In Bhima-Koregaon case, new forensic report shows how hacker planted key files on accused’s computer | #computerhacking | #hacking


A new report from a US-based digital forensics company has said a hacker planted 22 “incriminating” files in activist Rona Wilson’s computer, days after violence in the Maharashtra town of Bhima-Koregaon in January 2018.

These files have, since November 15, 2018, been cited, initially by the Pune Police and then by the National Investigation Agency, as key evidence. This evidence led to Wilson and 15 others – including lawyers, academics and artistes – being arrested and jailed without bail (except the poet Varavara Rao who is now on bail) or trial for more than two years on charges of conspiring against the Indian state.

The files were never created, opened or used by anyone who directly handled Wilson’s computer, but the hacker used a software to plant them, said the new report from Arsenal Consulting. They analysed an electronic copy of Wilson’s computer on a request from his lawyers, who got it from the police in November 2019 after court orders.

The new report is a follow-up of Arsenal’s first report in February 2021. That report concluded the computer was hacked using malicious software to plant 10 files, mostly “incriminating” letters, and it faced sustained electronic spying.

The second report, yet to be made public, but reviewed by Article 14, states: “There is no evidence of legitimate interaction with the additional files of interest on Mr. Wilson’s computer, and that 22 of the 24 files are directly connected to the attacker identified in Report I.”

Seeking bail

The additional 24 files largely contain purported correspondence between members of the banned Communist Party of India (Maoist), discussions on fund transfers, how to improve women’s representation in organisations, difficulties party members face in communicating with each other, concerns over state crackdown and some photographs of Maoist guerillas.

Article 14 emailed detailed queries to Jaya Roy, NIA spokesperson and Superintendent of Police. The queries included specific questions related to Arsenal’s findings and reports submitted by government’s forensic labs.

Roy did not reply to the email. She told Article 14 on the phone that, “We do not take cognisance of reports from private labs. There are notified labs for our forensic examination like RFSL [Regional Forensic Science Laboratory] and CFSL [Central Forensic Science Laboratory].”

While the case against the 16 is likely to drag for years, their lawyers’ focus is on getting the activists released on bail. Wilson’s lawyers are likely to use the second Arsenal report to buttress their contention that primary electronic evidence was fabricated and that the tampering of his computer makes all electronic evidence produced from it unusable.

Electronic evidence

The case against the 16 activists centres around Elgaar Parishad, an event held on December 31, 2017, in Bhima-Koregaon, a town of roughly 9,000 inhabitants, 28 km northeast of Pune, to commemorate the 200th anniversary of the victory of a largely Dalit-staffed British army over the upper-caste Peshwa army. Violence and arson followed the event, as Dalits clashed with Hindu right-wingers irked by the celebration of a valorous Dalit past.

Soon, a Pune police investigation into the violence changed tack to a Maoist conspiracy and focussed on “urban naxals”, a term popularised around the same time by right-wing supporters and leaders to deride urban intellectuals and activists.

Police raided activists and organisers of the event and seized laptops, hard disks and other devices. According to the charge sheet, the police raided the premises of Rona Wilson and advocate Surendra Gadling because of their alleged communication with Sudhir Dhawale, one of the main organisers of Bhima Koregaon event.

The chargesheet on why Ronal Wilson and why Surendra Gadling were arrested.

The files found on Wilson’s computer were among the evidence submitted against him, lawyer-activist Sudha Bharadwaj, poet Rao and others.

A note on the electronic evidence.

After the NIA took over the probe from the state police in January 2020, soon after the state saw a change in administration from a Bharatiya Janata Party-led government to the Maha Vikas Aghadi currently in power, they filed an additional charge sheet, naming Jesuit priest Stan Swany, Hanybabu Tarayil, a professor of linguistics at the Department of English at Delhi University, Anand Teltumbde, a professor of the Goa Institute of Management and journalist Gautam Navlakha.

