On 10 February, The Washington Post reported that a new forensic report found that key evidence against the Indian activists accused in the Bhima Koregaon case of plotting to overthrow the Narendra Modi government was planted on a laptop seized by the police. The forensic report by Arsenal Consulting, a United States digital forensics firm, concludes that a cyber-attacker used malware to infiltrate activist Rona Wilson’s laptop before his arrest, and deposited at least 10 incriminating letters.
On 16 February, a press conference was organised by friends and family members of the 16 Bhima Koregaon accused, imprisoned since June 2018. Several digital technical and legal experts spoke in the press conference to explain what exactly the forensic report says and the legal implications of this report in the case.
Those who spoke in the press conference include Jedidiah Crandall : Associate Professor, Biodesign Center for Biocomputing, Security and Society; Associate Professor, School of Computing, Informatics and Decision Systems Engineering, Arizona State University; Sandeep Shukla : Professor of Computer Science and Engineering, IIT Kanpur; Adv. Mihir Desai : Senior Advocate Bombay High Court Lawyer, PUCL; Father Solomon: Director, Bagaicha, Ranchi, Fr Stan Swamy’s colleague; Rama Ambedkar : Activist and Grand- Daughter of BR Ambedkar; Wife of Dr. Anand Teltumbde and Sagar Abraham Gonsalves : son of Vernon Gonsalves.
A report on the Press Conference by Susmitha, on behalf of, Mumbai Rises to Save Democracy.
Press conference video:
On February 10, 2021 the Bhima Koregaon defense team filed a petition in the Bombay High Court seeking the release of Rona Wilson and the quashing of all charges against him. The petition was filed in light of startling new evidence of a forensic analysis that establishes that the top 10 files used to implicate Mr. Wilson with conspiracy to assassinate the Prime Minister and several other charges were fabricated and had been planted on Mr. Wilson’s hard drive by a cyber-attacker using the NetWire malware. The forensic analysis was conducted by one of the world’s leading forensic analysis firms, Boston-based Arsenal Consulting and the story was first reported by The Washington Post on February 10.
The week that has followed since the explosive announcement of a criminal conspiracy to implicate Mr. Wilson and other co-defendants in the Bhima Koregaon case has been marked by an almost complete silence from the National Investigation Agency (NIA) and the government, who have otherwise been relentlessly pursuing the case for over two years.
In a statement to The Washington Post the NIA had stated that it had found no malware on Mr. Wilson’s computer and other government spokespersons have attempted to label the forensic report as a “distortion.” Other sources and media outlets close to the government have attempted to cast aspersions on the report by suggesting that the cloned hard drive was tampered with as it was being transported from India to Boston.
Mihir Desai, senior advocate who is part of the defense team, characterized such feeble and misinformed responses as clearly indicating that the government has nothing to say now that it has become evident that the cases are based on fabricated evidence.
“In all there were five instances of NetWire malware present on Mr. Wilson’s computer. Of these, two would have been detectable by ordinary antivirus software. So, for the highest intelligence agency of the country to claim that there was no malware detected points to either a complete inability to respond in the face of compelling evidence or share incompetence,” Mr. Desai, said.
“The Arsenal report conclusively establishes that NetWire was the malware used for incriminating document delivery. There is no room for interpretation or doubt about this” said Dr. Jedadiah Crandall of Arizona State University, who is one of the technical experts who has reviewed the Arsenal report in detail. “For an administration that admits to not even finding the instances of malware that are detectable by an ordinary virus scan software, leave alone the more sophisticated and custom installations of NetWire, to call the forensic report a distortion is unfortunate,” he said. Dr. Crandall stated that the methods used by the attackers are known tactics, what was exception was the time frame of the attack.
Sagar Abraham Gonsalves, a family member of one of the Bhima Koregaon accused, said that there are a lot of rules laid down under the Evidence Act pertaining to the collection of electronic evidence which have not been followed at all. “At the time of the raid, spare phones, laptops and even CDs that were lying in the house were confiscated. My father asked for a clone copy back then, he was refused,” Sagar said highlighting that the victim’s families have been questioning the evidence since the very beginning
The forensic report not only establishes the date and time stamp of when every single one of the top 10 files were placed but is also able to further point to the fact that Mr. Wilson never interacted in any way with these files and that these files were created using versions of software that were not present on Mr. Wilson’s computer. “What this means is that the evidence has been looked at from several different anglesto prove that these files files were fabricated and planted on Mr. Wilson’s computer” said Prof Sandeep Shukla of IIT Kanpur. He added that while phishing is common, in most cases they are not targeted. However, the current case seems to suggest targeted phishing where the attackers know the social circles of the victims and use it to conduct phishing. He also stated that he had not seen a case where documents were planted as most hackers were more interested in surveillance but it was possible since such capability exists.
