At 7:42 a.m. on a Tuesday in Kampala, the finance manager of a mid-sized logistics company received a WhatsApp message from the managing director. “Release the supplier balance before 10 a.m. We shall regularise the documents later.” The instruction looked normal, the profile photo was familiar, the tone was familiar, and the urgency was familiar. That was the problem. Fraud usually wears the clothes of routine.
By 9:18 a.m., UGX 86 million had moved from the company account to a supplier the finance team had dealt with twice before. By 11:30 a.m., the real managing director walked into the office and asked why the supplier had called him to thank him for a payment he had not approved.
The first person to panic was not the accountant who processed the payment; it was the IT officer. He ran to the finance manager’s laptop, opened WhatsApp Web, took screenshots, exported a chat, restarted the machine, checked the email inbox, and then proudly announced, “We have the evidence.”
No, they had the remains of evidence. That distinction ruins cases. The legal issue was not whether the screenshot showed the instruction; it did. The investigative issue was not whether the payment was suspicious; it was. The real issue was whether the organisation could prove, with defensible evidence, who sent the instruction, from what device, using what account, through what channel, at what time, received by whom, acted upon under what authority, and preserved in what condition. That is where many investigations die quietly.
Most practitioners confuse visibility with proof. A screenshot is visible. It may even be persuasive in a boardroom. But in a contested matter, visibility is not enough. A screenshot can be cropped, altered, misdated, staged, forwarded, retyped, or taken after the device state has changed. It may show content without source. It may show words without context. It may show a message but not the sender’s device, account session, IP trail, authentication event, deletion history, linked media, or companion records.
A screenshot is a witness with poor memory. Useful, but not enough. The evidence trail that matters is usually wider than the document everyone is staring at. In this case, the WhatsApp message was only one tile in the floor. The real trail sat across the finance manager’s phone, WhatsApp Web sessions, browser history, device notifications, operating system logs, bank portal access records, payment approval timestamps, email correspondence, supplier master file changes, user access rights, call records, mobile money activity, CCTV footage near the finance desk, and the supplier’s bank account movement after receipt.
If the company had preserved the finance manager’s phone properly, it might have captured the original message database, local timestamps, contact identifiers, attachments, deletion artefacts, and session details. If it had preserved the laptop properly, it might have captured browser session data, cache, clipboard artefacts, downloads, web tokens, synced devices, and recent access logs. If it had preserved the bank portal records, it might have shown whether the payment was made from the usual workstation, during normal hours, using a normal approval path, or under abnormal login behaviour.
Instead, the IT officer touched everything because he wanted to help. Helpful people are dangerous in the first hour of an investigation. They click, open, forward, export, rename, restart, call suspects, ask witnesses what happened in a group meeting, and create new facts while trying to preserve old ones.
Evidence can be technically present and legally weak. That is the uncomfortable truth. You may have the chat, but not the device state. You may have the email, but not the header. You may have the document, but not its metadata. You may have the file, but not the version history. You may have the approval, but not the access log. You may have the recording, but not proof of source. You may have a confession, but after an unfair process. You may have the truth, but in a form the other side can attack.
A lawyer thinks in admissibility, relevance, authenticity, completeness, proportionality, privilege, and prejudice. An investigator thinks in sequence, custody, source, alteration, corroboration, motive, access, and opportunity. A good digital evidence examiner thinks in systems. The record is not just the thing on screen. The record is the thing, the system that made it, the user who touched it, the device that stored it, the network that carried it, the account that authenticated it, and the process that preserved it.
That is why the first field method matters. When a suspicious instruction, transaction, deleted message or disputed document is discovered, do not start with interviews. Start with preservation. Interviews change stories. Preservation captures states.
Freeze the relevant accounts. Do not disable them blindly if doing so destroys session data or alerts suspects too early. Preserve the mailbox, not just selected emails. Preserve the phone, not just exported chats. Preserve the laptop, not just screenshots. Preserve logs before retention periods expire. Preserve bank portal records before they are overwritten. Preserve CCTV before the system loops over itself. Preserve supplier master data before someone edits the record to look clean.
Then document every action. Who touched the device? At what time? For what purpose? Was it powered on or off? Was it connected to the internet? Was it placed in airplane mode? Was it imaged? Was a hash value created? Was the original isolated? Was the working copy used for analysis? Who had access? Where was it stored? What tool was used? What was collected and what was excluded?
This sounds tedious; that is why it works. The investigator must also ask better questions. Not “Who sent the message?” That is too narrow. Ask instead: which channel carried the instruction? Which accounts were active? Which devices were linked? Which users had authority to approve? Was the supplier record recently changed? Was the payment consistent with prior dealings? Who benefited from urgency? Who knew the managing director was unavailable? Who had access to his photo, style, travel schedule, and approval habits? Who bypassed the normal control, and who accepted the bypass as normal?
Fraud is not only an act; it is a path cleared by weak habits. The lawyer’s lens should enter early, not at the end when the file is already contaminated. If litigation, prosecution, disciplinary action, insurance recovery, regulator notification or civil recovery is possible, the evidence must be collected for challenge. The opposing side will not politely ask whether your conclusion feels right, but rather whether your process was reliable.
They will challenge every link in the chain:
- Authenticity: “How do we know this screenshot was not edited?”
- Completeness: “Where is the full conversation?”
- Custody: “Who handled the phone before extraction?”
- Relevance: “How does this prove my client sent the instruction?”
- Proportionality: “Why did you seize personal data beyond the investigation scope?”
- Privilege: “Why did investigators review legally protected communication?”
- Expertise: “What qualifies your IT officer to conduct forensic preservation?”
- Prejudice: “You suspended our client based on a screenshot and office gossip.”
If you cannot answer these questions, you do not have a case file. You have a suspicion file.
What to do before the evidence goes cold
- Secure the suspected devices and accounts immediately, but avoid unnecessary clicking, forwarding, restarting or editing.
- Record the time, location, device condition, user, custodian and every person who handled the evidence.
- Capture screenshots only as quick visual references, not as substitutes for original records.
- Preserve original emails with headers, not just printed copies or forwarded messages.
- Preserve phones, laptops, cloud accounts, audit logs, payment records, CCTV and system exports in their native or most complete available form.
- Separate evidence preservation from investigation interviews. Documents first, people later.
- Restrict access to suspects without creating avoidable data loss or alerting wider accomplices prematurely.
- Engage qualified forensic support where device imaging, deleted data, malware, deepfake content or contested authorship is involved.
- Maintain a clean chain of custody from the first minute, not after the report is drafted.
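The hashing, working-copy and custody-record steps in the checklist above, as an added illustration that is not part of the original article: the original item is hashed before anything else touches it, analysis is done on a verified copy, and every action is appended to a custody log whose entries are chained by hash so that a later edit or deletion is detectable. The function names, the JSON-lines log format and the sample chat export are all constructed for this example.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path
GENESIS = "0" * 64  # chain anchor for the first custody entry

def sha256_file(path: Path) -> str:
    """Hash in chunks so a full device image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def append_custody_entry(log: Path, **fields) -> dict:
    """One JSON line per action; each carries the SHA-256 of the previous line."""
    lines = log.read_text().splitlines() if log.exists() else []
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else GENESIS
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "prev": prev, **fields}
    with open(log, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_custody_log(log: Path) -> bool:
    """Recompute the chain; an edited, removed or reordered line gives False."""
    prev = GENESIS
    for line in log.read_text().splitlines():
        if json.loads(line).get("prev") != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True

def preserve_item(original: Path, case_dir: Path, custodian: str) -> dict:
    """Hash the original, copy it for analysis, confirm the copy matches, log both."""
    case_dir.mkdir(parents=True, exist_ok=True)
    log = case_dir / "custody.jsonl"
    orig_hash = sha256_file(original)
    append_custody_entry(log, action="acquired", item=original.name, sha256=orig_hash, custodian=custodian)
    copy = case_dir / ("working_" + original.name)  # analysis touches only this copy
    shutil.copy2(original, copy)  # copy2 also carries over file timestamps
    copy_hash = sha256_file(copy)
    append_custody_entry(log, action="working_copy_created", item=copy.name, sha256=copy_hash,
                         custodian=custodian, matches_original=copy_hash == orig_hash)
    return {"original_sha256": orig_hash, "working_copy": copy,
            "verified": copy_hash == orig_hash, "log": log}

def demo() -> dict:
    """Constructed sample: a text export stands in for the real evidence item."""
    export = Path(tempfile.mkdtemp()) / "whatsapp_export.txt"
    export.write_text("[07:42] MD: Release the supplier balance before 10 a.m.\n")
    return preserve_item(export, export.parent / "case", custodian="IT officer (constructed)")
```

Running `verify_custody_log` before handing the file to counsel shows whether anyone has quietly rewritten an entry since collection; the hash of the original recorded in the first entry is what a later examiner compares against.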
Ask legal counsel early about privilege, employment procedure, regulator exposure, admissibility and recovery strategy. The hard lesson is that modern investigations are not won by collecting more data, but by preserving the right data, in the right state, with the right context, before people begin improving their memories. The screenshot may start the case, but it should never carry the case alone.