A US-based forensic firm on December 7th has concluded that digital evidence used to arrest Jesuit priest Father Stan Swamy in the Bhima-Koregaon case was “planted” on his computer’s hard drive, similar to two other cases involving human rights defenders Rona Wilson and Surendra Gadling. Swamy, 84, who was an accused in the Elgar Parishad-Maoist links case, died in July 2021, while waiting for interim bail on medical grounds.
As per the new report from a US-based digital forensics company, a hacker planted 22 “incriminating” files in activist Rona Wilson’s computer, days after violence in the Maharashtra town of Bhima-Koregaon in January 2018.
These files have, since November 15, 2018, been cited, initially by the Pune Police and then by the National Investigation Agency, as key evidence. This evidence led to Wilson and 15 others – including lawyers, academics and artistes – being arrested and jailed without bail (except the poet Varavara Rao who is now on bail) or trial for more than two years on charges of conspiring against the Indian state.
The files were never created, opened or used by anyone who directly handled Wilson’s computer, but the hacker used a software to plant them, said the new report from Arsenal Consulting. They analyzed an electronic copy of Wilson’s computer on a request from his lawyers, who got it from the police in November 2019 after court orders.
The new report is a follow-up of Arsenal’s first report in February 2021. That report concluded the computer was hacked using malicious software to plant 10 files, mostly “incriminating” letters, and it faced sustained electronic spying.
The second report, yet to be made public, but reviewed by Article 14, states: “There is no evidence of legitimate interaction with the additional files of interest on Mr. Wilson’s computer, and that 22 of the 24 files are directly connected to the attacker identified in Report I.”
The additional 24 files largely contain purported correspondence between members of the banned Communist Party of India (Maoist), discussions on fund transfers, how to improve women’s representation in organisations, difficulties party members face in communicating with each other, concerns over state crackdown and some photographs of Maoist guerillas.
Article 14 emailed detailed queries to Jaya Roy, NIA spokesperson and Superintendent of Police. The queries included specific questions related to Arsenal’s findings and reports submitted by government’s forensic labs.
Roy did not reply to the email. She told Article 14 on the phone that, “We do not take cognisance of reports from private labs. There are notified labs for our forensic examination like RFSL [Regional Forensic Science Laboratory] and CFSL [Central Forensic Science Laboratory].”
While the case against the 16 is likely to drag for years, their lawyers’ focus is on getting the activists released on bail. Wilson’s lawyers are likely to use the second Arsenal report to buttress their contention that primary electronic evidence was fabricated and that the tampering of his computer makes all electronic evidence produced from it unusable.
The case against the 16 activists centers around Elgaar Parishad, an event held on December 31, 2017, in Bhima-Koregaon, a town of roughly 9,000 inhabitants, 28 km northeast of Pune, to commemorate the 200th anniversary of the victory of a largely Dalit-staffed British army over the upper-caste Peshwa army. Violence and arson followed the event, as Dalits clashed with Hindu right-wingers irked by the celebration of a valorous Dalit past.
Soon, a Pune police investigation into the violence changed tack to a Maoist conspiracy and focussed on “urban naxals”, a term popularised around the same time by right-wing supporters and leaders to deride urban intellectuals and activists.
Police raided activists and organisers of the event and seized laptops, hard disks and other devices. According to the charge sheet, the police raided the premises of Rona Wilson and advocate Surendra Gadling because of their alleged communication with Sudhir Dhawale, one of the main organisers of Bhima Koregaon event.
The chargesheet on why Ronal Wilson and why Surendra Gadling were arrested.
The files found on Wilson’s computer were among the evidence submitted against him, lawyer-activist Sudha Bharadwaj, poet Rao and others.
After the NIA took over the probe from the state police in January 2020, soon after the state saw a change in administration from a Bharatiya Janata Party-led government to the Maha Vikas Aghadi currently in power, they filed an additional charge sheet, naming Jesuit priest Stan Swany, Hanybabu Tarayil, a professor of linguistics at the Department of English at Delhi University, Anand Teltumbde, a professor of the Goa Institute of Management and journalist Gautam Navlakha.
