Digital Forensics encompasses the recovery and investigation of material found in digital devices, providing campus units with a technical analysis of a security incident or with recovery of data maliciously removed from digital devices. This can be broken into three categories: computer and forensic data analysis, network forensics, and mobile forensics.
Computer and forensic data analysis includes Windows, Windows Server and macOS systems. Linux/BSD support is limited to non-distributed file systems and block storage devices. UCLA IT Security does not support forensics services for object storage solutions or cloud-based solutions.
Network forensics includes analysis of NetFlows and parsing of system network logs to paint a picture of threat actor movements within the campus network or within a campus unit network. The effectiveness of network forensics will depend heavily on the logging practices of each campus unit, as UCLA IT Security only monitors network traffic coming to and from campus networks, respecting the privacy of individuals and departments.
UCLA IT Security currently does not offer mobile device forensics. Embedded device support is limited to Linux- and BSD-based operating systems running on x86 or ARM architectures. NOTE: While UCLA IT Security can provide preliminary forensic analysis, campus units are encouraged to seek third-party certified digital forensic examiners if a legally stringent solution is required.
Service Level Commitments
UCLA IT Security Office will provide units with the following service level commitments:
- Device Imaging (up to 4 devices or disks) – 3 days, excluding RAID arrays
- Additional devices beyond four will be evaluated on a case-by-case basis prior to transfer of device custody
- Reporting – Varies; factors include but are not limited to complexity of network topography, number of devices and systems in scope, amount of data analyzed, and the uncovering of anti-forensic methods or evidence tampering
- Remediation Guidance – Proportional to the reporting effort
Campus units must produce the system(s) and device(s) to IT Security for digital forensics and imaging.
All forensic services conclude with a report outlining the timeline of the incident or forensic request, the detailed steps taken by UCLA IT Security to forensically image, preserve, and analyze each device or system, and the findings and post-mortem recommendations from UCLA IT Security.
Limited memory forensics can be performed if the target system(s) or device(s) are still powered on; support for Linux/BSD systems is limited.
Eligibility varies per service. Contact your ITCC for details.
Only available for campus departments via service request.
Supported Linux/BSD file systems: ext2, ext3, ext4, XFS and BtrFS
Supported Windows file systems: FAT, FAT32, exFAT, NTFS. UCLA IT Security does not currently support ReFS, introduced in Windows Server 2012.
Supported macOS file systems: HFS, HFS+, APFS
If the system contains Apple’s T2 co-processor, UCLA IT Security does not currently have a solution to produce a forensically sound image and is unable to service your request.
Support for RAID configurations is limited to RAID 0, RAID 1, RAID 5 and RAID 6. For multi-disk parity RAID configurations, IT Security will need custody of the workstation or server for the duration of the investigation.
Additional RAID considerations:
Unless your RAID array fits on a single 10TB hard drive, UCLA IT Security will need custody of the workstation or server for the duration of the investigation.
UCLA IT Security Digital Forensics is offered at no cost to campus units.