Cybersecurity – Investigations and E-Discovery

Cybersecurity – Investigations and E-Discovery is a function of the Privacy & Security Office, whose goal is to facilitate the preservation, delivery, and analysis of forensically accurate data as authorized and sanctioned under current university process and privacy policy.

How do I contact Investigations and E-discovery?

  • Request assistance by emailing
    • If you know which person you wish to work with on a given request, it’s OK to address them directly, but to make sure your request makes it into the official work queue, always also mail
    • (Note: For general questions or other non-investigations-related things, email

What do they do?

  • E-Discovery
  • Records preservation
  • Device and other evidence collection, chain-of-custody
  • Forensic imaging of university-owned devices
  • Short-term forensic storage
  • Facilitation of access to infrastructure or functionality for authorized stakeholders and cases
  • Facilitation of procurement of forensic resources
  • Facilitation of data retrieval and sorting under approved “Request for Access” requests
  • FOIA assistance
  • Assistance for officially sanctioned investigations
  • Legal process response

What resources might I need?

  • “Request for Access” form. This is part of the official data access process. It needs director-level and “one-up” executive sign-off from the requesting unit, plus approval from the Office of the CIO (typically reviewed/signed by the Chief Privacy & Security Officer).
  • Investigations expertise and evidence-handling training are highly recommended.

Who do they do it for?

  • University of Illinois’ unit and administrative executives, as approved and in accordance with policy and established process
  • University partners with pre-existing agreements/MOUs negotiated and on file with the Office of the Chief Privacy & Security Officer
  • University Legal Counsel

What timelines are standard?

    • All timelines laid out are tentative and depend on multiple disruptive factors that may delay work product delivery, including investigative load, overriding job priority, or cybersecurity emergencies.
    • The current norms unfortunately compel us to remind you that at this time, you should expect delays in delivery.
    • Due to the current investigations case load and the uptick experienced, you should also expect the possibility that a higher priority job might affect the delivery timeline of your request.
  • Requests will be picked up and assigned within 24 hours of arrival in the queue.
  • Requests will be evaluated administratively and prioritized no more than 96 hours from the time of assignment.
  • 3-week turnaround typical for all imaging requests involving a single device, depending on delays
    • Add 1 week per additional device
  • 3-week turnaround typical for all collection (email archives, files) requests, depending on delays
  • 4-week turnaround for all collection requests in response to legal process, depending on delays
    • The extra week is for the required analysis report
  • 1-week turnaround on “Request for Access” processing (not including the time needed to facilitate the retrieval of the needed data by the sponsoring unit)

Possible Impacts

Investigations and E-discovery services use resources borrowed from the Cybersecurity Incident Response team. Cybersecurity incident response will always take priority over any E-discovery or non-security investigations job. As such, it is difficult to determine the extent to which any requestor’s job will be delayed. Delays are common.

Deviations of Process

Any request to change job priority should be addressed to the manager of Investigations and E-discovery, carbon copying  

This service/function expectations documentation is provided so that all who engage with it may understand what any given service/function promises to do or provide, for whom, on what timeline, and how well.