On 17 April 2018, the Pune Police raided the Delhi home of Rona Wilson, a noted prison-rights activist, and arrested him for his alleged role in the violence at the Bhima Koregaon memorial in January that year. A few months later, the police claimed that it had found a letter on the hard disk of Wilson’s computer that contained details of a “naxal” plot to assassinate Prime Minister Narendra Modi and “overthrow the government.” The Caravan conducted a cyber-forensic examination of the contents of Wilson’s hard disk, using a copy of the disk that was presented in court by the Pune Police and supplied to all the accused. Our investigation revealed that the disk contained malware that can be used to remotely access the computer and plant files. We also found several other discrepancies, pointing towards manipulation of evidence in the case.
The Pune Police used letters it found on the disk, as well as on a hard disk seized from the human-rights lawyer Surendra Gadling, who was arrested in June, as its primary evidence in the charge sheet it filed in the Bhima Koregaon case. It has arrested nine prominent activists and scholars so far, including Wilson and Gadling, who are alleged to have either written these letters or been mentioned in them. On 14 December 2019, we reported several discrepancies found during a similar examination of Gadling’s disk, which also indicated that the letters could have been planted. While in Wilson’s case the police provided the court with a true clone of his hard disk, in Gadling’s case it submitted only the incriminating files found on his disk. Until the police provides a clone of Gadling’s hard disk, it is impossible to tell whether it had also been compromised by malware.
While examining the contents of Wilson’s disk, we found an executable file infected with Win32:Trojan-Gen, malware that can steal information such as usernames and passwords and, more importantly, allow remote access to the computer, which can then be used to plant files on the system. The executable file, we found, launches itself as soon as the computer is switched on, leaving no room to doubt that the malware was functioning on Wilson’s computer before the Pune Police seized it. There are several ways the malware can be planted, including when a recipient clicks on malicious links sent through emails or instant messages.
In December last year, The Wire reported that several lawyers and activists involved with the Bhima Koregaon case—including the Dalit-rights activist Degree Prasad Chouhan and the human-rights lawyer Nihalsing Rathod—had received such emails and messages, containing malware that can be used to spy on their computers. The report stated that Amnesty Tech, the human-rights group Amnesty International’s digital-security team, had analysed the emails and found that the malware was sent through a link that the recipient had to open. “These emails were specifically crafted to bait journalists or activists,” the report said. For instance, on 6 October, Rathod received an email from one Muskaan Sinha. The email’s subject was “Case No 1621/ 18 SUMMONS IN ARSON CASE JAGDALPUR.” According to The Wire’s report, Amnesty Tech noted, “Once the malware is installed on your device, the attacker has full visibility and control of your computer: access to all your files, your camera, it can take screenshots, and record everything you type on your keyboard.”
Other cyber-forensic checks by The Caravan on Wilson’s disk also revealed serious anomalies. An important indicator to establish the integrity of an internal hard disk is ShellBag information, which is automatically recorded by a computer and tracks any action performed while visiting a folder in Windows Explorer. This information could have been used to see when Wilson accessed the folder with the incriminating files relied on by the Pune Police, and how frequently it was visited. This information had been deleted from the disk. It is unlikely that Wilson would have deleted this information himself, given that he did not delete the files that incriminate him. The missing information would have helped ascertain when Wilson might have visited the folders with incriminating files, and thus helped confirm whether the files were created by Wilson himself, or planted by an external party.