admin panel with user_id=1 showing org admin account |
+| 16:18:30 | F-012 | F-012-lsass-dump-mimikatz-output-2024-11-14T161830Z.txt | 88f3a21cd490e7b5 | Mimikatz sekurlsa::logonpasswords output — 4 NTLM hashes extracted |
+
+## Storage Location
+All evidence stored at: _rtexit-output/docs/evidence/
+Encrypted bundle: engagement-vault:/ENG-2024-047/evidence/
+
+## Handoff Notes
+Handed off to Marcus Reyes at 18:30 UTC. Vault passphrase delivered via Signal OTP channel.
+```
+
+---
+
+### Template 2: Per-Finding Evidence Block (for Report Appendix)
+
+This block goes into the report appendix for each finding.
+
+```markdown
+## Evidence Block — F-007: Authentication Bypass on Admin Portal
+
+**Finding ID:** F-007
+**Severity:** HIGH (CVSS 8.1)
+**Asset:** https://admin.meridianfinancial.com/dashboard
+**Phase Discovered:** Exploitation — 2024-11-14
+
+### Artifact Registry
+
+| Artifact | Type | SHA-256 Hash | Collected | Operator |
+|----------|------|--------------|-----------|----------|
+| F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png | Screenshot | a3f8d291cc047e1b9f2c7a4e883d0912f5b67c9a1d3e2f4b6a8c0d7e9f1a2b3 | 2024-11-14T14:30:22Z | Sarah Okonkwo |
+| F-007-idor-burp-request-2024-11-14T143315Z.xml | HTTP Request/Response | 7f1d3a82bc940e4c1a6b5f2d8e3c9070a1b4d7f2e5c8a0b3d6e9f2a5b8c1d4 | 2024-11-14T14:33:15Z | Sarah Okonkwo |
+| F-007-account-list-dump-2024-11-14T143842Z.json | Data Export | 2b9e6d4a1c7f0e3b5a8d2f1c4e7a0b3d6c9f2a5b8e1d4c7f0a3b6d9e2c5f8 | 2024-11-14T14:38:42Z | Sarah Okonkwo |
+
+### Reproduction Evidence
+
+**Request (from F-007-idor-burp-request-2024-11-14T143315Z.xml):**
+```
+GET /api/v2/users/1/profile HTTP/1.1
+Host: admin.meridianfinancial.com
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjo4NzQsInJvbGUiOiJ2aWV3ZXIifQ.xK9mP3qR2sT7uV0w
+Cookie: session=b3NlcjhoYXNub2lkZWE=
+```
+
+**Response (truncated — see artifact for full response):**
+```json
+{
+  "user_id": 1,
+  "email": "ceo@meridianfinancial.com",
+  "role": "org_admin",
+  "mfa_enabled": false,
+  "api_key": "mfg_live_sk_K7mNpQ2rS9tU4vW1xY6zA8bC3dE5fG0h"
+}
+```
+
+**Screenshot:** See F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png — shows admin dashboard rendered for CEO account after IDOR parameter manipulation.
+
+### Chain of Custody Notes
+All artifacts verified intact as of 2024-11-20T09:00:00Z prior to report delivery.
+No modifications made after initial collection. Hash verification passed.
+```
+
+---
+
+### Template 3: Bulk Evidence Registration Script
+
+Use this when you have collected many artifacts at once (e.g., after an automated scan phase) and need to log them all to the custody chain efficiently.
+
+```bash
+#!/usr/bin/env bash
+# bulk-custody-log.sh
+# Logs all evidence files in a directory to the custody chain.
+# Usage: bash bulk-custody-log.sh <finding-id> <evidence-dir> <operator-name>
+#
+# Example:
+#   bash bulk-custody-log.sh F-019 _rtexit-output/docs/evidence/exports "Sarah Okonkwo"
+
+FINDING_ID="$1"
+EVIDENCE_DIR="$2"
+OPERATOR="$3"
+SCRIPT="python3 _rtexit/scripts/autodoc_engine.py"
+
+if [ -z "$FINDING_ID" ] || [ -z "$EVIDENCE_DIR" ] || [ -z "$OPERATOR" ]; then
+    echo "Usage: bash bulk-custody-log.sh <finding-id> <evidence-dir> <operator-name>"
+    exit 1
+fi
+
+echo "[*] Bulk custody logging for $FINDING_ID from $EVIDENCE_DIR"
+echo "[*] Operator: $OPERATOR"
+echo ""
+
+file_count=0
+for f in "$EVIDENCE_DIR"/*; do
+    [ -f "$f" ] || continue
+    echo "[+] Logging: $f"
+    $SCRIPT custody \
+        --finding "$FINDING_ID" \
+        --evidence "$f" \
+        --operator "$OPERATOR"
+    file_count=$((file_count + 1))
+done
+
+echo ""
+echo "[*] Done. $file_count files logged to chain of custody."
