In the light of the Pegasus leaks, suggesting that the Indian government used spyware to snoop on politicians, constitutional appointees, journalists and activists, the Bhima Koregaon case deserves fresh and sharp attention.
The Bhima Koregaon case (BKC) is unique in many aspects, but one aspect stands out - the planting of evidence through the use of malware, as detailed by the Arsenal reports (Report , , ). While some expertise in computer forensics and malware analysis is required to understand these reports fully, the analysis can still be followed by taking an investigative, first-principles approach.
Let's start with digital forensics.
Basics of Digital Forensics
Forensics is generally defined as the use of scientific methods to investigate crimes and to examine evidence that may be used in a court of law. In the BKC matter, the most important piece of evidence the prosecution produced was the presence of documents on the hard disks and computers of the activists who were arrested. The underlying implication is clear: these documents originated from those who were arrested and were circulated to others through digital mediums (email).
The Question of Origin
What the Arsenal study has focused on is understanding where these documents came from, by applying a digital forensics approach. To explain the report, some explanation of how computers store and process information is essential.
All digital devices (mobiles, desktops, laptops, smartphones) store files in a hierarchical fashion, similar to how large public libraries manage books, as described in the table below:
What this system allows is the reconstruction of the past: examining what happened and why. Forensic labs use specialised tools that examine these 'artifacts' (the index and the logs) on a digital medium received from a crime scene, and can even recover deleted files using a tool such as .
How Did Arsenal Assess that a Malware Planted Files?
The primary difference between computer malware and other types of software is that malware does things that are not known to the user of the digital device. It is typically implanted on the owner's device without their knowledge and mostly takes data out. This is called exfiltration in technical parlance.
The Arsenal report says that a commonly known malware called NetWire, which has been in existence since 2012, was used to plant documents on the activists' computers. A natural question to ask is: how did they detect this on a hard disk, which is not connected to any computer, through forensic analysis alone?
The answer to this seemingly impossible conundrum is the "log book". Since the log book records every activity on the digital device, it can present a detailed view of the activists' computers, including how the malware installed itself on their devices. It came from an internet source (via email), masquerading as an attachment, and then embedded itself into their computers.
NetWire Logs and Log Book Establish Planting of 'Evidence'
Typically, malware is used for espionage to take data out of devices, and hence it needs a back end to send the data to. To avoid detection, it doesn't send data out continuously; it accumulates the data in the file system and sends it out at random intervals. This offers a further means of detecting malware in forensic analysis, by examining the log book. The Arsenal report calls these accumulated data packets "NetWire Logs".
The "NetWire Logs" also provide a clue to the server to which the data is sent (called the Command and Control server). This is equivalent to a spying device capturing all the conversations in your house and sending them to a recording device across the street, except that in this case the recording device is a server named "xxxx.zapto.org", which can be located anywhere in the world.
Examination of the "NetWire Logs" and the "log book" further reveals that the malware was not only sending data out from their devices to the "xxx.zapto.org" server; it was also planting files in hidden places, the very files on which the arrests were based. Further, the report reveals that the implanter made a crucial mistake - the implanted files were created in Word 2010, but the activists only had Word 2007, a much older version, which therefore cannot have been used to create these documents.
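The "created in Word 2010 but only Word 2007 installed" finding rests on a metadata check that any examiner can reproduce: a .docx is a zip archive whose docProps/app.xml records the version of the application that saved it (Office 2007 stamps major version 12, Office 2010 stamps 14). The script below is an added illustration, not code from the Arsenal report; the sample document is constructed in memory, and the installed version is a supplied assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Office AppVersion major numbers and the product that writes them.
OFFICE_VERSIONS = {"12": "Word 2007", "14": "Word 2010", "15": "Word 2013"}
NS_APP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"


def build_sample_docx(app_version: Optional[str]) -> bytes:
    """Constructed minimal .docx: a zip carrying only docProps/app.xml (or nothing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if app_version is not None:
            zf.writestr(
                "docProps/app.xml",
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Properties xmlns="{NS_APP[1:-1]}">'
                "<Application>Microsoft Office Word</Application>"
                f"<AppVersion>{app_version}</AppVersion></Properties>",
            )
    return buf.getvalue()


def creating_app_version(docx_bytes: bytes) -> Optional[str]:
    """Return the AppVersion stamped by the application that saved the file, if any."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/app.xml" not in zf.namelist():
            return None
        root = ET.fromstring(zf.read("docProps/app.xml"))
    node = root.find(NS_APP + "AppVersion")
    return node.text.strip() if node is not None and node.text else None


def product_name(app_version: str) -> str:
    return OFFICE_VERSIONS.get(app_version.split(".")[0], f"unknown Office build {app_version}")


def could_have_been_created_locally(docx_bytes: bytes, installed_major: int) -> Tuple[bool, str]:
    """Flag a document whose authoring version is newer than the Office installed on the disk.
    A mismatch is a lead for the examiner, not proof: metadata can be edited."""
    version = creating_app_version(docx_bytes)
    if version is None:
        return True, "no AppVersion metadata; nothing to compare"
    doc_major = int(version.split(".")[0])
    if doc_major > installed_major:
        return False, f"saved by {product_name(version)} but only major version {installed_major} installed"
    return True, f"saved by {product_name(version)}; consistent with installed major version {installed_major}"


if __name__ == "__main__":
    print(could_have_been_created_locally(build_sample_docx("14.0000"), installed_major=12))
```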
The final piece of the puzzle about the origin of these documents also comes from the "log book". It shows that these files were never opened by any of the activists at all. All the information put out by Arsenal is credible and matches what is publicly known about the NetWire malware, which has been documented in depth for close to a decade by malware researchers.
How Arsenal Report Dismantles the Bhima Koregaon Case
At this point, the case against the activists has fully collapsed, because the Arsenal report has proved that:
The documents were not created on their devices.
They were never opened even once on their devices.
They were planted by the NetWire malware, which got these files from a command and control server, "xxxx.zapto.org".
This is equivalent to proving that a narcotic substance found in a person's house was:
Not created by them.
Not procured by them.
Not consumed by them.
Put in their house, without their knowledge, by a drug peddler who had access to the house by cloning their house keys.
Government Can Easily Find Out Who Planted Malware
The Arsenal report does not describe or speculate on who planted the malware, as that is beyond its remit, but as Professor Sandeep Shukla, Professor of Computer Science and Engineering at IIT Kanpur, points out, the government can easily find the actor who did it by tracing the ownership of the domain "xxx.zapto.org", which was used for controlling the malware.
A quick scan of threat intelligence databases reveals that, around the time the activists' devices were implanted (13 June 2016), a new actor code-named "Dropping Elephant" was observed (8 July 2016) planting malware that reports data back to "xxx.zapto.org".
The actor was targeting multiple diplomatic and government entities, with a particular focus on Chinese affairs, using methods similar to those detailed in the Arsenal report.
Another public report by Trend Micro (9 December 2020) points out that the same domain name (xxx.zapto.org) was used by a threat actor who was targeting Pakistan, China, Bangladesh and Nepal.
All this indicates that a significant amount of money, resources and time was spent on planting the evidence and framing the activists, and that this was perhaps carried out by a mercenary operator who also works with the espionage agencies of nation states.
Can Arsenal Report Findings Right the Wrongs of Watali Judgment?
As lawyers like Colin , and have noted elsewhere, the Watali judgement—cited to deny bail to Sudha Bhardwaj—is deeply problematic, because it rules that bail can be denied by relying upon prosecution documents even though they would be inadmissible in evidence during the trial.
Espionage tools such as malware worsen this problem further, for the following reasons:
Malware research requires deep pockets and is dominated by nation states and their private affiliates. This makes it very difficult for courts to engage with it, even during the trial, within the context of adversarial litigation, as there are larger geopolitical implications.
Mercenary operators backed by nation states have far more sophisticated tools to create customised malware that can implant documents, even on secured military devices. The cost of making and distributing malware has come down over time, while the cost of defending against it has gone up.
This, then, is the true tragedy of the Watali judgement. It allows a technologically superior State to plant material on digital devices used by citizens, and then use that material to invoke terror laws, with no hope of bail and a very difficult trial process, in which the accused will struggle to prove their innocence and will most likely be convicted, thus according even judicial sanction to the State's manifestly illegal actions.
Perhaps the BKC matter, when it is finally heard and goes to trial, and through the inevitable appeals after, will force the Supreme Court to consider abandoning the Watali judgment.
(Anand Venkatnarayanan is one of India's leading cybersecurity researchers and privacy experts. This is an opinion piece and the views expressed are the author's own. The Quint neither endorses nor is responsible for them.)