Evidence fabricated in Bhima Koregaon case? What prompted Rona Wilson’s plea
Activist Rona Wilson moved the Bombay high court on Wednesday seeking the quashing of criminal proceedings against him for allegedly fomenting violence in Bhima Koregaon near Pune in 2018. The move came after an American digital forensics consulting company concluded that fabricated evidence had been planted, including on a laptop and a thumb drive seized from Wilson’s residence in April 2018. Here is all you need to know about the matter:

• In his petition, Wilson’s lawyer has attached a copy of a digital forensic report from Arsenal Consulting, whose contents were first reported by the Washington Post.
• The firm found that malware had been installed in Wilson’s computer on June 13, 2016, after someone using the email account of Varavara Rao, who is one of the accused in the case, sent a phishing mail to Wilson.
• National Investigation Agency spokesperson Jaya Roy said the digital extracts they have submitted in court along with the charge sheet were examined at the Regional Forensic Science Laboratory, Pune, which showed no evidence of any malware in any laptop/device.
• The hack was technically not sophisticated and appears to be inspired by Soviet-era espionage, cyber-security experts said.
• Arsenal used tools to decrypt and parse NetWire logs and Quickheal database fragments. The report claimed that the firm was able to reconstruct the events of how Wilson’s computer was compromised, which also included synchronising files between Wilson’s computer and another server.
• NetWire logs are files that contain keystrokes and other information such as browsing history, saved passwords, composed emails, and edits to documents.
• Forensic images of digital devices along with final reports are provided to accused persons as mandated by the Code of Criminal Procedure.
• Investigating officials said that videos were taken of all the evidence seized by the Pune Police from Wilson’s residence, which included a hard disk, CDs, a laptop, mobile phones, memory cards, etc.
• These were enumerated in a seizure memo following due procedure, after which a strict “chain of custody” was maintained. The evidence was sent to Regional FSL Pune for further examination. The report did not indicate any instance of tampering with the digital devices.
• Wilson’s petition argued that in light of the Arsenal report, any prosecution against him or the other co-accused (15 other prominent activists, academics and lawyers) would be a “travesty of justice”.
• Analysing the forensic images obtained from the Toshiba hard drive inside Wilson’s computer as well as a SanDisk Cruzer Blade thumb drive that was attached to it, the report stated that the attacker copied documents into the thumb drive on March 14, 2018, and later created a warren of dummy folders containing dummy data “so that the victim would not stumble upon them”.
• The forensics report suggested the attackers deployed a commonly used strategy known as spear phishing. The attackers send an email that appears to be from a trustworthy source, convincing the target to click on attachments that deliver what is known as the exploit, the piece of code that opens a backdoor and ultimately allows malware to be installed.
• A NetWire remote access trojan was installed on Wilson’s Hewlett Packard Pavilion notebook once he clicked on what he thought was a mere Dropbox link. This allowed the attacker to conduct surveillance and plant incriminating documents, the report said.
• Arsenal Consulting, a Massachusetts-based digital forensics firm, surmised that Wilson’s computer was compromised by the same attacker for 22 months between 2016 and April 17, 2018, when electronic evidence was seized by the Pune Police on suspicion of his alleged links with the violence that erupted in Bhima Koregaon village in Maharashtra on January 1, 2018, during the bicentennial celebrations of a British-era war commemorated by Dalits.