The NIA’s ‘No Malware Found’ Response to New Forensic Report Points to Ineptitude
Bhima Koregaon Conspiracy Case Must be Quashed in Light of Explosive Forensic Evidence
On February 10, 2021 the Bhima Koregaon defense team filed a petition in the Bombay High Court seeking the release of Rona Wilson and the quashing of all charges against him. The petition was filed in light of startling new evidence of a forensic analysis that establishes that the top 10 files used to implicate Mr. Wilson with conspiracy to assassinate the Prime Minister and several other charges were fabricated and had been planted on Mr. Wilson’s hard drive by a cyber attacker using the NetWire malware. The forensic analysis was conducted by one of the world’s leading forensic analysis firms, Boston-based Arsenal Consulting and the story was first reported by The Washington Post on February 10.
The week that has followed since the explosive announcement of a criminal conspiracy to implicate Mr. Wilson and other co-defendants in the Bhima Koregaon case has been marked by an almost complete silence from the National Investigation Agency (NIA) and the government, who have otherwise been relentlessly pursuing the case for over two years.
In a statement to The Washington Post the NIA had stated that it had found no malware on Mr. Wilson’s computer and other government spokespersons have attempted to label the forensic report as a “distortion.” Other sources and media outlets close to the government have attempted to cast aspersions on the report by suggesting that the cloned hard drive was tampered with as it was being transported from India to Boston.
Mihir Desai, senior advocate who is part of the defense team, characterized such feeble and misinformed responses as clearly indicating that the government has nothing to say now that it has become evident that the cases are based on fabricated evidence.
“In all there were five instances of NetWire malware present on Mr. Wilson’s computer. Of these, two would have been detectable by ordinary antivirus software. So, for the highest intelligence agency of the country to claim that there was no malware detected points to either a complete inability to respond in the face of compelling evidence or share incompetence,” Mr. Desai, said.
“The Arsenal report conclusively establishes that NetWire was the malware used for incriminating document delivery. There is no room for interpretation or doubt about this” said Dr. Jedadiah Crandall of Arizona State University, who is one of the technical experts who has reviewed the Arsenal report in detail. “For an administration that admits to not even finding the instances of malware that are detectable by an ordinary virus scan software, leave alone the more sophisticated and custom installations of NetWire, to call the forensic report a distortion is unfortunate,” he said. Dr. Crandall stated that the methods used by the attackers are known tactics, what was exception was the time frame of the attack.
Sagar Abraham Gonsalves, a family member of one of the Bhima Koregaon accused, said that there are a lot of rules laid down under the Evidence Act pertaining to the collection of electronic evidence which have not been followed at all. “At the time of the raid, spare phones, laptops and even CDs that were lying in the house were confiscated. My father asked for a clone copy back then, he was refused,” Sagar said highlighting that the victim’s families have been questioning the evidence since the very beginning
The forensic report not only establishes the date and time stamp of when every single one of the top 10 files were placed but is also able to further point to the fact that Mr. Wilson never interacted in any way with these files and that these files were created using versions of software that were not present on Mr. Wilson’s computer. “What this means is that the evidence has been looked at from several different anglesto prove that these files files were fabricated and planted on Mr. Wilson’s computer” said Prof Sandeep Shukla of IIT Kanpur. He added that while phishing is common, in most cases they are not targeted. However, the current case seems to suggest targeted phishing where the attackers know the social circles of the victims and use it to conduct phishing. He also stated that he had not seen a case where documents were planted as most hackers were more interested in surveillance but it was possible since such capability exists.
“Other claims such as the possibility of the cloned hard drive being tampered with during transportation are reflective of a complete failure to understand the technical strength of good forensic analysis. No forensic expert begins work without checking the hash values as supplied by the prosecution and without checking the hash values at all stages of their investigation. The cryptographic strength of hash values ensures that no claim can ever be made that the electronic evidence investigated by Arsenal is not the exact same one that the forensic lab in Pune used,” Prof. Shukla said.
