Evidence planted, says activist Rona Wilson after forensic firm’s analysis
Activist Rona Wilson, accused of fomenting violence in Bhima Koregaon in 2018, moved the Bombay high court on Wednesday seeking the quashing of criminal proceedings against him. His petition follows a finding by an American digital forensics consulting company that fabricated documents had been planted on electronic devices, including a laptop and a thumb drive, seized from his residence in April 2018. Those devices formed the basis of his arrest two months later.
Denying the claims of the report, National Investigation Agency (NIA) spokesperson Jaya Roy said: “The digital extracts which we have submitted in the court along with the chargesheet were examined at RFSL (Regional Forensic Science Laboratory, Pune), which shows no evidence of any malware in any laptop/device.”
The petition, filed by Wilson’s lawyer Sudeep Pasbola, attached a copy of a digital forensic report from Arsenal Consulting, whose contents were first reported by the Washington Post. It also sought the constitution of a special investigation team to analyse the electronic evidence and compensation for wrongful detention.
Arsenal Consulting, a Massachusetts-based digital forensics firm, concluded that Wilson’s computer was compromised by a single attacker for 22 months, from 2016 until April 17, 2018, when the Pune Police seized his electronic devices. The seizure was made on suspicion of his alleged links with the violence that erupted in Bhima Koregaon village in Maharashtra on January 1, 2018, during the bicentennial commemoration of a British-era battle celebrated by Dalits.
The firm found that malware had been installed in Wilson’s computer on June 13, 2016, after someone using the email account of Varavara Rao — who is one of the accused in this case — sent a phishing mail to Wilson. A NetWire remote access trojan (RAT) was installed on Wilson’s Hewlett Packard Pavilion notebook once he clicked on what he thought was a mere Dropbox link. This allowed the attacker to conduct surveillance and plant incriminating documents, its report stated.
“The report of Arsenal Consulting is an attempt to tarnish the investigation and the evidence collected therein,” an official close to the investigation and who did not wish to be named said.
The forensics report suggested the attackers deployed a commonly used strategy known as spear phishing. The attackers send an email that appears to come from a trustworthy source, convincing the target to click on an attachment or link that delivers what is known as the exploit: the piece of code that opens a backdoor and ultimately allows malware to be installed.
Analysing the forensic images obtained from the Toshiba hard drive inside Wilson’s computer as well as a SanDisk Cruzer Blade thumb drive that was attached to it, the report stated that the attacker copied documents into the thumb drive on March 14, 2018, and later created a warren of dummy folders containing dummy data “so that the victim would not stumble upon them”.
These incriminating documents were delivered to Wilson’s computer by NetWire and no other means, the report stated.
“The essential evidence in the case is electronic evidence. There is no mention of arms or ammunition. The Arsenal report examined 10 of the letters and found that they were planted. Wilson was not aware of these documents, nor did he open them. In our opinion, this punches a hole in the prosecution’s case,” said Mihir Desai, one of the lawyers in the Bhima Koregaon case.
“The report of Arsenal Consulting is sufficient grounds for quashing of the FIR and chargesheet against Wilson and his co-accused,” a senior counsel who represented Wilson said.
Other documents that Wilson reportedly authored had been saved to PDF format using either Microsoft Word 2010 or 2013, neither of which was installed on his computer, the report added. It also found that the same attacker had launched similar malware attacks against other co-defendants in this case over a period of four years.
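As an added illustration of the kind of authoring-metadata inconsistency the report describes (this is not code from Arsenal or from the report), the following Python script reads the /Producer and /Creator entries of PDF files and flags any that name an application absent from a hypothetical inventory of software installed on the host. The PDF fragments and the inventory are constructed here for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample PDF fragments (not from the Arsenal report): only the Info
# dictionary matters here, labelled the way Word and LibreOffice write it.
SAMPLE_PDFS = {
    "letter_a.pdf": b"%PDF-1.5\n1 0 obj\n<< /Creator (Microsoft Word 2013)"
                    b" /Producer (Microsoft Word 2013) >>\nendobj\n%%EOF\n",
    "letter_b.pdf": b"%PDF-1.4\n1 0 obj\n<< /Producer (Microsoft Word 2010)"
                    b" /Creator (Microsoft Word 2010) >>\nendobj\n%%EOF\n",
    "notes.pdf":    b"%PDF-1.4\n1 0 obj\n<< /Producer (LibreOffice 5.1) >>"
                    b"\nendobj\n%%EOF\n",
}

# Hypothetical software inventory recovered from the host image (for example from
# installed-program registry keys); a real inventory comes from the seized machine.
INSTALLED_SOFTWARE = {"LibreOffice 5.1", "Microsoft Word 2007"}

# Literal (parenthesised) PDF strings; stops at the first unescaped ')'.
META_RE = re.compile(rb"/(Producer|Creator)\s*\((.*?)(?<!\\)\)", re.S)


def pdf_authoring_apps(data: bytes) -> Set[str]:
    """Return the application names claimed by a PDF's /Producer and /Creator
    entries. UTF-16 hex strings (<FEFF...>) are out of scope for this example."""
    return {m.group(2).decode("latin-1") for m in META_RE.finditer(data)}


def flag_untraceable_pdfs(pdfs: Dict[str, bytes],
                          installed: Set[str]) -> Dict[str, List[str]]:
    """Map filename -> claimed authoring apps that are not in the host inventory.
    A hit is a lead for the examiner to corroborate, not proof of planting."""
    findings: Dict[str, List[str]] = {}
    for name, data in pdfs.items():
        unknown = sorted(a for a in pdf_authoring_apps(data) if a not in installed)
        if unknown:
            findings[name] = unknown
    return findings


if __name__ == "__main__":
    for name, apps in flag_untraceable_pdfs(SAMPLE_PDFS, INSTALLED_SOFTWARE).items():
        print(f"{name}: claims {', '.join(apps)}, not in host inventory")
```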
“Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to not only attack and compromise Mr Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high profile Indian cases as well,” the report stated.
Wilson’s petition argued that in light of the Arsenal report, any prosecution against him or the other co-accused — there are 15 other prominent activists, academics and lawyers, among others — would be a “travesty of justice”.
“In view of this, any further prolonging of the case against the petitioner and the co-accused will be an absolute and continued travesty of justice, apart from sanctifying the abuse of process of law and will lead to further violation of the petitioners and co-accused fundamental rights,” the petition read.
Investigating officials said that videos were taken of all the evidence seized by the Pune Police from Wilson’s residence, which included a hard disk, CDs, a laptop, mobile phones and memory cards. These items were enumerated in a seizure memo following due procedure, after which a strict “chain of custody” was maintained. The evidence was sent to the Regional FSL in Pune for further examination, and its report did not indicate any instance of tampering with the digital devices.
Forensic images of digital devices along with final reports are provided to accused persons as mandated by the Code of Criminal Procedure.
Arsenal used tools to decrypt and parse NetWire logs and Quick Heal database fragments. The report stated that this allowed the firm to reconstruct how Wilson’s computer was compromised, including the synchronisation of files between Wilson’s computer and another server.
NetWire logs record keystrokes and other activity such as browsing history, saved passwords, composed emails and document editing.
The hack was technically not sophisticated and appears to be inspired by Soviet-era espionage, cyber security experts said.
“Going by Arsenal Consulting’s findings, the technical methods of compromise seem crude. However, the overall mechanism is strangely reminiscent of the methods used by unrelenting and aggressive Russian intelligence agencies. They are known to place kompromat (compromising material like child pornography) inside the computers of unwitting activists, dissenters and opponents,” said Pukhraj Singh, a cyber threat intelligence analyst.