They were accused of conspiring with a banned Maoist group against the Indian government and face charges under the Unlawful Activities (Prevention) Act, 1967, an anti-terrorism law that overwhelmingly puts the onus of proving innocence on the accused.

Hacker’s handiwork

Arsenal found instances where the hacker renamed files and, in one case, even made a mistake that was later corrected.

Arsenal’s president Mark Spencer explained to Article 14 the significance of the new report: “The process tree involving “mohila meeting jan.pdf” is the most compelling finding in Report II. While there are many “smoking guns” related to the attacker’s activity in Reports I and II, this process tree is one of the most significant”.

The mohila meeting file that Spencer referred to contains the minutes of a purported mohila (women’s) meeting on January 2, 2018. It lists other co-accused activists – Bharadwaj, Shoma Sen and others – as members of MOs or mass organisations.

The process tree that Spencer referred to tracks how and when the attacker hacked and planted files on a victim’s computer. The report said these 22 files were planted using NetWire, malicious software that opens the door to the device for hackers.

The hacker then remotely changed, added or deleted contents and viewed computer activity. The second report detailed how this remote-access electronic Trojan horse was used to deliver multiple files to Wilson’s laptop, in addition to those mentioned in the first report, later used by investigators to incriminate him and others.

Trojan horse

The process tree for the “mohila meeting document” showed NetWire being launched automatically on January 11, 2018, 11 days after the Bhima-Koregaon violence, at 5.04 pm after a login.

The attacker opened a command prompt and unpacked three files between 5.10 pm and 5.12 pm – one of which contained “mohila meeting jan.pdf”. These files were then unpacked into a hidden folder using a temporarily deployed UnRAR, a file archiver like WinZip, renamed to “Adobe.exe”.

The report explained how the attacker erred while writing the command to plant a file, and subsequently corrected it.

“It is rare to see an attacker make mistakes, so any mistake is very interesting to us,” said Spencer.

Arsenal offered many bits of what it claimed to be “irrefutable evidence of NetWire running on Rona Wilson’s computer”, including the screen grab below.

Netwire communications within PCAP extracted from Rona Wilson’s active Windows hibernation.

“It shows NetWire’s communication with the attacker’s command-and-control server that we recovered from the active Windows hibernation on Rona Wilson’s computer,” said Spencer. “The hibernation occurred on January 14, 2018. The IP address is associated with one of the hostnames that we already released in Report I, but now people can see an example of how we know so many details”.

Besides laptops, files in hard disks and pen drives too, were helpful in tightening the screws on Wilson and others. The attacker ensured that files were automatically transferred from Wilson’s computer to the external hard drive when hooked up.

“Please keep in mind that ultimately you do not need to take our word for anything we have shared in Reports I or II, as our findings can be replicated by competent digital forensics practitioners with access to the same electronic evidence,” said Spencer.

“The process tree has effectively caught the attacker red-handed,” said Spencer. “It very clearly demonstrates how the attacker delivered incriminating files to Rona Wilson’s computer.”

“It’s the kind of finding that should make technical people lean back in their chairs and say, whoa,” said Spencer, who has examined computers related to the 2013 bombing of the Boston Marathon and a Turkish journalist falsely framed for terrorism in 2014.

‘Not authenticated’

The NIA, in a special court, in response to a bail plea moved by Anand Teltumbde’s lawyers based on the first report by Arsenal said that the findings cannot be relied upon since it is “not authenticated”. Several charge sheets filed by the state police and NIA running into hundreds of pages hinge on the evidence recovered from the electronic devices of Wilson and others, the credibility of which has now been debunked by the independent forensic expert.

In a statement on February 10, the NIA had indirectly discredited Arsenal’s first report.

“The forensics reports that are cited in the charge sheet filed in the court are from an accredited lab, accepted by the Indian courts,” NIA spokesperson Roy said. “In this case, it was done by the Regional Forensic Science Laboratory in Pune. According to their report no such malware was found,”“Rest all (sic) is distortion of facts.