Addressing the new developments in the case, Rama Ambedkar was emphatic in her demand for bail for all accused and an independent investigation. In a statement that was read out, she said, “This has gone on for too long. Arsenal has done the work that the responsible government agency should have done. We must immediately put this evidence at the center of the case and not only release all accused on bail but also institute a Special Investigation Team charged with the task of getting to the bottom of how such a conspiracy was created.”
In the petition filed before the High Court on February 10, 2021, Mr. Wilson has asked for anindependent investigation into this criminal attempt to build fake evidence against him and co-accused in the Bhima Koregaon case. In the interest or truth and justice, an investigation into who did this and why the police were not aware of it is urgently required.
This case raises pertinent questions:
– Why did the government’s forensic lab ignore evidence of hacking?
– Why did the police or NIA not verify whether these files were genuine or not?
– Will those responsible be held to account for this?
Mr. Wilson has also called on the High Court to quash the FIR against him and the other co-accused and to release them immediately in light of this shocking evidence.
The 16 individuals accused in the Bhima Koregaon case are among India’s most illustrious and committed human rights defenders with long histories of working for India’s poorest and most oppressed people: Dalits, Adivasis, minorities and women. Eight of the 16 accused are themselves Dalit-Bahujans, while four are from minority communities.
The forensic report is authored by Boston-based Mark Spencer, CEO of Arsenal Consulting, one of the foremost digital forensic analysts in the world. Mr. Spencer and his team of forensic experts have a stellar reputation of high-quality forensic work, including a similar case of fake evidence in a journalist’s computer in Turkey, who was later freed on the basis of Arsenal’s report that proved the malware attack. Arsenal’s forensic analysis of Rona Wilson’s laptop and thumb drive revealed that an attacker with extensive resources was able to attack and compromise Mr. Wilson’s computer over a period of 22 months, from June 13, 2016 to April 17, 2018. Arsenal’s report has been examined and attested by three independent experts at the request of The Washington Post which broke the story last week.
Arsenal’s report shows that the attacker planted a number of incriminating files in Mr. Wilson’s hard drive, including the 10 documents that are listed in the charge sheet of Mr. Wilson and his co-defendants. The report shows that the documents were buried in a hidden system folder so that Mr. Wilson himself would not chance upon them. The forensic analysis also shows that neither the documents, nor the folder they were hidden in, had ever been openedby the accused. In the report, Mr. Spencer characterizes the attack as “one of the most serious cases of evidence tampering” ever encountered by his team. The report presents unimpeachable evidence that the files planted on Mr. Wilson’s computer and thumb drive were a result of a deliberate and planned attack by a well-resourced agent.
In this case, Arsenal was able to identify the specific falsified email that was used to get Mr. Wilson to open a decoy document that led to the installation of a customized NetWire Remote Access Trojan (RAT) on Mr. Wilson’s hard drive. The attacker was then able to use this entry mode to both monitor Mr. Wilson’s computer and begin the process of introducing incriminating documents into his hard drive, and an associated USB drive, both of which were analyzed by Arsenal.
Apart from revealing key technical details of the delivery mechanisms used by the attacker, the report also points out an important discrepancy that proves beyond doubt that the evidence was planted by hacking into Mr. Wilson’s computer. The incriminating files were created on software versions that are more recent and newer than the one on Mr. Wilson’s computer. In other words, it establishes beyond doubt that the incriminating files were created and deposited by an attacker and not by Mr. Wilson. Cumulatively, these findings prove that Mr. Wilson had nothing at all to do with the documents on his laptop for which he has been charged and imprisoned for over two years.
