A claim does not become verified because it looks organized.
It becomes stronger when every part of the claim is connected to a source, every source is checked in context, and every uncertainty is written down before the conclusion is written.
That is the purpose of an evidence log.
In OSINT, the evidence log is not paperwork. It is the part of the workflow that prevents a researcher from mixing facts, indicators, assumptions, and conclusions in the same paragraph. It forces the investigation to stay visible.
If a claim cannot be logged clearly, it is probably not ready to be summarized clearly.
What an Evidence Log Is
An evidence log is a structured record of what you checked, what each source supports, what it does not support, and what still remains open.
It should answer five questions:
- What exact part of the claim am I checking?
- Which source did I use?
- What does that source actually show?
- What is the limitation of that source?
- What confidence level is justified?
The log does not need to be complex. For most claim verification tasks, a simple table is enough.
The important point is separation.
A source may support one part of a claim but not another. A timestamp may support publication time but not recording time. A username match may support a lead but not an identity. A visual match may support location but not date. A local article may support that an event happened but not that a specific video shows that event.
The evidence log keeps those boundaries visible.
Start With One Claim
Before creating the log, write the claim as one sentence.
Example:
This video shows police using tear gas during a protest in Madrid on 10 June 2026.
That sentence contains several smaller claims:
- the content is a video;
- the actor is police;
- the action is the use of tear gas;
- the event is a protest;
- the location is Madrid;
- the date is 10 June 2026;
- the video is connected to that specific event.
Do not verify the sentence as one block.
Break it into components first. Then log evidence for each component separately.
The Basic Evidence Log Template
Use this structure:
| Claim Component | Source Checked | What the Source Shows | Limitation | Confidence | Next Step |
|---|---|---|---|---|---|
| Location | Street-level imagery | Building shape and signage appear consistent with the claimed street | Visual match only; no date confirmation | Medium | Find local source from the same date |
| Date | Original upload timestamp | Video was uploaded on 10 June 2026 | Upload time is not recording time | Low/Medium | Check earlier uploads and event reports |
| Event | Local media report | A protest was reported in Madrid on that date | Does not prove this video shows that protest | Medium | Compare location and timing |
| Actor | Uniform and vehicle markings | Clothing and vehicle markings appear consistent with police presence | Visual indicators are not enough alone | Low/Medium | Look for official or independent reporting |
| Media origin | Platform search | Same video appears on multiple accounts | Reposts may not identify original source | Low | Search for earliest visible upload |
This table is not a final conclusion. It is the working surface of the investigation.
Each row should be specific enough that another person can understand what was checked and why the confidence level was assigned.

Column 1: Claim Component
The first column should contain only one component at a time.
Weak entry:
The video is real.
Better entries:
The video was recorded in Madrid.
The video was uploaded on 10 June 2026.
The video shows a protest.
The protest involved police.
The visible incident involved tear gas.
The goal is not to make the work longer. The goal is to avoid accidental confirmation.
If the location is verified, that does not verify the date. If the date is plausible, that does not verify the actor. If the event happened, that does not prove this media belongs to it.
Separate rows protect the conclusion from moving too fast.
Column 2: Source Checked
This column should identify the source type and, in your private notes, the exact URL, archive link, screenshot filename, document title, or database record.
Examples:
- original platform post;
- archived page;
- local media article;
- official statement;
- map or street-level imagery;
- satellite imagery;
- weather record;
- company registry;
- domain record;
- public court document;
- public blockchain explorer;
- public abuse report;
- secondary article.
The evidence log should make the source hierarchy clear.
An official document, an archived page, a local report, a repost, and a screenshot are not equivalent. They may all be useful, but they do not support the same level of confidence.
Column 3: What the Source Shows
This is the most important column.
Write only what the source shows, not what you want it to mean.
Weak entry:
Confirms the claim.
Better entry:
Confirms that a protest was reported in Madrid on 10 June 2026.
Better still:
Reports a protest in central Madrid on 10 June 2026, but does not include the same video or name the exact street visible in the footage.
This kind of wording protects the investigation from overclaiming.
Most sources do not confirm a full claim. They support a fragment.
Column 4: Limitation
Every source has a limitation.
Writing it down is not a sign of weakness. It is how OSINT stays honest.
Common limitations include:
- upload date is not recording date;
- caption is not independent evidence;
- screenshot lacks source context;
- repost may not identify the original uploader;
- metadata may be stripped, edited, or unavailable;
- reverse image search may miss earlier versions;
- machine translation may distort names or terms;
- map imagery may be outdated;
- official statements may be partial;
- similar usernames do not prove same identity;
- wallet activity does not prove personal attribution;
- absence of results does not prove absence of evidence.
If you cannot name the limitation, you may be trusting the source too much.
Column 5: Confidence
Confidence should describe the strength of the evidence for that component, not the confidence of the whole claim.
Use simple levels:
| Confidence Level | Meaning |
|---|---|
| High | Multiple relevant sources support the component, and the main alternatives have been checked |
| Medium | Evidence is consistent and useful, but at least one important gap remains |
| Low | The source creates a lead or weak indicator, but it is not enough for a finding |
| Unknown | The component has not been checked or the available evidence is unclear |
Avoid using “verified” too early.
For example:
Location: High
Date: Low/Medium
Actor: Medium
Original source: Unknown
That is a valid result.
A claim can be partially verified. A careful conclusion should say so.
Column 6: Next Step
The last column keeps the investigation moving.
It should contain one concrete action:
- find earliest visible upload;
- compare street-level imagery;
- check weather for the claimed date;
- search local-language reports;
- archive the current page;
- identify original document;
- verify company registration number;
- compare usernames across platforms;
- check whether two sources are independent;
- ask whether the source supports the exact claim or only the context.
The next step should not be “research more.”
It should say what to check next.
A More Detailed Template for Sensitive Claims
For more complex investigations, use a wider log:
| Component | Verification Question | Source Type | Source / Link | Finding | Supports | Does Not Support | Confidence | Open Question |
|---|---|---|---|---|---|---|---|---|
| Location | Does the video match the claimed place? | Map / street-level imagery | [URL or local note] | Facade, sign and road layout appear consistent | Possible location | Date, actor, event | Medium | Need independent local source |
| Time | Was the media recorded on the claimed date? | Timestamp / archive / weather | [URL or local note] | Uploaded on same date; weather appears plausible | Publication window | Recording time | Low/Medium | Need earlier upload search |
| Source | Who first posted it? | Platform search / archive | [URL or local note] | Earliest visible post found from account X | Current earliest known source | Original capture | Low | Search other platforms |
| Event | Did the event happen? | Local media / official statement | [URL or local note] | Event reported in same city on same date | General event context | This specific video | Medium | Match event location |
| Conclusion | What can be said now? | Evidence log | Internal summary | Location and event are consistent; recording date remains open | Limited finding | Full verification | Medium | Do not publish as fully verified |
This version is useful when the claim involves identity, security incidents, conflict footage, platform behavior, financial traces, or legal risk.
How AI Can Help Without Becoming the Source
AI can help create and review an evidence log.
It should not fill the log with facts unless you provide the sources.
Useful prompt:
Create an evidence log template for this claim.
Break the claim into separate components.
For each component, suggest source types, likely limitations, and possible false positives.
Do not decide whether the claim is true.
Claim:
[paste claim]
After you collect sources, use a second prompt:
Review this evidence log.
Identify weak assumptions, missing source types, overclaimed findings, and components with insufficient evidence.
Do not add facts that are not present in the log.
Evidence log:
[paste log]
This keeps AI in the right role.
It helps structure the investigation, challenge weak reasoning, and improve clarity. It does not replace source checking.
Common Mistakes in Evidence Logs
The most common mistakes are small but serious.
Treating a Source as a Conclusion
A source is not a conclusion. It is a piece of support for a specific component.
Do not write:
Source confirms the whole story.
Write:
Source confirms that the event was reported, but does not verify the media origin.
Forgetting the Date Checked
Online sources change.
Pages are edited. Posts are deleted. Search results shift. AI answers change. Platform labels appear and disappear.
Always record when you checked the source. If the claim matters, archive the page or keep a contextual screenshot with URL and timestamp.
Confusing Consistency With Verification
“Consistent with” is useful language.
It is also limited language.
A video can be consistent with a location and still have the wrong date. A username can be consistent with a lead and still belong to another person. A technical indicator can be consistent with one explanation and still have alternatives.
Use cautious wording until the evidence supports stronger wording.
Logging Only Supporting Evidence
An evidence log should include negative checks and failed searches.
If you searched for earlier uploads and found none, record that. If you checked local media and found related reports but not the exact incident, record that. If a source type was unavailable, record that too.
Failed checks help explain the limits of the conclusion.
From Evidence Log to Conclusion
The conclusion should follow the log.
Not the other way around.
Before writing a final paragraph, review the confidence levels:
- Which components are supported?
- Which components are only consistent?
- Which components remain unknown?
- Which source types are missing?
- Which alternative explanations remain plausible?
Then write the conclusion with limits.
Example:
The available evidence supports the location claim with medium confidence and confirms that a related protest occurred in Madrid on the stated date. However, the current sources do not establish the original uploader or prove that the footage was recorded during that specific event. The claim should be treated as partially supported, not fully verified.
That kind of conclusion may feel less dramatic.
It is also more useful.
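The checks from "Common Mistakes in Evidence Logs" and the review step above can be run mechanically before a conclusion is written. The following is an added example, not part of the original article: the `Row` fields mirror the basic template, while the `checked_on` field, the roll-up rule in `claim_status`, its status strings, and the sample rows and dates are assumptions made for illustration.

```python
from dataclasses import dataclass

# Weakest to strongest; "Low/Medium" appears in the article's example rows.
LEVELS = ["Unknown", "Low", "Low/Medium", "Medium", "High"]
OVERCLAIMS = {"confirms the claim", "source confirms the whole story"}

@dataclass
class Row:
    component: str
    source: str
    shows: str
    limitation: str
    confidence: str
    next_step: str
    checked_on: str = ""  # assumed extra field: date the source was checked

def lint_row(row):
    """Return the logging mistakes found in one row."""
    problems = []
    if row.confidence not in LEVELS:
        problems.append("confidence level not defined")
    if row.shows.strip().rstrip(".").lower() in OVERCLAIMS:
        problems.append("finding restates the claim, not what the source shows")
    if not row.limitation.strip():
        problems.append("no limitation recorded")
    if row.next_step.strip().rstrip(".").lower() in {"", "research more"}:
        problems.append("next step is not a concrete action")
    if not row.checked_on:
        problems.append("date checked is missing")
    return problems

def claim_status(rows):
    """Assumed roll-up: a claim is only as strong as its weakest component."""
    if not rows or any(lint_row(r) for r in rows):
        return "log incomplete"
    ranks = [LEVELS.index(r.confidence) for r in rows]
    if min(ranks) == LEVELS.index("High"):
        return "supported"
    return "partially supported" if max(ranks) >= LEVELS.index("Medium") else "not supported"

# Constructed sample rows based on the Madrid example; dates are made up.
LOG = [
    Row("Location", "Street-level imagery", "Building shape and signage appear consistent",
        "Visual match only; no date confirmation", "Medium", "Find local source", "2026-06-11"),
    Row("Date", "Original upload timestamp", "Video was uploaded on 10 June 2026",
        "Upload time is not recording time", "Low/Medium", "Check earlier uploads", "2026-06-11"),
    Row("Event", "Local media report", "Confirms the claim.", "", "Medium", "Research more"),
]
if __name__ == "__main__":
    print([lint_row(r) for r in LOG], claim_status(LOG[:2]))
```

The third row fails four checks, so the full log reports "log incomplete" until it is rewritten; the first two rows alone roll up to "partially supported".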
Copyable Evidence Log Template
Use this as a starting point:
| Claim Component | Verification Question | Source Checked | What the Source Shows | Limitation | Confidence | Next Step |
|---|---|---|---|---|---|---|
| Entity | Who or what is being identified? | | | | Unknown | |
| Action | What allegedly happened? | | | | Unknown | |
| Location | Where did it allegedly happen? | | | | Unknown | |
| Time | When did it allegedly happen? | | | | Unknown | |
| Source Origin | Where did the claim or media first appear? | | | | Unknown | |
| Context | What surrounding event or situation is claimed? | | | | Unknown | |
| Alternative Explanation | What else could explain the evidence? | | | | Unknown | |
| Conclusion | What can be said with limits? | Evidence log review | | | Unknown | |
The template is simple by design.
A strong investigation does not need a complicated table. It needs a visible chain between claim, source, finding, limitation, and conclusion.
If that chain is missing, the answer may sound confident, but the verification is not complete.
