Unprecedented Tampering In Bhima Koregaon Case: Forensic Firm Chief

Mark Spencer is the president of Arsenal Consulting, a forensic firm that recently released a report that concluded that incriminating evidence was planted on the computer of Bhima-Koregaon accused and activist Rona Wilson.

A recent report released by the US-based digital forensic firm Arsenal Consulting found that incriminating evidence was planted on the computer of Bhima-Koregaon accused and activist Rona Wilson and that the computer was compromised for over 22 months.

In an email interview with Outlook, Arsenal Consulting’s President Mark Spencer elaborates on the process involved in analyzing the data and larger issues with regard to the case. Spencer also contests the National Investigation Agency’s (NIA) claim of no ‘planted evidence’. Excerpts from the interview:

Q) The Arsenal report has cast serious doubts on the credibility of the data, which forms the base of the Bhima Koregaon probe. The case has huge political implications as it involves the incarceration of 16 activists and intellectuals for nearly three years. What are the reasons that led your firm to take up the case considering its sensitive nature?

Arsenal is a digital forensics company, so all of our cases are sensitive in the sense that they involve internal investigations or litigation. It is important for us that we have diversity in the types of cases we accept. For instance, we work not only on lucrative civil cases involving corporate issues (employment law, intellectual property, etc.) but on criminal cases as well. In some cases, we are retained on behalf of plaintiffs, in others on behalf of defendants, and occasionally we are retained by the parties on both sides of a case. In all of our cases, we base our work on electronic evidence, so our findings can be confirmed by other digital forensics practitioners. We decided to work on the Bhima Koregaon case (after taking a “quick look” initially) because we realized others before us had failed to understand what happened to Rona Wilson and others.

Q) In the report, you have stated that this is one of the most serious cases involving evidence tampering that Arsenal has ever encountered, based on various metrics which include the vast timespan between the delivery of the first and last incriminating documents. Will you explain the magnitude of tampering in comparison with the other high-profile cases you have handled so far?

We have been asked this question repeatedly, and our response is the same… we have never seen or even heard of a case in which incriminating documents were delivered to electronic devices over such a long period of time and then used in a criminal case. So, this case is unprecedented from our perspective.

Q) The National Investigation Agency (NIA), which handles the Bhima Koregaon case has contested the Arsenal findings saying that the digital extracts were examined at RFSL (Regional Forensic Science Laboratory, Pune), which shows no evidence of any malware in any devices of the accused. How do you react to it?

We find this to be a strange statement. While some of our findings in Report I (for example, authoritatively determining where incriminating documents came from) require significant expertise in digital forensics and serious effort to reveal, others (for example, the existence of two of the five NetWire samples) require a bare minimum of expertise and effort to reveal. In addition, Report I does not just describe attacker activities narratively but includes screenshots of attacker activity.

Q) In another chilling revelation, Arsenal has connected the same attacker to a significant malware infrastructure that has been deployed over the course of four years to not only attack Wilson’s computer but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well. Can you elaborate and give a larger picture of this?

Unfortunately, at this time we cannot elaborate more on this beyond what is contained in Report I.

Q) Do you think that this case will raise larger issues of privacy, liberty as well as the admissibility of electronic evidence in a court of law?

We will let others comment on the issues of privacy and liberty, but in terms of the admissibility of electronic evidence in courts of law - yes, we think that our fellow digital forensics practitioners and lawyers should be paying careful attention to this case.

Q) Your report said that Wilson’s computer was compromised on June 13, 2016 after a series of suspicious emails with someone using Varavara Rao's email account. Are you studying Rao’s and other accused’s clone copies as well? Is it expected to throw up more damning pieces of evidence?

We are working on the analysis of forensic images obtained from additional defendants.

Q) Is it a conscious decision on your part not to reveal the identity of the attacker? Are you open to reveal the attacker under compelling circumstances or if it strengthens the scope of the case?

We feel it is better for the Indian government to be involved in attribution.

Q) Some debunk the Arsenal report that there could be a possibility of the cloned hard drive being tampered with during transportation and it may not be a faithful copy. Your comments?

We are assuming that these arguments have come from people who are not familiar with digital forensics. It is common during the practice of digital forensics to exchange forensic images between organizations. The most important factor in determining the integrity of forensic images is verifying that the hash values which were calculated when they were obtained (and stored both inside and outside the forensic images) match the hash values that are calculated after the receiving organization calculates them again. Arsenal has confirmed that the hash values related to the forensic images on which Report I is based match.


Q) Since the NetWire used to infect Wilson’s laptop is easily available, there exists an argument that attackers lack cash and required expertise. What are your comments?

This is a very poor argument. We will let other experts expand on this, but using a nuclear weapon when a rock will accomplish the mission would not make sense.

Q) Defense lawyers argue that though there were five instances of NetWire malware present on Wilson’s computer, two would have been detectable by ordinary anti-virus software. Do you interpret it as incompetence on the part of the state investigative agencies?

Beyond what I stated earlier, I do not have a comment on this.


Q) Your report says that there were multiple attempts to hack Wilson’s computer. Do you think there was more than one team of attackers involved in this? What are your findings on this?

We do not understand the premise of this question. The attacker we are referring to in Report I was consistent not only in terms of command and control but in terms of techniques as well, from the day Rona Wilson’s computer was compromised through its seizure by the police.

Q) In 2019, WhatsApp confirmed the Pegasus spyware attack targeting human rights defenders. Do you see a similar pattern in these two attacks?


We will hold off on commenting on this for now.