Empowering HRDs: Strengthening Digital Resilience at the Tatua HRDs Forensic Technical Workshop

On May 25, 2026, the Huawei Technologies Centre hosted the Tatua HRD Forensic Technical Workshop – an intensive one-day training organised by the Tatua Digital Resilience Centre at KICTANet, in collaboration with Huawei and the Forum of Incident Response and Security Teams (FIRST). The goal: equip Kenyan Human Rights Defenders (HRDs) and Social Justice Organisations (SJOs) with the specialised skills to triage and escalate sophisticated spyware attacks.

Why This Workshop Had to Happen

Human rights work has increasingly moved online. Advocacy is coordinated over encrypted apps, and entire campaigns are often run from a single smartphone. Yet for every new tool HRDs adopt, adversaries – including state actors and sophisticated criminal networks – develop ways to exploit them.

The problem is not only the sophistication of the attacks but the gap in organisational response. Survey evidence underpinning Tatua’s work reveals a sobering picture: 51% of defenders lack access to legal counsel, 82% rely on informal channels like WhatsApp for incident reporting, and only 21% of Kenyan HRD organisations have a written Incident Management Policy. At the same time, 100% of surveyed defenders depend on mobile devices for their day-to-day work; yet technical forensic capacity remains critically underdeveloped across the community.

Most rapid response efforts in Kenya’s civil society sector have historically relied on informal communication channels. This leads to fragmented, undocumented, and legally inadmissible responses that leave defenders more vulnerable, not less.

The Threat Landscape in East Africa

Jones Baraza from FIRST reframed how participants should think about cyber threats. Rather than categorising malware by type, he introduced a classification based on attacker intent:

  • Proactive Surveillance: State-grade spyware like Pegasus requires zero clicks and no user interaction. It silently exploits vulnerabilities in messaging apps such as WhatsApp and iMessage, giving attackers real-time access to microphones, cameras, and encrypted conversations – before defenders even act.
  • Behavioural Prediction: Metadata collected over time reveals activists’ routines, partnerships, and movements. Adversaries use this intelligence to time harassment or disrupt protests at the most damaging moments.
  • Artifact Analysis: When a device is seized at a border crossing, checkpoint, or raid, tools like Cellebrite can extract deleted messages, archived files, and GPS history. This data is often misrepresented to build criminal cases against defenders.

The message was clear: digital threats facing HRDs in Kenya are targeted, strategic, and designed to silence.

The Human Cost of Digital Attacks – Why Psychosocial Safety Matters

A critical and often overlooked dimension of digital security is its psychological impact. Unlike a physical break-in, a digital compromise can feel permanent. Defenders often do not know what was accessed, by whom, for how long, or what will be done with the information. This uncertainty generates lasting anxiety, and can cause a defender to self-censor, withdraw from advocacy, or abandon digital tools entirely — outcomes that serve the adversary’s goals as effectively as any technical attack.

The workshop emphasised that effective incident response always includes acknowledging and addressing this emotional dimension alongside the technical response. Responders were guided to listen before diagnosing, to never blame the victim, and to prioritise emotional safety before asking technical questions. A person who feels heard and believed will provide far more accurate information than one who feels rushed or judged.

From Passive Tracking to Active Defence

A key highlight of the workshop was the shift from reactive habits to professionalized, structured investigations.

Nelly Nyadzua led a session on Passive Investigations, teaching participants how to examine threat infrastructure without alerting adversaries. This included:

  • Defanging Indicators of Compromise: Safely altering malicious links, URLs, or attachments to prevent accidental execution.
  • Email Header Analysis: Extracting raw headers to verify sender identity via SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) – critical DNS records that reveal whether an email truly came from the claimed sender, or is a spoofing attempt.
  • OSINT Tools: Leveraging open-source intelligence platforms to gather data on real-world threat scenarios safely, from a participant’s own device.
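The two checks described above, defanging an indicator and reading the SPF/DKIM/DMARC verdicts out of an email's headers, are shown below as an added example. This is not code from the workshop or from Tatua; the sample message, its domains and the function names are constructed for the demo. It parses the Authentication-Results header that a receiving mail server adds, compares the domain SPF actually evaluated (the envelope sender) with the domain the reader sees in From:, and flags the common spoofing pattern where SPF passes for an unrelated domain while DMARC fails.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email, not from the workshop).
# The Authentication-Results header is what the receiving mail server adds
# after checking SPF, DKIM and DMARC; the spoofed From: domain fails DMARC
# because neither SPF nor DKIM is aligned with it.
SAMPLE_RAW_EMAIL = """\
Return-Path: <bounce@mail-example.test>
Authentication-Results: mx.receiver.test;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=mail-example.test;
 dkim=fail header.d=ngo-example.org;
 dmarc=fail (p=reject) header.from=ngo-example.org
From: "Programme Director" <director@ngo-example.org>
To: staff@ngo-example.org
Subject: Urgent: confirm your account

Please visit https://login-ngo-example.test/verify and confirm your account.
"""

VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([\w.@-]+)", re.IGNORECASE)


def parse_auth_results(raw_message: str) -> dict:
    """Collect SPF/DKIM/DMARC verdicts from every Authentication-Results header.
    A mechanism that is absent is reported as 'none' so that a message with no
    authentication at all is never mistaken for a verified one."""
    msg = message_from_string(raw_message)
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in VERDICT_RE.findall(header):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def from_domain(raw_message: str) -> str:
    """Domain shown to the reader in the From: header (the one a spoofer forges)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spf_domain(raw_message: str) -> str:
    """Domain SPF actually evaluated (the envelope sender), which may differ
    from the visible From: domain."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        m = MAILFROM_RE.search(header)
        if m:
            return m.group(1).rsplit("@", 1)[-1].lower().rstrip(".")
    return ""


def assess_sender(raw_message: str) -> dict:
    """Triage summary. DMARC 'pass' means SPF or DKIM passed *and* its domain
    aligns with From:, so only that counts as authenticated. SPF passing for
    an unrelated envelope domain is the classic spoofing pattern."""
    verdicts = parse_auth_results(raw_message)
    visible = from_domain(raw_message)
    envelope = spf_domain(raw_message)
    aligned = bool(visible) and envelope == visible
    if verdicts["dmarc"] == "pass":
        status = "authenticated"
    elif verdicts["dmarc"] == "fail" or (verdicts["spf"] == "pass" and not aligned):
        status = "spoof-suspect"
    else:
        status = "unverified"
    return {"status": status, "from_domain": visible, "spf_domain": envelope,
            "spf_aligned": aligned, **verdicts}


def defang(indicator: str) -> str:
    """Rewrite a URL, domain or IP so it cannot be clicked or auto-resolved when
    pasted into a report or chat (hxxp:// and [.] are the common conventions)."""
    indicator = re.sub(r"(?i)^http(s?)://", r"hxxp\1://", indicator)
    return indicator.replace(".", "[.]")


def refang(indicator: str) -> str:
    """Reverse defang() when the indicator must be looked up programmatically."""
    indicator = indicator.replace("[.]", ".")
    return re.sub(r"(?i)^hxxp(s?)://", r"http\1://", indicator)


if __name__ == "__main__":
    print(assess_sender(SAMPLE_RAW_EMAIL))
    print(defang("https://login-ngo-example.test/verify"))
```

Run against the constructed message, `assess_sender` reports `spoof-suspect`: SPF passed, but for `mail-example.test`, not for the `ngo-example.org` shown in From:, and DMARC therefore failed. Only the Authentication-Results header added by your own mail server should be trusted; headers with that name can also be forged by the sender, so production tooling checks the `authserv-id` (the `mx.receiver.test` token here) before relying on them.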

Participants also learned a practical threat taxonomy covering: account compromise, phishing, spyware, device seizure, DDoS attacks, and social engineering.

Neno Newa then guided participants through Active Threat Analysis, including a live phishing simulation. Teams identified and deconstructed malicious emails and web pages in a sandboxed environment. They practised the “Hash-First” workflow: computing SHA-256 cryptographic hashes with CyberChef to verify the integrity of files before any other action, then checking MalwareBazaar to determine whether the file is already a known threat. This sequence is critical: it preserves the evidence before any analysis can alter it.

Why this matters: A SHA-256 hash is a mathematical fingerprint generated at the moment of evidence collection. Under Section 106B of the Kenya Evidence Act, it is one of the primary mechanisms for proving in court that not a single byte of digital evidence has been altered since collection.

Knowing When to Stop and Escalate

One of the most important lessons from the workshop was recognising the limits of internal triage. For suspected spyware infections – particularly zero-click attacks like Pegasus – participants were explicitly instructed: do not attempt further internal investigation. Premature remediation destroys forensic evidence and alerts the attacker that they have been detected.

The correct response when sophisticated spyware is suspected is to:

  1. Preserve the device state – do not factory reset, reimage, or remove apps
  2. Document all anomalies (battery drain, overheating, unusual data usage, camera or microphone indicators activating without user action)
  3. Immediately contact Tatua Digital Resilience Centre for specialist digital forensic analysis

This applies equally to device seizures. If a device is confiscated by authorities and you intend to use that seizure as evidence of unlawful state action, do not remotely wipe the device – the seizure itself, and what was done to the device, is the evidence.

Navigating the Legal Framework

Neno Newa facilitated this session on documenting incidents for legal admissibility. Under Section 106B of the Kenya Evidence Act, digital evidence must satisfy two conditions: the device was operating normally at the time of collection, and the record has not been altered.

This requires:

  • Documenting the chain of custody with names, timestamps, and reasons for every handling of the evidence
  • Using a physical camera to photograph screens – not just screenshots – to prove device state at the time of collection
  • Recognising that informal WhatsApp screenshots without metadata are highly likely to be ruled inadmissible in Kenyan courts
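The “Hash-First” workflow from the Active Threat Analysis session and the chain-of-custody requirements listed above are two halves of the same record: the hash taken at collection is what every later custody entry is checked against. The example below is added here and is not code from the workshop or from Tatua. It hashes a constructed attachment on receipt, looks the hash up in a constructed known-threat list (standing in for a MalwareBazaar query), appends each handling step to an append-only log with handler, timestamp and reason, and then shows how an unauthorised edit is detected as a break in custody. File names, handler names and the known-threat entry are all made up for the demo.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Constructed sample attachment and constructed "known threat" list. The hash
# list stands in for a lookup against a service such as MalwareBazaar; the
# entry here is made up for the demo and is not a real indicator.
SAMPLE_ATTACHMENT = b"constructed suspicious attachment contents"
KNOWN_MALICIOUS_SHA256 = {
    hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest(): "constructed-phish-kit",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large evidence images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_known(sha256_hex: str) -> Optional[str]:
    """Hash-first: ask whether the file is already a known threat before touching it."""
    return KNOWN_MALICIOUS_SHA256.get(sha256_hex.lower())


class CustodyLog:
    """Append-only JSON-lines chain-of-custody log: who handled the evidence,
    when (UTC), why, and the SHA-256 of the item at that moment."""

    def __init__(self, log_path: Path):
        self.log_path = log_path

    def record(self, evidence: Path, handler: str, action: str, reason: str) -> dict:
        entry = {
            "evidence": evidence.name,
            "sha256": sha256_file(evidence),
            "handler": handler,
            "action": action,
            "reason": reason,
            "timestamp": datetime.now(timezone.utc).isoformat(),
        }
        with open(self.log_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self) -> list:
        if not self.log_path.exists():
            return []
        with open(self.log_path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def verify(self, evidence: Path) -> dict:
        """Compare the file now with the hash recorded at collection; any later
        log entry whose hash differs marks where the chain of custody broke."""
        history = [e for e in self.entries() if e["evidence"] == evidence.name]
        if not history:
            return {"status": "no-record"}
        collected = history[0]["sha256"]
        current = sha256_file(evidence)
        breaks = [e["handler"] for e in history[1:] if e["sha256"] != collected]
        intact = current == collected and not breaks
        return {"status": "intact" if intact else "altered",
                "collected_sha256": collected, "current_sha256": current,
                "broken_by": breaks}


def run_demo() -> dict:
    """Walk the workflow end to end in a temporary directory: hash on receipt,
    look the hash up, log each handling step, then show what happens when
    someone modifies the evidence before analysis is complete."""
    workdir = Path(tempfile.mkdtemp(prefix="custody-demo-"))
    evidence = workdir / "attachment.bin"
    evidence.write_bytes(SAMPLE_ATTACHMENT)
    log = CustodyLog(workdir / "custody.jsonl")
    first = log.record(evidence, "responder-A", "collected", "received from reporter")
    log.record(evidence, "responder-A", "hash-lookup", "checked against known-threat list")
    before = log.verify(evidence)
    evidence.write_bytes(SAMPLE_ATTACHMENT + b" -- edited")  # simulated premature clean-up
    log.record(evidence, "responder-B", "opened and saved", "unauthorised handling")
    after = log.verify(evidence)
    return {"known": lookup_known(first["sha256"]), "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The log is written as one JSON object per line and only ever appended to, so the entry made at collection is the reference point every later check uses; in practice the log itself should be stored somewhere the handlers cannot silently rewrite (a write-once location or a separately hashed copy), since a custody record that can be edited proves little more than a WhatsApp screenshot.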

Participants also reviewed Kenya’s mandatory reporting obligations:

  • Personal data breaches must be reported to the ODPC within 72 hours under the Data Protection Act (2019)
  • Significant cyber incidents must be escalated to KE-CIRT within 24 hours under the Computer Misuse and Cybercrimes Act (2018)

These are legal deadlines – not guidelines. Missing the notification window creates regulatory liability regardless of whether the breach was the organisation’s fault.

Malicious Infrastructure Takedown and Device Hardening

The final technical session, led by Nelly Nyadzua, focused on removing threats and hardening devices against future compromise. Strategies included:

  • Enabling Lockdown Mode on iPhones (specifically designed to block the attack vectors used by commercial spyware and forensic extraction tools)
  • Using reputable VPNs (TunnelBear, Tor) on public or untrusted networks
  • Auditing app permissions – particularly microphone, camera, and location access
  • Moving sensitive communications to encrypted platforms like Signal and ProtonMail

Participants left with a concrete organisational security checklist:

  • Unique passwords/passphrases of 12+ characters managed via Bitwarden, LastPass or KeePass
  • 2FA on all critical accounts – hardware keys preferred, authenticator apps as minimum
  • OS and app updates patched within 48 hours of security releases
  • Encrypted off-site backups to protect against ransomware and device seizure

Looking Forward

As the day closed, Tatua emphasised that the workshop’s goal was not just to train individuals; it was to build a community of incident responders. Kenya’s HRDs and SJOs need structured coordination mechanisms, shared playbooks, secure communication channels, and a network of trained rapid responders ready to act when digital threats arise.

The work doesn’t end with the workshop. If your organisation has not yet developed an Incident Management Policy, a BYOD policy, or a formal data retention and deletion schedule, the time is now.

The Tatua Digital Resilience Centre at KICTANet provides 24/7 rapid response support for Kenyan civil society organisations facing digital security incidents. For pre-incident, during-incident and post-incident support, reach us by visiting tatua.digital, by email at info@tatua.digital, or by creating a ticket at help@tatua.digital.


The Tatua Digital Resilience Centre, established by KICTANet, empowers Social Justice Organizations in East Africa to strengthen digital resilience, recover from threats, and harness technology for human rights work. Serving Kenya, Tanzania, and Uganda, it offers strategic support, fosters partnerships, and plans to expand across Africa with sustainable funding models.

Nine Planets, Earth Wing, Suite E9, Kabarnet Garden Road, Nairobi, KENYA | Phone: 254 110 730 730 | Email: info@tatua.digital

© 2026 TATUA DIGITAL RESILIENCE CENTRE