I am reading about incident response. I cannot understand exactly the terms artifact and evidence. When I searched on Google, so many resources were using these terms generally. How can I find standard definitions for these two terms, and what is the difference between them?
-
Please provide example context. Such as a sentence where these terms are used in the IT Security realm. – 700 Software Sep 28 '16 at 17:17
-
If you want to get formal re. what "evidence" is, evidence is something that is or would be admissible in some sort of legal proceeding (including civil, criminal, administrative, etc. adjudication) or dispute resolution. An artifact is a trace you believe may have been (Maybe? More likely than not? Could have been? Guess it depends on your standard of proof.) left by an adversary in a system. If you don't want to get formal re. "evidence"...well, there's really not a difference that matters beyond semantics. (Source: law degree.) – mostlyinformed Sep 29 '16 at 06:40
3 Answers
Artifact: A piece of data that may or may not be relevant to the investigation / response. Examples include registry keys, files, time stamps, and event logs. You can see many defined in the ForensicArtifacts project on GitHub.
Evidence: A piece of data (artifact) that is relevant to your investigation because it supports or refutes a hypothesis.
With our incident response software, we talk about collecting artifacts from remote hosts and analyzing them to determine if they are evidence.
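The collect-then-triage workflow this answer describes, as an added Python example (not the answerer's software and not code from the ForensicArtifacts project): the definition dict mirrors the ForensicArtifacts YAML schema but is a constructed, hypothetical entry, every collected artifact is hashed at collection so later handling can be shown to be untampered, and only artifacts that support or refute a stated hypothesis are promoted to evidence. The sample image, user names and the `UNKNOWN-KEY` marker are all constructed.

```python
import glob
import hashlib
import os
import tempfile
# Constructed definition mirroring the ForensicArtifacts YAML schema (name/doc/sources); hypothetical entry.
SSH_AUTHORIZED_KEYS = {
    "name": "SshUserAuthorizedKeys",
    "doc": "Per-user authorized_keys files (hypothetical definition).",
    "sources": [{"type": "FILE", "attributes": {"paths": ["%%users.homedir%%/.ssh/authorized_keys"]}}],
}

def expand(pattern, root):
    """Resolve the %%users.homedir%% placeholder into a glob under the mounted image root."""
    return sorted(glob.glob(os.path.join(root, pattern.replace("%%users.homedir%%", "home/*").lstrip("/"))))

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # stream in chunks for large artifacts

def collect_artifacts(definition, root):
    """Every matching file is an artifact: hashed and timestamped at collection, relevance still unknown."""
    artifacts = []
    for source in [s for s in definition["sources"] if s["type"] == "FILE"]:  # other types need own collectors
        for pattern in source["attributes"]["paths"]:
            for path in expand(pattern, root):
                artifacts.append({"artifact": definition["name"], "path": os.path.relpath(path, root),
                                  "sha256": sha256_file(path), "mtime": os.stat(path).st_mtime})
    return artifacts

def triage(artifacts, root, hypothesis):
    """An artifact becomes evidence only when it supports (True) or refutes (False) the hypothesis."""
    evidence = []
    for a in artifacts:
        with open(os.path.join(root, a["path"]), "rb") as f:
            verdict = hypothesis(f.read())
        if verdict is not None:
            evidence.append(dict(a, supports_hypothesis=verdict))
    return evidence

def demo():
    root = tempfile.mkdtemp()  # constructed image: two users, bob's file has an extra key appended
    for user, keys in (("alice", b"ssh-ed25519 AAAA alice@laptop\n"),
                       ("bob", b"ssh-ed25519 AAAA bob@laptop\nssh-rsa AAAA UNKNOWN-KEY\n")):
        os.makedirs(os.path.join(root, "home", user, ".ssh"))
        with open(os.path.join(root, "home", user, ".ssh", "authorized_keys"), "wb") as f:
            f.write(keys)
    artifacts = collect_artifacts(SSH_AUTHORIZED_KEYS, root)
    # Hypothesis under test: persistence via an added SSH key; the marker string is constructed.
    evidence = triage(artifacts, root, lambda data: True if b"UNKNOWN-KEY" in data else None)
    return artifacts, evidence
```

Both users' files are collected as artifacts; only bob's, which bears on the hypothesis, becomes evidence, and its recorded hash is what a later custody check is compared against.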
Artifact: Something observed in a scientific investigation or experiment that is not naturally present but occurs as a result of the preparative or investigative procedure.
If you pull a hard drive the data is evidence.
If someone had to take ownership of a file to break into some encryption then that person will show as last updated by. That is an artifact.
-
Also, don't forget that to be useful, evidence has to be handled in a specific way in order to maintain its usefulness. You have to be able to demonstrate that it cannot have been tampered with at any point. The so-called "chain of evidence". – Julian Knight Sep 28 '16 at 19:22
-
@Julian Knight That would depend on the legal (or, in some instances, private) rules that govern whatever court or adjudication institution you're trying to introduce the "evidence" into. You are right that some courts, under some sources of law, in some areas of the world (e.g. a federal criminal proceeding in the U.S.) might require proof of "chain-of-evidence" re. how the drive was collected, examined, and stored. Many other institutions might require lesser or essentially no such proof to let it into consideration. It all depends on what type of proceeding, where, under what laws/rules. – mostlyinformed Sep 29 '16 at 06:48
-
@halfinformed I did litigation support in the US for a while and that artifact would be noted in the chain of evidence. – paparazzo Sep 29 '16 at 11:20
Artifacts would be something supporting such as an SOP or guidelines explaining the process to be followed.
Evidence would be something that proves the process is being followed.
-
Do you have any references for these definitions? They appear to be very wrong in general, but specifically wrong in terms of Incident Response. – schroeder Sep 21 '18 at 18:06