In a corporate environment there should be policies that take care of this, defining what a forensic Investigator can or cannot do. However, in many cases they are actually not in place, and you will have to use your common sense. But beware: the boundaries and interpretation of law are not easy to understand for a forensic examiner, and our common sense is sometimes not valid.
I always recommend to check with a lawyer as required. My advice would be: "be conservative and ask for expert advice if in doubt."
Said that, our forensic tools can also help, as they allow us to do "blind searches" over the evidence which, with the right keywords, might be enough evidence that something is fishy.
What are the fundamental differences in investigating Windows, Linux and Mac OS X systems?
The difference is that in the Windows environment almost every artifact is a proprietary format and requires a different tool and technique for analysis, while in the Linux and Mac OS X worlds (which are part of the same *NIX family) artifacts are typically text or pseudo-text (some plist files can be compressed, but they can easily be decompressed on the fly).
This allows easily automating many of the tasks in Linux/Mac investigations, consequently speeding them. Also there are many more obscure artifacts in the Windows world that we tend to discover day by day, being the Registry a world on its own.
When I teach the SANS FOR408 course, in which we cover many of those artifacts, the vast majority of the students are not familiar with most of these artifacts, including very experienced professionals.
What does your SANS training course look like? What skills can attendees expect to acquire?
Think of a SANS course like one of the most extreme learning experiences you've ever had. One of the old sayings that students repeat is: "It feels like drinking from a firehose!" A SANS course is much more than just teaching some material.
Every instructor makes an effort to share his own real world experience (which in my case is 15+ years in computer security and forensics), in an intense and passionate way. We cover lots and lots of content, in a VERY hands-on way, with demos, in-class discussions, experience sharing, real world examples, etc.
We all love this field, students and instructors, and both enjoying and learning as much as possible is the final objective. Always with a focus on real world practical things, on things that you can put to use as soon as you go back to the office.