Lars Daniel's Portfolio

Lars Daniel

February 13, 2026

Article at Linkedin

Cell Phone Evidence Disappears: Use This Preservation Letter Before It's Too Late

When it comes to mobile device evidence, time is not on your side.

Unlike paper documents or even desktop computers, cellular devices are in a constant state of change. Location data, application logs, system artifacts, and usage history are routinely overwritten not through intentional deletion, but simply through normal device operation.

In many cases, critical forensic artifacts can disappear within 7 to 30 days, sometimes just from the device being powered on.

Most attorneys understand the importance of issuing a litigation hold. But a standard preservation letter isn't enough for mobile devices. Telling someone to "preserve your phone" without specific technical instructions is like telling them to preserve a sandcastle while the tide is coming in. Without proper guidance, well-meaning compliance can still result in spoliation.

That's why I created this template. It provides clear, device-specific instructions that non-technical parties can follow to actually preserve the data you'll need for forensic examination. It addresses the unique challenges of both iOS and Android devices and explains not just what to do, but why each step matters.

Dear [Recipient]:

This firm represents [Client Name] regarding [brief case description, e.g., "a commercial vehicle accident that occurred on [Date] at [Location]"]. This letter constitutes a formal demand for preservation of evidence and litigation hold notice regarding all digital and electronic evidence contained within mobile devices relevant to this matter.

IMMEDIATE PRESERVATION REQUIRED

Mobile devices contain critical digital evidence that is extremely fragile and can be permanently destroyed through routine use, remote deletion, or improper handling. Best practices of mobile device data can be lost through network commands, battery depletion, app updates, or user actions. Immediate and proper preservation is essential.

CRITICAL: All relevant mobile devices must be immediately isolated from networks and preserved in their current state. No one should access, use, modify, reset, or attempt to examine these devices except pursuant to an agreed protocol with qualified forensic examiners present.

DEVICES TO BE PRESERVED

All mobile devices that may contain relevant evidence must be preserved, including but not limited to:

Smartphones (iPhone, Android, or other operating systems)

Tablets (iPad, Android tablets, Surface, etc.)

Smartwatches (Apple Watch, Samsung Galaxy Watch, Fitbit, Garmin, etc.)

Laptops with cellular capability

Vehicle-installed phones or tablets

Work phones and personal phones if used during relevant time periods

Backup or secondary devices even if not primary phone

EVIDENCE TO BE PRESERVED

Mobile devices contain multiple types of evidence that must be preserved in their entirety, including but not limited to:

Communication Data:

  • Call logs (incoming, outgoing, missed, duration, timestamps)
  • Text messages (SMS/MMS) including deleted messages
  • Messaging apps (WhatsApp, Facebook Messenger, Signal, Telegram, etc.)
  • Voicemail messages and visual voicemail
  • Email accounts accessed from device
  • Video call logs (FaceTime, Zoom, Teams, etc.)

Location and Movement Data:

  • GPS coordinates and location history
  • Cell tower connection data
  • WiFi connection points
  • Bluetooth connection logs
  • App-based location data
  • Geotagged photos and posts
  • Navigation and map search history

Application Data:

  • Social media apps and posts (Facebook, Instagram, TikTok, Twitter/X, Snapchat, etc.)
  • Dating apps if relevant
  • Ride-sharing apps (Uber, Lyft)
  • Food delivery apps showing location/time
  • Banking apps showing transaction locations/times
  • All app installation, usage, and deletion history

Media and Files:

  • Photos and videos (including deleted items)
  • Screenshots
  • Downloaded files
  • Voice recordings and memos
  • Documents and PDFs

Device Activity Data:

  • Screen on/off times
  • App usage timestamps and duration
  • Notification logs
  • Device unlock/lock events
  • Typing/input activity logs
  • Screen interaction data

System and Metadata:

  • Device identifying information (IMEI, serial numbers, phone numbers)
  • Operating system version and update history
  • Network connection logs
  • Bluetooth pairing history
  • Cloud sync settings and history
  • Backup information

IMMEDIATE ISOLATION PROCEDURES REQUIRED

To prevent data loss or remote deletion, the following steps must be taken IMMEDIATELY upon receipt of this letter:

Custodian Passcode:

  • Document the passcode for the phone.

Network Isolation:

  • Enable Airplane Mode on all devices
  • Turn OFF WiFi (verify it's off even in Airplane Mode)
  • Turn OFF Bluetooth
  • Remove SIM cards if safely possible
  • Place devices in Faraday bags if available. Only use aluminum foil if properly tested Faraday bags are not available

Stolen Device Protection

  • Disable stolen device protection features.

