Digital forensics reveal evidence tampering to implicate activists: Bhima Koregaon case


The Washington Post has published an explosive story about the forensic analysis of Rona Wilson’s laptop, which found that the laptop had been compromised and that key evidence, in the form of 10 letters implicating the activists, was planted in a hidden folder on it a week before the arrests.

The letters, widely publicised at that time as secret letters, particularly one alluding to the purchase of weapons, were used as justification for the arrests of prominent and respected activists fighting for the rights of marginalized communities in India. Citing a threat to the Prime Minister’s life, the activists have been repeatedly denied bail.

Rona Wilson’s lawyer, Sudeep Pasbola, had requested Arsenal Consulting to examine the laptop, and the findings are damning.

Key findings of examination of Rona Wilson’s laptop by Arsenal Consulting

  • Wilson was sent emails that appeared to be sent by Varavara Rao containing a link that appeared to be about a statement for civil rights.
  • Clicking the link in the email caused his computer to be compromised by NetWire.
  • The exploit remained in use on Wilson’s computer for two years, giving the hacker access to the laptop, including installing a keylogger that collected information about his computer use, passwords and browsing activity.
  • Almost two years after the initial exploit, the attacker uploaded documents containing letters to a hidden folder on Wilson’s computer. Forensics found no evidence that Wilson had even opened the folder.
  • The version of Word used to create the documents was higher than the version installed on Wilson’s computer.
  • These letters were used as evidence to arrest prominent activists alleging a conspiracy to assassinate Prime Minister Narendra Modi.
  • The full copy of Arsenal Consulting’s submission may be found here.

The Washington Post had the findings of Arsenal Consulting verified by independent digital forensics experts and they concur. The article in the Washington Post is comprehensive and no doubt this will be covered extensively on other news sites, so I am not going to get into further details of the hacking and will instead focus on the more alarming implication of the findings.

Has the government framed the activists in the Bhima Koregaon case?

Some of the details released in the past as well as the new revelations point to possible government involvement. Or at least someone with government blessing.

The files were placed on Wilson’s laptop less than two weeks before his home was raided and his laptop seized. This raises the question of whether the hacker planting them was aware of the planned raids, or whether the raids were planned after the files were planted, so that they would be found. What was the connection between the hacker and the NIA, in terms of either information about the raid or the connections needed to call for a raid?

Some of the servers and IP addresses used to compromise Wilson’s server were used to target the other co-defendants in the Bhima Koregaon case as well. This goes beyond “oh, what a coincidence!”

Furthermore, some of the same servers and IP addresses were involved in the hacking attempt on the people working Amnesty International who were aiding the accused. Three out of those were also targeted using Pegasus – which is available only to governments.

Someone seems to have gone through a lot of effort to ensure that activists fighting for the rights of the marginalized were taken out of the public domain and it is hard to believe that the attacker is an independent lone wolf, as such a person would not have the ability to know or control the actions of the NIA. Nor would it make sense to frame activists with no access to the Prime Minister for conspiring to assassinate him. Far more plausible stories would be possible – a terror attack, for instance. However, this is not the first time the Prime Minister’s life has been claimed to be under threat by the ruling party.

NIA had confiscated the devices of the accused for forensic examination. They found the letters but claim to not have found any evidence tampering.

Further, the planted evidence appears to have been successful in preventing bail for the accused. A lone wolf anonymous hacker would have no influence on the judicial system. This is not just a one off hack, but part of a relentless series of events that has served to keep the activists imprisoned. This kind of relentlessness and cunning in acts is not unfamiliar to anyone following the news today.

It echoes patterns of arrests of activists under fictional charges in the government’s ongoing pattern of repression of civil rights and those who speak up for them.

This is hardly an isolated incident. Similar widespread arrests were carried out during the protests against the Citizenship Amendment Act. They are still happening with the farmers’ protests. Hundreds of farmers have been locked up. The government asked for the Twitter account of The Caravan, which reported extensively on the protests, to be blocked, among others reporting from the protests. When Twitter initially complied but restored the accounts, the government provided another list of over a thousand addresses and threatened to arrest Twitter employees if they didn’t comply.

Journalist Mandeep Punia was arrested. Nodeep Kaur, a Dalit rights activist and trade unionist arrested as recently as last month, is in jail facing abuse and assault with no bail or release in sight. The office of NewsClick was raided, as were the homes of the owners and editors.

As George Orwell wrote in Reflections on Gandhi:

It is difficult to see how Gandhi’s methods could be applied in a country where opponents of the regime disappear in the middle of the night and are never heard of again. Without a free press and the right of assembly, it is impossible not merely to appeal to outside opinion, but to bring a mass movement into being, or even to make your intentions known to your adversary.

George Orwell, Reflections on Gandhi

While this government remains in power, the writing is on the wall.
