# Investigation Scope

| Field | Value |
|---|---|
| Case ID | `{{case_id}}` |
| Scope Owner | `{{scope_owner}}` |
| Authorized By | `{{authorized_by}}` |
| Authorization Reference | `{{authorization_reference}}` |
| Start Time | `{{start_time}}` |

## Included Systems

| System | Reason In Scope | Evidence Sources | Owner |
|---|---|---|---|
| `{{system_1}}` | `{{reason_1}}` | `{{sources_1}}` | `{{owner_1}}` |

## Excluded Systems

| System | Reason Excluded | Approval |
|---|---|---|
| `{{system_excluded_1}}` | `{{reason_excluded_1}}` | `{{approval_1}}` |

## Authorized Actions

- [ ] Read-only triage
- [ ] Evidence acquisition
- [ ] Log export
- [ ] Memory acquisition
- [ ] Cloud snapshot preservation
- [ ] Containment actions

Containment, cleanup, reboot, credential rotation, or destructive actions require explicit operator authorization and custody notes.

## Questions

- `{{question_1}}`