+echo "[*] Custody log: _rtexit-output/docs/evidence/chain-of-custody.md"
+```
+
+---
+
+## Integration with finding_tracker.py and autodoc_engine.py
+
+### Complete Workflow Integration Example
+
+This shows the full sequence from discovery through custody logging for a real finding.
+
+**Scenario:** Operator discovers an unauthenticated SSRF vulnerability on `https://api.meridianfinancial.com/v2/fetch` that reaches AWS IMDS and returns IAM credentials.
+
+```bash
+# 1. Collect the evidence
+mkdir -p _rtexit-output/docs/evidence/terminal-logs
+
+# Run the exploit and capture output
+curl -sk "https://api.meridianfinancial.com/v2/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/MeridianProd" \
+    > _rtexit-output/docs/evidence/terminal-logs/F-005-ssrf-iam-creds-2024-11-14T113407Z.txt
+
+# Also capture the full HTTP exchange
+curl -sk -v "https://api.meridianfinancial.com/v2/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/MeridianProd" \
+    2>&1 > _rtexit-output/docs/evidence/http-logs/F-005-ssrf-full-exchange-2024-11-14T113512Z.txt
+
+# 2. Register the finding in finding_tracker.py
+python3 _rtexit/scripts/finding_tracker.py add \
+  "SSRF to AWS IMDS Exposes Production IAM Credentials" \
+  CRITICAL \
+  9.8 \
+  "https://api.meridianfinancial.com/v2/fetch" \
+  --cwe CWE-918 \
+  --cve CVE-2019-SSRF-IMDS \
+  --mitre "T1552.005" \
+  --phase "exploitation" \
+  --operator "Sarah Okonkwo" \
+  --notes "SSRF via url parameter reaches IMDSv1. Returns AccessKeyId, SecretAccessKey, Token for role MeridianProd. Role has iam:CreateAccessKey and s3:* permissions — full AWS account compromise possible."
+
+# Confirm finding ID
+python3 _rtexit/scripts/finding_tracker.py list --severity CRITICAL
+# Output: F-005 | CRITICAL | 9.8 | SSRF to AWS IMDS Exposes Production IAM Credentials | ...
+
+# 3. Log evidence to chain of custody
+python3 _rtexit/scripts/autodoc_engine.py custody \
+  --finding F-005 \
+  --evidence "_rtexit-output/docs/evidence/terminal-logs/F-005-ssrf-iam-creds-2024-11-14T113407Z.txt" \
+  --operator "Sarah Okonkwo"
+
+python3 _rtexit/scripts/autodoc_engine.py custody \
+  --finding F-005 \
+  --evidence "_rtexit-output/docs/evidence/http-logs/F-005-ssrf-full-exchange-2024-11-14T113512Z.txt" \
+  --operator "Sarah Okonkwo"
+
+# 4. Log the activity to the engagement timeline
+python3 _rtexit/scripts/autodoc_engine.py log \
+  --skill rt-evidence-chain \
+  --phase exploitation \
+  --finding F-005 \
+  --operator "Sarah Okonkwo" \
+  --cmd "curl -sk 'https://api.meridianfinancial.com/v2/fetch?url=http://169.254.169.254/...'" \
+  --note "SSRF confirmed, IAM credentials obtained, chain of custody logged"
+
+# 5. Check the current custody log
+cat _rtexit-output/docs/evidence/chain-of-custody.md
+```
+
+### Verify Finding Stats Before Report
+
+```bash
+# Get a finding summary before writing the report
+python3 _rtexit/scripts/finding_tracker.py stats
+
+# List all confirmed findings
+python3 _rtexit/scripts/finding_tracker.py list --status confirmed
+
+# Export findings to JSON for report generation
+python3 _rtexit/scripts/finding_tracker.py export \
+    > _rtexit-output/docs/reports/findings-export-2024-11-20.json
+```
+
+---
+
+## Quality Checklist
+
+Use this checklist before finalizing the evidence package for report delivery.
