Forensics Controversy in Bhima Koregaon

It was clear from the beginning that Bhima Koregaon was a high-level international conspiracy, much like the present Twitter campaign. It was not surprising that the activists who faced criminal charges would have the resources to invoke international support. One such support has now come from a forensic report given out by a US firm and promptly propagated by the “Washington Post”, which was also in the forefront of the Information War unleashed by Twitter on India.

According to a report put out by a firm called “Arsenal Forensics”, now being widely discussed in the media, key evidence against the activists was planted using malware.

Rona Wilson, one of the accused, has claimed that the incriminating documents found in his laptop could have been inserted by the investigating agencies and that his laptop remained compromised for over 22 months without his knowledge.

The accused claims that 10 incriminating Word documents were inserted into his laptop through malware named “Netwire”. The virus itself could have been inserted by a phishing mail sent from the compromised email account of his contact Mr Varavara Rao. It is important to note that Varavara Rao is also a co-accused in this case, and hence the defense is producing evidence from another co-accused source.

It is indicated that the forensic agency has found the presence of “Netwire” in the forensic image of the laptop storage device and has also claimed that the version of Word was dated later than the date of creation of the document.

At this time we are not aware whether the original hard disk was cloned using the standard process and whether the observation of the forensics firm was based on a properly cloned hard disc.

It is also not clear whether the original hard disc can be checked once again by an independent forensic investigator to confirm whether Netwire was present in the laptop prior to the date on which the incriminating documents were first created on the subject laptop.

It is also possible that the incriminating documents might have been found on Rona Wilson’s computer and may also be present on Varavara Rao’s computer, or they could have been wiped from Varavara Rao’s computer. A forensic investigation of Varavara Rao’s computer, showing that there was no such document there and that there was a phishing attempt from his computer (some evidence of this needs to be traced on Varavara Rao’s computer), also needs to be presented by Rona Wilson.

It must be understood that the party challenging the evidence needs to produce irrefutable proof that the evidence has been tampered with. Otherwise the accused, in partnership with other co-accused, can level any charge against the investigating agencies to create confusion.

Indian Courts have not always been clear about understanding digital evidence and appreciating the possibility that there is always a set of Anti-Forensics groups which consist of all the criminal elements who are the backbone of the Deep Web and make money out of their crimes. They are technically well informed and have access to all sorts of tools. For a team of Urban Naxalites like the Bhima Koregaon accused to take the assistance of such elements comes naturally.

The Court should therefore be careful in giving any credibility to such evidence. Even if the Washington Post or Rihanna or Greta Thunberg supports such counter views, there is a need to view them with suspicion. The onus of proving it is entirely on the accused, and mere prima facie evidence, which itself could be planted evidence, cannot be considered good enough to acquit the accused.

The questions which the Arsenal team has to answer publicly are:

a) What verification have they done to ensure that the evidence disc with the Court and the analyzed disc are exact bit-for-bit replicas?

b) What is the justification for the malware being present for 22 months, from 2016 to 2018, and going undetected?

c) What anti-virus software was used by Mr Rona Wilson, and is there evidence that the virus “Netwire” is undetectable?

d) Was Rona Wilson negligent, deliberately or otherwise, in not cleaning his laptop with an appropriate anti-virus installation?

e) Was Varavara Rao’s computer also simultaneously examined to see if there was any virus which was used to plant Netwire into Rona Wilson’s computer?

f) Is it possible that Rona Wilson himself implanted a newer version of the documents to vitiate the evidence?

g) What are the relevant dates … creation of the incriminating documents, the original device on which they were created, the original author, the original software, the date of their entry into Rona Wilson’s computer, the date of detection of “Netwire”, etc.
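As an added illustration (not part of the original post, and not Arsenal's method), the two checks behind questions (a) and (g) written out in code: a hash comparison for bit-exact image verification, and a consistency check of document creation dates against the malware's first-seen date and the release date of the application version recorded in the document metadata. All hashes, application names, release dates and document dates below are constructed placeholders, not facts from the case.

```python
import hashlib
from datetime import date

# Constructed sample: a forensic image is represented here by raw bytes;
# a real image file would be hashed the same way, streamed in chunks.
IMAGE_BYTES = b"constructed-disk-image-contents"
RECORDED_SHA256 = hashlib.sha256(IMAGE_BYTES).hexdigest()  # logged at acquisition

def verify_image(image_bytes: bytes, recorded_sha256: str) -> bool:
    """Bit-exact check for question (a): the analysed copy must hash to
    the value recorded when the original evidence disc was imaged."""
    return hashlib.sha256(image_bytes).hexdigest() == recorded_sha256

# Constructed release dates for hypothetical application versions
# (placeholder names, not real product release dates).
APP_RELEASE = {"WordProc 2010": date(2010, 6, 1), "WordProc 2013": date(2013, 1, 1)}

def timeline_findings(docs, malware_first_seen, app_release=APP_RELEASE):
    """Timeline check for question (g): for each document record, report
    whether the malware was already present at the file's creation date,
    and whether the application version named in its metadata existed at
    that date. Returns a list of (document name, finding) tuples."""
    findings = []
    for d in docs:
        if d["created"] < malware_first_seen:
            findings.append((d["name"], "created before malware first seen"))
        else:
            findings.append((d["name"], "created after malware first seen"))
        released = app_release.get(d["app_version"])
        if released is None:
            findings.append((d["name"], "unknown application version"))
        elif released > d["created"]:
            # Metadata claims a version that did not yet exist: inconsistent.
            findings.append((d["name"], "application version postdates creation date"))
    return findings

# Constructed document metadata; every date is a placeholder.
SAMPLE_DOCS = [
    {"name": "doc1.docx", "created": date(2016, 3, 1), "app_version": "WordProc 2010"},
    {"name": "doc2.docx", "created": date(2017, 9, 1), "app_version": "WordProc 2013"},
    {"name": "doc3.docx", "created": date(2012, 1, 1), "app_version": "WordProc 2013"},
]
MALWARE_FIRST_SEEN = date(2016, 6, 1)  # constructed placeholder

if __name__ == "__main__":
    print("image verified:", verify_image(IMAGE_BYTES, RECORDED_SHA256))
    for name, finding in timeline_findings(SAMPLE_DOCS, MALWARE_FIRST_SEEN):
        print(name, "-", finding)
```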

It is possible that this is a new “Information War” that the Bhima Koregaon team has unleashed. The Court has to now act responsibly to ensure that this is not used as an excuse by the accused to avoid being punished for an anti-national activity.

One option available to the Court is to call a “Digital Evidence Examiner” to examine the forensic report submitted by Arsenal, allow for cross-examination of Arsenal, and, if there is insufficient evidence to accept Arsenal’s counter evidence, reject it as “Unreliable”. All this will inevitably delay the trial, and perhaps it is the price we have to pay for having a fair trial even for the enemies of the nation.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

1 Response to Forensics Controversy in Bhima Koregaon

  1. This raises some more questions:
    1. What is the role and interest of Americans in this – the American Bar Association, Arsenal and more people in between?
    2. Who are the people who have involved the ABA and Arsenal?
    3. What is Arsenal’s credibility, and how to establish their independence and unbiasedness, given the left-leaning of many Americans?
    4. Whether Arsenal tampered with evidence?
    5. Who spent the money on this and why?
    6. Why has Rona Wilson not used any anti-malware, which should have detected Netwire?
    7. Was the hard-disk image/copy officially given?
    8. Will Arsenal testify under Indian law and be open to cross-examination at the court?
    9. Can the same forensic exercise be repeated with another image of the original hard-disk in CFSL?
    10. If it is proved that Arsenal or someone played dirty games, will Arsenal’s owners be open to prosecution in India?
