Evidence planted in Bhima Koregaon accused Rona Wilson's computer: US firm
New Delhi, February 11
Activist Rona Wilson’s computer was compromised for over 22 months before the Pune Police raided his home in New Delhi and arrested him as a co-accused in the Bhima Koregaon violence case, claimed the Massachusetts-based digital forensics firm Arsenal Digital.
These are NetWire communications between Rona Wilson’s computer and the attacker’s command & control server, recovered from Windows hibernation slack (January 6, 2018 – January 7, 2018 timeframe) using @ArsenalRecon’s Hibernation Recon and @xchatty’s bulk_extractor. #DFIR pic.twitter.com/REbkhiqkhF
— Arsenal Consulting (@ArsenalArmed) February 10, 2021
The firm said in its report that the 10 letters used first by the Pune Police and later by the National Investigation Agency (NIA) as the basis of their evidence against the activists accused in the case were planted in Wilson’s computer by hackers using malicious software (malware). Attaching Arsenal’s digital forensic report, Rona Wilson’s lawyer Sudeep Pasbola on Wednesday filed a petition in the Bombay High Court seeking dismissal of the case against his client in the 2018 Bhima Koregaon violence.
Arsenal has been retained by the defense team for Rona Jacob Wilson to analyze electronic evidence seized from his home by the Pune police department on April 17, 2018.
A brief statement from Arsenal President Mark Spencer regarding Report I in the Bhima Koregaon case. #DFIR pic.twitter.com/UHiSK2YYXm
— Arsenal Consulting (@ArsenalArmed) February 10, 2021
“Arsenal received a hard drive on July 31, 2020, which contained forensic images and police work product related to Wilson and other defendants in the Bhima Koregaon case. Arsenal’s analysis has been based largely on a forensic image obtained from the Toshiba hard drive within Wilson’s computer and a thumb drive which had been attached to the computer,” the digital forensics firm’s report said.
Arsenal said that its analysis has revealed that Wilson’s computer was compromised for just over 22 months, and the attacker responsible for compromising his computer “had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.”
The firm said it connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to not only attack and compromise Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well.
“It should be noted that this is one of the most serious cases involving evidence tampering that Arsenal has ever encountered, based on various metrics which include the vast timespan between the delivery of the first and last incriminating documents. Wilson’s computer was compromised on June 13, 2016, after a series of suspicious emails with someone using Varavara Rao’s email account,” the report said.
Varavara Rao is one of Wilson’s co-defendants in the Bhima Koregaon case.
“Arsenal has found no evidence which would suggest that the top ten most important documents used in the prosecution against Wilson (“the top ten documents”) were ever interacted with in any legitimate way on Wilson’s computer. More particularly, there is no evidence that would suggest any of the top ten documents, or the hidden folder they were contained in, were ever opened,” the report added.
Earlier, the Pune Police had mentioned in the court that the contents of these letters claim that the arrested accused were planning Prime Minister Narendra Modi’s assassination and were hatching a conspiracy.
This is one of many “process trees” Arsenal built from recovered application execution data on Rona Wilson’s computer in the Bhima Koregaon case. You can see a NetWire RAT launch, delivery of a crucial document into a hidden folder, & creation of a new “Key Logger” file. #DFIR pic.twitter.com/vAG4IGz9wA
— Arsenal Consulting (@ArsenalArmed) February 10, 2021
Wilson was among those who were arrested in June 2018 for their alleged ties with Naxals and for inciting riots during a celebratory gathering organised to mark 200 years of the Koregaon-Bhima battle.
On January 1, 2018, the violence at Bhima Koregaon village in Pune district left one dead and injured several others, including 10 policemen.
Violence erupted after some people, reportedly with saffron flags, pelted stones at cars heading towards the village for the commemoration of 200 years of the Bhima-Koregaon war on New Year’s Day. (ANI)