How to Obtain Slack Data for eDiscovery and Investigations

We've updated our Guide to Discovery and Investigations in Slack! The guide covers handling Slack data in litigation and internal investigations and lays out the basics of Slack, from an introduction to the app to Slack preservation settings, how to export data from Slack, and tips for efficient, effective review. Read it online or download your copy here.

Recently, Logikcull launched its new Slack integration and chat-specific filters, allowing legal teams to deal with eDiscovery on Slack data simply and easily. These features, together with Logikcull's ability to render, index and conduct searches on Slack data, open up a whole new world of valuable data for modern legal professionals, as the email inbox is increasingly replaced by other forms of communication. Companies that adopt Slack, for example, see email usage decline by 48.6 percent on average. And that’s a lot of companies. Slack has more than seven million daily users and is used by more than 70 percent of the Fortune 100. If you’re not dealing with Slack data, you’re letting potentially game-changing evidence go undiscovered.

Slack data can be extremely rich. Each message log contains information on text, attachments, response types, edits and deletions, and more. In addition to messages, Slack’s integrations allow it to operate as a centralized hub for all sorts of information. A Slack integration can create a notification every time a spreadsheet is updated, for example, or allow you to make payroll and finance decisions directly from the platform.

Slack’s app directory lists dozens of apps broken down by categories such as file management, finance, project management, security and compliance, and more. The Time Doctor app tracks user activities and provides statistics on “where time was spent such as viewing websites and applications used when working.” The Stripe app sends messages when charges are made, invoices updated, transfers sent and more. The Spectr app offers real-time legal advice, delivered directly in Slack, from a “professional legal advisor.” These are in addition to incredibly popular integrations like Google Drive, Zoom, Jira, and Salesforce.

A poll in Slack.


All of this creates a potentially discoverable record within Slack.

But how do you get that data in the first place?

Using Logikcull's Slack API

With our new Slack API for discovery, importing your Slack data into Logikcull is as easy as clicking the “Import from Slack” button.

Since you probably don’t want to look at every single conversation stored in your company’s Slack account, you can filter by relevant participants and by the type of conversations you need to analyze (direct messages, public channel interactions, externally shared channels, etc.). Once you've selected the conversations you need, they'll be automatically pulled into Logikcull. It only takes a few seconds.

Slack is the latest addition to Logikcull's growing list of cloud integrations—including Google Vault, Microsoft 365, and Box—that allows you to centralize the collection, search and review of all your data in one single place with minimal effort. Check it out:

This is the best option to bring your Slack data into Logikcull, but read on to explore other alternatives in case you're not able to leverage this integration.

Logikcull's Slack Integration is only available to subscription customers using Enterprise Grid. If you'd like access or to learn more, please contact sales@logikcull.com.

Exporting Data From Slack

For teams looking into Slack data, accessing everything Slack records can be difficult. First, the type of Slack plan one has will impact how easily Slack data can be retrieved. Right now, Slack has four primary pricing plans:

  • Free and Pro plans, primarily used by smaller organizations
  • Business+ plans, designed for most businesses
  • Enterprise plans, for large organizations operating across several Slack workspaces

Currently, Slack allows workspace owners and administrators, across all plans, to easily export data from public channels.

That data includes public messages, public files, archived channels, and integration activity logs.    

To access records from private channels and direct messages, the process is more difficult.

Administrators of free and standard plans must request access to export all workspace data. They are required to provide either:

  • Valid legal process,
  • Consent of members, or
  • A requirement or right under applicable laws

Enterprise customers, on the other hand, can export all data, public or private, and may integrate third-party applications to export, retain, and archive messages and files continuously.


Obtaining Slack Data Through Standard and Corporate Exports

The two most common ways to export data from Slack are through the program’s “Standard Export” or “Corporate Export.”

Standard Exports are available to most plan types and allow workspace owners and administrators to export all the public data from their workspace. That includes messages shared in public channels as well as links to files that have been publicly shared. Edit and deletion logs are also available through Standard Export, but only for public messages. (Here’s a step-by-step guide to obtaining Slack data through Standard and Corporate Exports.)

With a Standard Export, the only way to limit the data you retrieve is by date range. The export will include all public data, plus files identifying the workspace channels, users, and integrations, within the selected dates. When the export is complete, it can be downloaded as a ZIP file. Each workspace channel will be given its own folder in the file, and each day’s communication will be a single JSON file.

As Standard Exports are limited to public data, they will not include direct messages between Slack users or messages in private channels. For a more complete export of your data, you will have to follow the steps above or upgrade your plan to allow access to Corporate Exports or Slack’s eDiscovery Grid.

Slack’s second export option is the Corporate Export. Corporate Exports are available only to accounts on the Plus plan. Workspace owners must apply to use the Corporate Export, and once such exports are activated on a plan, Standard Exports are no longer available.

Corporate Exports allow for the export of private data, including direct messages between users, private channels, and edit and deletion logs. They also allow administrators to schedule regular exports on a daily, weekly, or monthly basis. Corporate Exports produce data in the same manner as Standard Exports, organized by channel and with each day’s worth of messages collected as a single JSON file.


Data Retention In Slack

Keep in mind, too, what Slack data may be available. Slack can quickly generate vast amounts of information. There are, first and foremost, the millions of messages that can be exchanged in a workspace in one day. Then there is the associated metadata, the timestamps, channel information, edit logs and the like. And don’t forget all the records created by integrations.

By default, that data is stored forever. But, Slack allows workspace owners to customize their message and file retention policies. Files may be kept for the lifetime of the workspace or deleted after a specified time period.

Message retention can be set to:

  • Retain everything, forever
  • Retain all messages but not revisions
  • Delete messages and revisions after a specified period
  • Let users set their own retention policies

Retaining all information is Slack’s default setting. If an administrator does not take action to change their retention policy, they could soon find themselves sitting upon a vast history of Slack conversations, reactions, integrations, and more—a potentially valuable resource, or a possibly costly liability, depending on your perspective.

Under the last option, individual team members control the retention of data in private channels and direct messages. One user’s messages could be eradicated at the end of every day, while another’s are preserved for all time. It's not the cleanest approach to information governance.

How a workspace’s data is retained will impact what is available for export and, subsequently, use in an investigation or discovery process.


Slack eDiscovery Software: Making Sense of Slack Data

Then there’s a question of what to do with that information once you have it. As mentioned above, Slack exports come in JSON format. JSON is the JavaScript Object Notation file format. JSON makes exchanging data between machines easy. To interpret that data, however, you need a degree in computer programming—or a tool that can make sense of it.

Here, for example, is what a simple record of a user joining a channel looks like when exported directly from Slack:

{
"user": "UA0JHQYUT",
"text": "<@UA0JHQYUT> has joined the channel",
"type": "message",
"subtype": "channel_join",
"ts": "1522794741.000217"
}

The more complex a record becomes, the more difficult it is to parse. The information for a single comment on a shared file, for example, can easily stretch over three pages, almost all of it nearly indecipherable. This is not data that’s made for easy review.
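The export layout described earlier (a ZIP with one folder per channel and one JSON file per day) and the join record shown above can be flattened into reviewable rows with a short script. This is an added example, not Logikcull's or Slack's code; the `users.json` file name, its `id`/`name` keys, the day-file name and the second sample message are assumptions or constructed data.

```python
import hashlib
import io
import json
import re
import zipfile
from datetime import datetime, timezone

MENTION = re.compile(r"<@([A-Z0-9]+)>")  # Slack user mention, e.g. <@UA0JHQYUT>

def read_export(zip_bytes):
    """Flatten a Slack export ZIP into one row per message, oldest first."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # users.json (assumed file name and keys) maps user IDs to names.
        users = {}
        if "users.json" in zf.namelist():
            users = {u["id"]: u.get("name", u["id"]) for u in json.loads(zf.read("users.json"))}
        name_of = lambda uid: users.get(uid, uid)
        for path in zf.namelist():
            parts = path.split("/")
            # Day files sit one level down: <channel>/<day>.json
            if len(parts) != 2 or not parts[1].endswith(".json"):
                continue
            raw = zf.read(path)
            digest = hashlib.sha256(raw).hexdigest()  # ties each row to its source file
            for msg in json.loads(raw):
                when = datetime.fromtimestamp(int(msg["ts"].split(".")[0]), tz=timezone.utc)
                rows.append({
                    "channel": parts[0], "ts": msg["ts"], "utc": when.isoformat(),
                    "user": name_of(msg.get("user", "")),
                    "subtype": msg.get("subtype", ""),
                    "text": MENTION.sub(lambda m: "@" + name_of(m.group(1)), msg.get("text", "")),
                    "source": path, "source_sha256": digest,
                })
    # ts is "<seconds>.<fraction>"; compare both parts numerically.
    rows.sort(key=lambda r: tuple(int(p) for p in r["ts"].split(".")))
    return rows

def build_sample_export():
    """Constructed sample ZIP: users.json plus one channel folder with one day file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("users.json", json.dumps([{"id": "UA0JHQYUT", "name": "alice"}]))
        zf.writestr("general/2018-04-03.json", json.dumps([
            {"user": "UA0JHQYUT", "type": "message", "ts": "1522794745.000100", "text": "hello"},
            {"user": "UA0JHQYUT", "text": "<@UA0JHQYUT> has joined the channel",
             "type": "message", "subtype": "channel_join", "ts": "1522794741.000217"},
        ]))
    return buf.getvalue()
```

Each row keeps the original `ts` string and the SHA-256 of the day file it came from, so a reviewed message can be traced back to the untouched export.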

To take advantage of Slack data, you’ll need a tool that allows you to make sense of it. Today, Logikcull lets you do so easily, intuitively, and reliably. Once your data is synced or exported from Slack, you can quickly ingest it into Logikcull. During the upload process, that data goes through 3,000 automated processing steps: text is rendered and indexed for the most accurate eDiscovery search available, metadata is extracted and preserved to protect against spoliation, quality control tags are applied, and much more.

Most importantly, Logikcull turns Slack data from this:

{
 "user": "U6NJNUGSH",
 "inviter": "U5KTXUGSW",
 "text": " has joined the channel",
 "type": "message",
 "subtype": "channel_join",
 "ts": "1502749986.378906"
}
{
 "user": "U026B7H8B",
 "inviter": "U5KTXUGSW",
 "text": " has joined the channel",
 "type": "message",
 "subtype": "channel_join",
 "ts": "1502749986.378906"
}

To this:

A rendering of Slack data in Logikcull ediscovery and investigations platform

But apart from rendering JSON code, Logikcull provides you with chat-specific filters that allow you to parse chat data and surface the important conversations. Applying Logikcull's Culling Intelligence to chat, you can now filter Slack content by criteria like conversation participants, channel, sender, deleted and edited messages, and even reactions.

Chat data requires its own search paradigm, so we decided to build one:


It’s the closest thing a legal team can get to a searchable log of all conversation and knowledge in Slack.

For more information on discovery and investigations in Slack, download our new guide here.

This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.