We reviewed the documents submitted by the prosecution in the court. They show the investigating officer in the case did ask the government forensic lab on October 13, 2018 to state that the electronic devices of the accused were not tampered with. The government lab made no comment. The prosecution then stated that more forensic reports were awaited, noting in a NIA report, part of the chargesheet, “certain FSL (Forensic Science Laboratory) reports are yet to be received.”

Asked for comment by Article 14, NIA spokesperson Roy said: “NIA has already filed chargesheet in the case and the case is currently sub judice. I would not be commenting on any of the court matters.” Article 14 had raised a specific query about the fact that Regional Forensic Science Laboratory did not respond to questions of evidence tampering on record.

The police initially and the NIA later, in their submissions, contended they have more than electronic evidence against the accused. Human rights activists and lawyers alleged the government has concocted evidence to target activists it perceives to be against its ideology.

“The modus operandi appears to have been set in motion post 2014, to target and trap human rights defenders in such a way that they would remain incarcerated for a long time,” said senior advocate Mihir Desai, Wilson’s lawyer.

“One of the electronic documents that the authorities presented as evidence is called ‘Strategy and Tactics of Indian Revolution’,” he said. “It is not a secret document. It’s available in the public domain.” A Google search threw up the document.

‘Irritant’ Songs,

To bolster its case against the 16, besides electronic records, eye-witness accounts, the Pune Police also cited the performance of “irritant” songs at the Elgar Parishad, the dissemination of “misleading history” and an attempt to “spread Maoist ideology” among “backward community”. These purported pieces of evidence in the chargesheet continue to be used by the NIA against the 16 accused in the court.

All these activities are equated with sedition and an attempt to destabilise India.

“Irritant to whom?” asked Desai, responding to the reference of songs of protests that were sung at the event and cited in the chargesheet as evidence of a conspiracy.

“Protest and anti-caste songs are a tradition in Maharashtra. Annabhau Sathe, Shahir Amar Shaikh, D N Gavankar and balladeers like Vilas Ghogre and Sambhaji Bhagat are a part of cultural milieu of the state,” he said, referring to a pantheon of social reformers and revolutionary poets.

The case files against the 16 accused listed performances of Kabir Kala Manch – one of the cultural outfits that was part of the Elgar Parishad – as attempts to “create hatred against the government” in the minds of people.

The chargesheet lists the lyrics of a song the group allegedly performed as an example:

Jab zulm ho to baghawat honi chahiye shahar men, agar baghawat na ho to, behtar ho ke, yeh raat dhalne se pahle shahar jal kar raakh ho jaye.”

(When there is oppression, rebellion should break out in city;if there is none, it’s better the city burn to ashes before dawn.)

The charge sheet says documents show the 16 accused people, including Wilson, had concluded that Dalits had turned against BJP and Rashtriya Swayamsevak Sangh because they perceived the two to be Brahmin-centric. The charge-sheet extrapolated this to conclude that the accused were going to use this Dalit assertion against BJP and RSS to create “chaos”.

The authorities took a further leap of faith based on this supposed evidence to claim that the 16 activists, poets and academicians were therefore working against the integrity and sovereignty of the country.

The specific paragraph from the police charge sheet noted: “From the seized correspondence it is found mentioned that the backward class thinking has now gone against the Brahmin-centred agenda of BJP and RSS. It is their attempt that this type of unrest in their minds is to be used as capital they should be organised at large scale and taking its advantage chaotic situation is created at large scale.”

Shreegireesh Jalihal is a member of The Reporters’ Collective, a journalism collaborative that publishes in multiple languages and media.

This report first appeared on Article-14.com, a project that tracks misuse of the law and the hope it offers





Original Source link




Leave a Reply

Your email address will not be published. Required fields are marked *

+ fourteen = twenty