The report raises very serious questions about the veracity of the Pune Police and the NIA’s own forensic investigations. How were they able to uncover the (well-hidden) incriminating documents but not uncover the evidence that the documents had been planted? At best the NIA’s inclusion of these planted files in the charge-sheets points to gross incompetence on their part or at worst lends support to the warnings issued by Google and Yahoo of cyber-attacks by state-backed actors. The NIA, the Government of Maharashtra and the Government of India must explain to the public how this could have happened and immediately release Rona Wilson and the 15 co-accused in the fabricated Bhima Koregaon case.
The Bhima Koregaon Forensic Report: FAQs answered by Prof.Crandall
- Is it possible to have a legitimate ‘electronic copy’ of a laptop? Can the cloned copy of the hard disk be tampered with? How can it be proved that the cloned copy of the hard disk was not tampered with?
Typically, the investigating agency makes an image of the digital evidence (laptop, USB drive, etc) and records a cryptographic hash, which is used to verify the identity of all the data. The image and the cryptographic hash are then shared with the legal defense team. The hash is cryptographically strong, so the only people who could modify the image in any way without detection are the investigators who originally created the image and hash. This modification can only happen before creating the image, since the hash is a digest of the image that can be easily checked and won’t allow for a single bit to be changed without changing the hash. In other words, the electronic copy of the digital evidence is legitimate, and it can easily be checked if it has been tampered with since handing over. The first page of the Arsenal report shows the MD5 hashes of the images used for analysis, which can easily be verified to match those legally provided to the defense team.
- It is also plausible that the Microsoft Word files on Rona Wilson’s computer were created in a different computer, which he then transferred. This could explain the difference in the older version on his computer and the newer version in which the files were created. How can that be explained by Arsenal’s findings? Also, what is the connection between the incriminating PDF, RTF, ORG files on the computer and the emails sent?
Everything in a modern operating system follows a structure. There are two ways to create a process for giving commands to a Microsoft Windows laptop that are relevant to this case: one is to physically use the laptop using the screen, keyboard and mouse (this is how most people interact with a Windows machine); and the other is to remotely create a process to control the machine over the Internet with a RAT (“remote access trojan;” typically, only attackers interact with computers in this way). Every session to give commands to a computer starts as a process, and whichever commands they give the system become child processes of that original process. The Windows operating system, and softwares installed on it such as antivirus or the RAT itself, keep detailed records of all processes (including both their parents and children), and the activities they carry out on the file system. Because Arsenal Consulting combined many types of records from different points in time going back for almost 2 years, they have been able to piece together what’s called a “process tree.” Their report clearly demonstrates that the file system activity in question was carried out by the RAT. The records of this operation are well structured, and how to put them together is well defined and unambiguous. The records one would expect to see, if someone created a normal process for giving commands by physically using the computer (screen, mouse, and keyboard), do not exist on the image. So, we can conclusively say from the findings that the RAT that was installed when Mr. Wilson’s computer was compromised led to the introduction of the incriminating documents onto Mr. Wilson’s computer.
- The NIA has said that the Pune regional Forensic Science Laboratory (FSL) did not find any malware. Why did the FSL, which conducted the earlier forensic analysis, not find the malware? Do the Arsenal findings mean that FSL detected the malware but failed to mention it in the report? Does Arsenal’s findings then directly contradict FSL’s findings? In conducting forensic analyses, is it possible to overlook such a prolonged hack?
Some of the records used to reveal the facts in this forensics analysis are the kind that typically only persist for shorter periods of time, so copies of those records need to be found in other places. As a matter of fact, an earlier investigation by The Caravan already highlighted the presence of malware on the digital evidence. Of the 5 NetWire malwares found by Arsenal, 2 could have been easily found by a regular virus detection software. Any claim by the FSL that they did not find malware on Wilson’s computer is either suspicious or grossly incompetent. The FSL, being a competent authority, should have found all five instances of the malware, and conducted a full analysis, as such a responsible public agency is charged with doing. The mentioned record copies can be preserved in random places all over the hard drive or any USB drives, because of the ways that volatile memory (RAM) and non-volatile memory (hard drives and USB sticks) are mixed. This is a very time-consuming process, but is necessary for a thorough analysis.
