Triage Methodology (Phase Sequencing & Decision Engine)

What problem does it solve?

This skill resolves the hard operational problem of deciding which DFIR extraction and analysis phases to run, in what order, and why—based on what evidence is actually present—so triage can progress without manual orchestration.

Core Features & Use Cases

• Phase sequencing & decisioning: Dynamically selects phases, enforces preconditions, and supports break-condition reordering when specific high-signal findings appear.
• Idempotent, audit-friendly execution: Invokes fixed black-box phase scripts and relies on completion-signal files plus per-script audit logs for repeatable runs.
• Cross-phase synthesis outputs: Drives generation of core consolidated artifacts such as IOC master, timelines, attack-path graphs, anomaly checks, and (optionally) CVE attribution.

Use Case: Given mixed Windows artifacts (KAPE zip, registry hives, EVTX, IIS logs) plus optional memory/pcap, the ISC uses this playbook to orchestrate evidence extraction, hunting, credential access, anti-forensics characterization, and then produces an investigation graph and anomaly summary for reporting.

Quick Start

Ask the orchestrating agent to invoke the triage-methodology skill at the start of Period 1, then have it sequence phases according to the Phase Catalog and Break Conditions based on evidence inventory in the case root.