In its second report, Massachusetts-based digital forensics firm Arsenal Consulting found that malicious software used by an attacker had planted an additional set of files on prison-rights activist Rona Wilson’s computer. The firm said that there was no evidence that Wilson interacted with these files and documents, which are cited by the National Investigation Agency (NIA) in its charge-sheet against Wilson and others in the Bhima-Koregaon case.
The Washington Post and The Reporter’s Collective were the first to report on the findings of Arsenal Consulting. The second report by the forensics firm was submitted to the special NIA court on March 27, 2021. WaPo published a copy of the report, while the Reporter’s Collective published articles in 11 languages across multiple platforms.
In its first report submitted to the NIA court, Arsenal found that Wilson’s computer was compromised for 22 months prior to his arrest on April 17, 2018. The report said that the attacker had planted 10 incriminating letters, on the basis of which the NIA has charged Wilson and 15 other human-rights activists, including Sudha Bharadwaj, Varavara Rao, Arun Ferreira and Vernon Gonsalves, with conspiring against the state. The NIA has also charged the activists with instigating violence three years ago during the Elgar Parishad convention, which was celebrating the 200th anniversary of the Battle of Bhima Koregaon.
Arsenal’s first report was covered by the Washington Post, and confirmed an earlier report by The Caravan magazine in March 2019. An investigation by The Caravan found that malware on Wilson’s computer had delivered the incriminating documents detailing a plot to overthrow the government. In its second report, Arsenal said that Wilson did not interact with the additional files cited by the NIA as evidence in the case.
“Arsenal has found no evidence which would suggest that any of the additional files of interest were ever interacted with in any legitimate way on Mr. Wilson’s computer, and can confirm that 22 of the 24 files were delivered to a hidden folder on Mr. Wilson’s computer by NetWire and not by other means”—Arsenal Consulting
Second report findings
- The forensics firm identified the source of 24 additional files found on Wilson’s computer
- Arsenal analysed whether Wilson consciously interacted with these 24 files while using the computer, or whether the files were simply dumped there and hidden from Wilson’s view or knowledge
- 22 of the 24 files were delivered by the attacker to a hidden folder on Wilson’s computer through a NetWire trojan and not by any other means, the report said
- Between December 2017 and March 2018, the attacker used the NetWire trojan to dump files with names like: accounts, comrades, mohila meeting, letter, ltr from prakash, letter to GN, letter to G etc.
- The attacker also renamed files and even made a mistake in one case, and went on to correct it, Arsenal found
- The attacker remotely changed, added or deleted content and viewed Wilson’s computer activity, the report said
Arsenal analysed application execution data recovered from Wilson’s computer and created a “process tree”.
“Each process tree contains events (application executions and sometimes file creations) which rely on each other (as can be seen from process and parent process IDs, and even more uniquely from process descriptors) and flow in an orderly fashion from the first to the last. These process trees provide unique and very granular insight into particular events that have occurred on Mr. Wilson’s computer over time”—
One file, called mohila meeting and purportedly referring to a meeting on January 2, 2018, contained a list of Maoist party members, names of some Jawaharlal Nehru University ex-student leaders, and names of organisations, the report said. Using the process tree method, Arsenal found:
- The NetWire trojan was launched automatically on January 11, 2018 at 11:34 am, 11 days after the Bhima-Koregaon violence.
- A script called “MTSMBlaze_v2.1.vbs” was placed in the computer’s startup folder. This ensured that the NetWire trojan stayed active across all Windows shutdowns and restarts, the report said
- The computer then opened a command prompt and dumped three files between 11:40 and 11:42 am, one of which contained “mohila meeting jan.pdf”, Arsenal said
- These files were then unpacked to a hidden folder using UnRAR, an archive utility similar to WinZip, and the attacker renamed the folder “Adobe.exe”
- But the attacker made a mistake while doing this task and corrected it, an error that Arsenal says is irrefutable evidence of the use of the NetWire trojan on Wilson’s computer
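The process tree method described above, as an added illustration that is not Arsenal’s tooling or data: constructed execution records (pid, parent pid, timestamp, image) and file-creation records, mirroring the shape of the chain the report describes, are linked by process and parent process IDs so that a file found in a hidden folder can be traced back to the chain that wrote it, and that chain’s timestamps can be checked for the orderly flow Arsenal mentions. All PIDs, paths and timestamps are invented.

```python
# Constructed records in the shape the report describes: (pid, ppid, timestamp,
# image) for executions and (pid, timestamp, path) for file creations. Not real evidence.
EXECUTIONS = [
    (400, 1, "2018-01-11T11:34:00", r"C:\Windows\explorer.exe"),
    (412, 400, "2018-01-11T11:34:05", r"C:\Windows\System32\wscript.exe"),
    (420, 412, "2018-01-11T11:40:00", r"C:\Windows\System32\cmd.exe"),
    (431, 420, "2018-01-11T11:41:30", r"C:\Users\rw\AppData\Roaming\Adobe.exe"),
]
FILE_CREATIONS = [
    (420, "2018-01-11T11:40:10", r"C:\Users\rw\AppData\Roaming\hidden\bundle.rar"),
    (431, "2018-01-11T11:41:45", r"C:\Users\rw\AppData\Roaming\hidden\mohila meeting jan.pdf"),
]

def build_tree(execs=EXECUTIONS, creations=FILE_CREATIONS) -> dict:
    """pid -> {ppid, ts, image, files, children}; links each execution to its parent."""
    procs = {pid: {"ppid": ppid, "ts": ts, "image": image, "files": [], "children": []}
             for pid, ppid, ts, image in execs}
    for pid, _ts, path in creations:
        if pid in procs:                       # ignore creations by unrecorded processes
            procs[pid]["files"].append(path)
    for pid, p in procs.items():
        if p["ppid"] in procs:                 # roots simply have no recorded parent
            procs[p["ppid"]]["children"].append(pid)
    return procs

def lineage(procs: dict, pid: int) -> list:
    """Image names from the root ancestor down to `pid` (oldest first)."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain[::-1]

def creator_lineage(procs: dict, path: str):
    """Process chain that created `path`, or None if no execution record claims it."""
    for pid, p in procs.items():
        if path in p["files"]:
            return lineage(procs, pid)
    return None

def is_orderly(procs: dict, pid: int) -> bool:
    """True if every execution in the chain happened no earlier than its parent."""
    while procs[pid]["ppid"] in procs:
        parent = procs[pid]["ppid"]
        if procs[pid]["ts"] < procs[parent]["ts"]:
            return False
        pid = parent
    return True
```

On real evidence the same linkage would be built from the execution artefacts and process descriptors the report refers to; a file whose creating chain cannot be tied to any user-driven root, or whose timestamps run backwards, is what an examiner would scrutinise.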
NIA does not accept Arsenal’s report
The case against the 16 activists, under the Unlawful Activities (Prevention) Act (UAPA), 1967, has been dragging on in the courts for years now. After Arsenal’s first report was submitted to the court, Wilson moved the Bombay High Court to quash the charges against him and sought the court’s direction to appoint a Special Investigation Team (SIT), consisting of experts in digital forensic analysis, to independently verify Arsenal’s findings and probe the alleged planting of documents on his computer using malware.
But the NIA has not accepted the findings by Arsenal Consulting. “The forensics reports that are cited in the charge sheet filed in the court are from an accredited lab, accepted by the Indian courts. In this case, it was done by the Regional Forensic Science Laboratory, Pune. According to their report no such malware was found. Rest all is distortion of facts,” NIA spokesperson Jaya Roy said at the time, according to ThePrint.