Skip to content
XDR Forensics Knowledge Base

Managing Database Usage (Close vs Archive)

Overview

Section titled “Overview”

Customers sometimes ask how to “delete” cases and reclaim disk space. In XDR Forensics, cases cannot be deleted. Instead, Close and Archive are used, and the impact is primarily on database usage (PostgreSQL).

This guidance applies to both SaaS and self-hosted deployments.

Key Concepts

Section titled “Key Concepts”
  • DB Usage refers to storage used in PostgreSQL (the application database).
  • Case.ppc and Drone.zip are source files that can be re-read if a case is reopened after Close.
  • Some evidence types (PST, CSV, Tornado) are stored only as database records, not as files.

What Happens When a Case Is Closed

Section titled “What Happens When a Case Is Closed”

When a case is closed, only specific database records are deleted.

Deleted from PostgreSQL

  • Records derived from Case.ppc
  • Records derived from Drone.zip

Not deleted (remains in PostgreSQL)

  • User-generated data such as:
    • Comments
    • Flags
    • Activity logs
    • Notes
    • Manually created findings
  • Evidence types that exist only as database records (see PST/CSV/Tornado below)

Example

Section titled “Example”

If a case has a DB Usage value of 10 GB and only 10 MB of that is user-generated data, the DB Usage becomes ~10 MB after the case is closed. User-generated data usually occupies a negligible amount of space.

Important Note: “Historical DB Usage”

Section titled “Important Note: “Historical DB Usage””

The sizes shown in Settings → Investigation Hub Historical DB Usage represent only PostgreSQL storage. They do not include the sizes of Case.ppc or Drone.zip files.

Reopening a Closed Case

Section titled “Reopening a Closed Case”

If a case is reopened:

  • Case.ppc and Drone.zip are re-read
  • Their data is written back into PostgreSQL

Because Case.ppc and Drone.zip are compressed files, they do not take up much disk space as files, but they may expand significantly in the database.

Example

Section titled “Example”

A 50 MB Case.ppc file might occupy 3 GB when written to the database. There is no fixed ratio; it could be 500 MB or 2 GB depending on the evidence content.

Special Case: PST, CSV, Tornado Evidence

Section titled “Special Case: PST, CSV, Tornado Evidence”

PST, CSV, and Tornado evidence are not stored as files in XDR Forensics. Only the database records exist. Because XDR Forensics does not have the original source files to recreate these records, they are not deleted when a case is closed.

Why this matters

Section titled “Why this matters”

If a case contains only PST/CSV/Tornado evidence, closing the case will not change DB usage, because there is no Case.ppc or Drone.zip data to delete.

Example case contents

Section titled “Example case contents”
  • 4 GB PST evidence
  • 2 GB CSV evidence
  • 1 GB Tornado evidence
  • 5 GB Case.ppc (acquisition/triage/full text search tasks)
  • 3 GB Drone.zip (findings)

When this case is closed, DB usage decreases from 15 GB to 7 GB.

What Happens When a Case Is Archived

Section titled “What Happens When a Case Is Archived”

When a case is archived:

  • Only the case status changes
  • The case cannot be reopened

Archiving does not reduce database usage beyond what already happened during Close.

Summary (Short Version)

Section titled “Summary (Short Version)”
  • Cases cannot be deleted.
  • Closing a case removes DB records created from Case.ppc and Drone.zip, which may significantly reduce DB usage.
  • User-generated content remains and is usually very small.
  • Archiving only changes status and prevents reopening; it does not further reduce DB usage.