Investigation Section Chief (DFIR — NIMS ICS Role)
CommunityRun DFIR investigations under IC authority.
Category: Legal & Compliance
Tags: dfir, chain of custody, incident command, cop management, evidence triage, investigation orchestration, authority gates
Author: rjonhaas
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
It orchestrates a DFIR investigation lifecycle by defining the Investigation Section Chief role, enforcing authority boundaries, managing operational-period analysis, and producing a continuously reviewed Common Operating Picture (COP).
Core Features & Use Cases
- Authority-gated investigation decisions: Records chain-of-custody failures, scope expansion candidates, contradictions, and closure recommendations for IC ratification without halting analysis.
- Structured, period-based investigation management: Caps analysis at 4 operational periods, drives COP updates each period, and maintains a pivot ledger of outstanding actions triggered by findings.
- Evidence integrity and temporal strategy: Performs evidence inventory, chain-of-custody verification/gap documentation, and selects analysis order based on evidence relationship to the suspected attack window.
Quick Start
Have the Incident Commander invoke the Investigation Section Chief skill at case start and follow its Phase 0 initialization steps to generate and update the COP based on the available evidence.
Dependency Matrix
Required Modules
None required
Components
Standard package
Claude Code Installation
Recommended: let Claude install the skill automatically. Copy and paste the text below into Claude Code.
Please help me install this Skill: Name: Investigation Section Chief (DFIR — NIMS ICS Role) Download link: https://github.com/rjonhaas/SIFTics/archive/main.zip#investigation-section-chief-dfir-nims-ics-role Please download this .zip file, extract it, and install it in the .claude/skills/ directory.