Bhima Koregaon case: Prison-rights activist Rona Wilson’s hard disk contained malware that allowed remote access

Sukruti Anah Staneley for The Caravan

On 17 April 2018, the Pune Police raided the Delhi home of Rona Wilson, a noted prison-rights activist, and arrested him for his alleged role in the violence at the Bhima Koregaon memorial in January that year. A few months later, the police claimed that it had found a letter on the hard disk of Wilson’s computer that contained details of a “naxal” plot to assassinate Prime Minister Narendra Modi and “overthrow the government.” The Caravan conducted a cyber-forensic examination of the contents of Wilson’s hard disk, a copy of the disk that was presented in court by the Pune Police and supplied to all the accused. Our investigation revealed that the disk contained malware that can be used to remotely access the computer and plant files. We also found several other discrepancies, pointing towards manipulation of evidence in the case. 

The Pune Police used letters it found on the disk, as well as on a hard disk seized from the human-rights lawyer Surendra Gadling, who was arrested in June, as its primary evidence in the charge sheet it filed in the Bhima Koregaon case. It has arrested nine prominent activists and scholars so far, including Wilson and Gadling, who are alleged to have either written these letters or been mentioned in them. On 14 December 2019, we reported several discrepancies found during a similar examination of Gadling’s disk, which also indicated that the letters could have been planted. While in the case of Wilson, the police provided the court with a true clone of his hard disk, in Gadling’s case, it only submitted the incriminating files found on his disk. Until the police provide a clone of Gadling’s hard disk, it is impossible to tell whether it, too, had been compromised by malware.

While examining the contents of Wilson’s disk, we found an executable file infected with Win32:Trojan-Gen, malware that can steal information such as usernames and passwords and, more importantly, give an attacker remote access to the computer, through which files can be planted on it. The executable file, we found, is configured to launch itself as soon as the computer is switched on, leaving no room to doubt that the malware was active on Wilson’s computer before the Pune Police seized it. There are several ways such malware can be delivered, including through malicious links sent by email or instant message that the recipient clicks on.

In December last year, The Wire reported that several lawyers and activists involved with the Bhima Koregaon case—including the Dalit-rights activist Degree Prasad Chouhan and the human-rights lawyer Nihalsing Rathod—have received such emails and messages, containing malware that can be used to spy on their computers. The report stated that Amnesty Tech, the human-rights group Amnesty International’s digital-security team, had analysed the emails and found that the malware was sent through a link that the recipient had to open. “These emails were specifically crafted to bait journalists or activists,” the report said. For instance, on 6 October, Rathod received an email from one Muskaan Sinha. The email’s subject was “Case No 1621/ 18 SUMMONS IN ARSON CASE JAGDALPUR.” According to The Wire’s report, Amnesty Tech noted, “Once the malware is installed on your device, the attacker has full visibility and control of your computer: access to all your files, your camera, it can take screenshots, and record everything you type on your keyboard.”

Other cyber-forensic checks by The Caravan on Wilson’s disk also revealed serious anomalies. An important indicator for establishing the integrity of an internal hard disk is ShellBag information, which Windows records automatically and which tracks actions performed while a folder is visited in Windows Explorer. This information could have been used to see when Wilson accessed the folder containing the incriminating files relied on by the Pune Police, and how frequently it was visited. This information had been deleted from the disk. It is unlikely that Wilson would have deleted this information himself, given that he did not delete the files that incriminate him. The missing information would have helped ascertain when Wilson might have visited the folders with the incriminating files, and thus helped confirm whether the files were created by Wilson himself or planted by an external party.

We found that many such kinds of information that could expose possible mischief by an investigative agency had been cleaned up. For instance, the Run command in a Windows system allows a user to run any program by typing its name along with the necessary arguments. The log of all Run commands entered on a particular system is stored in the Windows registry. However, this information had also been deleted. This information could be useful in tracking the usage of the computer and potentially identifying whether malicious programmes were run on it.

This information cannot get deleted on its own. It has to be done consciously by a user, and only tech-savvy and experienced users can safely remove such information. The registry, from where the Run log could be deleted, also stores other entries that affect the computer system. As a result, if any important entries get altered while deleting any information from the registry, it could compromise the system. The fact that this information has disappeared from the system indicates a possible covering of tracks.

Other useful information that has gone missing includes the recent documents opened using the search feature accessible from the Start button and the files last searched on the operating system. This information, too, would have been useful to trace Wilson’s use of his computer in order to identify when—if at all—he had searched for, and accessed, the incriminating files. Once again, given that Wilson did not delete the files that incriminate him, it would be highly illogical for him to delete only the information that could be used to exonerate him and others accused in the case.

Many of the letters found on Wilson’s disk were PDFs. Adobe Acrobat Reader, which reads PDF documents, can also be used to identify the original software in which a PDF was created. Analysing the incriminating files revealed that the letters, some of which were allegedly written by Wilson, were composed in the 2010 version of Microsoft Word. Wilson’s computer, the only one he owned, had the 2007 version of the software. The computer’s history does not indicate that the 2010 version was ever installed on it.
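The creating application is recorded in the PDF’s Info dictionary, in the /Creator and /Producer fields that Acrobat Reader displays under Document Properties. The following added example, which is not The Caravan’s tooling or code from the case file, is a small reader for those fields. The PDF it parses is constructed inline for the demonstration; the “Microsoft® Word 2010” string is an assumed sample value, and the dates are invented. The reader handles both literal and hex-encoded PDF strings but not PDFs that keep their metadata only in an XMP stream or inside compressed object streams.

```python
"""Read Creator/Producer from a PDF's Info dictionary (added example)."""
import re

# A PDF string is either "(literal with \\ escapes)" or "<hex digits>".
_PDF_STRING = rb"(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)"
_ENTRY = re.compile(rb"/(Creator|Producer|CreationDate|ModDate)\s*" + _PDF_STRING)


def _unescape(raw: bytes) -> bytes:
    """Resolve the backslash escapes allowed inside a literal PDF string."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != 0x5C:  # not a backslash: copy through
            out.append(raw[i])
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break
        c = raw[i]
        if 0x30 <= c <= 0x37:  # octal escape, up to three digits
            j = i
            while j < len(raw) and j < i + 3 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF)
            i = j
            continue
        out += {0x6E: b"\n", 0x72: b"\r", 0x74: b"\t"}.get(c, bytes([c]))
        i += 1
    return bytes(out)


def _decode_string(token: bytes) -> str:
    """Turn a PDF string token into text (UTF-16BE if it carries a BOM)."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s", b"", token[1:-1])
        if len(digits) % 2:
            digits += b"0"  # PDF rule: a missing final digit is treated as 0
        data = bytes.fromhex(digits.decode("ascii"))
    else:
        data = _unescape(token[1:-1])
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    return data.decode("latin-1")  # close approximation of PDFDocEncoding


def extract_pdf_info(pdf: bytes) -> dict:
    """Return the metadata fields of the object the trailer's /Info points at.

    Falls back to scanning the whole file when no /Info reference is found.
    """
    scope = pdf
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:
        num, gen = ref.group(1), ref.group(2)
        obj = re.search(rb"(?<![0-9])" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj",
                        pdf, re.S)
        if obj:
            scope = obj.group(1)
    return {name.decode("ascii"): _decode_string(tok) for name, tok in _ENTRY.findall(scope)}


def word_version(info: dict):
    """Return the Word release year named in Creator/Producer, or None."""
    for field in ("Creator", "Producer"):
        m = re.search(r"Word\s+(\d{4})", info.get(field, ""))
        if m:
            return m.group(1)
    return None


# Constructed sample PDF: a minimal file whose Info dictionary mimics the
# fields an office suite writes. Values are assumed, not taken from the case.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Creator (Microsoft\xae Word 2010) /Producer (Microsoft\xae Word 2010)\n"
    b"   /CreationDate (D:20180101120000Z) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    info = extract_pdf_info(SAMPLE_PDF)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("Word version:", word_version(info))
```

These fields are written by the authoring application and can be edited with any PDF library, so on their own they indicate rather than prove which software produced a file; they are strongest when read alongside the installed-software history that the article also examined.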

In our December report, we wrote that the police did not follow protocol while seizing Wilson and Gadling’s devices. The Information Technology Act, 2000 mandates that all digital evidence must be confiscated in a secure and transparent way—to rule out any possibility of evidence being tampered with. For this, the police are provided with equipment that allows cloning of electronic devices at the site of seizure. At the time of seizure, the police have to provide the accused individuals a “hash value” of the seized device. A hash value is a numeric value that uniquely identifies data, which acts as an electronic seal on digital devices. If the device is used or tampered with in any way after seizure, the hash value will change and will not match the one provided to the accused. Computing the hash value is a process that requires less than an hour, and according to a video provided to the accused, the police raided Wilson’s house from 6 am to 2.02 pm on 17 April. Yet, the police did not provide Wilson the hash values on that day. They were provided only in October, five months after the police confiscated the hard disk.
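The “electronic seal” works because a cryptographic hash of the entire disk image changes if even one byte of the image is altered. The added example below, which is not the police’s or the forensic laboratory’s procedure and not code from the original article, computes a SHA-256 hash of an image in fixed-size chunks, verifies it against the value handed to the accused, and shows on a constructed one-megabyte image that flipping a single byte yields an unrelated hash. The image contents and the offset that is modified are invented for the demonstration.

```python
"""Hash-seal a disk image and verify it later (added example)."""
import hashlib
import hmac
import io

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so multi-terabyte images fit in memory


def image_hash(stream, algorithm: str = "sha256") -> str:
    """Return the hex digest of everything readable from a binary stream."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Convenience wrapper for in-memory data."""
    return image_hash(io.BytesIO(data), algorithm)


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hash an image file on disk (e.g. a .dd or .E01 raw image)."""
    with open(path, "rb") as f:
        return image_hash(f, algorithm)


def verify_seal(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True if the image still matches the hash recorded at seizure."""
    actual = hash_bytes(data, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def tamper_demo() -> dict:
    """Seal a constructed image, alter one byte, and re-verify it."""
    # Constructed image: a repeating byte pattern standing in for disk sectors.
    image = bytearray(bytes(range(256)) * 4096)  # 1 MiB
    sealed = hash_bytes(bytes(image))            # value given to the accused

    offset = 512 * 1024                           # arbitrary sector in the middle
    image[offset] ^= 0x01                         # flip one bit: a "planted" change
    tampered = hash_bytes(bytes(image))

    return {
        "sealed": sealed,
        "tampered": tampered,
        "verified_before": verify_seal(bytes(bytes(range(256)) * 4096), sealed),
        "verified_after": verify_seal(bytes(image), sealed),
    }


if __name__ == "__main__":
    result = tamper_demo()
    print("hash at seizure :", result["sealed"])
    print("hash after edit :", result["tampered"])
    print("verifies before :", result["verified_before"])
    print("verifies after  :", result["verified_after"])
```

In practice the hash is taken from the original device through a write blocker, and the same value must be reproduced from the clone handed to the defence; a seal that is only computed months later, as the article describes, cannot show what the disk looked like on the day of seizure.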

The hash value was disclosed in a report on the disk by the Regional Forensic Science Laboratory, Pune. The report did not mention the malware discovered by The Caravan, nor did it mention the deleted information, which, once again, could indicate a covering of tracks. The Caravan sent questions to top officials of the Pune Police and the Regional Forensic Science Laboratory, but has not received a response.

At the time of the Bhima Koregaon arrests, the Bharatiya Janata Party held power in Maharashtra and at the centre. Many activists and politicians alleged that the BJP governments had framed these activists to shield the Hindutva leaders Milind Ekbote and Sambhaji Bhide, who had both been named in cases registered after the January 2018 violence. Ekbote and Bhide, both powerful leaders in Maharashtra, were accused of sending mobs to attack the attendees of the Bhima Koregaon memorial event, which attracts large Dalit crowds on 1 January every year.

In October 2019, Maharashtra held assembly elections in which no party could emerge as a clear winner. After multiple efforts by the BJP to form a government failed, the party was ultimately dislodged from power in the state, and a new coalition of the Shiv Sena, the Nationalist Congress Party and the Congress came to power. As a result, the BJP lost control of the Pune Police. On 21 December, six days after The Caravan published the report on the possible tampering with Gadling’s disk, the NCP chief, Sharad Pawar, termed the Bhima Koregaon arrests “wrong” and “vengeful.” Pawar sought the constitution of a special investigation team to “probe the police action.”

However, a little over a month later, on 24 January, the BJP-led central government transferred the case to the National Investigation Agency, which is governed by the Amit Shah-led union home ministry. Soon after, Anil Deshmukh, the Maharashtra home minister and a member of the NCP, accused the centre of taking the decision unilaterally. “The Bhima Koregaon violence case was handed over to the NIA without taking the state’s consent,” Deshmukh told the media. But subsequent media reports have indicated a difference of opinion between the Shiv Sena and the NCP on the issue, with the chief minister, the Shiv Sena’s Uddhav Thackeray, approving the transfer of the case. On 14 February, a Pune sessions court, which was hearing the Bhima Koregaon case, passed an order formally transferring it to a special NIA court in Mumbai. The same day, Pawar reiterated his opposition to the centre’s decision to transfer the case and the Maharashtra government’s support of the decision.

Meanwhile, Pawar has remained firm on his demand for an SIT. Three days after the Pune court transferred the case, the NCP chief held a meeting with the ministers from the party, and emphasised that an SIT must be set up, noting that the NIA Act permits a state government to conduct a parallel probe. After the meeting, Deshmukh told the media that the party would approach Thackeray with a legal opinion by the state’s advocate general. “Once we have the A-G’s opinion, we will once again speak to the chief minister and get approval for this SIT,” he said. “We are committed to setting up the SIT, and most of our leaders agree this should be done.”