Stop posting now. Preserve accounts and devices and collect native exports within 72 hours. Contact family-law counsel once preservation begins.
Summary of the process
This section gives a fast, step-by-step plan to preserve evidence and limit exposure.
Quick process list
- Stop posting and interacting on all accounts immediately.
- Preserve devices and issue a litigation hold as soon as possible.
- Export native account archives and save device images.
- Log every action, hash files and keep a clear evidence chain.
- Hire family-law counsel and a forensic examiner when the case is contested.
What this achieves
It prevents further harmful posts and preserves stronger evidence than screenshots.
Aim to stop posting now and collect exports within 72 hours when possible.
Stop here for a moment and write down account names.
Step 1: preserve accounts and devices
Preservation starts the moment separation or a risky post appears.
Stop posting, commenting and reacting on every platform.
Keep devices powered and avoid factory resets, logouts or mass deletions.
Make a short list of all accounts and linked emails.
Litigation hold basics
A litigation hold names custodians, accounts, devices and a retention period.
A hold asks custodians to preserve messages, photos, backups and cloud storage.
Record the hold date and who received the notice.
How to notify custodians
Send the hold to relevant persons or an IT custodian with account lists.
Include device identifiers and cloud account emails when known.
Write the notice as an email and save a copy of the sent item.
Step 2: export natively and document
Native exports carry timestamps, message IDs and server-side metadata that screenshots lack.
How to get native exports fast
Meta: Settings > Your Facebook Information > Download Your Information for Facebook and Instagram.
Google/YouTube: Google Account > Data & privacy > Download with Google Takeout.
X, TikTok, Snapchat: use account settings or file formal data requests through support.
Save and verify files
Store exports in read-only folders and compute a SHA-256 hash for each file.
Record who downloaded, when and where each export is stored.
Keep at least two secure copies in different locations.
Screenshots vs native exports
Screenshots capture appearance but not metadata or server logs.
Native exports include message IDs, timestamps and often delivery logs.
Screenshots help short-term, but never replace native files in court.
Make a short note of where you took each screenshot.
Step 3: privacy settings and limiting further exposure
Adjust settings to reduce new risk without breaking the chain of custody.
App-by-app quick settings
Facebook/Instagram: make accounts private, remove tag permissions and restrict past posts.
TikTok: make account private, restrict duets and comments; save drafts locally.
Snapchat: do not clear chat history; ask recipients to save snaps for preservation.
Turn off location sharing and geotagging
Disable location services for social apps on phones and remove EXIF geotags from photos.
When geotags remain in server copies, preserve those server logs via export.
Document every privacy change
Take a time-stamped note when changing settings and save a screenshot of each page.
Add the screenshot hash and file path to the activity log.
App-specific step-by-step actions:
- For Facebook and Instagram, go to Settings & privacy → Settings → Your Facebook Information → Download Your Information to request a native export
- For tag controls use Profile → Settings → Privacy → Profile and Tagging to require manual tag approval and remove past tags. On Instagram: Profile → Menu → Settings → Privacy → Account Privacy to switch to Private and Settings → Privacy → Tags to limit who can tag you. On TikTok: Profile → Menu → Settings and privacy → Privacy to set Account Privacy to Private, disable "Duet" and restrict comments
- Use Settings → Privacy → Personalization and data to request a data archive
On Snapchat: Profile → Settings → Who Can → Contact Me and View My Story to restrict access, and avoid clearing chat while capturing screenshots and requesting recipient saves. On X: Settings and Support → Settings and Support → Settings → Privacy and safety → Protect your Tweets to make posts private and Settings → Your account → Download an archive to request native exports.
Document the exact time and account when each setting changes and save a screenshot for the log.
This table helps prioritize preservation by platform and risk. Save it and apply platform-specific steps first.
| Platform |
Red-flag behaviors |
Recoverability |
Key metadata |
Immediate action |
| Facebook / Instagram |
Location check-ins, group posts, story bragging, tagged purchases |
High |
Post IDs, timestamps and server logs. EXIF may be stripped at upload. Rely on native exports and provider logs when possible. Document both server and device sources in the chain of custody. |
Download archive, remove tags, set private |
| TikTok |
Short videos with location, duets that imply contact |
Medium-High |
Video file metadata, server logs and view history |
Make private, request archive, save drafts |
| Snapchat |
Ephemeral snaps, saved chat snapshots, story evidence |
Medium |
Delivery logs, recipient saves and device copies |
Preserve recipients, request archives |
| X (Twitter) |
Deleted threads, quote replies, DMs |
High |
API logs, tweet IDs and timestamps |
Download archive, capture threads, subpoena logs |
| LinkedIn / YouTube / Google |
Employment claims, income posts, video evidence |
High |
Account history, monetization records and uploads |
Download archives, save professional messages |
Forensic basics, subpoenas and legal rules
Server logs, timestamps and EXIF data prove when and where content existed.
Metadata shows file creation times, device IDs and sometimes GPS coordinates.
A forensic report can detect edits, resaves or timestamp manipulation.
The most frequent error at this point is relying only on screenshots.
E-discovery and legal paths
The Federal Rules of Civil Procedure cover electronic discovery in federal cases.
The Stored Communications Act and other laws affect how providers release content.
Subpoenas and preservation requests
Counsel can issue subpoenas or 2703(d) orders to get provider logs and backups.
Preservation letters ask providers to retain server copies pending legal process.
