A digital forensic expert has told a Nairobi court that he was unable to directly connect a fourth-year Moi University student to a false and widely shared social media post that had false publication on President William Ruto.

While testifying before Milimani Senior Principal Magistrate Ben Mark Ekhubi, Boniface Machibi, a cybercrime and forensic analyst, said the misleading message that circulated on X (formerly Twitter) originated from a mobile phone. The post in question allegedly came from David Mokaya Ooga.

According to Machibi, the post, which was published on November 13, 2024, read: “Ruto’s body leaves Lee Funeral Home.” The message quickly gained attention and sparked public confusion.

During cross-examination by defence lawyers Danstan Omari and Ian Mutiso, Machibi stood by his analysis and findings but admitted that he could not tie the post to Ooga as an individual.

He told the court that although the post was retrieved from a phone, he did not interact with the device's owner.

“I did not interact with the owner of the devices. I can only link the data to the gadgets, not to a specific individual,” he said.

Omari and Mutiso questioned whether the post could have been generated by artificial intelligence or a bot. Omari asked, “Are you aware that robots also generate and circulate content?”

Machibi replied, “Yes, I am, but the information in this criminal case was authored by the accused and shared on X.”

The analyst said he received two exhibits from the Directorate of Criminal Investigations (DCI) on November 28, 2024—a Samsung Galaxy A23 smartphone and a laptop—and was tasked with extracting digital evidence related to the incident.

He explained that he used a forensic tool called Cellebrite UFED to retrieve data from both devices. From the smartphone, he found three user profiles: Boz Gabi (linked to the handle Landlord Ke), Urban Trend Ke, and Masillas. The device also contained a screenshot of the controversial post.

On the laptop, he retrieved files from a folder labelled “DVR,” which he said showed timestamps that matched the date the post was published online.

Despite these findings, Machibi maintained that he could not verify whether the devices belonged to Ooga or whether he was the one who created and posted the message.