Mobile & Chat Preservation — What to Do on Day One

Why this matters. In most modern disputes, the clearest decision trail lives in iMessage/Android Messages and enterprise chat—Teams and Slack—with Signal and Telegram increasingly used by government actors, sophisticated adversaries, and people who want to avoid scrutiny. The duty to preserve arises when litigation is reasonably anticipated. Your north stars are FRCP 26(b)(1) (proportional discovery), Rule 26(f) (early planning), Rule 34 (requests/inspection), and Rule 37(e) (sanctions for loss of ESI). Courts don’t just ask whether you “kept messages”; they ask whether you identified the right sources, paused deletion, captured context, and can prove it.

Bottom line: Treat mobile and chat like core ESI. On Day One, freeze settings, map scope, build proof. Then collect in a way that preserves context, not just text.

Day One — Your Legal Mandate (15–30 minutes per custodian/source)

1) Freeze the risk settings and record what existed at the moment of hold

• Mobile: Note OS version; iMessage/Android Messages settings; iCloud/Google backup status; and any disappearing/auto-delete toggles in third‑party apps (WhatsApp, Signal, Telegram, etc.). If ephemeral messaging is enabled, disable it or implement a preservation exception/lock and save the change log. This is your first line of defense under Rule 37(e).
• Teams/Slack: Capture the org/workspace retention policy, channel-level overrides, and whether edits, deletions, and reactions are retained. Record user edit/delete privileges and any legal hold/retention labels applied. Weigh this against whether you have possession, custody or control over the data, how courts view it, and whether you want to make an argument on that.

2) Define the conversation universe so scope is defensible under Rules 26(f) and 34

Enumerate relevant channels, private channels, DMs, shared/cross‑org spaces, and any external/guest access. Export membership rosters (who had access, when). Note contextual events (edits, deletions, reactions, timestamps) because those events often explain intent and timing.

3) Build the proof file (your future defense under 37(e))

Create a “Hold – Chat/Mobile” folder for the matter. Store the hold notice, list of sources, settings screenshots, policy pages, membership exports, admin/audit change logs, tracking log and export receipts (job IDs, date/time, scope, format). Pick a processing timezone (venue or UTC) and record it so timestamps align across collections and review.

Counsel Must Physically Inspect the Device (Trust—but Verify)

Do not rely solely on custodian self‑reporting (or idnetification (self-collection is a topic for another day). Counsel (or your trained preservation lead) should physically view the phone to verify:

• All installed apps capable of messaging (including less obvious apps, secondary browsers, and alternate keyboards with chat features). On iOS, check the full App Library and “Offloaded Apps”; on Android, review both installed and disabled apps and any alternate stores.
• Whether Signal or Telegram is present even if the custodian says they “don’t use it.” Look for work‑adjacent accounts or contact lists.
• Backup status (iCloud/Google), device‑level auto‑delete settings, and app‑level disappearing message timers.
• Any signs of data migration, factory reset, or device replacement plans that need immediate preservation steps.

For BYOD, use a short consent form defining the inspection’s scope (business communications only), the search objective, and the preservation actions to be taken. Coordinate with HR/Privacy where required, but document the inspection the same day the hold issues. The inspection/viewing can be done virtually, just follow all of the steps.

Platform Playbooks (What to Prove and Preserve)

Microsoft Teams

Teams content spans channels, private channels, shared channels, and 1:1/1:many chats. Retention/holds may live in M365 Purview; edits and deletions can be retained or purged depending on policy. On Day One, record: tenant/wide retention policy, any label-based retention, and the state of audit logging. Map private/shared channels and export membership with timestamps. For collection, favor admin‑level exports/eDiscovery that retain event history (edits/deletes/reactions), timestamps, and attachments. Avoid relying on user screenshots as your primary evidence; keep them only as explanatory supplements.

Slack

Capture the workspace/org retention matrix, channel overrides, whether message events (edits/deletes/reactions) are retained, and what export modes are enabled (e.g., Discovery API, org‑wide export). Enumerate private channels, DMs, and shared channels; export membership. Select an export mode that preserves event history and save the schema/field guide alongside the data so reviewers and experts can interpret it later.

