SleuthX


Organize Evidence for a Lawyer or Police

Before you hand anything over, get it into shape: preserved originals, a labeled inventory, and a simple custody record. Here's how to do that so it actually holds up.

A lawyer or a detective can move fast on a clean handoff and slowly — or not at all — on a shoebox of screenshots. The good news is that getting evidence into usable shape is mostly discipline, not expertise: preserve the originals, label what you have, and keep a simple record of how it has been handled. This guide walks through that.

1. Preserve the originals

Keep the native files — message exports, emails with full headers, photos, documents — not just screenshots. Make copies and work from those; leave the originals untouched and read-only. Do not rename, crop, or “clean up” anything. NIST’s forensic guidance frames the whole process around protecting the integrity of the original data.

2. Build a labeled inventory

List every item with a short description, the date you collected it, and where it came from. Number the items so you and the lawyer can refer to them unambiguously. A timeline pairs well with this — see how to build a timeline — because it ties each item to the moment it matters.

3. Keep a simple chain of custody

Note who has had each item, when, and what was done with it. SWGDE’s digital-evidence best practices treat this custody record as the baseline for defensible handling. For an individual it can be a plain log; if the case is heading to court, a credentialed examiner can establish a stronger, documented custody record and authenticate the items.

4. Hand it off the right way

Give the lawyer or investigator the inventory, the preserved originals, and your timeline — and tell them honestly what you did to collect each piece. If you need the originals stored with hashing and a documented custody trail, SleuthX’s evidence vault is built for exactly that, and this guide covers turning evidence into a court exhibit.
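One way to carry out steps 1 through 3 with a script, given as an added example that is not SleuthX's own tooling: it numbers each file in a folder, records a SHA-256 hash next to your description, collection date and source, sets the file read-only, and keeps a custody log. The `E-001` numbering, the CSV columns, the `UNDOCUMENTED` marker and the sample file are assumptions made for illustration.

```python
import csv, hashlib, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_inventory(evidence_dir, notes):
    """Number each file, hash it, attach your notes, then make it read-only."""
    root, rows = Path(evidence_dir), []
    for n, p in enumerate(sorted(f for f in root.rglob("*") if f.is_file()), 1):
        rel = p.relative_to(root).as_posix()
        note = notes.get(rel, {})  # missing notes are flagged, not guessed
        rows.append({"item": f"E-{n:03d}", "file": rel, "sha256": sha256_file(p),
                     "description": note.get("description", "UNDOCUMENTED"),
                     "collected": note.get("collected", "UNDOCUMENTED"),
                     "source": note.get("source", "UNDOCUMENTED")})
        p.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return rows

def log_custody(log_path, item, who, action):
    """Append one who / when / what entry to a CSV custody log."""
    is_new = not Path(log_path).exists()
    with open(log_path, "a", newline="") as f:
        w = csv.writer(f)
        if is_new:
            w.writerow(["utc_time", "item", "who", "action"])
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        w.writerow([now, item, who, action])

def verify(evidence_dir, rows):
    """Return item numbers whose file is missing or no longer matches its hash."""
    root = Path(evidence_dir)
    return [r["item"] for r in rows if not (root / r["file"]).is_file()
            or sha256_file(root / r["file"]) != r["sha256"]]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample data
        ev = Path(d) / "evidence"; ev.mkdir()
        (ev / "chat_export.txt").write_text("2024-01-05 21:14 example message\n")
        rows = build_inventory(ev, {"chat_export.txt": {"description": "Chat export",
                               "collected": "2024-01-06", "source": "my phone"}})
        log_custody(Path(d) / "custody.csv", rows[0]["item"], "me", "copied for lawyer")
        print(rows[0]["item"], rows[0]["sha256"][:16], "changed:", verify(ev, rows))
```

Keep the custody log outside the evidence folder so it is not inventoried as an item, and run `verify` again before the handoff so any item that changed since collection is reported by number.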

Primary sources

  1. FBI Internet Crime Complaint Center (IC3), Internet Crime Complaint Center — preserve and report. https://www.ic3.gov/
  2. Scientific Working Group on Digital Evidence (SWGDE), SWGDE Best Practices for Digital Evidence Collection (18-F-002) — handling and chain of custody. https://www.swgde.org/documents/published-complete-listing/18-f-002-best-practices-for-digital-evidence-collection/
  3. National Institute of Standards and Technology, SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response, 2006. https://csrc.nist.gov/pubs/sp/800/86/final

Meet Your Practitioner

Quinnlan Varcoe

Founder & CEO

GIAC-certified · 15 industry certifications

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded SleuthX in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”

Fortune 50 Background · Defense Industry · Threat Intelligence · Digital Privacy · Incident Response

Certified Expertise

GIAC · AWS · Splunk · CompTIA


Trusted by partners across the practice

DAS Health
Exhibit A Cyber
Ally Security
KIRO Group
Black Mirage
Kalles Group
Gridware
CQR
Archstone Security
Cyvergence
Sentinel Cyber
Cloud Underground
Seron Security
Hexen
Koru Risk Management