    Evidence intake workflow for online harm matters

    A lawyer-ready intake workflow for online harm evidence: preserve source material before it changes, separate observed facts from client reports, timestamp and hash captures, then export a structured file counsel can review without relying on legal conclusions or takedown promises.

    01

    What this is

    This is an evidence-operations workflow for the first intake of threats, impersonation, synthetic media, doxing, NCII, defamation, and reputational attacks. The goal is not to decide the legal claim or promise an outcome. The goal is to turn volatile online material into a structured, source-aware evidence file that a law firm, security team, or qualified reviewer can inspect quickly.

    • Best fit: law-firm intake, counsel-led online harm review, executive protection escalation, and sensitive reputation incidents
    • Output: a matter summary, source inventory, capture chronology, custody log, and export bundle
    • Boundary: evidence preparation only — not legal advice, emergency response, platform moderation, or an outcome-assurance process
    02

    Step 1: Triage without interpreting too early

    Start by recording what has been reported and what is directly observable. A client may describe harassment, impersonation, or reputational harm in urgent language; the intake record should preserve that report while keeping it separate from verified captures. This prevents the file from turning into advocacy before the evidence layer is stable.

    • Matter owner, intake date, reporter, affected person or entity, and authorized contact
    • Reported platforms, handles, URLs, usernames, aliases, and time window
    • Known sensitivity flags: intimate imagery, minors, health data, workplace material, privileged communications, executive security
    • Immediate safety handoff note when the matter suggests imminent danger; Finium is not emergency response
    03

    Step 2: Capture source material before it mutates

    Online harm evidence decays quickly: accounts rename, posts delete, mirrors multiply, and platforms can remove material before counsel sees it. Intake should capture first and analyze second. Each capture should preserve the source URL, visible context, timestamp, method, and unedited original record.

    • Primary URLs, canonical URLs, and redirects as observed
    • Full-page screenshots or recordings that include URL, visible timestamp context, account state, and surrounding thread
    • Media files where lawful and authorized to hold, stored separately from derived thumbnails or summaries
    • Discovery path: monitoring alert, client report, search result, forwarded message, or related-account review
    04

    Step 3: Preserve, timestamp, and hash the raw captures

    The preservation layer should make later handling inspectable. Store originals in a restricted location, record the timestamp source, compute SHA-256 hashes where tooling supports it, and make every derived annotation point back to the raw capture. Hashes do not prove the underlying online content was authentic; they prove the held file has not silently changed since the hash was recorded.

    • Capture timestamp with timezone and timestamp source
    • SHA-256 hash for each raw file or export object
    • Storage location and access scope by role
    • Custody event: captured, hashed, stored, reviewed, processed, exported
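
One way to build and later re-check the integrity record described in this step (an added example, not Finium's tooling; the field names, the `CAP-0001` ID, the actor label and the clock description are assumptions made for illustration). It rejects capture timestamps that carry no timezone and reports whether the held file still matches its recorded hash.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Custody event names taken from the list above.
CUSTODY_EVENTS = ("captured", "hashed", "stored", "reviewed", "processed", "exported")

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large recordings are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def custody_event(record, event, actor):
    """Append a custody event; unknown event names are rejected, not coerced."""
    if event not in CUSTODY_EVENTS:
        raise ValueError(f"unknown custody event: {event}")
    at = datetime.now(timezone.utc).isoformat()
    record["custody"].append({"event": event, "actor": actor, "at": at})

def record_capture(path, capture_id, captured_at, timestamp_source, actor):
    """Build the integrity record for one raw capture file."""
    if captured_at.utcoffset() is None:
        raise ValueError("capture timestamp must carry a timezone")
    record = {"capture_id": capture_id, "raw_file": str(path),
              "captured_at": captured_at.isoformat(),
              "timestamp_source": timestamp_source,
              "sha256": sha256_file(path), "custody": []}
    custody_event(record, "hashed", actor)
    return record

def verify_capture(record):
    """Compare the held file to its recorded hash: 'ok', 'modified' or 'missing'."""
    path = Path(record["raw_file"])
    if not path.is_file():
        return "missing"
    return "ok" if sha256_file(path) == record["sha256"] else "modified"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        raw = Path(tmp) / "CAP-0001.png"
        raw.write_bytes(b"constructed sample capture bytes")  # not a real capture
        rec = record_capture(raw, "CAP-0001", datetime.now(timezone.utc),
                             "operator workstation clock (assumed)", "intake-operator")
        print(rec["sha256"], verify_capture(rec))
        raw.write_bytes(b"edited after hashing")
        print(verify_capture(rec))  # the held file no longer matches
```
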
    05

    Step 4: Structure the file for counsel review

    A useful intake file is not a screenshot dump. It gives counsel a short route through the material: what happened, what was captured, what remains uncertain, and what next decisions are available. The legal actor remains the law firm or authorized counsel; the evidence desk prepares a record that makes their review faster and more source-aware.

    • Matter overview with no legal conclusion presented as fact
    • Chronology of observed events, reported events, and inferred links labeled separately
    • Source inventory with URLs, account identifiers, capture IDs, and custody status
    • Issue flags for counsel: impersonation, suspected synthetic media, doxing, threats, NCII, defamation, workplace, executive protection
    06

    Evidence checklist

    Use this checklist before handing the matter to counsel or an internal review lead. Missing items should be marked as missing, not silently filled with memory or inference.

    • Source inventory: every URL, profile, post, message, media object, and mirror has an ID
    • Capture record: who or what captured it, when, how, and from which route
    • Integrity record: original file stored, hash recorded where available, and derived copies separated
    • Chronology: observed, reported, and inferred facts are labeled distinctly
    • Access record: sensitive material is restricted and reviewer access is logged
    • Export record: recipient, version, date, and included evidence IDs are listed
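
A pre-handoff gate for this checklist, as an added example that is not part of the original resource: it lists each gap explicitly instead of defaulting a value. The matter layout, field names, sample IDs and the `"unavailable"` hash marker are assumptions for illustration; the access record is outside what this sketch checks.

```python
FACT_LABELS = {"observed", "reported", "inferred"}
CAPTURE_FIELDS = ("captured_by", "captured_at", "method", "route")
EXPORT_FIELDS = ("recipient", "version", "date")

def checklist_gaps(matter):
    """Return (item, gap) pairs for the handoff checklist; nothing is defaulted."""
    gaps, known_ids = [], set()
    for n, src in enumerate(matter.get("sources", [])):
        sid = src.get("id")
        if not sid:
            gaps.append((f"sources[{n}]", "missing: evidence ID"))
            continue
        known_ids.add(sid)
        gaps += [(sid, f"missing: {f}") for f in CAPTURE_FIELDS if not src.get(f)]
        # "unavailable" is an explicit marker (assumed convention), not a gap.
        if not src.get("sha256"):
            gaps.append((sid, "missing: hash or explicit 'unavailable' marker"))
    for n, event in enumerate(matter.get("chronology", [])):
        if event.get("label") not in FACT_LABELS:
            gaps.append((f"chronology[{n}]", "missing: observed/reported/inferred label"))
    for n, export in enumerate(matter.get("exports", [])):
        gaps += [(f"exports[{n}]", f"missing: {f}") for f in EXPORT_FIELDS if not export.get(f)]
        for eid in export.get("evidence_ids", []):
            if eid not in known_ids:
                gaps.append((eid, "exported but absent from source inventory"))
    return gaps

# Constructed sample matter; IDs, names and dates are illustrative only.
SAMPLE_MATTER = {
    "sources": [
        {"id": "SRC-001", "captured_by": "operator-a", "captured_at": "2024-05-01T09:12:00+00:00",
         "method": "full-page screenshot", "route": "client report", "sha256": "unavailable"},
        {"id": "SRC-002", "captured_by": "operator-a", "captured_at": "2024-05-01T09:20:00+00:00",
         "method": "screen recording", "route": ""},
    ],
    "chronology": [{"label": "observed", "text": "Post visible at capture time"},
                   {"text": "Client states the account is an impersonation"}],
    "exports": [{"recipient": "counsel", "version": "v1", "date": "2024-05-02",
                 "evidence_ids": ["SRC-001", "SRC-003"]}],
}

if __name__ == "__main__":
    for item, gap in checklist_gaps(SAMPLE_MATTER):
        print(f"{item}: {gap}")
```
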
    07

    Internal-link targets and related content

    This workflow should route readers toward Finium evidence infrastructure rather than consumer legal advice. Related Finium pages include /for-law-firms for counsel-led intake, /how-it-works for the capture → preserve → timestamp → structure → export workflow, /security for restricted evidence handling, /contact for sample-pack requests, /resources/online-harm-evidence-pack-checklist for capture basics, and /resources/chain-of-custody-online-evidence for custody records.

    08

    Frequently asked questions

    • Does this replace legal intake? No. It prepares the evidence layer so a law firm can review with better source context.
    • Should the affected person keep collecting harmful material personally? Usually no; where possible, authorized counsel, a representative, or an evidence operator should reduce repeated exposure.
    • Does Finium remove content? No result promise is made here.
    • Can suspected synthetic media be labeled fake at intake? No. Intake should record provenance signals and indicators consistent with manipulation, not declare a verdict.
    • Who owns legal judgment? The law firm or qualified legal reviewer, not the evidence workflow
    • What if content disappears after capture? The file should show what was captured, when, how, and how it was preserved
    • What if a platform report is filed? Record the report date, channel, reference number, response, and any state change
    • What if safety is urgent? Use emergency, law-enforcement, or security escalation channels; this workflow is not emergency response
    09

    Disclaimers and operating boundary

    This resource is an evidence-handling reference, not legal advice. It does not guarantee admission, platform action, takedown, investigation result, or legal outcome. Finium is evidence and monitoring infrastructure for online harm; law firms and authorized reviewers remain responsible for legal strategy, client advice, and formal action.
