eDiscovery Platforms: What They Are, How They Work, and Why Evidence Authenticity Is the Critical Point
Every modern dispute turns on data that is born digital. Emails, corporate chats, shared documents, system logs, video calls, web pages: most of the information that matters in a case no longer exists on paper, but inside servers, cloud services and devices. The problem is that this material is vast, scattered and easy to alter.
A company caught up in litigation may have to sift through millions of documents to find the few dozen that actually count, and it has to do so in a traceable, defensible way and within the deadlines the proceeding imposes. This is exactly what eDiscovery platforms are for: specialized systems that manage the identification, collection, analysis and production of digital evidence for legal and investigative purposes.
Yet there is one aspect that almost every guide on the subject overlooks, and it is the one that makes the difference in court: finding the right document is not enough, you also have to be able to prove that the document is authentic, intact and collected without alteration. A chat or a screenshot captured carelessly can be challenged and excluded, however relevant it may be on the merits. In this guide we look at what eDiscovery platforms are, how the process works according to the EDRM model, what they do and how to choose one. And we look at why the real critical point is the admissibility of the evidence, and how TrueScreen steps in precisely there.
What is eDiscovery (electronic discovery)
eDiscovery, or electronic discovery, is the process of identifying, collecting, analyzing and producing information in electronic form to be used as evidence in a legal proceeding, an internal investigation or a compliance activity.
The term grew out of the legal concept of discovery: the phase, typical above all of common law systems, in which the parties to a case exchange the evidence in their possession before trial. When evidence stopped being paper files and became files on a disk, discovery became electronic discovery. Today the concept applies well beyond Anglo-Saxon courts: any organization that has to respond to a request from an authority, run an internal investigation into fraud or misconduct, or demonstrate its regulatory compliance, is effectively doing eDiscovery.
The material eDiscovery works on has a technical name: ESI, or Electronically Stored Information. The category covers a vast range of content:
- emails and their attachments;
- work documents (text files, spreadsheets, presentations);
- instant messaging and corporate chats;
- databases and management systems;
- audio and video files, including recordings of video calls;
- web pages, posts and social media content;
- metadata, access logs and system traces.
What makes ESI so distinctive, and the reason a dedicated discipline exists at all, is metadata: the hidden information that travels with every digital file, such as the creation date, the author, later changes, the origin. Metadata is often decisive in court because it tells the story of the data. But it is also very fragile: a botched collection, a simple save or the forwarding of an email can alter it irreversibly, wiping out the evidentiary value of the content.
eDiscovery, computer forensics and digital forensics: the differences
eDiscovery, computer forensics and digital forensics are often used interchangeably, but they describe distinct if connected fields. Understanding the difference helps in choosing the right tools.
eDiscovery has a procedural, document-centric focus. It works on large volumes of already existing ESI, with the goal of finding, examining and producing the documents relevant to a dispute. The question it answers is: in this mass of data, which pieces of evidence do I need and how do I hand them to the other side?
Digital forensics has an investigative, technical focus. It acquires and analyzes single sources of evidence in depth (a device, a storage medium, a network trace) preserving their integrity down to the single bit, often to reconstruct how something happened: an unauthorized access, a deletion, a tampering.
In practice the two disciplines meet constantly. eDiscovery relies on forensic methodologies in the phases where evidence has to be acquired and preserved in an unassailable way; digital forensics provides the technical rigor that makes evidence admissible. Their meeting point is forensic acquisition: the moment a digital item is captured in a way that lets you prove its authenticity, integrity and certain date. This is where much of admissibility is decided, and this is where TrueScreen operates.
The EDRM model: the 8 phases of eDiscovery
The reference standard for describing the eDiscovery process is the EDRM, the Electronic Discovery Reference Model. It breaks the whole flow into progressive phases, from locating the data to using it in court. It is not a rigid sequence to be walked through once: in practice you often go back, refine the criteria, narrow the scope. But the eight phases remain the shared map that lets legal professionals, IT teams and forensic consultants speak the same language.
| # | EDRM phase | Goal |
|---|---|---|
| 1 | Identification | Locate where the relevant data lives |
| 2 | Preservation | Lock the data to prevent alteration (legal hold) |
| 3 | Collection | Acquire the data preserving integrity and metadata |
| 4 | Processing | Deduplicate, filter and index to reduce volume |
| 5 | Review | Examine documents for relevance and privilege |
| 6 | Analysis | Reconstruct relationships, timelines and patterns |
| 7 | Production | Hand over evidence in the format the case requires |
| 8 | Presentation | Use the evidence at the hearing or filing |
1. Identification
This is the initial mapping phase. You establish who holds potentially relevant information (the so-called custodians), where that data sits (mailboxes, file servers, cloud, devices, messaging apps) and which time frame is relevant to the case. The goal is to define a defensible scope: neither too broad, to avoid wasting resources, nor too narrow, to avoid leaving decisive evidence out.
