Digital Evidence 101: What Every Attorney Should Know Before Discovery 

Copyright 2026, Steve Burgess

I’ve sat across the table – or more recently, the Zoom – from a great many attorneys over the past forty years, and I’ve noticed a pattern. Litigators who can cross-examine a hostile witness into a confused puddle, who can recite the rules of evidence from memory, and who can spot a hearsay problem from across the courtroom will sometimes look at a hard drive the way the rest of us look at a tax form: with suspicion, mild dread, and the blessed hope that someone else will handle it.

That’s understandable. Law school doesn’t teach this, and it shouldn’t have to. Digital forensics is its own discipline, just as forensic accounting or medical examination are their own disciplines. But discovery in 2026 runs through digital data so thoroughly that a basic working knowledge isn’t optional anymore. So, let’s cover a few fundamentals – the things many attorneys wish they knew before the discovery clock started running.

Digital evidence is broader than most people think. It’s not just emails and the obvious files on a work computer. It’s text messages, cloud storage, app data, metadata, browser history, location information, IoT (Internet of Things) device logs, and increasingly, AI-generated or AI-assisted content. If a device touches the internet or stores information electronically, it’s a potential evidence source.

I often suggest that clients assume something may be discoverable until proven otherwise, rather than the reverse. That approach occasionally results in collecting more information than you need. The opposite approach occasionally results in explaining things to your client, or worse, to a judge.

Speaking of common misconceptions, let’s talk about deleted data. When a file is deleted on most systems, the data itself usually isn’t immediately erased. Instead, the space it occupied is marked as available for reuse. Until something else overwrites it, some or all of that information may remain recoverable.

That’s often good news. It’s also not a guarantee. How long that recovery window remains open depends on the device, operating system, storage technology, and how much the device has been used since the deletion occurred. Anyone who tells you with complete certainty, as many a client will, that deleted data is “definitely still there” or “definitely gone forever” without examining the device is hand-waving.

Metadata matters more than content sometimes. A document’s content tells you what it says. Its metadata can tell you who created it, when it was created, what software was used, and what happened to it along the way. I’ve seen metadata reveal that a supposedly contemporaneous document was actually created weeks after the event it purported to describe – not a footnote – it can sometimes be the whole case.

Chain of custody sounds like bureaucratic box-checking until you’ve seen a case turn on it. It exists because digital evidence, unlike a paper document, can be altered without leaving an obvious trace if it isn’t handled correctly. A device examined by someone without proper forensic methodology – even with the best intentions – can have its evidentiary value compromised.

This is why “I’ll just have my IT guy take a look” is a sentence that makes me wince every time I hear it. Your IT person may be excellent at fixing printers, managing servers, and keeping everyone connected to Wi-Fi. That’s a different skill set than preserving evidence for litigation. Nobody calls a forensic accountant to repair the office copier, either.

Timing changes everything. The earlier a forensic expert gets involved, the more options exist. Devices keep getting used. Cloud accounts keep syncing. Backups keep cycling and overwriting older versions. Evidence that’s recoverable today may not be recoverable in three months, and there’s rarely a reliable way to know in advance which evidence is on a fast clock and which isn’t. The cost of being wrong is usually much higher than the cost of an early consultation.

None of this requires you to become a forensic examiner yourself – that would be a strange use of your law degree, and frankly I’d be out of a job. What it does require is recognizing when a case has a digital evidence component – which, in 2026, is most of them – and bringing in the right expertise before discovery goes sideways.

The attorneys who get the best outcomes aren’t the ones who know the most about digital forensics. They’re the ones who know enough to ask the right questions at the right time.

What are some things you’ve learned about digital evidence the hard way?

Steve Burgess is a digital forensics expert witness with more than 40 years of experience and over 20,000 devices and digital media examined. He is the principal of Burgess Forensics, founded in 1984.

Don’t miss a single issue of our informative newsletter … Subscribe!