Managing database usage

Overview

Customers sometimes ask how to “delete” cases and reclaim disk space. In AIR, cases cannot be deleted. Instead, Close and Archive are used, and the impact is primarily on database usage (PostgreSQL).

This guidance applies to both SaaS and self-hosted deployments.

Key Concepts

• DB Usage refers to storage used in PostgreSQL (the application database).

• Case.ppc and Drone.zip are source files that can be re-read if a case is reopened after Close.

• Some evidence types (PST, CSV, Tornado) are stored only as database records, not as files.

What Happens When a Case Is Closed

When a case is closed, only specific database records are deleted.

Deleted from PostgreSQL

• Records derived from Case.ppc

• Records derived from Drone.zip

Not deleted (remains in PostgreSQL)

• User-generated data such as:

  • Comments

  • Flags

  • Activity logs

  • Notes

  • Manually created findings

• Evidence types that exist only as database records (see PST/CSV/Tornado below)

Example

If a case has a DB Usage value of 10 GB and only 10 MB of that is user-generated data, the DB Usage becomes ~10 MB after the case is closed. User-generated data usually occupies a negligible amount of space.

Important Note: “Historical DB Usage”

The sizes shown in Settings → Investigation Hub Historical DB Usage represent only PostgreSQL storage. They do not include the sizes of Case.ppc or Drone.zip files.

Reopening a Closed Case

If a case is reopened:

• Case.ppc and Drone.zip are re-read

• Their data is written back into PostgreSQL

Because Case.ppc and Drone.zip are compressed files, they do not take up much disk space as files, but they may expand significantly in the database.

Example

A 50 MB Case.ppc file might occupy 3 GB when written to the database. There is no fixed ratio; it could be 500 MB or 2 GB depending on the evidence content.

Special Case: PST, CSV, Tornado Evidence

PST, CSV, and Tornado evidence are not stored as files in AIR. Only the database records exist. Because AIR does not have the original source files to recreate these records, they are not deleted when a case is closed.

Why this matters

If a case contains only PST/CSV/Tornado evidence, closing the case will not change DB usage, because there is no Case.ppc or Drone.zip data to delete.

Example case contents

• 4 GB PST evidence

• 2 GB CSV evidence

• 1 GB Tornado evidence

• 5 GB Case.ppc (acquisition/triage/full text search tasks)

• 3 GB Drone.zip (findings)

When this case is closed, DB usage decreases from 15 GB to 7 GB.

What Happens When a Case Is Archived

When a case is archived:

• Only the case status changes

• The case cannot be reopened

Archiving does not reduce database usage beyond what already happened during Close.

Summary (Short Version)

• Cases cannot be deleted.

• Closing a case removes DB records created from Case.ppc and Drone.zip, which may significantly reduce DB usage.

• User-generated content remains and is usually very small.

• Archiving only changes status and prevents reopening; it does not further reduce DB usage.