All resources
    Checklist11 min readUpdated June 2026

    Evidence pack basics

    Online-harm evidence pack checklist

    A practical, field-tested checklist for preserving source links, timestamps, screenshots, media, account context, and custody notes before material changes or disappears — and for assembling them into a file counsel can actually use.

    01

    Why the first hours matter

    Online-harm evidence is unusually volatile. Posts are deleted by their authors after the first wave of attention, accounts are renamed or abandoned, platforms remove content through their own enforcement, and reposts strip the context that connects material to an identifiable source. Every one of those events can happen within hours of publication, and each one permanently degrades what a later review can establish. The single highest-value habit is simple: preserve first, evaluate later. A capture that turns out to be irrelevant costs minutes; a missing capture can cost the matter.

    02

    Start with source material, not interpretation

    The first task is to preserve what exists: where it appeared, when it was captured, who or what account published it, and how related material was found. Resist the urge to annotate, crop, or summarize at this stage — interpretation belongs in a separate layer, added later and recorded as its own step. Keep legal characterization out of the capture record entirely; that judgment belongs to counsel.

    • Source URL exactly as published, not a share-shortened variant
    • Capture timestamp with timezone (UTC recommended) and the source of that timestamp
    • Visible account or profile identifiers: handle, display name, profile URL, avatar
    • Full-page screenshot or screen recording, uncropped
    • HTML and original media files where the platform allows it
    • How the material was found (search, notification, tip, monitoring) — provenance of discovery matters too

    03

    Capture the context, not just the post

    A single post rarely carries a matter. What gives material weight is its surroundings: the replies that show audience and effect, the reposts that show distribution, the profile state that connects the account to a person or pattern, and the adjacent posts that establish intent or campaign. Capture outward from the central item in rings — the post, its thread, the account, the distribution.

    • The full thread or comment chain around the item, not just the item
    • Reposts, quote-posts, and mirrors with their own URLs and timestamps
    • The publishing profile as it looked at capture time — bios change
    • Related posts from the same account within the relevant window
    • Engagement signals visible at capture (counts change; record what was true when)

    04

    Keep a custody spine

    Each item should connect back to a simple custody record: who captured it, when, where the file is stored, what its hash is, what changed after capture, and which later review or export used it. This does not need specialist tooling to start — it needs consistency. A capture without a custody trail invites exactly the authenticity challenge that careful capture was meant to prevent.

    • Capture owner (person or system) per item
    • File name or evidence ID that the chronology can reference
    • SHA-256 hash recorded at capture where tooling allows
    • Storage location and any movement between locations
    • Review status and reviewer role
    • Export history: what went out, in which version, to whom

    05

    Label the basis of every statement

    The strongest evidence files distinguish ruthlessly between what was observed at capture, what was reported by the client or a third party, and what is inferred from patterns. A chronology entry that says "account created on March 3 (observed at capture)" carries different weight than "client recalls first contact in early March (reported)". Mixing the two without labels is the fastest way to lose a reviewer's trust in the whole file.

    • Observed: visible in the captured material itself
    • Reported: stated by the client or a witness, pending verification
    • Inferred: a connection drawn from patterns — always marked as such

    06

    Common mistakes that weaken a pack

    Most weaknesses in self-collected evidence repeat across matters. They are all avoidable at capture time and mostly unfixable afterwards.

    • Cropped screenshots that remove the URL bar, timestamp, or surrounding thread
    • Annotations drawn onto the original image instead of kept as a separate layer
    • Screenshots of screenshots forwarded through chat apps, stripping metadata
    • No record of when a capture was made — a screenshot without a date is a claim, not a record
    • Gaps in the chronology silently bridged by memory instead of marked as gaps
    • Deleting "irrelevant" material early — relevance is a judgment for later and for counsel

    07

    Separate evidence from advice

    A useful pack prepares counsel and qualified reviewers without pretending to make the legal decision. Label facts, sources, and uncertainties clearly; leave legal categories as suggestions for review rather than conclusions. The file should make a reviewer faster and more confident — never make their judgment for them.

    FINIUM LEGAL

    Want this structured for a real matter?

    Send one public URL or representative matter and review the kind of source-aware evidence file Finium is built to prepare.

    Request sample packFor Law Firms