“Other claims such as the possibility of the cloned hard drive being tampered with during transportation are reflective of a complete failure to understand the technical strength of good forensic analysis. No forensic expert begins work without checking the hash values as supplied by the prosecution and without checking the hash values at all stages of their investigation. The cryptographic strength of hash values ensures that no claim can ever be made that the electronic evidence investigated by Arsenal is not the exact same one that the forensic lab in Pune used,” Prof. Shukla said.
Addressing the new developments in the case, Rama Ambedkar was emphatic in her demand for bail for all accused and an independent investigation. In a statement that was read out, she said, “This has gone on for too long. Arsenal has done the work that the responsible government agency should have done. We must immediately put this evidence at the center of the case and not only release all accused on bail but also institute a Special Investigation Team charged with the task of getting to the bottom of how such a conspiracy was created.”
In the petition filed before the High Court on February 10, 2021, Mr. Wilson has asked for an independent investigation into this criminal attempt to build fake evidence against him and co-accused in the Bhima Koregaon case. In the interest or truth and justice, an investigation into who did this and why the police were not aware of it is urgently required.
This case raises pertinent questions:
- Why did the government’s forensic lab ignore evidence of hacking?
- Why did the police or NIA not verify whether these files were genuine or not?
- Will those responsible be held to account for this?
Mr. Wilson has also called on the High Court to quash the FIR against him and the other co-accused and to release them immediately in light of this shocking evidence.
The 16 individuals accused in the Bhima Koregaon case are among India’s most illustrious and committed human rights defenders with long histories of working for India’s poorest and most oppressed people: Dalits, Adivasis, minorities and women. Eight of the 16 accused are themselves Dalit-Bahujans, while four are from minority communities.
The forensic report is authored by Boston-based Mark Spencer, CEO of Arsenal Consulting, one of the foremost digital forensic analysts in the world. Mr. Spencer and his team of forensic experts have a stellar reputation of high-quality forensic work, including a similar case of fake evidence in a journalist’s computer in Turkey, who was later freed on the basis of Arsenal’s report that proved the malware attack. Arsenal’s forensic analysis of Rona Wilson’s laptop and thumb drive revealed that an attacker with extensive resources was able to attack and compromise Mr. Wilson’s computer over a period of 22 months, from June 13, 2016 to April 17, 2018. Arsenal’s report has been examined and attested by three independent experts at the request of The Washington Post which broke the story last week.
Arsenal’s report shows that the attacker planted a number of incriminating files in Mr. Wilson’s hard drive, including the 10 documents that are listed in the charge sheet of Mr. Wilson and his co-defendants. The report shows that the documents were buried in a hidden system folder so that Mr. Wilson himself would not chance upon them. The forensic analysis also shows that neither the documents, nor the folder they were hidden in, had ever been opened by the accused. In the report, Mr. Spencer characterizes the attack as “one of the most serious cases of evidence tampering” ever encountered by his team. The report presents unimpeachable evidence that the files planted on Mr. Wilson’s computer and thumb drive were a result of a deliberate and planned attack by a well-resourced agent.
In this case, Arsenal was able to identify the specific falsified email that was used to get Mr. Wilson to open a decoy document that led to the installation of a customized NetWire Remote Access Trojan (RAT) on Mr. Wilson’s hard drive. The attacker was then able to use this entry mode to both monitor Mr. Wilson’s computer and begin the process of introducing incriminating documents into his hard drive, and an associated USB drive, both of which were analyzed by Arsenal.
Apart from revealing key technical details of the delivery mechanisms used by the attacker, the report also points out an important discrepancy that proves beyond doubt that the evidence was planted by hacking into Mr. Wilson’s computer. The incriminating files were created on software versions that are more recent and newer than the one on Mr. Wilson’s computer. In other words, it establishes beyond doubt that the incriminating files were created and deposited by an attacker and not by Mr. Wilson. Cumulatively, these findings prove that Mr. Wilson had nothing at all to do with the documents on his laptop for which he has been charged and imprisoned for over two years.
The report raises very serious questions about the veracity of the Pune Police and the NIA’s own forensic investigations. How were they able to uncover the (well-hidden) incriminating documents but not uncover the evidence that the documents had been planted? At best the NIA’s inclusion of these planted files in the charge-sheets points to gross incompetence on their part or at worst lends support to the warnings issued by Google and Yahoo of cyber-attacks by state-backed actors. The NIA, the Government of Maharashtra and the Government of India must explain to the public how this could have happened and immediately release Rona Wilson and the 15 co-accused in the fabricated Bhima Koregaon case.