Attorney-ready intake
Digital Evidence Intake Checklist for Attorneys
Preservation-first steps before analysis begins
Early handling choices can influence reliability and defensibility later. This checklist is designed to help counsel preserve potentially relevant digital information while maintaining clean separation from interpretation or expert opinion.
Quick guidance
- Preservation comes first: protect and document before analysis
- Define authorization and scope in writing
- Minimize access: avoid changing the data you may later need
- Maintain traceability: document who handled what, when, and why
1) Confirm authorization and scope
- Identify the client and the custodian(s) of the data
- Confirm legal authority / consent for collection or exports
- Define the time range, accounts, devices, and data types in writing
- Document any preservation holds or litigation hold notices
2) Identify key data sources
Common sources
- Mobile phones (iOS / Android)
- Laptops/desktops and external drives
- Email (Microsoft 365, Google Workspace, ISP email)
- Cloud storage (OneDrive, Google Drive, Dropbox, iCloud)
- Messaging (SMS, iMessage, WhatsApp, Signal, Slack, Teams)
- Social accounts and web portals (as applicable)
Details to capture
- Device model, OS version, and passcode availability
- Account identifiers (email, usernames, tenant/org info)
- 2FA methods and recovery options
- Where data is synced or backed up
3) Preserve immediately actionable items
- Stop unnecessary activity that could overwrite or delete relevant data
- Disable auto-delete features where appropriate and authorized
- Document system settings that affect retention (e.g., message history, backups)
- Capture a basic inventory: what exists, where, and who has access
Note: Specific actions depend on the platform and authorization. Avoid “do-it-yourself” steps that can change metadata or create spoliation risk.
4) Plan a defensible collection approach
- Choose exports or imaging appropriate to the matter and scope
- Prefer read-only acquisition methods designed to reduce alteration risk
- Establish chain-of-custody style documentation from the start
- Decide how materials will be securely stored and transferred
5) Documentation to expect (preservation-first)
- Authorization record and defined scope
- Acquisition log and handling notes
- Transfer record supporting traceability
- Verification record (e.g., hash values) where appropriate
What to avoid
- Selective “curation” by custodians (forwarding, copying, screenshot-only workflows)
- Repeated open-and-save actions that modify metadata
- Unlogged transfers between devices or people
- Mixing preservation steps with interpretation or case conclusions
Next step
If you’d like preservation-first handling with defensible documentation for downstream review, start with email-first intake and a written scope.
Scenario guides in this cluster
- digital evidence preservation before lawsuit
- divorce and family-law evidence preservation
- employment dispute evidence preservation
- insurance claim evidence preservation
- litigation hold vs evidence preservation