Derick Downs

How to Preserve Digital Evidence Before It Disappears

The Digital Evidence Preservation Imperative

Digital evidence has a unique characteristic that distinguishes it from every other evidence category: it can disappear completely, with no trace it ever existed, through ordinary device use. A deleted text message may be recoverable today and unrecoverable tomorrow — not because anyone destroyed it deliberately, but simply because the phone’s operating system wrote new data over the storage space where the message was cached.

This reality creates an obligation for attorneys anticipating litigation that is more urgent than any comparable obligation in traditional evidence law: act immediately to preserve digital evidence, or accept that it may be gone forever. This guide provides a practical framework for that preservation effort.

The Litigation Hold: Your First Step

As soon as litigation is reasonably anticipated — before it is filed, before a complaint is served — issue a written litigation hold notice to every person likely to have relevant digital evidence. The hold must be specific: identify what categories of evidence must be preserved, on what devices and platforms, and for what time period.

For digital evidence, a litigation hold should specify: all smartphones, tablets, and laptops, all email accounts (personal and business), all cloud storage accounts, all messaging app accounts (WhatsApp, Signal, Telegram, iMessage), all social media accounts, and any specialized platforms relevant to the matter (financial apps, project management tools, GPS apps).

Send the hold notice in writing, get acknowledgment, and document compliance. Courts have held attorneys personally responsible for spoliation that occurred after litigation was foreseeable but before a proper hold was issued.

Device Preservation: Immediate Steps

For Your Client’s Devices

Instruct your client to take these steps immediately: enable airplane mode or turn off automatic backup to prevent cloud overwrites; disable automatic app updates, which can sometimes affect cached data; stop using the device for new activity if it contains highly relevant evidence; and contact a forensic examiner to create a forensic image as soon as possible.

For Evidence on Opposing Party Devices

You cannot control opposing party devices directly, but you can: send a preservation demand letter immediately, file for emergency injunctive relief if there is evidence of imminent destruction, request a forensic examination protocol in early discovery, and monitor for spoliation evidence that can be used to seek sanctions.

Cloud and Platform Preservation

Most major platforms respond to preservation letters by placing a hold on the account data. This is distinct from production — the platform preserves but does not release data without valid legal process. Send preservation letters to relevant platforms as early as possible. Key platforms to consider: Apple (iCloud), Google (Gmail, Drive, Photos, Location History), Meta (Facebook, Instagram, WhatsApp), Microsoft (Outlook, OneDrive), Dropbox, Slack, and any industry-specific platforms.

Note that platforms have different retention policies for non-preserved data. Some delete inactive or flagged content on short cycles. Do not assume data will still be there in six months.

Social Media: Capture Before It Disappears

Social media posts can be deleted by the user at any time, and most platforms do not preserve deleted content indefinitely. If social media posts are relevant to your matter, capture them immediately through a forensically sound method — not a screenshot, but a proper web archive or third-party social media preservation tool that captures metadata along with content.

The Cost of Waiting

The most common digital evidence failure in litigation is waiting too long. Attorneys frequently do not think about digital evidence until discovery is underway. By then: auto-delete settings have cleared messaging histories; cloud backup limits have overwritten the backup containing key evidence; the device has been used extensively, overwriting deleted content; and the opposing party may have taken steps to ensure nothing remains.

Frequently Asked Questions

How do I send a legally effective preservation demand?

A preservation demand should be in writing, identify the specific categories and time period of relevant evidence, identify the specific platforms and devices that should be preserved, state that destruction after receipt will be treated as spoliation, and be sent via a method that creates a delivery record (email with read receipt, certified mail, or process server).

What sanctions are available for failure to preserve digital evidence?

Courts can impose adverse inference instructions (telling the jury to assume the destroyed evidence was harmful to the destroyer), case-dispositive sanctions (default judgment or dismissal), monetary sanctions, and in egregious cases referral for contempt or criminal charges.

Can I recover evidence after a factory reset?

Sometimes, depending on the device and how recently the reset occurred. A forensic examiner can assess what is achievable for a specific device. Physical chip-off extraction can sometimes recover data even after a factory reset on certain devices. Act immediately rather than assuming it is hopeless.

How do I preserve evidence from a work device?

Work devices are typically controlled by the employer. Preservation obligations run to both the individual employee and the employer. Issue preservation notices to both. Employers have independent obligations when they are on notice of litigation involving their employees.

What is a forensic image and why is it better than copying files?

A forensic image is a bit-for-bit copy of the entire storage device, including unallocated space containing deleted content. Copying files only captures active, visible data. The forensic image preserves everything — active data, deleted data, metadata, and system artifacts — in a form that can be authenticated and examined repeatedly without altering the original.
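
The difference between a file copy and a forensic image can be shown on a toy disk. The following is an added example, not part of the original article: the block size, disk layout, file names and contents are constructed for illustration and do not model a real filesystem.

```python
import hashlib

BLOCK = 16  # bytes per block in this constructed toy disk (assumption)

def build_toy_disk():
    """Constructed sample: four blocks and a directory listing active files only."""
    contents = [
        b"invoice: $1,200",   # block 0: active file
        b"meet 9pm, delete",  # block 1: deleted message, directory entry removed
        b"",                  # block 2: never used
        b"notes: call bank",  # block 3: active file
    ]
    disk = b"".join(c.ljust(BLOCK, b"\x00") for c in contents)
    directory = {"invoice.txt": (0, 1), "notes.txt": (3, 1)}  # name -> (start, count)
    return disk, directory

def logical_copy(disk, directory):
    """File-level copy: returns only the data the directory still points to."""
    return {name: disk[s * BLOCK:(s + n) * BLOCK] for name, (s, n) in directory.items()}

def forensic_image(disk):
    """Bit-for-bit image of every block, plus the hash recorded at acquisition."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()

def unallocated(image, directory):
    """Blocks that no active file references; deleted content survives here."""
    used = {b for s, n in directory.values() for b in range(s, s + n)}
    return {i: image[i * BLOCK:(i + 1) * BLOCK]
            for i in range(len(image) // BLOCK) if i not in used}

def verify(image, recorded_hash):
    """Authenticate a working copy against the acquisition hash."""
    return hashlib.sha256(image).hexdigest() == recorded_hash

if __name__ == "__main__":
    disk, directory = build_toy_disk()
    image, acquired = forensic_image(disk)
    print("logical copy:", logical_copy(disk, directory))
    print("unallocated :", unallocated(image, directory))
    print("image intact:", verify(image, acquired))
    print("after 1-byte change:", verify(image[:-1] + b"X", acquired))
```

The logical copy never contains the deleted message, while the image does, and any single-byte change to the image causes verification against the recorded hash to fail.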