Data365 Evidence
structured technical review (when separately retained) Preservation & media assessment Evidence Handling
Boston-based, serving clients nationwide by appointment
Menu
Overview
Overview
Services
Evidence Preservation Litigation Hold Data Acquisition Chain of Custody Device Forensics Cloud Evidence Defensible Documentation Expert Advisory
Engagement Process
Engagement Overview Process Intake Checklist Email Intake Prep Checklist Preservation Workflows Priority Preservation Pathway After Preservation Core Overview Forensic Methodology Scope FAQ Fees & Billing
Documentation Standards
Chain of Custody: Foundational Principles Chain of Custody in Civil Litigation Evidence Types Preservation vs. Forensic Analysis Deliverables & Documentation Standards Glossary Secure Storage, Retention & Destruction Access Control & Custody Integrity Conflict & Neutrality Policy Privacy & Data Handling Standards References Security & Governance Overview Sample Documents eDiscovery Readiness Remote Evidence Preservation All standards & guides
Insights
View all insights Why Evidence Preservation Matters Ransomware Incident: Preservation Legal & Insurance Matters Sony Pictures Cyber Incident Colonial Pipeline Ransomware When Evidence Is Lost What Chain of Custody Means in Civil Litigation
About
About Data365 Engagement Model
Contact
Contact Privacy Terms Security Start Intake
Attorney-ready intake

Digital Evidence Intake Checklist for Attorneys
Preservation-first steps before analysis begins

Early handling choices can influence reliability and defensibility later. This checklist is designed to help counsel preserve potentially relevant digital information while maintaining clean separation from interpretation or expert opinion.

Email-first contact Review scope

Quick guidance

  • Preservation comes first: protect and document before analysis
  • Define authorization and scope in writing
  • Minimize access: avoid changing the data you may later need
  • Maintain traceability: document who handled what, when, and why

1) Confirm authorization and scope

  • Identify the client and the custodian(s) of the data
  • Confirm legal authority / consent for collection or exports
  • Define the time range, accounts, devices, and data types in writing
  • Document any preservation holds or litigation hold notices

2) Identify key data sources

Common sources

  • Mobile phones (iOS / Android)
  • Laptops/desktops and external drives
  • Email (Microsoft 365, Google Workspace, ISP email)
  • Cloud storage (OneDrive, Google Drive, Dropbox, iCloud)
  • Messaging (SMS, iMessage, WhatsApp, Signal, Slack, Teams)
  • Social accounts and web portals (as applicable)

Details to capture

  • Device model, OS version, and passcode availability
  • Account identifiers (email, usernames, tenant/org info)
  • 2FA methods and recovery options
  • Where data is synced or backed up

3) Preserve immediately actionable items

  • Stop unnecessary activity that could overwrite or delete relevant data
  • Disable auto-delete features where appropriate and authorized
  • Document system settings that affect retention (e.g., message history, backups)
  • Capture a basic inventory: what exists, where, and who has access

Note: Specific actions depend on the platform and authorization. Avoid “do-it-yourself” steps that can change metadata or create spoliation risk.

4) Plan a defensible collection approach

  • Choose exports or imaging appropriate to the matter and scope
  • Prefer read-only acquisition methods designed to reduce alteration risk
  • Establish chain-of-custody style documentation from the start
  • Decide how materials will be securely stored and transferred

5) Documentation to expect (preservation-first)

  • Authorization record and defined scope
  • Acquisition log and handling notes
  • Transfer record supporting traceability
  • Verification record (e.g., hash values) where appropriate

What to avoid

  • Selective “curation” by custodians (forwarding, copying, screenshot-only workflows)
  • Repeated open-and-save actions that modify metadata
  • Unlogged transfers between devices or people
  • Mixing preservation steps with interpretation or case conclusions

Evidence Preservation vs. Forensic Analysis

What happens after evidence is preserved?

Next step

If you’d like preservation-first handling with defensible documentation for downstream review, start with email-first intake and a written scope.

Contact (email-first) Start intake

Related governance

Administrative governance references that support controlled storage, retention coordination, and authorization-based disposition (informational only).

Related guides

If you are evaluating preservation steps or planning next actions, these guides cover common questions and handoff boundaries.

Scenario guides in this cluster

Related guides