Planting of files on Bhima Koregaon accused Surendra Gadling’s system follows the same pattern as on Rona Wilson’s system, new forensic report finds
The already weakened case against the 16 accused in the Bhima Koregaon case was dealt a final blow by a third digital forensic report released earlier this afternoon by NDTV and the Washington Post. The report by Arsenal Consulting, an internationally reputed digital forensics firm, establishes that 14 key files cited in the charge-sheets against Bhima Koregaon defendant Surendra Gadling were planted on his hard drive by an attacker using the NetWire malware infrastructure. This third report follows two earlier reports, published in February and April 2021, in which Arsenal Consulting examined the hard drive of Gadling’s co-defendant Rona Wilson. Reports I and II found that 34 key files used as evidence in the charge-sheets had been fabricated or planted. This new report finds the exact same malware infrastructure (a customized NetWire Remote Access Trojan) on Gadling’s hard drive, and identifies the attacker as common to both Wilson and Gadling. These findings point to an organized conspiracy of evidence tampering and planting in the Bhima Koregaon case[1]. The extent of the attack renders the Bhima Koregaon case hollow and opens new questions about the state’s prosecution of, and participation in, the conspiracy.
The services of Arsenal Consulting were sought by the defense lawyers because of Arsenal’s forensic expertise, including in the Boston Marathon bombing case, the United States v. Mehanna and United States v. Tsarnaev cases, and the Turkish Odatv case.
In its latest report, Arsenal has called the planting of evidence on Gadling’s computer “one of the most serious cases involving evidence tampering that Arsenal has ever encountered, based on various metrics which include the vast timespan between the delivery of the first and last incriminating documents on multiple defendants’ computers.” In addition to showing the planting of 14 files on Gadling’s computer between February 29, 2016, when the computer was first infected via an email sent to Gadling, and November 2, 2017, when the attacker lost access to Gadling’s computer because of a Windows reinstallation, the report also documents extensive surveillance of Mr. Gadling’s computer, with over 30,000 files being copied from his devices to the attacker’s command and control (C2) server.
With the publication of Report III, the total number of files documented as having been planted on defendants’ hard drives now stands at 48. These 48 files represent the most significant portion of the alleged evidence that the prosecution has brought forward in its charge-sheets. Report III also stands as a stellar example of high-quality digital forensic work that establishes a clear case of highly organized evidence tampering and fabrication. The report documents in detail the full transcript of the attacker’s work across multiple computers on July 22, 2017, when the attacker first moved a set of files from their command and control server to Rona Wilson’s hard drive and, 15 minutes later, using the same malware infrastructure, moved another set of files to Gadling’s computer. Moreover, the attacker appeared to realize that one of the files was common to the sets planted on the two computers, because three minutes after disconnecting from Gadling’s computer, they went back to Wilson’s computer to delete the common file. Such detailed and precise forensic work leaves no room for any doubt about the fabrication and planting of evidence in this case.
Leading up to the publication of Report III by Arsenal Consulting, several world-renowned cybersecurity organisations and experts have attested to the veracity of Arsenal’s forensic work on this case. The Washington Post asked three experts on malware and digital forensics in North America to review Arsenal’s initial report, all of whom said its findings were valid. Kevin Ripa, president of the Grayson Group of Companies and an expert in digital forensics, stated that Arsenal’s “step-by-step” explanation of the document delivery is very clear and that experts in the field “would draw all the same conclusions” based on that data. John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto, said that Arsenal had produced a “serious and credible” analysis documenting how the laptop was infected with malware, and that its report raises “urgent questions about the reliability of evidence from that computer in a prosecution.”[2]
After examining Arsenal’s digital forensic work, Professor Sandeep Shukla, Head of Forensics at IIT Kanpur, stated: “Other claims such as the possibility of the cloned hard drive being tampered with during transportation are reflective of a complete failure to understand the technical strength of good forensic analysis.” Similarly, Professor Jedidiah Crandall, a leading forensics expert at Arizona State University, noted that Arsenal’s work “conclusively establishes that the malware was used for incriminating document delivery and there is no room for interpretation or doubt about this.” With an international community of digital forensic experts backing Arsenal’s methodology and findings, there is no doubt left that the Bhima Koregaon case is constructed on fabricated evidence. Such a conclusion questions the very maintainability of the case and requires that a special investigation be ordered into how such illegal conduct and miscarriage of justice came to be.
Crucial questions now must be answered by the Pune police and the NIA. These include:
- Who planted the files?
- How did the police or the regional forensic lab locate hidden folders and files planted through the use of malware, while at the same time claiming that they did not detect any malware on the said devices?
- Why are the NIA or police not interested in investigating this planting of evidence?
- With three reports published that establish beyond doubt that the incriminating evidence was planted by a hacker, is the case any longer maintainable?
Two writ petitions filed by co-defendants Rona Wilson and Shoma Sen, which set out the planting of incriminating files on the defendants’ hard drives and seek the quashing of the case, are currently being heard by the Bombay High Court. While the Bombay High Court proceeds on the writ petitions, Arsenal Consulting continues its investigation to provide further digital forensic support to the defense team.
The third digital forensic report from Arsenal Consulting comes at a moment of great tragedy, as Father Stan Swamy, one of the co-accused in the Bhima Koregaon case, passed away yesterday (July 5) while in custody in what is proving to be a fabricated case. That Father Stan, an 84-year-old lifelong Jesuit social worker, should have spent even a single day in prison is itself tragic, but the fact that he passed away while in custody forces us to recognize that justice delayed is indeed justice denied.
Mumbai Rises to Save Democracy is a coalition of more than 40 civil society organisations, NGOs, grassroots organisations, activists and individuals who came together in the aftermath of the arrests of human rights activists, writers, poets and academicians made in the Bhima Koregaon/Elgar Parishad case. Contact (email): [email protected]
[1] In testimony at a US Congressional Briefing on April 22, Mark Spencer, head of Arsenal Consulting, described the uniqueness of this attack as follows: “the attacker’s efficiency was also somewhat unique here: the number of scripts that were in use to automate certain functions; the ways in which various campaigns are organized; they were well-organized. And there was a sense of determination in them that when the attacks failed, that wasn’t the end of it. The attacks would continue until a compromise was successful, and in some cases a single victim would be targeted by many versions of Netwire over time.”
[2] The experts also noted that the attack on Wilson’s computer is one piece of a larger malware campaign. Last year, Amnesty International revealed that nine people seeking to help the activists accused in the case were also targeted with emails containing malicious links that deployed NetWire. The fact that the same domain names and IP addresses appear both in the Arsenal and Amnesty reports is “not a coincidence,” said Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike, one of the experts who reviewed the report at The Post’s request.