Evidence intake
How law firms turn screenshots into evidence files
A practical walkthrough of the core transformation — from scattered screenshots, URLs, and media to a structured, timestamped evidence file that qualifies for counsel review. Covers the five-step intake pipeline, what each step needs, and where lawyers should expect breakdowns in self-collected material.
The problem with "screenshot folders"
Most online-harm material arrives as a folder of screenshots: posts, profile pages, message threads, each cropped to whatever the person thought mattered at the moment. A screenshot folder answers exactly one question reliably ("did anyone see this?") and fails at every other question counsel will ask: when was this captured, by whom, what came before and after, what was cropped out, does the source still exist, and how does this piece connect to that other piece from a different platform. The transformation from screenshots to evidence files is not about adding more software. It is about replacing the assumption that "something was captured" with a record that answers the questions a reviewer will actually ask.
Step 1: Ingestion and source anchoring
Every piece of material needs a source anchor before it becomes evidence. For a screenshot, the anchor is the original URL as it appeared when the capture was made, the timestamp of that capture (not the timestamp in the screenshot), and the capture method. For a media file, the anchor adds the file hash computed at ingestion and the extraction path (downloaded, forwarded, saved from platform UI). Material without a source anchor is a claim, not a record, and should be marked as such rather than silently included.
- Original URL or earliest known source location, captured alongside the screenshot
- Capture timestamp with timezone and source of that timestamp (system clock, NTP-synced service, third-party witness)
- Capture method recorded: browser screenshot, platform export, app screen recording, manual save
- File hash computed at ingestion if the tooling allows it
- Estimated reliability of the source anchor: confirmed at source, self-reported, inferred
Step 2: Context wrapping
A single post is rarely actionable on its own. What makes it evidence is its context: the thread it belongs to, the account that published it, the engagement it received when captured, the platform policies that apply, and the relationship to other material in the same matter. Context wrapping means attaching these surroundings to each piece without altering the original capture. The result is a bundle where each item carries its original record and a context envelope added as a separate layer.
- Thread or conversation context: what came before and after the captured item
- Publisher context: account handle, display name, profile URL at capture, bio, follower count
- Platform context: the relevant terms, reporting channel, and any platform-applied labels
- Cross-reference to related captures in the same matter with the relationship type noted (same account, same campaign, same subject)
Step 3: Timestamping and sequencing
A chronological sequence is the spine of any evidence file. Each item needs its own capture timestamp, and the items together need a timeline that shows what happened in what order. The sequencing step is where gaps become visible: a missing day, an unexplained jump between platforms, a period without captures. Good sequencing marks gaps rather than bridging them silently, because a gap a reviewer discovers on their own erodes trust in the whole file.
- Capture timestamp per item with the time source documented
- Chronological sort with items that lack reliable timestamps flagged and placed at the best-estimate position
- Gap markers between periods with no captures, noting the duration and any plausible explanation
- Event-level timestamps where the material itself shows timing (post time, message send time, notification time) recorded as metadata, not as capture time
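A minimal sketch of the sequencing step, added here as an illustration and not taken from Finium's tooling. The field names, the 24-hour gap threshold, and the set of time-source labels treated as unreliable are all assumptions; the sample captures are constructed.

```python
from datetime import datetime, timedelta, timezone

GAP_THRESHOLD = timedelta(hours=24)                 # assumed; set per matter
UNRELIABLE_SOURCES = {"self-reported", "inferred"}  # assumed labels

# Constructed sample captures, deliberately out of order and in mixed timezones.
CAPTURES = [
    {"id": "cap-003", "captured_at": "2024-03-04T08:00:00+00:00", "time_source": "self-reported"},
    {"id": "cap-002", "captured_at": "2024-03-01T09:30:00+00:00", "time_source": "ntp"},
    {"id": "cap-001", "captured_at": "2024-03-01T10:00:00+01:00", "time_source": "ntp"},
    {"id": "cap-004", "captured_at": "2024-03-04T12:00:00+00:00", "time_source": "ntp",
     "event_time": "2024-02-27T18:45:00+00:00"},  # post time shown in the material
]

def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and refuse values that carry no timezone."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {stamp}")
    return parsed.astimezone(timezone.utc)

def build_timeline(captures, threshold=GAP_THRESHOLD):
    """Sort by capture time (UTC) and insert explicit gap markers."""
    timeline, previous = [], None
    for cap in sorted(captures, key=lambda c: to_utc(c["captured_at"])):
        when = to_utc(cap["captured_at"])
        if previous is not None and when - previous > threshold:
            # Mark the gap instead of bridging it; a person fills in the explanation.
            timeline.append({"type": "gap", "from": previous.isoformat(),
                             "to": when.isoformat(),
                             "hours": (when - previous).total_seconds() / 3600,
                             "explanation": None})
        timeline.append({"type": "item", "id": cap["id"],
                         "captured_at": when.isoformat(),
                         "time_source": cap["time_source"],
                         # Flag items whose position is only a best estimate.
                         "best_estimate": cap["time_source"] in UNRELIABLE_SOURCES,
                         # Event time is carried as metadata and never used for sorting.
                         "event_time": cap.get("event_time")})
        previous = when
    return timeline
```

Sorting on the raw timestamp strings would place cap-002 before cap-001; normalizing to UTC first puts them in the order the captures were actually made.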
Step 4: Integrity sealing
Once material is anchored, wrapped, and sequenced, the file needs an integrity record that protects against later allegations of silent alteration. This is not about trust — it is about inspectability. A custody log that shows each item’s hash at capture, every access event, and every export version is what lets a reviewer verify that what they are looking at now is what was captured then. The Finium evidence standard uses SHA-256 hashes recorded at capture, with a custody event log that tracks storage, access, review, and export as separate auditable entries.
- Per-item hash computed at capture and stored alongside the record
- Custody event log: capture, store, access, review, export with timestamps and actor identifiers
- Tamper-evident manifest or bundle checksum for multi-item exports
- Access control record: who saw what, when, and in which role
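One way to make the custody log and export manifest tamper-evident, added here as an example and not Finium's implementation. The page specifies only SHA-256 hashes and a custody event log; chaining each entry to the previous one, the field names, and the constructed sample data are assumptions of this sketch.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed start value for the custody chain

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_hash(record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so a record always hashes the same.
    return sha256_hex(json.dumps(record, sort_keys=True, separators=(",", ":")).encode())

def append_event(log, event, item_id, actor, at, item_hash):
    # Each entry commits to the previous entry's hash, so a later edit breaks the chain.
    entry = {"event": event, "item_id": item_id, "actor": actor, "at": at,
             "item_hash": item_hash,
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = record_hash(entry)
    log.append(entry)

def build_manifest(items, log):
    # Per-item hashes plus the custody log head; the manifest's hash is the bundle checksum.
    manifest = {"items": {iid: sha256_hex(data) for iid, data in items.items()},
                "log_head": log[-1]["entry_hash"] if log else GENESIS}
    return manifest, record_hash(manifest)

def verify_export(items, log, recorded_checksum):
    # Recompute everything from the bundle as received and list what no longer matches.
    captured = {e["item_id"]: e["item_hash"] for e in log if e["event"] == "capture"}
    problems = [f"item {iid} differs from its capture hash"
                for iid, data in items.items() if captured.get(iid) != sha256_hex(data)]
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or record_hash(body) != entry["entry_hash"]:
            problems.append(f"custody log broken at entry {i}")
            break
        prev = entry["entry_hash"]
    if build_manifest(items, log)[1] != recorded_checksum:
        problems.append("bundle checksum mismatch")
    return problems

# Constructed sample matter: two captures followed by one review event.
ITEMS = {"cap-001": b"constructed screenshot bytes", "cap-002": b"constructed export bytes"}
LOG = []
for iid, data in ITEMS.items():
    append_event(LOG, "capture", iid, "intake-analyst", "2024-03-01T09:00:00+00:00", sha256_hex(data))
append_event(LOG, "review", "cap-001", "counsel", "2024-03-02T14:00:00+00:00", sha256_hex(ITEMS["cap-001"]))
MANIFEST, CHECKSUM = build_manifest(ITEMS, LOG)
```

The chain only detects a full rewrite of the log if the recorded checksum is kept somewhere the bundle's holder cannot change, for example in the export record sent to the recipient.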
Step 5: Structured export
The final step is producing an output designed for its audience, not a catch-all package. A law firm receiving an evidence file for client intake needs a different format than a security team briefing an executive. The export step applies the appropriate structure: a chronology with source references, an exhibit index, a summary of findings and uncertainties, and the custody record attached. The firm remains the legal actor; the evidence file is the raw material their judgment works from.
- Chronology with each entry sourced to the original capture and hash
- Exhibit index mapping each exhibit back to its source anchor and custody entry
- Uncertainty summary stating what is observed, what is reported, and what is inferred
- Custody record as a separate appendix so reviewers can inspect the handling trail independently
- Export version and recipient logged for later reference
Frequently asked questions
What is the difference between a screenshot and a captured record?
A screenshot is an image file. A captured record is the screenshot plus its source URL, capture timestamp, and custody metadata. Counsel can work with a captured record; a screenshot without those attachments is a claim.

Does Finium replace the lawyer's review?
No. Finium produces structured evidence files that make legal review faster and more reliable. The firm evaluates the material, applies legal standards, and makes the strategic decisions.

Does every case need all five steps?
Simpler matters may not need the full pipeline, but the discipline applies at every scale: anchor, wrap, sequence, seal, export. Shortcutting any one step creates a question a reviewer will ask.
- A captured record = screenshot + source URL + timestamp + custody metadata
- A screenshot alone is a claim, not a record
- Finium produces files for review; counsel makes the legal decision
- All five steps apply at every scale; a simpler matter does not excuse missing anchor metadata