# 10 · Case Management & Chain of Custody (SDK & CLI)

Create a workspace & case, register evidence, and log CoC — **dry-run first**.

In [None]:
# Parameters you can tweak
from pathlib import Path
WORKSPACE = Path.cwd() / "lab_workspace"
CASE_NAME = "lab_demo_case"
WORKSPACE.mkdir(exist_ok=True)
print("Workspace:", WORKSPACE)

In [None]:
# SDK flow (no external tools required).
from forensic.core.framework import ForensicFramework
from forensic.core.evidence import EvidenceType
from forensic.core.chain_of_custody import ChainOfCustody

fw = ForensicFramework(workspace=WORKSPACE)
case = fw.init_case(CASE_NAME)  # idempotent
print("Case directory:", case.case_dir)

# Register a dummy text file as 'log' evidence
ev_dir = case.case_dir / "evidence"
ev_dir.mkdir(parents=True, exist_ok=True)
dummy = ev_dir / "router_export.log"
dummy.write_text("deterministic test artifact\n")

fw.add_evidence(EvidenceType.LOG, dummy, description="Deterministic demo log")
coc = ChainOfCustody(case.case_dir)
events = coc.get_chain()
print("CoC events:", len(events))
print(events[-1] if events else "no events")

### Optional: run equivalent CLI commands (tolerant)

In [None]:
import subprocess, shutil
if shutil.which("forensic-cli"):
    subprocess.run(["forensic-cli","--workspace",str(WORKSPACE),
                    "case","create","--name",CASE_NAME,
                    "--description","Lab demo"], check=False)
else:
    print("forensic-cli not found — skipping CLI demo.")