How to Obtain Slack Data for eDiscovery and Investigations

We've updated our Guide to Discovery and Investigations in Slack! A guide to handling Slack data in litigation and internal investigations, this guide lays out the basics of Slack, from an introduction to the app, to Slack preservation settings, how to export data from Slack, and tips for efficient, effective review. Read it online or download your copy here.

On Monday, Logikcull launched its new Slack feature, allowing legal teams to deal with Slack data simply and easily. This feature opens up a whole new world of valuable data for modern legal professionals, as the email inbox is increasingly replaced by other forms of communication. Companies that adopt Slack, for example, see email usage decline by 48.6 percent on average. And that’s a lot of companies. Slack has more than seven million daily users and is used by more than 70 percent of the Fortune 100. If you’re not dealing with Slack data, you’re letting potentially game-changing evidence go undiscovered.

Slack data can be extremely rich. Each message log contains information on text, attachments, response types, edits and deletions, and more. In addition to messages, Slack’s integrations allow it to operate as a centralized hub for all sorts of information. A Slack integration can create a notification every time a spreadsheet is updated, for example, or allow you to make payroll and finance decisions directly from the platform.

Slack’s app directory lists dozens of apps broken down by categories such as file management, finance, project management, security and compliance, and more. The Time Doctor app tracks user activities and provides statistics on “where time was spent such as viewing websites and applications used when working.” The Stripe app sends messages when charges are made, invoices updated, transfers sent and more. The Spectr app offers real-time legal advice, delivered directly in Slack, from a “professional legal advisor.” These are in addition to incredibly popular integrations like Google Drive, Zoom, Jira, and Salesforce.

A poll in Slack.

All of this creates a potentially discoverable record within Slack.

But how do you get that data in the first place?

Exporting Data From Slack

For teams looking into Slack data, accessing everything Slack records can be difficult. First, the type of Slack plan one has will impact how easily Slack data can be retrieved. Right now, Slack has four primary pricing plans:

  • Free plans, primarily used by smaller organizations
  • Standard plans, designed for most businesses
  • Plus plans, allowing for more control over data
  • Enterprise plans, for large organizations operating across several Slack workspaces

Currently, Slack allows workspace owners and administrators, across all plans, to easily export data from public channels.

That data includes public messages, public files, archived channels, and integration activity logs.    

To access records from private channels and direct messages, the process is more difficult.

Administrators of free and standard plans must request access to export all workspace data. They are required to provide either:

  • Valid legal process,
  • Consent of members, or
  • A requirement or right under applicable laws

Enterprise customers, on the other hand, can export all data, public or private, and may integrate third-party applications to export, retain, and archive messages and files continuously.

Here's how each export type works:

Obtaining Slack Data Through Standard and Corporate Exports

The two most common ways to export data from Slack are through the program’s “Standard Export” or “Corporate Export.”

Standard Exports are available to most plan types and allow workspace owners and administrators to export all the public data from their workspace. That includes messages shared in public channels as well as links to files that have been publicly shared. Edit and deletion logs are also available through Standard Export, but only for public messages. (Here’s a step-by-step guide to obtaining Slack data through Standard and Corporate Exports.)

With a Standard Export, the only way to limit the data you retrieve is by date range. The export will include all public data, plus files identifying the workspace channels, users, and integrations, within the selected dates. When the export is complete, it can be downloaded as a ZIP file. Each workspace channel will be given its own folder in the file, and each day’s communication will be a single JSON file.

As Standard Exports are limited to public data, they will not include direct messages between Slack users or messages in private channels. For a more complete export of your data, you will have to follow the steps above or upgrade your plan to allow access to Corporate Exports or Slack’s eDiscovery Grid.

Slack’s second export option is the Corporate Export. Corporate Exports are available only to accounts on the Plus plan. Workspace owners must apply to use the Corporate Export, and once such exports are activated on a plan, Standard Exports are no longer available.

Corporate Exports allow for the export of private data, including direct messages between users, private channels, and edit and deletion logs. They also allow administrators to schedule regular exports on a daily, weekly, or monthly basis. Corporate Exports produce data in the same manner as Standard Exports, organized by channel and with each day’s worth of messages collected as a single JSON file.

Slack Corporate Exports Using the Slack eDiscovery API and Enterprise Grid

The third and final way to access Slack data for discovery and investigations is through Slack’s eDiscovery APIs. Slack’s eDiscovery API allows integrated apps to pull data directly from a Slack workspace or series of workspaces. Because these apps can integrate directly with your Slack data, they can provide more targeted collection and export of data than Standard and Corporate Exports, which collect everything available within a specific date range.

Integrations using the eDiscovery API may allow you to target collections by users or channels alone, for example, or to collect files directly from Slack, rather than collecting only a link to shared files.

However, access to the eDiscovery API is only available to accounts on Slack’s Enterprise Grid, Slack’s highest-tier plan.

Most Slack workspaces will rely on Standard or Corporate Exports to obtain data (and proof of valid legal process to obtain non-public data where necessary) and narrow their search and review after the data has been exported.

Data Retention In Slack

Keep in mind, too, what Slack data may be available. Slack can quickly generate vast amounts of information. There are, first and foremost, the millions of messages that can be exchanged in a workspace in one day. Then there is the associated metadata: the timestamps, channel information, edit logs, and the like. And don’t forget all the records created by integrations.

By default, that data is stored forever. But Slack allows workspace owners to customize their message and file retention policies. Files may be kept for the lifetime of the workspace or deleted after a specified time period.

Message retention can be set to:

  • Retain everything, forever
  • Retain all messages but not revisions
  • Delete messages and revisions after a specified period
  • Let users set their own retention policies

Retaining all information is Slack’s default setting. If an administrator does not take action to change their retention policy, they could soon find themselves sitting upon a vast history of Slack conversations, reactions, integrations, and more—a potentially valuable resource, or a possibly costly liability, depending on your perspective.

Under the last option, individual team members control the retention of data in private channels and direct messages. One user’s messages could be eradicated at the end of every day, while another’s are preserved for all time. It's not the cleanest approach to information governance.

How a workspace’s data is retained will impact what is available for export and, subsequently, use in an investigation or discovery process.

Slack eDiscovery Software: Making Sense of Slack Data

Then there’s a question of what to do with that information once you have it. As mentioned above, Slack exports come in JSON format. JSON is the JavaScript Object Notation file format. JSON makes exchanging data between machines easy. To interpret that data, however, you need a degree in computer programming—or a tool that can make sense of it.

Here, for example, is what a simple record of a user joining a channel looks like when exported directly from Slack:

{
  "user": "UA0JHQYUT",
  "text": "<@UA0JHQYUT> has joined the channel",
  "type": "message",
  "subtype": "channel_join",
  "ts": "1522794741.000217"
}

The more complex a record becomes, the more difficult it is to parse. The information for a single comment on a shared file, for example, can easily stretch over three pages, almost all of it nearly indecipherable. This is not data that’s made for easy review.
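As an added illustration (not Logikcull's or Slack's code), the sketch below reads an export laid out as described above, one folder per channel and one JSON file per day, and turns each record into a reviewable row with a UTC timestamp and resolved user names. It assumes the users file in the export is named users.json; the sample ZIP, the display names, and the second message are constructed for the example.

```python
import io
import json
import re
import zipfile
from datetime import datetime, timezone

MENTION = re.compile(r"<@([A-Z0-9]+)>")  # user mention markup, e.g. <@UA0JHQYUT>

def build_sample_export():
    """Constructed sample export ZIP (in memory); names and second message are invented."""
    users = [{"id": "UA0JHQYUT", "name": "jdoe"}, {"id": "UB1CONSTR", "name": "asmith"}]
    day = [  # deliberately out of order to show that rows get sorted by ts
        {"user": "UB1CONSTR", "text": "welcome <@UA0JHQYUT>",
         "type": "message", "ts": "1522794800.000100"},
        {"user": "UA0JHQYUT", "text": "<@UA0JHQYUT> has joined the channel",
         "type": "message", "subtype": "channel_join", "ts": "1522794741.000217"},
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("users.json", json.dumps(users))  # assumed file name
        z.writestr("general/2018-04-03.json", json.dumps(day))
    return buf.getvalue()

def render_export(zip_bytes):
    """Return one review row per message, oldest first, keeping the raw ts."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = {u["id"]: u.get("name", u["id"]) for u in json.loads(z.read("users.json"))}
        resolve = lambda m: "@" + names.get(m.group(1), m.group(1))
        for path in z.namelist():
            channel, _, day_file = path.partition("/")
            if not day_file.endswith(".json"):
                continue  # skip top-level index files and directory entries
            for rec in json.loads(z.read(path)):
                ts = rec["ts"]
                when = datetime.fromtimestamp(int(ts.split(".")[0]), tz=timezone.utc)
                uid = rec.get("user", "")
                rows.append({
                    "ts": ts, "utc": when.isoformat(), "channel": channel,
                    "author": names.get(uid, uid or "(none)"),
                    "subtype": rec.get("subtype", ""),
                    "text": MENTION.sub(resolve, rec.get("text", "")),
                })
    rows.sort(key=lambda r: tuple(int(p) for p in r["ts"].split(".")))
    return rows

if __name__ == "__main__":
    for r in render_export(build_sample_export()):
        print(r["utc"], "#" + r["channel"], r["author"], r["subtype"] or "-", r["text"])
```

Each row keeps the original ts string next to the readable time, so a reviewed line can always be traced back to the exact record in the export.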

To take advantage of Slack data, you’ll need a tool that allows you to make sense of it. Today, Logikcull lets you do so easily, intuitively, and reliably.  Once your data is exported from Slack, it can quickly be uploaded to Logikcull. During the upload process, that data goes through 3,000 automated processing steps: text is rendered and indexed for the most accurate eDiscovery search available, metadata is extracted and preserved to protect against spoliation, quality control tags are applied, and much more.

Most importantly, Logikcull turns Slack data from this:

[
  {
    "user": "U6NJNUGSH",
    "inviter": "U5KTXUGSW",
    "text": " has joined the channel",
    "type": "message",
    "subtype": "channel_join",
    "ts": "1502749986.378906"
  },
  {
    "user": "U026B7H8B",
    "inviter": "U5KTXUGSW",
    "text": " has joined the channel",
    "type": "message",
    "subtype": "channel_join",
    "ts": "1502749986.378906"
  }
]

To this:

A rendering of Slack data in Logikcull ediscovery and investigations platform

It’s the closest thing a legal team can get to a searchable log of all conversation and knowledge, to Slack.

For more information on discovery and investigations in Slack, download our new guide here.

This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at or on Twitter at @caseycsull.