2. Preservation (and legal hold)
Once identified, the relevant data must be protected at once from any alteration or deletion, accidental or intentional. The typical instrument is the legal hold: a formal freeze that suspends normal deletion policies and requires the material to be kept intact. This phase is extremely delicate, because the destruction of evidence, even when unintentional (so-called spoliation), can weigh heavily on the case. What matters is not only the content but also the metadata and, above all, the ability to prove that from the moment of the hold nothing has changed. It is the first point at which integrity becomes an evidentiary problem, not merely a technical one.
3. Collection
The preserved data is acquired and transferred to a controlled environment where it can be processed and analyzed. The golden rule is to collect without altering: every file must keep its original metadata and every operation must be logged, so that the chain of custody can be reconstructed, that is the documented history of who touched the evidence, when and how. A collection carried out without forensic methodology is the most common and most expensive flaw in the whole process, because it undermines the admissibility of everything that comes after.
4. Processing
The collected material is almost always huge and full of repetition. In this phase platforms remove duplicate files, apply filters (by date, sender, keyword) to discard what is clearly irrelevant (culling), standardize formats and build a searchable index. The goal is to turn millions of items into a manageable set for the reviewers, cutting the cost of the next phase, which is the most expensive one.
5. Review
This is the heart, and the biggest cost item, of eDiscovery. Documents are examined to establish two things: whether they are relevant to the case and whether they are covered by privilege, the professional secrecy between lawyer and client, and as such must be excluded from production. At high volumes manual review is impractical, which is why artificial intelligence technologies come into play, such as TAR (Technology Assisted Review) and predictive coding, which learn from human reviewers' decisions and automatically classify document relevance.
6. Analysis
Alongside review, analysis relates documents to one another: it reconstructs the timeline of events, groups emails into conversations (threading), spots near-duplicates, maps the communication networks among the people involved. It serves to make sense of the whole and to guide legal strategy.
7. Production
The selected documents are handed over to the opposing parties or the authority in the agreed formats, with the necessary redactions of sensitive or confidential information. This is the phase in which evidence leaves the internal environment and enters the proceeding itself: for this reason it must be complete, intact and accompanied by everything that proves its genuineness.
8. Presentation
The final phase is the use of the evidence in the context where it must have effect: the hearing, the filing, the mediation, the meeting with the authority. Here what matters is clarity, order and, once again, the ability to demonstrate that what is shown corresponds exactly to what was collected, with no break from the origin.
What an eDiscovery platform does
An eDiscovery platform is the system that manages these phases in a single, traceable and defensible environment. Beyond the differences between products, the functions you expect to find recur:
- Advanced search: engines that allow keyword searches, boolean queries, metadata filters and, increasingly, semantic search, to find the relevant documents in huge sets.
- Deduplication: detection of identical or near-identical files, so the same content is not reviewed several times.
- Assisted review (TAR / predictive coding): automatic relevance classification based on machine learning, to cut the time of the most expensive phase.
- Redaction: masking of personal, sensitive or confidential data before production.
- Chain of custody and operation log: immutable record of every operation performed on every document, an indispensable requirement for defensibility in court.
- Legal hold management: issuing, monitoring and documenting preservation holds to custodians.
- Structured production: exporting evidence in the formats the proceeding requires, with redactions applied.
The thread that ties all these functions together is one: defensibility. Every operation must be explainable, documented and repeatable, because in litigation what counts is not only what you found, but how you found it and whether you can prove it.
The eDiscovery platform landscape
One principle helps you find your way in this market: no eDiscovery platform does everything at the same level. Each one is specialized in a part of the process, and the choice depends on where the center of gravity of the case sits. To simplify, three broad families of solutions can be distinguished.
End-to-end document review platforms are the standard in law firms and large legal departments: names such as Relativity, Everlaw, Nuix, DISCO and Exterro belong to this category. Their strength is the central phases of processing, review and production: they are the natural choice when the center of gravity of the case is reviewing millions of documents the organization already holds.
Tools integrated into corporate ecosystems, such as Microsoft Purview eDiscovery for Microsoft 365 or Google Vault for Google Workspace, are specialized in the data living inside those collaboration platforms: they offer search, hold and export without having to leave the environment already in use. Their strength is convenience on internal data.
Finally there is a family of platforms specialized in the forensic capture and certification of evidence. Their strength is not reviewing large volumes, but acquiring evidence at the source in an unassailable way, guaranteeing its authenticity and legal value. They answer a question the other two families do not address: how do I acquire and certify a piece of digital evidence with a value that withstands challenge in court? This is the family TrueScreen belongs to.
The critical point of eDiscovery: admissibility and authenticity of evidence
In an eDiscovery project, almost all the attention goes to the central phases: how much review costs, how efficient predictive coding is, how many documents can be filtered out in processing. These are legitimate questions, but they shift the gaze away from the point where cases are really lost: the admissibility of the evidence.
A piece of digital evidence is admissible when it can be shown to be authentic (it is what it claims to be), intact (it has not been altered after collection) and tied to a certain date (it can be placed in time in an uncontestable way). If even one of these requirements wavers, the other side can ask for it to be excluded. And at that point it does not matter how relevant the evidence was: out of the file, out of the case.
