There is an excellent book, A Guide to Forensic Testimony, which I love and I always recommend to my students. It is a must read if you are going to testify in court, as it will open your eyes to how things work. A perfect case can be a lost case if the expert witness is not able to properly translate the findings for the audience.
How can a forensic investigator make sure he strikes a balance between his work and a users' right to privacy?
In a corporate environment there should be policies that take care of this, defining what a forensic Investigator can or cannot do. However, in many cases they are actually not in place, and you will have to use your common sense. But beware: the boundaries and interpretation of law are not easy to understand for a forensic examiner, and our common sense is sometimes not valid.
I always recommend to check with a lawyer as required. My advice would be: "be conservative and ask for expert advice if in doubt."
Said that, our forensic tools can also help, as they allow us to do "blind searches" over the evidence which, with the right keywords, might be enough evidence that something is fishy.
What are the fundamental differences in investigating Windows, Linux and Mac OS X systems?
The difference is that in the Windows environment almost every artifact is a proprietary format and requires a different tool and technique for analysis, while in the Linux and Mac OS X worlds (which are part of the same *NIX family) artifacts are typically text or pseudo-text (some plist files can be compressed, but they can easily be decompressed on the fly).
This allows easily automating many of the tasks in Linux/Mac investigations, consequently speeding them. Also there are many more obscure artifacts in the Windows world that we tend to discover day by day, being the Registry a world on its own.
When I teach the SANS FOR408 course, in which we cover many of those artifacts, the vast majority of the students are not familiar with most of these artifacts, including very experienced professionals.
What does your SANS training course look like? What skills can attendees expect to acquire?
Think of a SANS course like one of the most extreme learning experiences you've ever had. One of the old sayings that students repeat is: "It feels like drinking from a firehose!" A SANS course is much more than just teaching some material.
Every instructor makes an effort to share his own real world experience (which in my case is 15+ years in computer security and forensics), in an intense and passionate way. We cover lots and lots of content, in a VERY hands-on way, with demos, in-class discussions, experience sharing, real world examples, etc.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.