+
+### Evidence Collection Quality
+
+- [ ] Every finding in `finding_tracker.py` has at least one custody entry in `chain-of-custody.md`
+- [ ] Every custody entry references a real finding ID (no orphaned evidence)
+- [ ] All evidence files follow the naming convention: `{FINDING-ID}-{description}-{TIMESTAMP}.{ext}`
+- [ ] No evidence files have spaces in their names
+- [ ] Timestamps in filenames are UTC (suffix `Z`)
+- [ ] Screenshots show the full browser window including URL bar (not just a cropped element)
+- [ ] Terminal output captures the full command AND full output (not truncated)
+- [ ] HTTP logs include both the complete request and complete response headers and body
+- [ ] For credential findings: the credential itself is partially redacted in the report but the full value is preserved in the encrypted evidence vault
+
+### Chain of Custody Quality
+
+- [ ] `chain-of-custody.md` has no manually edited rows (only `autodoc_engine.py custody` output)
+- [ ] Every row has a non-empty operator name (not `-`)
+- [ ] Every row has a valid SHA-256 hash prefix (not `file-not-found`)
+- [ ] SHA-256 hashes in custody log match manual `sha256sum` verification output
+- [ ] No evidence files were modified after their custody entry was logged (verify with `sha256sum`)
+- [ ] Handoff events are logged with explicit custody transfer entries
+- [ ] Evidence storage location is documented in session logs
+
+### Finding Tracker Quality
+
+- [ ] Every finding has a severity (`CRITICAL/HIGH/MEDIUM/LOW/INFO`)
+- [ ] CVSS score is present and matches the severity band
+- [ ] CWE is referenced for all technical findings
+- [ ] MITRE ATT&CK technique is referenced where applicable
+- [ ] Phase is recorded (`recon/exploitation/post-exploitation/lateral-movement`)
+- [ ] Status is updated (`confirmed` — not left as default draft)
+- [ ] Affected asset URL or IP is specific (not a wildcard)
+
+### Encryption and Storage Quality
+
+- [ ] Evidence directory is encrypted before any session break
+- [ ] Evidence bundle passphrase is stored in the engagement password vault (not in a text file)
+- [ ] No evidence files remain in temporary locations (`/tmp`, `~/Desktop`, browser Downloads)
+- [ ] `chain-of-custody.md` itself is included in the encrypted bundle
+
+---
+
+## Example Output — Finished Chain of Custody Log
+
+This is what `_rtexit-output/docs/evidence/chain-of-custody.md` looks like for a real engagement after all evidence is logged:
+
+```markdown
+# Chain of Custody Log
+
+| Timestamp | Finding | Evidence | SHA-256 Hash | Operator |
+|-----------|---------|----------|--------------|----------|
+| 2024-11-12T08:44:17 | - | Engagement initialized: ENG-2024-047 Meridian Financial Group | `1a2b3c4d5e6f7a8b` | Sarah Okonkwo |
+| 2024-11-13T10:22:05 | F-001 | F-001-exposed-env-file-2024-11-13T102205Z.txt | `e4f5a6b7c8d9e0f1` | Sarah Okonkwo |
+| 2024-11-13T10:22:05 | F-001 | F-001-env-file-screenshot-2024-11-13T102355Z.png | `2c3d4e5f6a7b8c9d` | Sarah Okonkwo |
+| 2024-11-13T14:17:33 | F-002 | F-002-directory-listing-backup-files-2024-11-13T141733Z.txt | `9b0c1d2e3f4a5b6c` | Sarah Okonkwo |
+| 2024-11-14T09:12:44 | F-003 | F-003-sqli-request-response-2024-11-14T091244Z.xml | `a3f8d291cc047e1b` | Sarah Okonkwo |
+| 2024-11-14T09:58:01 | F-003 | F-003-sqli-db-dump-users-table-2024-11-14T095801Z.csv | `7f2e1d4c9a8b5e3f` | Sarah Okonkwo |
+| 2024-11-14T11:34:07 | F-005 | F-005-ssrf-iam-creds-2024-11-14T113407Z.txt | `7c2e94ab1f830d62` | Sarah Okonkwo |
+| 2024-11-14T11:35:12 | F-005 | F-005-ssrf-full-exchange-2024-11-14T113512Z.txt | `3a9d7f2b4e1c8a5d` | Sarah Okonkwo |
+| 2024-11-14T14:30:22 | F-007 | F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png | `d91e5fc2a847b013` | Sarah Okonkwo |
+| 2024-11-14T14:33:15 | F-007 | F-007-idor-burp-request-2024-11-14T143315Z.xml | `7f1d3a82bc940e4c` | Sarah Okonkwo |
+| 2024-11-14T14:38:42 | F-007 | F-007-account-list-dump-2024-11-14T143842Z.json | `2b9e6d4a1c7f0e3b` | Sarah Okonkwo |
+| 2024-11-14T16:18:30 | F-012 | F-012-lsass-dump-mimikatz-output-2024-11-14T161830Z.txt | `88f3a21cd490e7b5` | Sarah Okonkwo |
