Mumbai: A key accused in the Bhima Koregaon case has moved the Bombay High Court after a US firm revealed that a hacker had planted incriminating evidence on his computer.

A report by Arsenal Consulting, a digital forensics firm from Chelsea, US, has debunked the electronic evidence gathered by India’s National Investigation Agency to arrest Rona Wilson and 15 others in the Bhima Koregaon violence case.

Among the arrested is 83-year-old Jesuit Father Stan Swamy, who has been working among tribal communities in the eastern Indian state of Jharkhand.

They were arrested for their alleged ties with Maoists and for inciting riots during a celebratory gathering organized to mark 200 years of the Koregaon-Bhima battle. On January 1, 2018, the violence at Bhima Koregaon village in Pune district left one dead and injured several others, including 10 policemen. Violence erupted after some people, reportedly with saffron flags, pelted stones at cars heading towards the village for the commemoration of 200 years of the Bhima-Koregaon war on New Year’s Day.

The US digital forensics firm, which analyzed an electronic copy of Wilson’s laptop, concluded that an attacker used malware to infiltrate the laptop and planted documents on it.

According to a report by the Washington Post, Arsenal Consulting found that the letter — along with at least nine others — had been planted in a hidden folder on Wilson’s computer by an unidentified attacker who used NetWire, a malware, to control and spy on the laptop.

According to Arsenal Consulting’s findings, Wilson received emails that appeared to be from a fellow activist, urging him to click on a link to download an innocuous statement from a civil liberties group. But this link actually deployed NetWire, malicious software that allowed a hacker to access Wilson’s computer.

The report shows how the attacker retained access to Wilson’s computer for over 22 months, starting June 13, 2016, and used a remote access facility to plant the incriminating letters while conducting surveillance on his activities, without Wilson getting a hint of it.

Arsenal found that the malware logged Wilson’s keystrokes, passwords and browsing activity. The attacker created the hidden folder to which at least 10 incriminating letters were delivered, and then tried to conceal those steps. Arsenal discovered that the letters were created using a newer version of Microsoft Word that did not exist on Wilson’s computer. Moreover, Arsenal found no evidence that the documents or the hidden folder were ever opened.

The NIA arrested Wilson based on a letter he allegedly wrote to a Maoist group leader, discussing the need for guns and ammunition, and asking the group to assassinate Prime Minister Narendra Modi.

Wilson on February 10 urged the court to order an inquiry by a Special Investigation Team (SIT) into the possible planting of evidence on his laptop. The 42-year-old activist has sought the quashing of the First Information Report and chargesheet against him.

Arsenal Consulting’s report demonstrates that Wilson’s computer was compromised through a mail sent to his email account, which carried an attachment in the form of a document (“another victory.rar”). Since it appeared to be innocuous, Wilson tried to open it but did not succeed. But because he had clicked on the attachment, it helped the attacker install the malware on his laptop. The report states that the attachment was enveloped in a decoy file, namely “another victory.rar,” and that clicking it resulted in a chain of events that led to the installation of the malware on his device.

The report also explains that the hacker created a folder named “kbackup” on November 3, 2016, at 00:10:07, which was then renamed “Rbackup” and set to hidden mode. The folder was last modified on April 16, 2018, at 16:50:41, that is, a day prior to the raid, search and seizure at Wilson’s residence on April 17, 2018, weeks before he was arrested on June 6, 2018.

It was in this way that incriminating documents were planted and certain genuine documents were also copied into the folder, the report says.

It is clear that the hacker used the “Windows volume” on Wilson’s computer as a “staging area to synchronize data with the computer and the external memory equipment/pen drives,” and stored it in the “System Volume Information folder” of such memory. Although pen drives/thumb drives are not kept connected to the computer, whenever they are connected, material gets synchronized due to the malware, the report says.

Wilson’s writ petition alleges that though it was necessary for the prosecution to provide a clone copy of the hard disc seized from him and his co-accused along with the chargesheet itself, this was purposefully avoided. Instead, the Investigating Officer submitted one disc in which he had stored selected incriminating data and termed it the “Annexure Hard Disc,” the petition says.

(With input from thehindu.com)