The scariest sentence you’ll ever hear in a digital forensics lab
By Brandon Epstein
Originally published in the May 2026 issue of Magnet Unlocked.
Key insights
- “We’ve always done it that way” is not a justification for your process. It’s a liability in modern digital forensics.
- In digital forensics, validated methods are what survive courtroom scrutiny. Simply relying on historical use isn’t sufficient.
- You don’t need to explain every internal mechanism of a tool to defend its use. What matters is documented, repeatable validation of outputs against reality, applied equally to humans and machines.
It isn’t “the drive is unreadable.”
It isn’t “they never got the discovery.”
It isn’t even “is that phone ringing inside the faraday box?”
Those phrases will make your stomach drop, sure, but they’re problems you can work. You can triage, escalate, pivot.
No — the sentence that should genuinely alarm you, the one that stops me cold every single time I hear it in a lab, a briefing room, a courtroom, or a conference hallway, is:
“We’ve always done it that way.”
I think we’ve all said it. I know I’ve been in rooms where it’s been said with real confidence, not as an admission of ignorance, but as a justification. As though the age of a practice is itself evidence of its soundness. As though doing something for twenty years without catastrophe is the same as doing it right.
It isn’t. And in our field specifically, that conflation can get a case thrown out.
A phrase that carries no weight
I was once present in a courtroom when a defense attorney levelled exactly this critique at the state. The prosecution had been describing how a particular piece of evidence had been handled, and when pressed on the underlying rationale, the argument that emerged was essentially: this is the established practice, we’ve always done it this way.
The defense attorney’s counter was quiet and devastating: if the only justification for a procedure is that it has always been the procedure, that isn’t a justification at all. The judge didn’t disagree.
That moment stuck with me not because it was dramatic but because the attorney was right. “We’ve always done it this way” is a description of continuity, not an argument for correctness. It tells you nothing about whether the method is defensible, validated, or even still fit for purpose given how much the landscape has changed.
The digital forensics landscape changes faster than almost anywhere else. It’s crucial that our practices are updated so they can withstand scrutiny.
The comfort of the familiar
I understand the instinct. Examiners carry enormous professional and legal weight with every report they sign. There’s a real and reasonable desire to stick to the known, the tested, the court-accepted. Nobody wants to be the first person in the jurisdiction to try something new and have it explode in a suppression hearing.
But there’s a difference between validated caution and reflexive inertia, and I think we sometimes mistake one for the other.
When I started paying closer attention to how AI-assisted tooling was approaching case data, it didn’t surprise me that it found answers.
I would have gone straight to the obvious artifacts: Wi-Fi connection logs, cell tower data, GPS coordinates. The system didn’t think like that. It pulled a receipt from a photograph, cross-referenced it against chat content that mentioned a hardware store, and produced a location correlation I never would have constructed manually, not because I couldn’t have, but because I wouldn’t have started there.
That’s not magic; it’s a different cognitive path to the same evidentiary destination. And it made me realise how many paths I haven’t been taking, simply because the path I already know works well enough.
The wristwatch you don’t have to build
One of the persistent objections I hear to AI-assisted tooling — and I’ve heard it from prosecutors, defense attorneys, and examiners — is some version of: I can’t trust what I can’t explain. If I don’t understand the model, if I can’t describe the training data, if I can’t account for every inference the system made, how do I stand behind it in court?
It’s a legitimate concern. But I heard an analogy recently that I think reframes it usefully.
You wear a wristwatch. You probably can’t explain how the escapement mechanism works, how the balance wheel maintains frequency, how the gear train translates rotary motion into the position of the hands. You certainly weren’t there for the watchmaker’s training. But if it says 2:00PM and the sun is high in the sky, you can validate that output against observable reality. You build confidence in the instrument through demonstrated accuracy, not through mechanical literacy.
That’s how forensic practitioners and courts can come to terms with AI in digital forensics. Not through deep technical transparency about model architecture, but through rigorous, documented output validation. Same test, human and AI. Compared results. Explainable methodology.
The race you didn’t know you entered
Here’s the thing that doesn’t get said enough: the people on the other side of our cases are not standing still.
There’s a tendency, when the job-displacement conversation comes up, to imagine AI as a static addition to a static world, as though we import it into an otherwise unchanged environment and recalibrate from there. That’s not what’s happening. The tool environment is changing for everyone, including actors whose interests are opposed to ours. If we’re suspicious of AI, if we’re circling the wagons around our established workflows, we’re not holding a steady position. We’re falling behind relative to a field that is actively moving.
We’re already seeing this with crypto. Agencies that have trained up and started paying attention are seizing amounts that would have seemed improbable a few years ago. Not by having better instincts than everyone else, but by actually looking with the right tools at artifacts and adjacencies they previously didn’t know to examine. That’s not happening everywhere. In a lot of labs, crypto is invisible on a device not because it isn’t there, but because nobody asked the right question.
“We don’t typically look for crypto” is just a quieter version of “we’ve always done it that way.”
What the phrase should trigger
I want to be clear: I’m not arguing for novelty as a value in itself. New is not automatically better. Tooling should be validated, methodology should be defensible, and courts have every right to expect us to demonstrate the reliability of our work. But the explanation has to be substantive. It has to be grounded in something other than precedent.
When I hear “we’ve always done it that way,” what I hear is a gap and a place where someone stopped asking why. And in a discipline where the answer to why might eventually be read aloud in a courtroom where it could affect someone’s liberty, that gap matters.
The red flag isn’t that someone is defending an established practice. The red flag is that “established” is the whole defence.
If you can say: we use this method because it’s been validated against these benchmarks, produces these outputs, and has held up under this scrutiny — great. That’s a reason. But if the room goes quiet when you push past the “we’ve always done it” part, that silence is worth paying attention to.
The field is moving. Our cases are getting harder, the artifacts are getting more obscure, the tools are getting more capable…for all parties involved. The best thing we can do for the integrity of our work is to stay curious about whether the way we’ve always done it is still the way we should.
And to notice, immediately and without embarrassment, when we catch ourselves reaching for that phrase.