+| 2024-11-14T16:45:00 | F-012 | F-012-ntlm-hashes-crack-results-2024-11-14T164500Z.txt | `4c5d6e7f8a9b0c1d` | Marcus Reyes |
+| 2024-11-14T18:00:00 | ALL | Evidence custody transferred from Sarah Okonkwo to Marcus Reyes at 2024-11-14T18:00:00Z. All files verified by hash comparison. Storage: engagement-vault:/ENG-2024-047/evidence/ | `custody-transfer-event` | Sarah Okonkwo |
+| 2024-11-15T09:04:11 | F-015 | F-015-stored-xss-payload-execution-2024-11-15T090411Z.png | `1e2f3a4b5c6d7e8f` | Marcus Reyes |
+| 2024-11-15T09:08:33 | F-015 | F-015-xss-cookie-theft-poc-2024-11-15T090833Z.html | `9f0a1b2c3d4e5f6a` | Marcus Reyes |
+| 2024-11-19T11:00:00 | ALL | Pre-report hash verification pass completed. All 16 evidence files verified intact. No discrepancies. Verified by: Sarah Okonkwo | `verification-event` | Sarah Okonkwo |
+```
+
+---
+
+## Common Mistakes to Avoid
+
+### Mistake 1: Logging Evidence After the Fact
+
+**Wrong approach:** Collecting evidence during the engagement and logging it all to the custody chain the day before report delivery.
+
+**Why it fails:** If asked when evidence was collected, the custody timestamps will not match your session notes or tool output timestamps. This discrepancy can be used to challenge the evidence's authenticity.
+
+**Correct approach:** Log every artifact within 15 minutes of collecting it. Make it a habit — collect, save, hash, log, continue.
+
+---
+
+### Mistake 2: Using Temporary or Generic Filenames
+
+**Wrong:** `screenshot1.png`, `output.txt`, `burp-export.xml`
+
+**Why it fails:** Provides no context for which finding the evidence relates to, when it was collected, or what it shows. Tracing custody becomes impossible without cross-referencing multiple logs.
+
+**Correct:** `F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png`
+
+---
+
+### Mistake 3: Modifying Evidence After Logging
+
+**Wrong:** Taking a screenshot, logging it to custody, then cropping out a sensitive watermark or redacting a client name from the image before adding it to the report.
+
+**Why it fails:** The SHA-256 hash logged in the custody chain will no longer match the modified file. This constitutes evidence tampering.
+
+**Correct approach:** Keep the original file unmodified in evidence storage. Create a separate copy for the report with `F-007-admin-panel-auth-bypass-REDACTED-for-report.png` and note this in the report appendix. Log the original to custody; keep the redacted copy labeled clearly as a report artifact, not an evidence artifact.
+
+---
+
+### Mistake 4: Not Including the Full Command and Context in Terminal Logs
+
+**Wrong terminal log:**
+```
+sekurlsa::logonpasswords
+...output truncated...
+```
+
+**Why it fails:** No timestamp, no system context, no proof of which target this was run on.
+
+**Correct terminal log:**
+```
+[2024-11-14 16:18:30 UTC] Operator: Marcus Reyes
+[2024-11-14 16:18:30 UTC] Target: 10.20.30.41 (MFGDC01.meridianfinancial.local)
+[2024-11-14 16:18:30 UTC] Command: privilege::debug && sekurlsa::logonpasswords
+
+  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
+ .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
+ ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+ ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
+ '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
+  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
+
+Authentication Id : 0 ; 1823994 (00000000:001bd2fa)
+Session           : Interactive from 2
+User Name         : svc_backup
+Domain            : MERIDIANFINANCIAL
+Logon Server      : MFGDC01
+Logon Time        : 2024-11-14 15:30:12
+SID               : S-1-5-21-3847261920-1482476501-2308754932-1108
+        msv :
+         [00000003] Primary
+         * Username : svc_backup
+         * Domain   : MERIDIANFINANCIAL
+         * NTLM     : 4d6f72656e6f4861736849744e6f576f
+         * SHA1     : 3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c
+```
+
+---
+
+### Mistake 5: Orphaned Evidence (No Corresponding Finding)
+
+**Wrong:** Logging evidence to custody with `--finding F-999` when F-999 does not exist in `finding_tracker.py`.
