On February 10, left-leaning American newspaper Washington Post published a report alleging that the Bhima Koregaon case accused were falsely implicated in the case by planting fake evidence on their computers. Following up on an earlier report by Caravan making the same claims, the Washington Post report quoted an alleged forensic study of the ‘electronic copy’ of a laptop belonging to one of the accused, Rona Wilson, by an American company to claim that incriminating letters were planted in the laptop by a hacker.
Quoting a report from Arsenal Consulting, a Massachusetts-based digital forensics firm, the report claims that Wilson’s laptop was hacked using malicious emails. Arsenal claims to have recovered PDF files in a hidden folder in the laptop, which contained the letters that became part of the charge sheet against Wilson. According to police, the email letters show that Wilson was in contact with a top Maoist leader named Comrade Prakash, and he had sought guns and ammunition from the banned left-wing terror group, and had also urged them to assassinate PM Modi. However, now the alleged forensic study by Arsenal Consulting claims that Rona didn’t write these letters, and these were planted by hackers over the course of 22 months between 2016 and 2018.
The Washington Post report was subsequently carried by several Indian media houses, and it was shared widely by left-liberals in India, claiming that it proves how the entire case against urban naxals is baseless.
While the left-liberals want everyone to believe that the Arsenal Consulting report is absolute truth, there are several problems with the report. The main point made by Arsenal supporting the hacking claim is that the PDF files in the hidden folder were made using MS Word versions 2010 and 2013, while the version of MS Word installed on the laptop was 2007. Therefore, those files must be planted by a hacker, the report claims.
This is a highly questionable claim, because the Maharashtra police had stated that they had recovered email correspondence between Rona Wilson and the Maoist leader, and MS Word is not an email application. Emails will be stored in the server of the email provider, and their local copy will be stored in the computer if the user was using an email application, like Microsoft Office Outlook or Mozilla Thunderbird. There is no way to claim the emails were fake based on PDF files created by MS Word; they are completely unrelated computer applications.
The report by Arsenal Consulting mentions several PDF, RTF (rich text), ORG (Lotus organiser) files, none of them related to emails. The report has not recovered any known email database files like PST and OST files, and does not mention any forged email. Therefore, while the charge sheet said Rona had exchanged emails with Comrade Prakash, the ‘forensic report’ only recovered offline document files. Therefore, the report has nothing that can claim that the emails were forged.
Moreover, the fact that Wilson’s laptop had a different version of MS Word can’t be conclusive proof that he didn’t create the PDF files. He may have simply used a different computer to create them, and later copied them to his laptop. A US-based IT company can’t be competent enough to claim that the accused didn’t have another computer, or didn’t have access to any other computer; that is an almost impossible claim to make based solely on a copy of a computer.
The Washington Post report also claims that the Arsenal Consulting report was based on a forensic study of the ‘electronic copy’ of the laptop, which is a curious and confusing nomenclature. It is notable that the laptop is in the possession of police as it was seized by them, and the US-based company can’t have access to it. However, the Arsenal report states that it had received a hard disk containing ‘forensic images’ and ‘police work product’ related to Wilson and other accused in the Bhima Koregaon case. It can be assumed that they were referring to a clone copy of the hard disk from the laptop, which was reportedly handed over to the defendants on a court order. Arsenal further stated that they received copies of a Toshiba hard disk installed in the HP laptop and a SanDisk thumb drive attached to the same.
Although clone copies of hard drives are exact replicas of the original, it is not impossible to tamper with them. To prove that the cloned disk has not been tampered with, the hash values of the disk have to be matched with the original, and unless that is done, it can’t be determined that the copy is actually a clone of the original disk.
A forensic expert working in a Pune-based cyber security company, who refused to be named, said that forensic analysis done on clones is not unheard of and that clones are employed in situations when the original hardware is not in possession. He said that he can’t comment on the accuracy of the report without seeing the details, but agreed that a forensic analysis on a clone may not be the same as a forensic analysis on the original, as there are chances of tampering with data in the cloned disk after it has left the custody of the police.
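The hash matching described above can be sketched as follows. This is an added example, not code from the article, the police or Arsenal Consulting; the function names, the use of SHA-256, the 4096-byte block size and the sample "disk image" bytes are all assumptions made for illustration. It goes one step beyond a single whole-disk hash by also recording per-block hashes, so a mismatch can be localized to byte offsets.

```python
import hashlib
import io

BLOCK = 4096  # assumed block size for this demo


def acquisition_record(stream, block=BLOCK):
    """Hash an image at acquisition: whole-image digest plus per-block digests."""
    whole = hashlib.sha256()
    blocks = []
    while chunk := stream.read(block):
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return {"sha256": whole.hexdigest(), "block_size": block, "blocks": blocks}


def verify_copy(stream, record):
    """Re-hash a received copy against the acquisition record.

    Returns (matches, offsets), where offsets are the starting byte
    offsets of blocks that differ from the record.
    """
    size = record["block_size"]
    current = acquisition_record(stream, size)
    if current["sha256"] == record["sha256"]:
        return True, []
    bad = [i * size
           for i, (a, b) in enumerate(zip(record["blocks"], current["blocks"]))
           if a != b]
    # A truncated or extended copy shows up as missing or extra trailing blocks.
    n_old, n_new = len(record["blocks"]), len(current["blocks"])
    bad += [i * size for i in range(min(n_old, n_new), max(n_old, n_new))]
    return False, bad


# Constructed sample data standing in for a disk image (4 blocks of 4096 bytes).
ORIGINAL = bytes(range(256)) * 64
RECORD = acquisition_record(io.BytesIO(ORIGINAL))

TAMPERED = bytearray(ORIGINAL)
TAMPERED[5000] ^= 0xFF          # one byte changed after acquisition
TRUNCATED = ORIGINAL[:10000]    # copy cut short

if __name__ == "__main__":
    for name, data in [("exact copy", ORIGINAL), ("tampered", bytes(TAMPERED)),
                       ("truncated", TRUNCATED)]:
        print(name, verify_copy(io.BytesIO(data), RECORD))
```

The comparison is only meaningful if the record was computed at acquisition and kept separately from the copy being checked.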
In view of this, it can be concluded that the alleged forensic study by the American firm can’t be proof that the evidence was planted in the laptop.