Data Preservation:

  • Power off the device.
  • Keep devices powered OFF. Do NOT connect to power

Physical Security:

  • Place devices in secure, locked location
  • Limit access to authorized personnel only
  • Document chain of custody for any handling
  • Photograph devices showing current state and any damage
  • Do not attempt to "test" or "check" device functionality

ACTIONS THAT MUST BE AVOIDED

The following actions can permanently destroy digital evidence and must be absolutely prohibited:

  • Continuing to use the device for any purpose
  • Allowing device to connect to any network (cellular, WiFi, or Bluetooth)
  • Factory resetting or wiping the device
  • Deleting any data, apps, or accounts
  • Installing any apps or software updates
  • Allowing OS or app updates to install
  • Attempting to "clean up" or organize data
  • Using device "cleaning" or optimization apps
  • Exposing device to extreme temperatures
  • Attempting amateur forensic examination
  • Providing passcodes to unauthorized persons
  • Syncing device with computers or cloud services
  • Accepting or dismissing any prompts or notifications

CLOUD AND REMOTE DATA PRESERVATION

In addition to the physical devices, the following associated data must be preserved:

Cloud Storage Accounts:

  • iCloud (for Apple devices)
  • Google Drive/Photos (for Android devices)
  • Microsoft OneDrive
  • Dropbox, Box, or other cloud services
  • Social media cloud backups

Carrier Records:

  • Detailed call records from wireless carrier
  • Text message records if stored by carrier
  • Location data maintained by carrier
  • Tower connection records

Account Access:

  • Maintain all usernames and passwords
  • Do not change passwords or security settings
  • Do not enable/disable two-factor authentication
  • Preserve any authentication devices or methods

AUTHENTICATION INFORMATION

To facilitate proper forensic examination, please preserve and document:

  • Device passcodes, PINs, or patterns
  • Biometric access (ensure authorized user available)
  • Apple ID/Google account credentials
  • App-specific passwords

SIM Card PINs

  • Any device management or parental control credentials

Note: Providing authentication information may be addressed through court orders or agreements between parties.

TIME-SENSITIVE NATURE

Mobile device evidence is extremely time-sensitive for multiple reasons:

  • Automatic deletion: Many apps automatically delete data after specific time periods
  • Storage limitations: Devices overwrite old data when storage fills
  • Carrier retention: Carriers only maintain records for limited periods
  • Remote wipe: Devices can be remotely wiped by users, employers, or carriers

Some data may be lost within days or hours. Immediate preservation is critical.

PRESERVATION PROTOCOL REQUIRED

Before any forensic examination, all parties must agree to a written protocol that specifies:

  • Qualified forensic examiners for each party
  • Extraction methods and tools to be used
  • Passcode/authentication procedures
  • Documentation and video recording requirements
  • Chain of custody procedures
  • Data sharing obligations

Until such protocol is established, devices must remain isolated and secured as described above.

LEGAL OBLIGATIONS AND CONSEQUENCES

You have a legal obligation to preserve all potentially relevant evidence once on notice of potential litigation. This preservation duty is immediate and continuing. Failure to preserve mobile device evidence may result in:

  • Spoliation sanctions including adverse inference instructions
  • Monetary sanctions and attorney fee awards
  • Dismissal of claims or defenses
  • Criminal penalties for intentional destruction of evidence
  • Personal liability for individuals who destroy evidence
  • Exclusion of beneficial evidence

Courts have repeatedly sanctioned parties for failing to properly preserve mobile device evidence, including cases where devices were continued to be used, remotely wiped, or traded in.

PROPOSED IMMEDIATE ACTIONS

To ensure proper preservation:

  • Immediately isolate all devices from networks as described above
  • Secure devices in locked location with restricted access
  • Document current device state with photographs and written inventory
  • Create inventory of all potentially relevant devices
  • Suspend any automatic deletion or retention policies
  • Preserve cloud accounts and prevent any sync operations
  • Contact our office to coordinate forensic examination

CONFIRMATION REQUIRED

Please confirm in writing as soon as feasible that:

  • All relevant devices have been identified and secured
  • Devices have been isolated from all networks
  • No one will access or use the devices
  • Cloud accounts have been preserved
  • You will cooperate in establishing an examination protocol

If any devices have already been modified, reset, wiped, lost, or destroyed, please immediately provide:

  • Description of what occurred
  • Date and time of the incident
  • Person(s) responsible
  • Any remaining data or backups
  • Steps taken to recover data

DEVICES CURRENTLY IN USE

If devices must remain in use for emergency or business continuity purposes:

  • Immediately contact our office to discuss preservation alternatives
  • Consider obtaining replacement devices
  • Create forensic preservation of current state before any continued use
  • Document all use after preservation notice
  • Disable automatic deletion features

Time is of the essence. Mobile device evidence can be lost in hours or days. Please contact me immediately at [phone] or [email] to confirm preservation and coordinate next steps.

This preservation demand applies to all potentially relevant evidence, whether specifically identified or not. When in doubt, preserve everything. This includes devices not yet identified that may contain relevant evidence.

PRESERVATION OF ADDITIONAL ITEMS

Also preserve all items associated with the mobile devices:

  • Charging cables and adapters
  • SIM cards and memory cards
  • Original packaging and documentation
  • Purchase records and contracts
  • Insurance records for devices
  • Any computers devices were synced with
  • Backup drives or devices
  • Written passwords or PINs


Built with Authory.
Get your own portfolio now!

;