+
+**Why it fails:** During report review, the scribe or project manager cannot correlate the custody entry with a tracked finding. The evidence may be omitted from the report entirely.
+
+**Correct approach:** Always run `python3 _rtexit/scripts/finding_tracker.py list` to confirm the finding ID exists before using it in a custody log entry.
+
+---
+
+### Mistake 6: Skipping Custody for "Minor" or "Informational" Findings
+
+**Wrong:** Only logging custody for CRITICAL and HIGH findings because INFO and LOW findings "don't matter for legal."
+
+**Why it fails:** Informational findings sometimes become critical during client debrief when the client provides additional context. If you did not log custody at collection time, you cannot retroactively prove when or how you collected the evidence.
+
+**Correct approach:** Log custody for every finding at every severity level. The cost of running one command is negligible. The cost of missing evidence in a disputed engagement is not.
+
+---
+
+### Mistake 7: Storing Evidence in Cleartext Outside the Engagement Vault
+
+**Wrong:** Leaving `F-005-ssrf-iam-creds-2024-11-14T113407Z.txt` containing live AWS IAM credentials in `~/Downloads/` or an unencrypted project folder.
+
+**Why it fails:** Exposes real client credentials outside a controlled storage environment. Violates engagement confidentiality obligations and potentially applicable data protection regulations (GDPR, CCPA, SOC 2 requirements for MSP/security firms).
+
+**Correct approach:** Move every evidence file into the encrypted engagement vault within 15 minutes of collection. Never let evidence persist in temporary locations overnight.
+
+---
+
+## Output Directory Structure
+
+```
+_rtexit-output/docs/evidence/
+├── chain-of-custody.md                          ← Master custody log (append-only)
+├── screenshots/
+│   ├── F-003-sqli-error-disclosure-2024-11-13T142201Z.png
+│   ├── F-007-admin-panel-auth-bypass-2024-11-14T143022Z.png
+│   └── F-015-stored-xss-payload-execution-2024-11-15T090411Z.png
+├── terminal-logs/
+│   ├── F-005-ssrf-iam-creds-2024-11-14T113407Z.txt
+│   ├── F-012-lsass-dump-mimikatz-output-2024-11-14T161830Z.txt
+│   └── 20241114_rt-evidence-chain_2024-11-14T180000Z.txt  ← autodoc_engine log files
+├── http-logs/
+│   ├── F-003-sqli-request-response-2024-11-14T091244Z.xml
+│   ├── F-005-ssrf-full-exchange-2024-11-14T113512Z.txt
+│   └── F-007-idor-burp-request-2024-11-14T143315Z.xml
+├── exports/
+│   ├── F-003-sqli-db-dump-users-table-2024-11-14T095801Z.csv
+│   ├── F-007-account-list-dump-2024-11-14T143842Z.json
+│   └── F-019-s3-bucket-public-listing-2024-11-14T174501Z.json
+└── session-logs/
+    ├── session-2024-11-13-okonkwo.md
+    ├── session-2024-11-14-okonkwo.md
+    └── session-2024-11-14-reyes.md
+```
+
+---
+
+## Tools Referenced
+
+| Tool | Purpose |
+|------|---------|
+| `autodoc_engine.py custody` | Primary custody logging — SHA-256 hashing and chain-of-custody append |
+| `autodoc_engine.py log` | Engagement timeline logging for activity context |
+| `finding_tracker.py add` | Register findings so custody entries have a valid finding ID to reference |
+| `finding_tracker.py list` | Verify finding IDs before custody logging |
+| `sha256sum` / `Get-FileHash` | Manual hash verification independent of autodoc_engine |
+| `gpg --symmetric` | Evidence bundle encryption for transit and storage |
+| `shred` | Secure deletion of cleartext temporary files |
+| `script` | Terminal session capture with timestamps |
+| Burp Suite | HTTP request/response logging and export |
+| EyeWitness / gowitness | Screenshot capture for web evidence |