WHEN “WE HAVE ALWAYS DONE IT THAT WAY” BECOMES A DIGITAL FORENSICS RISK

  • Jun 4

A recent Magnet Forensics article titled “The Scariest Sentence You’ll Ever Hear in a Digital Forensics Lab” raises an important warning for every digital forensic examiner, investigator, attorney, business owner and cybercrime victim.


The sentence is simple:

“We’ve always done it that way.”


At first, it may sound like experience. In reality, it can be a serious risk.


In digital forensics, a method is not reliable simply because it has been used for years. It is reliable because it can be explained, tested, documented, repeated and defended. This is especially important in South Africa, where digital evidence is increasingly used in cybercrime complaints, fraud investigations, civil disputes, disciplinary hearings and court proceedings.

DIGITAL EVIDENCE MUST BE MORE THAN CONVINCING:

South African law recognises electronic evidence. The Electronic Communications and Transactions Act 25 of 2002 makes it clear that electronic evidence should not be rejected simply because it is in digital form.

However, that does not mean all digital evidence carries the same weight.


A court, attorney, prosecutor or disciplinary chairperson may still ask:


  • Was the evidence preserved properly?

  • Can the source be identified?

  • Was the data altered?

  • Is the screenshot complete?

  • Can the original email, device, account, video or message be verified?

  • Was there a proper chain of custody?


This is where many weak investigations fall apart.


A screenshot may look convincing, but it may not show the full context. A WhatsApp message may appear important, but the full chat, timestamps, contact details and device source may still matter. A bank account may have received stolen funds, but that does not automatically prove who controlled the scam.


In digital investigations, evidence must be handled carefully from the beginning.

WHY OLD HABITS ARE DANGEROUS:

Cybercrime changes constantly. Criminals adapt. Apps update. Devices change. Cloud platforms alter how data is stored. Fraud syndicates use fake profiles, mule bank accounts, cloned WhatsApp numbers, phishing links, spoofed emails and artificial intelligence to mislead victims.


A process that worked years ago may not be good enough today.


For example, in a business email compromise matter, it may not be enough to print the fraudulent email. Investigators may need full email headers, login records, mailbox rules, domain information, payment trails and a proper timeline.


In a sextortion matter, deleting the messages may destroy the very evidence needed to prove the threat.


In a fake vehicle sale or investment scam, the name on a profile may be fake, the cellphone number may be temporary, and the bank account may belong to a mule. A professional investigator must separate confirmed facts from assumptions.

DIGITAL FORENSICS IS NOT JUST SOFTWARE:


Another common mistake is believing that digital forensics is only about using tools.


Forensic software can assist with extraction, searching, recovery and reporting. But software does not replace investigative judgment.


A tool may show that a file existed, a message was deleted, a login occurred or a timestamp was recorded. The investigator must still understand what that means, whether it can be verified, and what limitations apply.


In South African matters, this distinction is critical. A report should not exaggerate what the evidence proves. It should clearly separate:


  • confirmed facts;

  • technical indicators;

  • client allegations;

  • unverified leads;

  • limitations; and

  • recommended next steps.


This protects the client, the attorney, the investigator and the case.

CHAIN OF CUSTODY MATTERS


Chain of custody is one of the most important parts of digital evidence handling. It records who handled the evidence, when it was handled, what was done with it, and how it was protected.


This may apply to a cellphone, laptop, CCTV footage, email file, USB drive, screenshot set, forensic image or extracted data.


Without proper handling, digital evidence can be challenged. A phone may have been used after the incident. A file may have been changed. A video may have been cut. An email may have been forwarded without its original headers. A screenshot may have been cropped.


The stronger the chain of custody, the harder it becomes to attack the evidence.

THE SA-DFI APPROACH


At SA Digital Forensics & Investigations (SA-DFI) (Pty) Ltd, our approach is evidence-led, not assumption-led.


  • We do not believe that a screenshot alone tells the full story.

  • We do not believe that a bank account automatically identifies the mastermind.

  • We do not believe that a name on a profile proves identity.

  • We do not believe that a method is acceptable merely because it is familiar.

A PROPER DIGITAL INVESTIGATION SHOULD ASK:


  1. What is confirmed?

  2. What is only alleged?

  3. What can be verified?

  4. What still requires legal process?

  5. What evidence must be preserved urgently?

  6. What limitations must be clearly stated?


This is how digital evidence becomes useful, reliable and defensible.

FINAL THOUGHT


Magnet Forensics’ warning is an important one: the scariest sentence in a digital forensics lab is not always about deleted data, damaged devices or missing passwords.


Sometimes, the scariest sentence is:

“We have always done it that way.”


In South Africa, where digital evidence now plays a major role in fraud, cybercrime, extortion, harassment, business email compromise and internal investigations, that mindset is dangerous.


The standard must be higher than habit.


Digital evidence must be preserved properly, analysed carefully, reported honestly and defended confidently. Because in digital forensics, the truth is not only found in the data. It is found in the way the data was handled.

This SA-DFI (Pty) Ltd article was inspired by Magnet Forensics’ article “The Scariest Sentence You’ll Ever Hear in a Digital Forensics Lab” by Brandon Epstein. The South African context has been added to highlight the importance of evidence preservation, chain of custody and defensible digital forensic methods in local legal and investigative matters.


Copyright © 2026 | SA Digital Forensics and Investigations | All rights reserved.








