The Washington Post on February 10 published a report based on startling new evidence of a forensic analysis that establishes that the top 10 files used to implicate Rona Wilson with conspiracy to assassinate the Prime Minister Narendra Modi and several other charges were fabricated and had been planted on the hard drive of Wilson’s computer by a cyber-hacker using the NetWire malware. The forensic analysis was conducted by one of the world’s leading forensic analysis firms, Boston-based Arsenal Consulting and the story has since then created a stir in the Indian politics. The explosive announcement of a sinister planned conspiracy to implicate Mr. Wilson and other co-defendants in the Bhima Koregaon case has been marked by an almost complete silence from the National Investigation Agency (NIA) and the government, who have otherwise been relentlessly pursuing the case for over two years.

In a statement to The Washington Post the NIA had stated that it had found no malware on Wilson’s computer and other government spokespersons have attempted to label the forensic report as a “distortion.” Media outlets close to the government have attempted to cast aspersions on the report by suggesting that the cloned hard drive was tampered with as it was being transported from India to Boston.

Prof. Jedadiah Crandall from Arizona State University, who is one of the technical experts who has reviewed the Arsenal report in detail has said “to call the forensic report a distortion is unfortunate”. Prof Crandall emphatically added “The Arsenal report conclusively establishes that NetWire was the malware used for incriminating document delivery. There is no room for interpretation or doubt about this.”

To demystify all the technical details, Prof. Jedadiah Crandall has answered the frequently asked questions to help us understand the Bhima Koregaon Forensic Report.

The Bhima Koregaon Forensic Report: FAQs answered by Prof. Jedidiah Crandall

1. Is it possible to have a legitimate ‘electronic copy’ of a laptop? Can the cloned copy of the hard disk be tampered with? How can it be proved that the cloned copy of the hard disk was not tampered with?

Typically, the investigating agency makes an image of the digital evidence (laptop, USB drive, etc.) and records a cryptographic hash, which is used to verify the identity of all the data.  The image and the cryptographic hash are then shared with the legal defense team. The hash is cryptographically strong, so the only people who could modify the image in any way without detection are the investigators who originally created the image and hash. This modification can only happen before creating the image, since the hash is a digest of the image that can be easily checked and won’t allow for a single bit to be changed without changing the hash. In other words, the electronic copy of the digital evidence is legitimate, and it can easily be checked if it has been tampered with since handing over. The first page of the Arsenal report shows the MD5 hashes of the images used for analysis, which can easily be verified to match those legally provided to the defense team.

2. It is also plausible that the Microsoft Word files on Rona Wilson’s computer were created in a different computer, which he then transferred. This could explain the difference in the older version on his computer and the newer version in which the files were created. How can that be explained by Arsenal’s findings? Also, what is the connection between the incriminating PDF, RTF, ORG files on the computer and the emails sent?

Everything in a modern operating system follows a structure. There are two ways to create a process for giving commands to a Microsoft Windows laptop that are relevant to this case: one is to physically use the laptop using the screen, keyboard and mouse (this is how most people interact with a Windows machine); and the other is to remotely create a process to control the machine over the Internet with a RAT (“remote access trojan;” typically, only attackers interact with computers in this way). Every session to give commands to a computer starts as a process, and whichever commands they give the system become child processes of that original process. The Windows operating system, and softwares installed on it such as antivirus or the RAT itself, keep detailed records of all processes (including both their parents and children), and the activities they carry out on the file system. Because Arsenal Consulting combined many types of records from different points in time going back for almost 2 years, they have been able to piece together what’s called a “process tree.” Their report clearly demonstrates that the file system activity in question was carried out by the RAT. The records of this operation are well structured, and how to put them together is well defined and unambiguous. The records one would expect to see, if someone created a normal process for giving commands by physically using the computer (screen, mouse, and keyboard), do not exist on the image. So, we can conclusively say from the findings that the RAT that was installed when Mr. Wilson’s computer was compromised led to the introduction of the incriminating documents onto Mr. Wilson’s computer.

3. The NIA has said that the Pune regional Forensic Science Laboratory (FSL) did not find any malware. Why did the FSL, which conducted the earlier forensic analysis, not find the malware? Do the Arsenal findings mean that FSL detected the malware but failed to mention it in the report? Does Arsenal’s findings then directly contradict FSL’s findings? In conducting forensic analyses, is it possible to overlook such a prolonged hack?

