Database Evidence

Database forensics is a branch of digital forensics used to investigate database content and metadata. We provide law firms and corporate clients with the following eDiscovery database services to help you get through the discovery process and find your evidence as quickly as possible.

Database Discovery Overview

Database forensics is multi-faceted and may require multiple strategies to secure your evidence during discovery. While each case and database are unique, the general overview involves these steps:

  1. Negotiate discovery protocol agreement.
  2. Understand the database design.
  3. Choose the appropriate strategy to extract the database evidence.

Negotiate Discovery Protocol Agreement

We work with both parties to negotiate a discovery protocol agreement at the outset of discovery, in a meet-and-confer session held over Zoom or in person. Before locating your evidence, we need to identify the relevant date period, customers, entities, transaction amounts, and search terms for filtering the information the parties need, and where it might be found. This helps speed the overall discovery process and greatly reduces discovery disputes and inefficiencies.

Database Structure and Design

The next step is to understand the database structure and design. We review the data dictionary to reveal the database’s table structure and how the data in each table relates to the others. This allows our expert to consolidate the data across many tables and produce your desired records in an understandable format that is meaningful to the parties. This step usually goes quickly given our expert’s extensive relational database design expertise.

5 Ways to Secure Evidence with Database Forensics  

There are many ways to extract the evidence you need from a database. Several methods may be used based upon the particular database and the application being used to add, insert, and delete information in the database.

1. Use the Application’s Report Features

A user requires the application to interact with data in a database. This is usually referred to as the “front end”. Sometimes, the most efficient and cost-effective way to get the data you need in litigation is to take advantage of the same application that users rely on to interact with the database. Some applications are more robust than others, but this approach is generally the easiest, fastest, and least expensive.

For example, some applications have extensive reporting features. You might be able to run standard reports in the application to consolidate the data you need per your discovery protocol. Additionally, some applications also provide a custom reporting feature that allows power users to collate the information in custom reports. If the application’s reporting features are not comprehensive, then we look to the application’s export features.

2. Use Export Features to Export the Database Evidence

Depending on the application’s export functionality, we can export the data into a usable format for legal review. Export formats typically include CSV, XML, or other data formats, which can be opened with Microsoft Excel or other common applications. This solution saves the time and expense of doing database programming, which is the next strategy for extracting data responsive to the discovery protocol.

3. Custom Reports and Database Exports

In some cases, it is most efficient and cost-effective to have the database vendor create custom reports and exports that provide the responsive data per the discovery protocol. The vendor can do this with its own sample database and usually does not need the source database that contains confidential client information.

4. Database Programming

Only if the application does not provide satisfactory reporting and export features do we turn to database programming to extract the data directly from the database (without using the existing application). While programming is a more expensive route, it allows us to extract information across multiple tables using custom queries. Custom programming provides unified records for your legal review and production in accordance with the discovery protocol, appropriately culled to relate to the claims and defenses in the case.

5. Custom Application

Sometimes we create a custom application the parties can use to extract the information they need. This is often referred to as “Query by Form”, where users enter their own criteria to extract the evidence they need. This option consolidates the requested data and the requirements of the discovery protocol into an application. One or more parties, their lawyers, and litigation support staff can use the application for legal review. This provides the solution most tailored to the needs of the case, but it is usually more expensive than the options above.

Database Forensics: Collection and Authentication

Howe Law Firm uses forensically sound tools and procedures in the above-described strategies to ensure your evidence remains fully defensible. To further aid in authentication, we can run a database comparison across multiple databases; restore and compare backups and transaction logs; and verify the data against archive databases and data warehouses.
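An added example, not Howe Law Firm's code or part of the original page: it illustrates the database programming strategy (one query that consolidates records across tables using the discovery protocol's date period, entity, amount, and search term) and the backup comparison described above. The three-table schema, the names, and all sample rows are constructed for illustration, and SQLite stands in for whichever database engine is involved.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE invoices(id INTEGER PRIMARY KEY, customer_id INTEGER, issued TEXT, memo TEXT);
CREATE TABLE payments(id INTEGER PRIMARY KEY, invoice_id INTEGER, paid TEXT, amount REAL);
"""
# One consolidated row per payment, joined across all three tables. Each
# protocol criterion is a bound parameter, so no SQL is built from strings.
QUERY = """
SELECT c.name, i.id, i.issued, i.memo, p.paid, p.amount
FROM payments p
JOIN invoices i ON i.id = p.invoice_id
JOIN customers c ON c.id = i.customer_id
WHERE i.issued BETWEEN :start AND :end
  AND c.name = :entity
  AND p.amount >= :min_amount
  AND i.memo LIKE '%' || :term || '%'
ORDER BY i.issued, p.id
"""
# Constructed protocol criteria and payment rows (not from any real matter).
PROTOCOL = {"start": "2021-01-01", "end": "2021-12-31", "entity": "Acme LLC",
            "min_amount": 1000, "term": "retainer"}
PAYMENTS = [(100, 10, "2021-03-20", 5000.0), (101, 10, "2021-04-02", 250.0),
            (102, 11, "2022-07-15", 9000.0), (103, 12, "2021-04-30", 4000.0),
            (104, 13, "2021-07-01", 3000.0)]

def build_db(payments):
    """Build the constructed sample database in memory."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO customers VALUES (?,?)", [(1, "Acme LLC"), (2, "Birch Inc")])
    db.executemany("INSERT INTO invoices VALUES (?,?,?,?)", [
        (10, 1, "2021-03-05", "consulting retainer"),
        (11, 1, "2022-07-01", "consulting retainer"),  # outside the date period
        (12, 2, "2021-04-10", "consulting retainer"),  # different entity
        (13, 1, "2021-06-20", "hardware purchase"),    # no search-term hit
    ])
    db.executemany("INSERT INTO payments VALUES (?,?,?,?)", payments)
    return db

def extract(db, protocol):
    """Run the protocol query; returns a list of consolidated record tuples."""
    return db.execute(QUERY, protocol).fetchall()

def compare(source_rows, backup_rows):
    """Return (only_in_source, only_in_backup) for two extractions."""
    s, b = set(source_rows), set(backup_rows)
    return sorted(s - b), sorted(b - s)
```

Running `extract` against both the source and a restored backup and passing the results to `compare` lists any consolidated record that differs between them. Against a working copy of a real SQLite file, `sqlite3.connect("file:copy.db?mode=ro", uri=True)` opens it read-only so the query cannot alter the copy (`copy.db` is a placeholder name).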

After extracting data from the database per the discovery protocol, one or both parties will need to conduct a legal review. We typically provide the Review Set as Evidence Reports in Microsoft Excel format. Each responsive record is listed in individual rows in the Excel spreadsheet. In turn, each row is a consolidated record in the database that involves data across many tables. As a result, using Microsoft Excel simplifies legal review because individual reviewers do not have to understand the database structure, or relational database design theory, to review the potential evidence.


Our reports are very user-friendly and allow legal reviewers to quickly mark each record. In a notes field, reviewers can add context for a record. Additionally, they can quickly categorize individual records based on responsiveness with the following fields:

  • N – Not responsive
  • R – Responsive
  • P – Privilege
  • H – Hot doc

Searching and Sorting Data

Microsoft Excel allows reviewers to easily sort and group columns. Our Evidence Report spreadsheets include built-in filtering by date, entity, and other important criteria. Excel also makes it easy to search for data using the global find feature and to hide columns and rows so you can focus on the most important information during your legal review.

Production Set

After legal review, we produce a spreadsheet of the responsive, non-privileged information to the other party. We can also include a privilege log to show the records that were excluded based on attorney-client or other privileges.

Like the review set described above, we provide this in Microsoft Excel spreadsheets with Bates numbers. We can also convert the spreadsheets so that each record appears on its own page with a Bates number.

Deposition or Trial Exhibits

If requested, we can prepare exhibits for depositions and trial. Database evidence can be difficult for judges or juries to understand. A compelling exhibit will clearly show how the database evidence relates to the claims or defenses of the case.

Types of Databases

There are many databases from which we can secure your evidence. The most common databases we collect, preserve, analyze, and review include:

  • Microsoft SQL Server
  • Oracle
  • MySQL
  • PostgreSQL
  • Microsoft Access
  • MongoDB
  • IBM Db2