On December 13, Washington Post published a report claiming that urban Naxal Stan Swamy was framed in the Bhima Koregaon case. The report cites a ‘forensic examination’ of Swamy’s laptop by a US-based digital forensics company named Arsenal Consulting, which claims that a hacker infiltrated his device and planted evidence.
Stan Lourduswamy, commonly known as Stan Swamy, passed away on July 4th at the age of 84 years. He was an undertrial prisoner in the Bhima Koregaon violence case at the time of his death, and was undergoing treatment at the Holy Family Hospital in Mumbai.
Arsenal Consulting had made similar claims last year regarding two other accused in the case, Rona Wilson and Surendra Gadling. Washington Post published two reports in February and July 2021 based on the claims by the firm, saying that their computers were hacked and incriminating letters were planted in the devices. The company had made these claims based on an ‘electronic copy’ of the devices which was seized by police.
The Washington Post says that the “analysis is more proof that Swamy and his co-defendants were framed in a case that exemplifies the Indian government’s crackdown against civil society and prominent critics”, citing the firm. Arsenal Consulting claims that Swamy was “the target of an extensive malware campaign for nearly five years, the longest known for any defendant, right up until his device was seized by police in June 2019.”
According to them, the ‘hacker’ had full access and complete control over the computer, and was able to drop dozens of files in a hidden folder on his computer without his knowledge. Arsenal says Swamy’s laptop was infected with NetWire, “a commercially available malware that can upload and download files from a target’s computer, log keystrokes and access emails and passwords”.
The firm had earlier claimed that the laptops of Rona Wilson and Surendra Gadling were also infected with the same malware, NetWire. It also claims that the hacker who had hacked the devices of Rona Wilson and Surendra Gadling also hacked Swamy’s laptop.
According to Arsenal, the hacker used “WinSCP, a free and open-source file transfer tool for Windows, to copy more than 24,000 files and folders from Swamy’s computer and removable storage devices onto the hacker’s own server.” It also claims that hours before Swamy’s computer was seized by police, the hacker cleaned up his activities, removing the malware and surveillance data. Washington Post claims that Arsenal shared “screenshots of the raw data recovered from Swamy’s computer revealing the hacker’s activities, including the command used to delete the folder where tens of thousands of files from Swamy’s computer were stored before they were transferred to the server.”
However, the report didn’t include any such evidence provided by the company. The claims made by Arsenal in regard to Swamy’s computer are the same as its claims regarding Rona Wilson and Surendra Gadling, and several anomalies were spotted in those reports earlier. The major issue is that the firm relied on offline Word and PDF files found on the devices to claim that those were planted, and there is no reference to any forged email or other similar communications.
The Rona Wilson report by Arsenal Consulting mentioned several PDF, RTF (rich text) and ORG (Lotus organiser) files, none of them related to emails. The report did not mention any known email database files like PST and OST files, and did not mention any forged email. Therefore, while the charge sheet said Rona had exchanged emails with Comrade Prakash, the ‘forensic report’ only recovered offline document files. The report contained nothing to support a claim that the emails were forged.
The firm had also claimed that Wilson’s laptop had a different version of MS Word than the version used to create the files found on the device. But this can’t be conclusive proof that the files were ‘planted’; the files could have been created on a different device and then copied to the laptop by Wilson himself.
In the current report on Stan Swamy also, Arsenal claims hundreds of files were copied onto his laptop by the hacker without his knowledge. But again, these are offline files and not the communications with others, which are the main evidence against Swamy used by the police.
In a hearing at NIA court, the court had mentioned that there were 140 email exchanges between Swamy and others accused in the case. The court had concluded that, even without going through the contents of the emails, the presence of the emails proves that he was in touch with others accused of violence in the case. The charge sheet had also stated that the Urban Naxals were using encrypted communication channels, including end-to-end encryption for text messages.
In fact, the defence had tried to cite the Arsenal report in the court during a bail plea, but the court had rejected it. The court said “such extraneous material is not required to be considered while deciding the application for bail.”
Therefore, the company and Washington Post are trying to mislead the people to prove that the Urban Naxals facing trial in India are innocent. While the charges against Swamy and others refer to emails and encrypted messages, the ‘digital forensic examination’ by Arsenal does not allege any forged emails or other kinds of communication. The firm is relying on purportedly ‘planted’ offline files to claim that Swamy and others were framed using hacking of their devices.