Some of the records used to reveal the facts in this forensics analysis are the kind that typically only persist for shorter periods of time, so copies of those records need to be found in other places. As a matter of fact, an earlier investigation by The Caravan^[1] already highlighted the presence of malware on the digital evidence. Of the 5 NetWire malwares found by Arsenal, 2 could have been easily found by a regular virus detection software. Any claim by the FSL that they did not find malware on Wilson’s computer is either suspicious or grossly incompetent. The FSL, being a competent authority, should have found all five instances of the malware, and conducted a full analysis, as such a responsible public agency is charged with doing. The mentioned record copies can be preserved in random places all over the hard drive or any USB drives, because of the ways that volatile memory (RAM) and non-volatile memory (hard drives and USB sticks) are mixed. This is a very time-consuming process, but is necessary for a thorough analysis.

4. Why is Arsenal Consulting a credible agency? Why should their report be found more competent than the regional FSL’s report?

The lead in this investigation, Mark Spencer has a strong track record that speaks to his credibility: He has more than 20 years of law-enforcement and private-sector digital forensics experience. Mark has developed and delivered digital forensics training to students from a vast array of international corporations and governments. He has led the Arsenal team on many high-profile and high-stakes cases, from allegations of intellectual-property theft and evidence spoliation to those of the support of terrorist organizations and military coup plotting. Mark has testified in cases which include United States v. Mehanna and United States v. Tsarnaev. Well-known cases that Arsenal Consulting carried out forensic investigation for includes the Sledgehammer (Balyoz) and Ergenekon in Turkey, and the Boston Marathon bombing in the United States.

From their vast experience and knowledge in this area, there is no reason to doubt the credibility of Arsenal Consulting’s investigation. Their findings have since been confirmed by various international digital forensic experts as well.

That being said, it is healthy to be skeptical about electronic evidence. In this case, Arsenal Consulting has provided a very detailed roadmap that competent digital forensics practitioners anywhere can use to confirm all of their findings. It is not difficult to check that all analyses would be working with identical evidence (Rona Wilson’s hard drive, and the attached USB stick). Moreover, Arsenal Consulting’s findings are not only accurate but replicable with access to the mentioned evidence.

5. Did Rona Wilson write the concerned documents?

The Arsenal Consulting report shows that:

1.The documents were placed on Mr. Wilson’s computer’s hard drive and on the USB stick by the NetWire RAT.

2. Users who physically used the computer didn’t interact with the documents, not even opening them.

3. It is irrelevant which external computer the document was authored on. What is clear from these analyses is that the documents were completely sourced from the NetWire RAT.

6. How was the computer hacked?

Rona Wilson’s computer was compromised on June 13, 2016 after a series of suspicious emails sent by someone using Varavara Rao’s email account were opened. A document attached to the emails was set up as a decoy within a RAR archive file. Once the document was opened, it led to the installation of the NetWire remote access trojan (RAT) on Rona Wilson’s computer.

Hacking people’s email accounts and compromising the computers of their friends by sending emails pretending to be them is a common form of attack against NGOs, civil society targets, etc. Netwire is a popular multi-system platform remote access trojan (RAT) system which can be obtained in a variety of ways, including through a quick online purchase (https://www.worldwiredlabs.com/).

7. What kind of access did the hacker have to the computer?

They had full access to the computer. They could do with it anything they wanted, as it typical of RATs.

8. How were the files planted? How did Rona Wilson not know when the files were being planted?

When opening the document in the email, Rona Wilson thought he was opening a link to a Dropbox file, but he was effectively opening a link to a malicious server (command and control, “C2” server). The evidence shows that the incriminating documents were transferred into a hidden folder on the laptop through the NetWire RAT alone. RAT processes run as what is basically a “background shell”, so there will be no indication on the screen that a RAT is running or about any of its activities. The attacker took various steps to hide the files so that someone using the computer physically would not stumble upon them.

9. How did Rona Wilson not know about the hack for 22 months?

The files were being added to a folder that he did not know existed and was not visible in his list of folders. The NetWire RAT was well hidden in the laptop. It was used remotely to perform surveillance, deliver files, and synchronize files on Rona Wilson’s laptop.

10. What kind of resources does someone need to conduct such a hack?

The technical abilities of the attacker were not exceptional compared to other targeted attacks on NGOs and civil society, but the amount of time over which their activity was carried out (over four years) and the general level of persistence was exceptionally high. Since the evidence is of a political nature, the hacker could not have done it for their own fun or to gain access to banking or financial information. As the Arsenal report notes, “it is obvious that their primary goals were surveillance and document delivery.”

^[1] https://caravanmagazine.in/law/did-pune-police-tamper-evidence-against-bhima-koregaon-accused