Evidence Types

Mobile devices

Phones and tablets may contain messages, media, application data, synchronized account content, and location-linked records that can change quickly with ordinary use.

Common examples

• iPhone and Android devices
• iPad and other tablets
• Device backups and associated account exports

Common preservation risks

• Replacement, reset, upgrade, trade-in, or return to a carrier or employer
• Changes to passcodes, accounts, or synchronization settings
• Ongoing use that may alter message or application data

What to mention at intake

• Device model, condition, and whether it is still in active use
• Whether backups or linked cloud accounts exist
• Any time-sensitive turnover, travel, trade-in, or access issue

Computers and external media

Laptops, desktops, and removable media may contain user files, exports, browser data, logs, archives, and system records relevant to preservation scope.

Common examples

• Windows and Mac laptops or desktops
• External drives, USB media, and memory cards
• Server-side shares or transferred archives where access is authorized

Common preservation risks

• Reassignment, reimaging, or return of equipment
• Hardware instability or storage-media failure
• Ad hoc copying that breaks handling context

What to mention at intake

• Device type, operating system, and storage condition if known
• Whether the source can travel or must remain on site
• Whether there are related external drives, backups, or shared folders

Email and cloud repositories

Mailboxes and cloud repositories often require provider-specific export paths, admin coordination, and clear custodian or timeframe instructions before a defensible export can occur.

Common examples

• Microsoft 365, Exchange, and Google Workspace mailboxes
• OneDrive, SharePoint, Google Drive, and Dropbox repositories
• Administrative exports or downloaded account archives

Common preservation risks

• Mailbox turnover, deprovisioning, or account closure
• Shared-drive restructuring or permission changes
• Incomplete exports caused by vague date, custodian, or folder instructions

What to mention at intake

• Provider, custodian, and whether admin access exists
• Date ranges, folders, accounts, or repositories that define the scope
• Whether the output should remain in native export format or be delivered another way

Messaging and collaboration platforms

Messages and collaboration data can be preserved when an authorized export or transfer path exists and scope is clearly defined before chats, memberships, or retention settings change.

Common examples

• Text messages and messaging-app data
• Slack, Teams, or other collaboration exports where authorized
• Downloaded chat histories, shared attachments, and related exports

Common preservation risks

• Message deletion, ephemeral retention, or account membership changes
• Incomplete exports that omit attachments, reactions, or channel context
• Screenshot-only handoffs that lose handling and metadata context

What to mention at intake

• Which platform is involved and who controls access
• Whether exports, screenshots, or account-level access are available
• Whether attachments, shared files, or channel membership context matter

Logs, backups, and account records

Account-level records may help preserve access history, administrative activity, backup context, or transfer history when they fall within the confirmed matter plan and a structured export path exists.

Common examples

• Administrative logs and access-history exports
• Backup sets, restore references, and account archives
• Provider-generated account or transfer records

Common preservation risks

• Short log-retention windows
• Provider-side changes that alter what can still be exported later
• Failure to tie logs or backups to the corresponding source inventory

What to mention at intake

• Which provider or system holds the records
• Whether logs relate to a specific device, custodian, or account event
• Any short retention period or admin dependency affecting timing

Transferred media, screenshots, and third-party exports

Sometimes the matter begins with material already copied or exported by another person or system. Those materials may still be relevant, but the receipt record should distinguish them from direct-source preservation.

Common examples

• Portal downloads and vendor-produced exports
• Transferred screenshots, PDFs, and image sets
• Media or archives received from another stakeholder

Common preservation risks

• Unclear origin or incomplete transfer history
• Mixing third-party exports with direct-source material without labeling the distinction
• Assuming screenshots alone preserve all relevant context

What to mention at intake

• Who created or exported the materials originally
• Whether the original source is still available for direct preservation
• What transfer, receipt, or inventory record exists for the materials already received

What affects method selection

• The source type and current condition
• Whether the source must remain in active use
• What authority and access path are available
• Whether preservation, transfer-ready delivery, or both are required

What the initial email should include

• Source type, custodian, and current location or control
• Any reset, return, deprovisioning, trade-in, or retention deadline
• Whether backups, linked accounts, or prior exports already exist
• Who will approve scope and where the final records should go

For handling posture and governance details, see Privacy & Data Handling and Security & Compliance.