I have recently attended a SANS Forensic course in London. It was the best training course I have ever been to, not only the content was really interesting and very well delivered but all the extra activities surrounding the training course were outstanding (presentations, challenges, social events, etc).
Forensics was new to me, and I found the techniques taught to be very good eye openers in two different ways:
– Forensic techniques can be applied to other areas of IT security than just forensic investigations, such as malware analysis and DLP. The latter was a bit of a surprise to me, but by understanding some of the forensic techniques you can also understand how part of a DLP engine would work when searching for specific files on filesystems (at rest) and recognising/tagging them when on the network (on the move). I will find it interesting to see if my new knowledge of forensics can come in handy with any DLP work I do.
– It is impressive how much information can be salvaged from any device you use. My key takeaway was about how secure delete applications may not prevent access to the deleted data as much as first thought. It indeed depends on the data lifecycle: whether it was cached at some point, whether the OS fragmentation management moved/duplicated some of its allocated data blocks, etc.
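The second point is easy to see with a small simulation. The following is an added example written for this post, not code from the course or from any tool mentioned here: it builds a constructed in-memory "disk" with a block allocation table, lets the filesystem relocate a file the way defragmentation or a cache flush would (leaving the old blocks marked free but unscrubbed), then runs a secure delete that, like a real tool working through the filesystem API, overwrites only the blocks the file currently owns. A signature-based carve over the raw image, the same idea a forensic examiner uses, then shows that the stale copy survives. The block size, file names and the "confidential report" payload are all constructed; only the PNG signature is a real file header, used here purely as a carving marker.

```python
import os

BLOCK = 64                        # constructed block size for the toy disk
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # real PNG signature, used only as the carving marker


class ToyDisk:
    """Constructed in-memory block device: raw bytes plus an allocation table.

    Blocks that are freed are never scrubbed, which matches how real
    filesystems behave and is the root of the problem the post describes.
    """

    def __init__(self, nblocks):
        self.raw = bytearray(BLOCK * nblocks)
        self.alloc = {}  # file name -> list of block indexes the file currently owns

    def _free_blocks(self, count):
        used = {b for blocks in self.alloc.values() for b in blocks}
        free = [b for b in range(len(self.raw) // BLOCK) if b not in used]
        if len(free) < count:
            raise OSError("disk full")
        return free[:count]

    def _store(self, blocks, data):
        for n, b in enumerate(blocks):
            chunk = data[n * BLOCK:(n + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk

    def write_file(self, name, data):
        blocks = self._free_blocks(-(-len(data) // BLOCK))  # ceiling division
        self._store(blocks, data)
        self.alloc[name] = blocks

    def relocate(self, name):
        """The filesystem moves a file (defragmentation, copy-on-write, cache flush).

        The new blocks receive the data; the old blocks keep their bytes and are
        merely marked free.
        """
        old = self.alloc[name]
        data = b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK]) for b in old)
        new = self._free_blocks(len(old))
        self._store(new, data)
        self.alloc[name] = new

    def secure_delete(self, name, passes=3):
        """Overwrite only the blocks the file *currently* owns, then drop the entry.

        This is all a secure-delete tool can reach through the filesystem API;
        it has no view of earlier copies in blocks that are now unallocated.
        """
        for b in self.alloc[name]:
            for _ in range(passes):
                self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
            self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)  # final zero pass
        del self.alloc[name]


def carve(raw, magic, length):
    """Signature-based carving: return every copy of `magic` (plus `length` bytes)
    found in the raw image, whether or not the allocation table points at it."""
    hits, i = [], raw.find(magic)
    while i != -1:
        hits.append(bytes(raw[i:i + length]))
        i = raw.find(magic, i + 1)
    return hits


def demo(relocated):
    """Return (copies visible before deletion, copies still carvable after secure delete)."""
    secret = PNG_MAGIC + b"confidential report"   # constructed payload
    disk = ToyDisk(16)
    disk.write_file("report.png", secret)
    if relocated:
        disk.relocate("report.png")               # OS moved the file behind the user's back
    before = len(carve(disk.raw, PNG_MAGIC, len(secret)))
    disk.secure_delete("report.png")
    return before, carve(disk.raw, PNG_MAGIC, len(secret))


if __name__ == "__main__":
    print("never relocated:", demo(False))   # (1, [])
    print("relocated once :", demo(True))    # (2, [b'\x89PNG...confidential report'])
```

Without relocation the overwrite does its job and the carve finds nothing; after a single relocation the live copy is destroyed but the earlier copy is recovered intact. The same reasoning applies to page-file and hibernation copies, editor backup files and application caches: a secure delete is only as good as the set of locations the tool can see.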
Although I am not specifically working on forensics at the moment, this is an area of new interest which I hope to keep practising and integrate with some of the work I do.
Below is a nice general overview on computer forensics:
Techrepublic
And a very good Open Source website on that topic:
http://www2.opensourceforensics.org/home