New Delhi: Key evidence against Rona Wilson, an accused in the Bhima Koregaon case that is being investigated by the NIA, was planted on a laptop seized by police, a report by Arsenal Consulting, a Massachusetts-based digital forensics firm, has claimed.
According to the firm’s forensic assessment, first reported by The Washington Post Wednesday, an attacker used malware to infiltrate a laptop belonging to Wilson and deposited at least 10 incriminating letters on it.
Malware, short for malicious software, refers to any of a range of programs used by cyber criminals to damage a system or gain unauthorised access to it.
The NIA had provided the defence team with forensic images of the digital devices seized from Wilson, which were then sent by the latter to the US firm for examination.
Reached for comment, NIA spokesperson Jaya Roy dismissed the Arsenal report as a “distortion of facts”.
On the basis of the Arsenal report, which claims Wilson’s computer was compromised for nearly two years between 2016 and 2018, the activist has filed a petition in the Bombay High Court, urging judges to dismiss the case against him.
“A petition has been filed in the Bombay High Court to quash these proceedings. This forensics report has been attached for reference. It is enough to clear the suspicion about Wilson’s involvement,” Wilson’s lawyer Mihir Desai said.
Desai said the documents are part of the evidence cited by the NIA to build their case against Wilson, as well as others accused in the case.
“We got the main documents that are evidence in the case examined and have found this,” he said, referring to emails, among other things. “We hope the court takes note of it. The matter should be up for hearing in a few days.”
In its report, accessed by ThePrint, the US firm has described the alleged malware attack on Wilson’s computer as one of the “most serious cases involving evidence tampering that Arsenal has ever encountered”. The National Investigation Agency (NIA), however, dismissed the findings.
“The forensics reports that are cited in the charge sheet filed in the court are from an accredited lab, accepted by the Indian courts. In this case, it was done by the Regional Forensic Science Laboratory, Pune. According to their report no such malware was found. Rest all is distortion of facts,” NIA spokesperson Jaya Roy said.
In a statement issued Wednesday evening, the NIA sought to raise many questions about the Arsenal findings. Referring to letters the report claims were planted on Wilson’s computer, the NIA said “the context and incidents mentioned are very much corroborated in the charge sheet by other oral, documentary & technical evidence”.
‘Incriminating documents delivered to hidden folders’
The Bhima Koregaon case centres on a gathering in Pune, Maharashtra, on New Year’s Eve 2018 that sought to mark 200 years of a battle between the Peshwas and a British army comprising Dalits that was won by the latter. In the light of violence that erupted the next day, people who participated in the event have been accused of making provocative speeches.
The investigation in the matter was first handled by Pune Police before being taken over by the NIA. The investigators have since alleged a larger plot at play to wage a war against the nation.
Wilson is one of 16 people under arrest in the case. Others include lawyer Sudha Bharadwaj, tribal rights activist and priest Stan Swamy, and activist Varavara Rao.
According to the NIA, incriminating letters have been recovered from electronic devices of the Bhima Koregaon accused. In its charge sheet, the NIA has cited a document allegedly seized from Wilson that mentions the “purpose of formation of anti-fascist front” on the direction of the outlawed CPI Maoist.
Arsenal claims in its report that Wilson’s computer was compromised for over 22 months.
“The attacker responsible for compromising Wilson’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery,” the report claims.
It also claims that Arsenal connected the same attacker to significant malware infrastructure that has allegedly been deployed over the course of approximately four years to not only attack Wilson’s computer but also those of his co-defendants in the Bhima Koregaon case and defendants in other “high-profile Indian cases”.
The Arsenal report alleges that incriminating documents found in Wilson’s computer were delivered to a hidden folder through malware.
“The incriminating documents were delivered to a hidden folder on Mr Wilson’s computer by NetWire (a malware) and not by other means,” the report claims.
Wilson’s computer, the report claims, was compromised on 13 June 2016, after a series of “suspicious emails” by someone purportedly using Varavara Rao’s email account.
“During the course of email conversation, the person using Varavara Rao’s email account made multiple attempts to get Mr Wilson to open a particular document. By 6:18 pm, Mr Wilson replied that he had successfully opened the document. Opening the document (a decoy within an RAR archive file named ‘another victory.rar’) was part of a chain of events which led to the installation of the NetWire remote access trojan (‘RAT’) on Mr Wilson’s computer,” the report claims.
RAR is a data compression application, while RAT is a form of malware used to gain access to someone’s computer, usually installed by getting the target user to click on a link or download something, like an email attachment.
The report claims there is “no evidence which would suggest that the top ten most important documents used in the prosecution against Mr Wilson were ever interacted with in any legitimate way on Mr Wilson’s computer”.
“More particularly, there is no evidence which would suggest any of the top ten documents, or hidden folders they were contained in, were ever opened,” the report further claims.
“Object identifiers are normally assigned to documents when they are either created or first opened. In this case, none of the top ten documents have object identifiers.”
NIA rejects report
In a statement issued Wednesday evening, the NIA said the Pune Police conducted a search at Wilson’s Delhi house on 17 April 2018 and seized “incriminating material including hard disk, CDs, laptop, mobile phones, memory cards”. The digital devices, it added, were sent to the “Regional FSL Pune for further examination”.
Following the analysis, the Regional FSL Pune “provided a forensic report including image, clone copy of the electronic devices and also a report that did not indicate any instance of tampering with the digital devices”, it said.
After the charge sheets were filed, the NIA “provided the defence with the forensic images of digital devices along with final reports, which were then sent by them to the US firm for examination”.
The NIA also seemed to question the Arsenal finding that Wilson’s computer had been compromised since 13 June 2016, or a year and a half before the incident at Bhima Koregaon.
“It is pointed out here that, as per the Arsenal Consulting report, the device of Rona Wilson was compromised for the period of 22 months, prior to his arrest while the very case was registered on 8 January 2018, which is six months prior to his arrest, arising out of an incident on 1 January 2018 which is hard to comprehend,” the NIA said.