The paradox is that the problem almost always starts upstream, in preservation and collection. A screenshot taken by hand and pasted into a document proves nothing about its own authenticity: anyone can edit it. A chat exported without methodology carries no guarantee that it has not been tampered with. A web page saved as is today might not exist tomorrow, and without a certification of the capture there is no way to prove what it showed at that precise moment. It is precisely the most common content in today's disputes, the content born on the web, on social media and in messaging, that is the most fragile on the evidentiary front.
This is the point TrueScreen focuses on.
TrueScreen: the eDiscovery platform specialized in evidence authenticity
TrueScreen is the platform that lets professionals and companies obtain authentic and reliable digital information in their most critical processes, making operations faster, fraud-proof and compliant with the main regulations. Through a complete process of data acquisition, verification and certification at forensic quality, TrueScreen guarantees the authenticity, traceability and legal validity of information throughout its entire lifecycle.
Like every eDiscovery platform, TrueScreen too has its own specialization. It is the authenticity of evidence: acquiring and certifying digital evidence with legal value, so that it is admissible beyond dispute. Within the EDRM model, this specialization covers with particular strength the phases where admissibility is built and defended: preservation, collection, production and presentation. In this way TrueScreen follows the evidence through its entire lifecycle, from the moment of capture to the moment it is made available, guaranteeing integrity and legal value at every step.
Preservation
TrueScreen acquires content preserving its integrity right at the source and keeps it compliant over time. Every piece of evidence is born locked at the exact moment it is captured, with the documented guarantee that from that instant nothing has changed. It is the most solid form of preservation: it does not protect data after finding it, it locks and authenticates it at the very moment it exists.
Collection
Collection is targeted and forensic. TrueScreen captures the content relevant to the case (a web page, a video, a conversation, a document, an email, a photo) preserving its metadata and building a complete, verifiable chain of custody. It is a precise, certified collection, designed exactly for the content that is hardest to make admissible with traditional tools.
Production
What TrueScreen produces is already-certified evidence, accompanied by everything that attests to its authenticity and ready to be filed in court or shared with opposing parties. The evidence does not have to be made credible after the fact: it leaves the acquisition process with its own certification of legal value already built in.
Presentation
Through the Certified Data Room, TrueScreen makes it possible to present evidence in a secure, orderly and traceable way, maintaining continuity with the origin of the collection. Whoever receives the evidence can verify its authenticity independently, without having to take anyone's word for it.
The value TrueScreen brings to the whole eDiscovery process is therefore cross-cutting: it makes sure every piece of evidence enters the flow already authentic, intact and with a certain date. On cases with large document volumes TrueScreen works alongside review and production platforms, bringing the part where it is strongest: the acquisition and certification of evidence at the source. And when the decisive evidence is a chat, a screenshot, a photo, an email, a video or a web page, TrueScreen covers its entire lifecycle, from capture to presentation.
Legal use cases
TrueScreen's specialization translates into concrete scenarios that recur every day in law firms and in-house legal departments. TrueScreen acquires and certifies virtually any type of digital content:
- Chats and messaging. A conversation can hold the proof of an agreement, a threat or a breach: acquired with TrueScreen, it reaches court with the guarantee that it has not been modified and with the certain date of capture.
- Emails. A single decisive email can be certified in full, content and metadata, to prove its authenticity and origin.
- Screenshots for complaints and defamation. An offensive post or unlawful content must be captured before it disappears: TrueScreen certifies its authenticity and moment of acquisition, turning it from an easily challenged item into solid evidence.
- Photos and images. A photograph used as evidence can be certified to prove its authenticity and the absence of manipulation.
- Web pages. A site, an ad, a review or a contract term published online is volatile content that might be gone tomorrow: certified capture fixes what that page showed at that precise instant.
- Videos and video calls. Recordings that document a fact, a statement or a meeting, acquired and certified in a way that withstands scrutiny in court.
- Audio. Voice recordings and audio messages certified in their integrity and anchored to a certain date.
- System logs and technical files. Access traces, application logs and other technical files can be acquired and certified to document an event in an unassailable way.
In all these cases the common denominator is the same: the evidence is fragile and easy to challenge, and without forensic certification at the source it risks being unusable, however relevant it may be.
How to choose an eDiscovery platform
There is no single best platform: there is the one suited to the type of disputes and evidence you deal with. A few useful criteria to find your bearings:
- Nature of the evidence. If the case revolves around large volumes of already-archived corporate documents, you need tools that are strong on processing and review. If it revolves around volatile, easily challenged content (web, social, chat, photos, video), the decisive factor is the ability to acquire and certify forensically at the source.
- Robustness of the chain of custody. Check that every operation is logged immutably and that the platform produces enough documentation to defend admissibility in court.
- Legal value of the certification. Not all certifications are equal: what counts is the legal validity, ideally internationally recognized, of what the platform produces.
- Coverage of the phases you need. Identify which phases of the EDRM model actually concern your work and verify that the platform covers them solidly, instead of taking total coverage for granted.
- Integration with the rest of the process. The acquisition and certification platform must be able to feed the tools used for review and production without friction, when the case calls for it.
A mature approach, today, is often to combine several tools according to their specializations: a platform strong on review for the large document volumes and a platform like TrueScreen to acquire and certify, with legal value, the evidence that is hardest to make admissible.

