Spoke · Guide

ESI Collection from M365, Slack and Google Workspace: A Practitioner's Checklist

Most evidence now lives in cloud collaboration tools, not on a hard drive. Collecting it defensibly means preserving metadata and provenance, not exporting a screenshot. This is the checklist.

Published 18 June 2026 · 7 min read

Why cloud ESI is different

When you collect from a laptop you hold the disk. In the cloud you hold an account and an interface, and the interface decides what metadata you keep. A casual export can strip the very fields that prove when a message was sent, by whom, and whether it was altered. Treat every cloud collection as a question of method first and content second. The wider workflow is covered in the eDiscovery workflow automation guide.

Microsoft 365

Microsoft 365 spans Exchange email, SharePoint, OneDrive, and Teams. Use the native eDiscovery and preservation tools rather than manual downloads, place the relevant custodians on hold, and record the scope, the custodians, and the time window of the collection. Teams messages and their edits, reactions, and attachments need particular care because a flat export can lose the thread structure.

Google Workspace

Google Workspace covers Gmail, Drive, and Chat. Collect through the platform's vault and export tools so message metadata and file revision history are preserved. Record which account, label, or shared drive was in scope and the date range, and keep the export manifest with the data.

Slack

Slack export behaviour depends on the plan and on whether you need public channels, private channels, or direct messages. Know the limits before you rely on it: retention settings can mean older messages are already gone, and direct messages may need a specific export tier. Document what the export did and did not include.

The defensibility rules that apply to all three

Preserve original metadata, do not rely on screenshots or copy-paste.
Hash the collected data and record the hash at the point of collection.
Record the source, account, method, scope, and time window for every collection.
Keep the export manifest and the legal hold record together.

An ESI collection checklist

Use native preservation and export tools, not manual downloads.
Place custodians on hold before collecting.
Preserve metadata, thread structure, and revision history.
Record source, account, method, scope, and time for each collection.
Hash at collection and keep the manifest with the data.
Note any platform limits that affected what was collected.

Frequently asked questions

How do you collect eDiscovery data from Microsoft 365?

Use the native eDiscovery and preservation tools, place custodians on hold, and export with metadata intact, recording the scope, custodians, and time window rather than downloading files by hand.

Can you collect Slack messages for eDiscovery?

Yes, but what you can export depends on the plan and on retention settings, and direct messages may need a specific export tier. Confirm the limits and document what the export included.

What is the most common ESI collection mistake?

Relying on screenshots or manual downloads that strip metadata. The fix is to collect through tools that preserve original metadata and to record the collection method.