I learned the hard way on a quiet Tuesday morning when a finance director with a steady voice and tired eyes told me, “Nothing is missing. But something is wrong.”
That is how it always begins. Not with alarms screaming or servers collapsing in flames, but with a subtle disturbance in the rhythm of the books, a reconciliation that takes longer than usual, a payment that clears twice, a supplier who calls to say thank you for money they were never owed. The peace of the company was shattered not by noise, but by instinct.
I have spent years hunting shadows on the streets and server rooms alike, and I can tell you that the gut is often the first forensic tool. When an experienced accountant says, “It feels wrong,” you do not argue with them; you listen. In Bunyoro, we have a saying: “Engeso embi zikuletera obunaku.” Bad manners bring you misery. And bad security habits bring you ruin.
The silent alarm
The company was mid-sized, growing, and ambitious. They had invested in a modern ERP system and boasted about their cyber readiness in board reports. There were policies, passwords, and confidence.
But there was no independent penetration test, no red-team simulation, no forensic readiness plan. Security was assumed, not tested. Assumption is the cousin of disaster. The anomaly was small, a vendor payment that appeared legitimate, supported by an email thread and an electronic approval. The electronic signature complied, on its face, with the Electronic Signatures Act. It bore the name, the timestamp, and the apparent intent.
On paper, it was clean. But the hash value of the invoice attachment did not match the original stored in the procurement system. That tiny string of alphanumeric characters, that sacred fingerprint of digital integrity, had changed. In digital forensics, the hash is our royal seal. If it shifts even by one character, the document is not what it claims to be. Something had been altered.
The anatomy of the betrayal
We traced the activity to an internal user account. Trusted and senior. The kind of person who attends weddings and burials in the same village as the CEO. Here, betrayal rarely comes wearing a mask. It comes with familiarity.
Let us call him Suspect 1.
He was not flamboyant at first. He was methodical. Haba na haba. Little by little. He exploited a basic weakness: shared administrative credentials for system updates. No multi-factor authentication and no role segregation. The IT manager believed trust was control, but it is not. From unallocated space on his company-issued laptop, we recovered fragments of a deleted WhatsApp database. The conversation was brief. A supplier account to be created, an invoice template shared, and a commission percentage agreed.
The smoking gun was not dramatic; it was clinical. A hidden registry key that allowed remote access software to persist after apparent uninstallation. A scheduled task triggered at 2:17 a.m., when most of Kampala slept under aging roofs and distant boda bodas.
Like a rat in the thatch of a grass-patched roof, silent, coiled, invisible until the night you finally try to sleep. Psychologically, the slip came when lifestyle outran salary. A sudden purchase of two boda bodas for relatives, school fees paid in cash, and a plot of land fenced in a matter of weeks.
In a typical household, when a trusted worker begins buying things that outpace their known income, elders whisper. They do not accuse, but observe. In corporations, we call them red flags. But they are the same human signals.
The law as a living thing
When we moved to preserve evidence, the real battle began.
The Computer Misuse (Amendment) Act, 2022, is not just ink on paper. It is a living instrument. It recognizes unauthorized access, interference, and misuse of electronic systems as crimes with teeth. But it demands precision.
Under the Evidence Act (Cap 6), particularly the provisions governing admissibility of electronic records, the court requires proof that the electronic record was produced by a reliable system, in the ordinary course of use, and that its integrity was maintained.
Integrity. That word again. So we imaged the hard drive using write-blockers. We generated MD5 and SHA-256 hash values at acquisition and re-verified them before analysis. Every transfer was logged, every device sealed, and every timestamp synchronized to a trusted time source. Chain of Custody is not paperwork; it is a spine. Break it, and the body collapses. And the defense knew it.
The crucible of the courtroom
Buganda court is not the National Theatre; it is chess. The defense lawyer was clever and smooth. He did not deny that suspicious payments occurred but attacked the process. “There is a one-hour gap,” he said, pointing to the evidence log. “Between 14:00 and 15:00, the device was in transit. Who had it? Where was it stored? Could it have been altered?”
One hour. In digital forensics, one unaccounted hour can be portrayed as an eternity. He argued that the forensic image, despite matching hash values, could not be trusted because the physical custody documentation was imperfect. A leaking jerrycan, he suggested, could not be relied upon, no matter how pure the water. This is where many cases die.
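An added example, not part of the original account: one way to carry out the hash-at-acquisition and re-verify-before-analysis routine described above, and to scan a custody log for unaccounted intervals like the one the defense raised. The file contents, date, custodian names and log layout are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timedelta

def digest(path, chunk=1 << 20):
    """Stream the file once and return both digests recorded at acquisition."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def verify(path, recorded):
    """Re-hash before analysis; every recorded digest must still match."""
    current = digest(path)
    return all(hmac.compare_digest(current[k], recorded[k]) for k in recorded)

def custody_gaps(log, tolerance=timedelta(minutes=1)):
    """Return (start, end) intervals during which no custodian is on record."""
    ordered = sorted(log, key=lambda e: e["received"])
    return [(a["released"], b["received"])
            for a, b in zip(ordered, ordered[1:])
            if b["received"] - a["released"] > tolerance]

def demo():
    # Constructed stand-in for a forensic image; a real one comes from the imager.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as fh:
        fh.write(b"constructed sample image " * 4096)
        path = fh.name
    try:
        at_acquisition = digest(path)
        intact = verify(path, at_acquisition)
        with open(path, "r+b") as fh:      # simulate a one-byte alteration
            fh.seek(100)
            fh.write(b"\x00")
        altered = verify(path, at_acquisition)
    finally:
        os.unlink(path)
    day = datetime(2024, 1, 9)             # constructed date and custodians
    t = lambda h, m=0: day.replace(hour=h, minute=m)
    log = [{"who": "examiner A", "received": t(9), "released": t(14)},
           {"who": "evidence store", "received": t(15), "released": t(18)}]
    return intact, altered, custody_gaps(log)

if __name__ == "__main__":
    print(demo())
```

Matching digests show the image is unchanged since acquisition; they say nothing about who held the device, which is why the custody log is checked separately.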
Knowing is the brother of guessing. You can suspect, infer, or feel in your bones that Suspect 1 orchestrated the fraud. But proving is the father of justice.
Circumstantial evidence (the lifestyle changes, the WhatsApp fragments, and the vendor links) painted a compelling picture. But what sealed the case was the server log. Cold, binary, and unemotional.
At 02:17:34, the system recorded an administrative override from his credentials. At 02:18:02, the vendor bank details were changed. At 02:19:11, an invoice PDF was uploaded. Its hash differed from the procurement original by three characters.
The system, configured and operating normally, recorded these events automatically. That is what the Evidence Act requires: reliability of the system, not perfection of memory.
The court accepted the logs, the hash values held, and the sanctity of digital integrity survived the cross-examination. Suspect 1 was not undone by drama. He was undone by detail.
The deeper lesson
When the dust settled, the company calculated the loss. It was not catastrophic in one blow; it was erosion. Haba na haba. Over eighteen months, funds had been siphoned in increments small enough to escape routine thresholds. Approval workflows were technically followed, but manipulated through compromised credentials. Security controls existed, but they were never stress-tested.
Untested security is no security. I have seen this pattern too many times in boardrooms that speak of digital transformation as if it were a badge rather than a discipline. We have a proverb: Ogwo Kalyamaggwa, the one who eats the thorns. The person who endures pain quietly so others may benefit.
In cybersecurity, the penetration tester is your Kalyamaggwa. He probes your system, embarrasses your weaknesses, stings your pride. Better that he bleeds on your behalf than a fraudster feasts in silence; too many companies would rather protect their egos than expose their vulnerabilities, and that is how misery is born.
After years in this arena, I have learned the following:
- First, test what you trust. Policies are stories you tell yourself. Logs, simulations, and independent audits are reality. If you have never commissioned a true penetration test, you are not secure. You are hopeful.
- Second, build your case before you need it. Forensic readiness, synchronized clocks, clear Chain of Custody protocols, and documented system reliability must exist before the breach. In court, you do not get to rewind time.
- Third, watch the small cracks. In homes, it is the unexplained purchase. In companies, it is a minor reconciliation anomaly. In systems, it is the unmatched hash. The largest floods begin where we were too proud to look closely.
Security is not a product; it is a habit. And habits, good or bad, compound. “Engeso embi zikuletera obunaku.” Bad manners bring you misery.
I say this not as a pessimist, but as a man who has seen enough leaking jerrycans to know that water always finds the crack. Your duty, in business, in law, in life, is to seal it before the pot runs dry.


