March 2025, Western Uganda. An accountant at a private university sat nervously across from our team at Summit Consulting Ltd. He had just been suspended after UGX 320 million “disappeared” from the student bursary fund. No break-ins. No armed robbery. Just clean transactions.
The accounting software showed no anomalies. Emails looked legit. Bank instructions were well-formatted.
Until we imaged his hard drive.
And found one folder, hidden, encrypted, but not invisible.
Inside? Fraudulent payment templates, fake approval emails, and a WhatsApp backup of voice notes planning the heist.
Because in modern investigations, every byte tells a story. And we? We know how to read them.
The digital battlefield. Where lies try to hide
Let us stop pretending fraud only happens on paper.
Today, most crimes start, pass through, or end on a digital device.
Whether it is:
- An email pretending to be the CFO authorizing payment,
- A staff phone used to send screenshots of cheque approvals, or
- A USB drive transferring procurement files after hours,
There is one truth: data does not lie. People do.
Digital forensics is not about hacking. It is about truth retrieval.
We do not crack systems, we unearth intent.
The ghost laptops of Ntungamo
In late 2023, a district local government procured 150 laptops “for schools.” All documentation seemed clean. Payments cleared. Supplier paid.
Except, none of the schools received a single machine.
Where were the laptops?
We were called in.
Here is what digital forensics exposed:
- Suspicious network history. We requested the supplier’s network logs (they hosted a “track & deliver” portal). There was no record of any delivery schedule after the invoice was paid.
- Staff call and text metadata. Suspect 1 (procurement officer) had regular late-night chats with Suspect 2 (supplier) during the week the laptops were “received.”
- Deleted Excel inventory logs. We recovered an old version of the inventory file from the finance officer’s laptop showing only 25 laptops, with handwritten edits attempting to inflate figures.
- Mobile money analysis. A UGX 30 million Mobile Money transfer traced back to a school bursar’s side-line Airtel line. Purpose? Silence.
Laptops were real. Delivery was fake. The data told the story.
And that is the power of bytes, they testify even when people lie.
Why digital forensics matters today
- Crimes are going digital. Over 80% of fraud in Uganda today involves digital touchpoints: bank transfers, emails, mobile money, and messaging apps.
- Evidence is fragile. One reset button on a phone can wipe chat logs. But with forensic imaging, we can retrieve even deleted or encrypted files, legally and accurately.
- Investigators must evolve. Old-school interviews and ledgers no longer cut it. Today’s investigator needs tools like Cellebrite, FTK Imager, and AI-driven anomaly detection.
Tools of the digital investigator
| Tool | Purpose | Example |
|---|---|---|
| FTK Imager | Disk imaging | Clones staff laptops without altering evidence |
| Cellebrite | Mobile extraction | Recovers deleted WhatsApp messages, call logs |
| Autopsy | File carving | Rebuilds deleted documents, photos, PDFs |
| X-Ways | Registry analysis | Tracks USB history, program installations |
| SummitAI Patterns | Behavioural fraud detection | Maps unusual activity across staff and vendors |
At Summit Consulting Ltd, we combine these tools with local fraud context.
Why? Because fraud in Uganda does not follow textbook rules, it follows culture, silence, and shortcuts.
Key wins from recent investigations
- School fees manipulation. Traced a bursar who rerouted UGX 94m in “student overpayments” into her brother’s number using disguised Airtel float agents.
- Procurement collusion. Recovered Dropbox logs showing that three staff shared pricing templates before a sealed bid opening.
- Email tampering. Found backdated CEO approvals using Microsoft Outlook metadata and mail server logs.
Each of these wins did not start with a confession.
They started with bytes, suspicious Excel macros, odd file save times, and pattern breaks in normal digital behavior.
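As an added illustration of the email-tampering check described above (example code, not Summit Consulting's tooling): a backdated approval can be exposed when the `Date` header, which the sender's mail client sets, is far earlier than the timestamps that relaying servers wrote into the `Received` headers. The sample message, its addresses and the 10-minute tolerance are constructed assumptions.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from any case): Date claims 3 March, but the
# first server to handle the message stamped it on 21 March.
SAMPLE_BACKDATED = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTPS id abc123;
\tFri, 21 Mar 2025 16:42:10 +0300
Received: from [192.0.2.55] (client.example.org [192.0.2.55])
\tby mail.example.org with ESMTPSA id xyz789;
\tFri, 21 Mar 2025 16:42:07 +0300
From: ceo@example.org
To: accounts@example.org
Subject: Approval
Date: Mon, 03 Mar 2025 09:15:00 +0300

Approved.
"""

def _parse(value):
    """Parse an RFC 5322 date; treat a zone-less result as UTC."""
    dt = parsedate_to_datetime(value.strip())
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def received_times(msg):
    """Server-stamped times, oldest hop first (headers are prepended)."""
    times = []
    for hdr in msg.get_all("Received", []):
        try:
            times.append(_parse(hdr.rsplit(";", 1)[1]))
        except (IndexError, TypeError, ValueError):
            continue  # malformed hop: skip rather than guess
    return times[::-1]

def check_backdating(raw, tolerance=timedelta(minutes=10)):
    """Return (finding, gap) tuples; an empty list means the dates agree."""
    msg = message_from_string(raw)
    hops = received_times(msg)
    if msg["Date"] is None or not hops:
        return [("cannot_corroborate", None)]
    claimed, first = _parse(msg["Date"]), hops[0]
    findings = []
    if first - claimed > tolerance:   # "sent" long before any server saw it
        findings.append(("date_before_first_hop", first - claimed))
    if claimed - first > tolerance:   # post-dated, or sender clock far ahead
        findings.append(("date_after_first_hop", claimed - first))
    if any(b + tolerance < a for a, b in zip(hops, hops[1:])):
        findings.append(("hops_out_of_order", None))
    return findings
```

`Received` lines written by servers outside your control can themselves be forged, so a finding here is a lead to confirm against the mail server logs rather than a conclusion.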
Why most companies miss the signs
- Lack of digital audit trails. No monitoring of flash drive usage, downloads, print logs, or unauthorized installations.
- Weak mobile policy. Staff transact major approvals via WhatsApp with no formal backup. Fraud thrives here.
- No incident response protocol. When fraud is suspected, devices are wiped or reused before forensic imaging.
- Reactive, not proactive. Investigations begin after the money is gone. Forensics should be running before, not after.
What your organization must do, now
- Deploy digital forensics readiness plans. Your IT and audit teams must know how to respond to digital red flags without contaminating evidence.
- Back up with forensic retention. Daily snapshots of key staff computers and phones allow time-machine-style recovery during probes.
- Train your internal auditors in digital evidence. Most auditors miss fraud because they don’t check browser history, metadata trails, or shadow volumes.
- Integrate AI anomaly detection tools. SummitAI Patterns learns your staff’s baseline behavior, so it knows when someone suddenly becomes a thief.
Data is the new witness. It remembers every keystroke, every click, every WhatsApp reply, every “deleted” file. It does not lie. It does not forget. It does not panic.
You can fire a staff member.
You can erase an email.
You can even throw away the device.
But the story has already been written, in bytes.
And when we come in, we don’t guess.
We read the story your data told behind your back.
Byte by byte. Truth by truth.
Suspect digital fraud in your institution? Freeze the device. Call Summit Consulting Ltd. Because every byte tells a story. And we’re the ones trained to read it.