Signal (edge cases you must plan for)

Signal is device‑centric. Disappearing messages and local-only storage are common. Android supports encrypted backups; iOS does not provide a standard cloud backup for Signal content. Plan to collect from the device when proportional. On Day One, document whether disappearing timers are enabled, whether the app exists on the device, and the device’s backup state. If ephemeral settings can’t be paused, implement a preservation exception immediately and save proof of the change.

Telegram (cloud vs. device)

Cloud chats are stored on Telegram’s servers and can reflect message edits/deletes; Secret Chats are device‑to‑device with end‑to‑end encryption and may use auto‑delete. On Day One, determine whether communications are in cloud chats or secret chats. For cloud content, use exports that preserve timestamps and edit/delete events where possible. For Secret Chats, preservation typically requires device‑level collection because server‑side exports won’t capture the content.

Collection That Survives Scrutiny

• Mobile (BYOD or corp): Where proportional, target app‑level chat databases + attachments. If a full device image is required, include the day‑one proofs of backup toggles and retention settings.
• Teams/Slack/Signal/Telegram: Use admin‑level or device‑appropriate exports that retain edits, deletions, reactions, timestamps, and attachments. Re‑export if your first attempt strips event history, and log the correction.

Common Failure Patterns and Fixes

• Auto‑delete continues after the hold. Implement a retention lock/preservation exception and save the change log.
• Private spaces and DMs are missed. Scope them explicitly; add to holds and exports; keep membership with timestamps.
• Event history is missing. Switch to an export mode that keeps edits/deletes/reactions; save the schema with the data.
• No audit trail. Maintain an Admin Evidence subfolder with policy snapshots, hold activation details (who/what/when), change logs, and export receipts.

Preservation Language You Can Adapt

You can use language in your legal hold notice, comms with custodians, and wherever you need to. Here’s some sample text, modify it as you need for your use case.

Mobile (texts and chat).
“Effective immediately, do not delete, modify, or disable backups for messages or attachments in SMS/iMessage/Android Messages and work‑related chat apps (e.g., WhatsApp, Signal, Telegram). Do not change device or app retention settings. If auto‑delete or disappearing messages are enabled, notify Legal so a preservation exception can be implemented. Preserve the device in its ordinary state and report any planned device replacement or reset.” If necessary, add language about contacting counsel before swapping out a device.

Enterprise chat (Teams/Slack).
“Effective immediately, the organization will preserve applicable channels, DMs, private/shared channels, and cross‑tenant/shared spaces, including message edits, deletions, reactions, attachments, and timestamps. Legal will maintain membership lists and audit logs showing the hold scope and retention settings during the hold period. Do not delete channels or adjust retention without Legal approval.” Here you may also want to provide a contact. Be sure to take your actions enterprise wide before sending this language out, and keep an eye on audit logs for deletions of content after the notice.

What “Good” Looks Like When Challenged

When the court or opposing counsel asks you to “show your work,” you can produce:

1. Settings proof from the hold date;
2. Scope proof—channel/DM membership with timestamps;
3. Change proof—audit logs for policy edits and hold activation;
4. Export proof—job IDs with date/time, scope, and format; and
5. Processing notes—timezone, hash capture points, and any exceptions.

Together, that record reflects sound preservation under FRCP 37(e) and proportional decisions under FRCP 26.

Quick Checklist

• Record device + app retention settings at hold.
• Physically inspect the device to identify all messaging apps (including Signal and Telegram) and verify backups/auto‑delete settings.
• Enumerate channels/DMs; export membership lists.
• Confirm the hold pauses deletion; if not, implement lock/exception and log the change.
• Choose export modes that retain edits/deletes/reactions; save the schema.
• Store audit logs and export receipts with the settings proof.
• Note processing timezone and hash capture points.

Minerva26 users can leverage the full checklist within the application.

Text and chat messages have become the smoking guns and the subject of sanctions in multiple cases this year alone. Get a plan in place BEFORE you need to so you don’t miss anything when the fire erupts.

Learn more about Minerva26.