# MASForensics case definition — template
#
# Copy this file to `case.yaml` and edit it for your case. If `case.yaml`
# exists in the working directory, `python main.py` loads it automatically;
# otherwise main.py falls back to interactive single-image selection.
#
# A filled-in case.yaml names real people and evidence locations, so handle
# it like case material rather than like this template.
#
# A case is a set of evidence sources. Each source has:
#   id                optional — auto-derived from label if omitted ("src-…")
#   label             human-readable name
#   type              disk_image | mobile_extraction | archive | media_collection
#   access_mode       image | tree (optional — defaults by type)
#                       image = block device / disk image, navigated by Sleuth Kit
#                       tree  = mounted filesystem / unpacked extraction, path-based
#   owner             optional — the person the source is associated with
#   path              filesystem path (relative paths resolve against this file)
#   partition_offset  image-mode only — sector offset of the partition to analyze
#   meta              optional free-form notes
#
# NOTE: at the current refit stage only image-mode (disk) sources are
# analysable; tree-mode sources are accepted but skipped.
#
# NOTE(review): none of the fields listed above carries an acquisition hash.
# Until the schema has one, the free-form `meta` notes are the only place in
# this file to record it, so that the image analysed can later be matched to
# the image acquired.

# Case-level identifier and display name.
case_id: example-case
name: "Example forensic case"
meta:
  notes: "free-form case-level metadata"

sources:
  # Image-mode source: the only kind analysed at the current stage.
  - id: src-suspect-laptop
    label: "Suspect laptop disk image"
    type: disk_image
    access_mode: image
    owner: "John Doe"
    # Relative path, so it is resolved against this file, not the process CWD.
    path: image/suspect_laptop.E01
    # The value is a sector offset, not a byte offset. Run `mmls` on the image
    # to find the right offset and copy the partition's starting sector from
    # its output. 0 is only a placeholder here.
    partition_offset: 0

  # Tree-mode source: accepted by the loader but skipped at the current stage
  # (see NOTE above), so nothing from this entry reaches the analysis yet.
  - id: src-suspect-phone
    label: "Suspect phone extraction"
    type: mobile_extraction
    access_mode: tree
    owner: "John Doe"
    # NOTE(review): tree mode is described above as a mounted filesystem or
    # unpacked extraction, but this path names a .zip — confirm whether the
    # loader unpacks it or expects a directory.
    path: image/suspect_phone.zip