When a forensic investigation is carried out in the enterprise environment, most of the important data are stored in database servers, and data stored in them are very important elements for a forensic investigation. As for database servers with such data stored, there are over 10 various kinds, such as SQL Server and Oracle. All the methods of investigating a database system are important, but this study suggests a single methodology likely to investigate all the database systems while considering the unique characteristics of each database system. A method of detecting a server and acquiring and investigating data in the server can be effectively used for such an investigation on the enterprise environment. For the existing investigation on server systems, severs should be shut down, and disc imaging should be conducted first. However, such a method may inflict great losses on the company in some cases. That is why we need a method to acquire data of a server in on-line state, and this study discusses this method. Besides, on the basis of methodology, this study attempts to determine a possibility that this new forensic investigation method can be practically used by directly applying this method to SQL Server and MySQL databases. Copyright © 2012 John Wiley & Sons, Ltd.