A technical note on recovery: deleted posts and messages are not magic; they are reconstructed from provider backups, device images and recipient copies.
A short practical note for strategy: pairing native exports with device images increases recovery odds.
Be aware of limitations: platform retention varies, encryption can block retrieval, and EXIF is often stripped at upload. Always pair native exports with device images and a documented chain of custody to maximize evidence value.
Use vetted tools that preserve metadata and support a chain-of-custody log.
Device imaging: FTK Imager and Magnet AXIOM capture device images with metadata.
Web capture and OSINT: Hunchly, Archive.today and the Wayback Machine record web appearances.
Mobile extraction: Cellebrite can recover deleted messages from backups.
Vetting vendors and standards
Choose vendors familiar with family-court rules in the relevant state and who provide affidavits.
Ask for sample reports that show raw metadata and the preservation hashes.
Anonymized case example
A typical case: parent posts frequent partying photos while claiming full-time caregiving.
The court reduced custody and ordered supervised visits after server logs matched timestamps.
That outcome shows social posts can contradict custody testimony and alter rulings.
Data points and professional sources
An ABA survey (2018) found a majority of family-law attorneys encounter online evidence in cases.
A National Center for State Courts summary (2019) reports rising use of digital evidence in custody disputes.
EFF guidance (2020) highlights retention and privacy limits when seeking provider data.
An anonymized custody matter showed native exports and server logs placing a caregiver at late-night events. The court adjusted parenting time and ordered supervised exchanges.
These outcomes depended on native exports, device images and hashed files with a chain of custody rather than on unauthenticated screenshots alone.
Errors that ruin preservation
Small mistakes often destroy the best evidence and credibility.
Deleting instead of preserving
Deleting content can trigger spoliation claims when litigation is expected.
Providers may still retain server copies, and deletion can look like concealment.
Relying only on screenshots
Screenshots lack server metadata and are easy to challenge for authenticity.
Always pair screenshots with native exports and a logged chain of custody.
Reactive public confrontation
Publicly confronting a partner can escalate the dispute and create evidentiary noise.
Avoid public posts or messages that will be used to show intent or harassment.
When this method does not apply
This guidance is not for emergencies involving immediate physical danger.
If safety is at risk, contact law enforcement and local shelters first.
When retained counsel advises a different plan or a court order limits action, follow legal advice.
Stop and review safety steps if the other party knows your location.
Stop posting now, preserve devices and export native archives within 72 hours when possible.
Document every step in a dated activity log and compute file hashes to prove no tampering.
A family-law attorney experienced with digital evidence coordinates subpoenas and expert collection; contact one to start preservation now.
Next steps and resources
Use the templates below to start preservation and logging, and follow the app-specific quick actions from Step 3.
Litigation hold letter
[Date]
To: [Custodian / IT / Service Provider]
Re: Preservation Notice – [Case name or matter]
You are instructed to preserve all electronic data relating to [case/matter description].
Include custodial accounts: [list emails, usernames].
Preserve devices: [list device types and identifiers].
Preserve cloud storage, backups, social accounts and messaging apps from [date range].
Do not delete, destroy, alter or overwrite any relevant data.
Signed: [Name], [Title], [Contact]
Activity log template
| Date |
Time (UTC) |
Action |
Account/Device |
File path/ID |
Hash |
Performed by |
| 2026-06-16 |
14:05 |
Downloaded Facebook archive |
email@example.com |
/evidence/fb_0616.zip |
SHA256:... |
Jane Doe |
Short chain-of-custody checklist
- Note who collected data and method used.
- Compute SHA-256 hashes for files and images.
- Store originals read-only and keep exact copies for analysis.
- Get signed affidavits from collectors where possible.
Flow of preservation
Preservation flow
Stop Posting
→
Preserve Devices
→
Export Archives
→
Log & Hash
- FTK Imager (device imaging)
- Magnet AXIOM (analysis)
- Cellebrite (mobile extraction)
- Hunchly and Archive.today (web capture)
Frequently asked questions
What not to post during separation?
Avoid photos or messages that show financial spending, new intimate partners, substance use or travel that contradicts sworn statements.
Focus on neutral communication and preserve anything relevant before removing it.
Can deleted messages be recovered?
Yes, deleted messages often remain in backups or recipients' devices and can be recovered with subpoenas or device imaging.
Recovery depends on the platform and whether backups exist.
How strong is screenshot evidence?
Screenshots show appearance but rarely prove authenticity alone under evidence rules.
Combine screenshots with native exports, forensic hashes and witness statements for strength.
When should a forensic expert be hired?
Hire an examiner when metadata is disputed, files are deleted or when an opposing party challenges authenticity.
Experts prepare admissible reports and testify about technical findings.
How long do providers retain user data?
Retention varies by company and file type; many platforms keep backups and logs for months or longer.
A preservation letter or subpoena increases chances of recovering server-side copies.
Closing note
The right preservation steps protect evidence and credibility while limiting harm from impulsive posts.
Apply the short checklist, get native exports and bring counsel into the process early to coordinate subpoenas and experts.
This plan reduces risk and preserves options across custody, asset and prenup disputes.
When immediate physical safety is a concern, call emergency services first. Do not attempt preservation that might expose location or put anyone at risk.
Will social posts affect custody?
Yes, repeated hostile posts, illegal activity or evidence of neglect can affect custody and enforcement of prenup terms.
Courts weigh online conduct against sworn testimony and other proof.