They were accused of conspiring with a banned Maoist group against the Indian government and face charges under the Unlawful Activities (Prevention) Act, 1967, an anti-terrorism law that overwhelmingly puts the onus of proving innocence on the accused. Arsenal found instances where the hacker renamed files and, in one case, even made a mistake that was later corrected.
Arsenal’s president Mark Spencer explained to Article 14 the significance of the new report: “The process tree involving “mohila meeting jan.pdf” is the most compelling finding in Report II. While there are many “smoking guns” related to the attacker’s activity in Reports I and II, this process tree is one of the most significant”.
The mohila meeting file that Spencer referred to contains the minutes of a purported mohila (women’s) meeting on January 2, 2018. It lists other co-accused activists – Bharadwaj, Shoma Sen and others – as members of MOs or mass organisations.
The process tree that Spencer referred to tracks how and when the attacker hacked and planted files on a victim’s computer. The report said these 22 files were planted using NetWire, malicious software that opens the door to the device for hackers.
The hacker then remotely changed, added or deleted contents and viewed computer activity. The second report detailed how this remote-access electronic Trojan horse was used to deliver multiple files to Wilson’s laptop, in addition to those mentioned in the first report, later used by investigators to incriminate him and others.
The process tree for the “mohila meeting document” showed NetWire being launched automatically on January 11, 2018, 11 days after the Bhima-Koregaon violence, at 5.04 pm after a login.
The attacker opened a command prompt and unpacked three files between 5.10 pm and 5.12 pm – one of which contained “mohila meeting jan.pdf”. These files were then unpacked into a hidden folder using a temporarily deployed UnRAR, a file archiver like WinZip, renamed to “Adobe.exe”.
“It shows NetWire’s communication with the attacker’s command-and-control server that we recovered from the active Windows hibernation on Rona Wilson’s computer,” said Spencer. “The hibernation occurred on January 14, 2018. The IP address is associated with one of the hostnames that we already released in Report I, but now people can see an example of how we know so many details”.
Besides laptops, files in hard disks and pen drives too, were helpful in tightening the screws on Wilson and others. The attacker ensured that files were automatically transferred from Wilson’s computer to the external hard drive when hooked up.
“Please keep in mind that ultimately you do not need to take our word for anything we have shared in Reports I or II, as our findings can be replicated by competent digital forensics practitioners with access to the same electronic evidence,” said Spencer.
“The process tree has effectively caught the attacker red-handed,” said Spencer. “It very clearly demonstrates how the attacker delivered incriminating files to Rona Wilson’s computer.”
“It’s the kind of finding that should make technical people lean back in their chairs and say, whoa,” said Spencer, who has examined computers related to the 2013 bombing of the Boston Marathon and a Turkish journalist falsely framed for terrorism in 2014.
The NIA, in a special court, in response to a bail plea moved by Anand Teltumbde’s lawyers based on the first report by Arsenal said that the findings cannot be relied upon since it is “not authenticated”. Several charge sheets filed by the state police and NIA running into hundreds of pages hinge on the evidence recovered from the electronic devices of Wilson and others, the credibility of which has now been debunked by the independent forensic expert.
In a statement on February 10, the NIA had indirectly discredited Arsenal’s first report. “The forensics reports that are cited in the charge sheet filed in the court are from an accredited lab, accepted by the Indian courts,” NIA spokesperson Roy said. “In this case, it was done by the Regional Forensic Science Laboratory in Pune. According to their report no such malware was found,”“Rest all (sic) is distortion of facts.
“We reviewed the documents submitted by the prosecution in the court. They show the investigating officer in the case did ask the government forensic lab on October 13, 2018 to state that the electronic devices of the accused were not tampered with. The government lab made no comment. The prosecution then stated that more forensic reports were awaited, noting in a NIA report, part of the chargesheet, “certain FSL (Forensic Science Laboratory) reports are yet to be received.”
Asked for comment by Article 14, NIA spokesperson Roy said: “NIA has already filed chargesheet in the case and the case is currently sub judice. I would not be commenting on any of the court matters.” Article 14 had raised a specific query about the fact that Regional Forensic Science Laboratory did not respond to questions of evidence tam