- Why is Arsenal Consulting a credible agency? Why should their report be found more competent than the regional FSL’s report?
The lead in this investigation, Mark Spencer has a strong track record that speaks to his credibility: He has more than 20 years of law-enforcement and private-sector digital forensics experience. Mark has developed and delivered digital forensics training to students from a vast array of international corporations and governments. He has led the Arsenal team on many high-profile and high-stakes cases, from allegations of intellectual-property theft and evidence spoliation to those of the support of terrorist organizations and military coup plotting. Mark has testified in cases which include United States v. Mehanna and United States v. Tsarnaev. Well-known cases that Arsenal Consulting carried out forensic investigation for includes the Sledgehammer (Balyoz) and Ergenekon in Turkey, and the Boston Marathon bombing in the United States.
From their vast experience and knowledge in this area, there is no reason to doubt the credibility of Arsenal Consulting’s investigation. Their findings have since been confirmed by various international digital forensic experts as well.
That being said, it is healthy to be skeptical about electronic evidence. In this case, Arsenal Consulting has provided a very detailed roadmap that competent digital forensics practitioners anywhere can use to confirm all of their findings. It is not difficult to check that all analyses would be working with identical evidence (Rona Wilson’s hard drive, and the attached USB stick). Moreover, Arsenal Consulting’s findings are not only accurate but replicable with access to the mentioned evidence.
- 5. Did Rona Wilson write the concerned documents?
The Arsenal Consulting report shows that:
1.The documents were placed on Mr. Wilson’s computer’s hard drive and on the USB stick by the NetWire RAT.
2. Users who physically used the computer didn’t interact with the documents, not even opening them.
3. It is irrelevant which external computer the document was authored on. What is clear from these analyses is that the documents were completely sourced from the NetWire RAT.
- How was the computer hacked?
Rona Wilson’s computer was compromised on June 13, 2016 after a series of suspicious emails sent by someone using Varavara Rao’s email account were opened. A document attached to the emails was set up as a decoy within a RAR archive file. Once the document was opened, it led to the installation of the NetWire remote access trojan (RAT) on Rona Wilson’s computer.
Hacking people’s email accounts and compromising the computers of their friends by sending emails pretending to be them is a common form of attack against NGOs, civil society targets, etc. Netwire is a popular multi-system platform remote access trojan (RAT) system which can be obtained in a variety of ways, including through a quick online purchase (https://www.worldwiredlabs.com/).
- What kind of access did the hacker have to the computer?
They had full access to the computer. They could do with it anything they wanted, as it typical of RATs.
- How were the files planted? How did Rona Wilson not know when the files were being planted?
When opening the document in the email, Rona Wilson thought he was opening a link to a Dropbox file, but he was effectively opening a link to a malicious server (command and control, “C2” server). The evidence shows that the incriminating documents were transferred into a hidden folder on the laptop through the NetWire RAT alone. RAT processes run as what is basically a “background shell”, so there will be no indication on the screen that a RAT is running or about any of its activities. The attacker took various steps to hide the files so that someone using the computer physically would not stumble upon them.
- How did Rona Wilson not know about the hack for 22 months?
The files were being added to a folder that he did not know existed and was not visible in his list of folders. The NetWire RAT was well hidden in the laptop. It was used remotely to perform surveillance, deliver files, and synchronize files on Rona Wilson’s laptop.
- What kind of resources does someone need to conduct such a hack?
The technical abilities of the attacker were not exceptional compared to other targeted attacks on NGOs and civil society, but the amount of time over which their activity was carried out (over four years) and the general level of persistence was exceptionally high. Since the evidence is of a political nature, the hacker could not have done it for their own fun or to gain access to banking or financial information. As the Arsenal report notes, “it is obvious that their primary goals were surveillance and document delivery.”