Analysis

Explainer: Arsenal Report on Surendra Gadling

Nihalsing B Rathod

In light of the recent revelation that the documents found on Surendra Gadling's computer, which have been used over the last three years as evidence to arrest activists under the Unlawful Activities (Prevention) Act in the Bhima Koregaon case, were planted on the computer by hackers, NIHALSING RATHOD explains what the report containing the revelation states, and answers questions that may cross one's mind in light of this information.

——

RECENT forensic analysis has revealed that the computer of Advocate Surendra Gadling was hacked into, and controversial documents planted on it, before his arrest over three years ago on charges under the Unlawful Activities (Prevention) Act, 1967 in what has popularly come to be known as the Elgar Parishad or Bhima Koregaon case.

This revelation comes from forensic analysis conducted by Arsenal Consulting, a U.S.-based forensic analysis company with over 20 years of experience in the field. Arsenal examined the hard disc belonging to Gadling, which had been seized by the Pune Police, and has given its findings with detailed technical specifications.

Earlier, it had conducted a similar analysis on hard discs belonging to Rona Wilson, another activist incarcerated in the Bhima Koregaon case, and given its findings in two volumes.

What is the significance of this report?

The Bhima Koregaon case is hinged on certain letters, which the police alleged were retrieved primarily from the computers of Wilson and Gadling.

These letters, being in electronic form, require unconventional methods to ascertain their authenticity. While physical or hard format documents can be authenticated by such methods as handwriting examination, signature verification, or fingerprint detection, digital documents need forensic analysis as prescribed by relevant laws.

The Bhima Koregaon case is perhaps the first matter that has come up before the Indian judicial system where the prosecution's case absolutely rests on electronic evidence. The legality of the same will perhaps be tested in the times to come.

This also bears significance in view of overseas developments, where most laws that allowed electronic evidence to be accepted as sole proof in criminal trials have been scrapped. Several nations' governments have revisited such laws owing to factors such as technological developments and the vulnerability of such evidence to manipulation and planting. Their new laws treat such evidence, in part, on a par with hearsay evidence.

Indian laws, unfortunately, as the Supreme Court too recently concluded, have not come to terms with technological developments in this arena.

The findings by Arsenal establish that the letters used against the activists in the Bhima Koregaon case were planted on their computers through the use of the malware 'NetWire'.

Even the Indian Evidence Act, 1872 requires that before such evidence is relied upon, a thorough forensic analysis must be conducted to rule out any malware in the system. What is known as "65B compliance" in common parlance, after the relevant provision of the Evidence Act, is only one of the many requirements for such evidence to be believed or relied on. Minus that, the evidence is worthless.

However, in the Bhima Koregaon case, this condition has been given a go-by. The pertinent charge sheet discloses that no effort has been taken to rule out any malware. On the contrary, it shows that despite a particular query in this regard sent by the police department to its forensic analysts, no reply has been disclosed by the police to the court.

How Did Arsenal Get Access To Hard Disc?

In a criminal prosecution, every accused person is entitled to know and have a copy of all the evidence that the prosecution will lead against them.

In this case, the police have relied on the hard discs of the computers which were seized from the homes of all the activists during raids in 2018. Although ordinarily, the accused could not have been kept in continued detention without copies of the evidence being furnished to them, courts of law continued their detention without this requirement being fulfilled, as they accepted flimsy excuses for the delay from the prosecution.

It took a protracted legal battle of over two years to even obtain what are called mirror copies or clone copies of these hard discs. The court ordered that the hard disc copies be drawn using special machines, to ensure that the originality of the hard discs does not get altered or affected in any manner.

To put it in technical language, the contents of every digital storage device yield a unique hash value, an alphanumeric code running into 16 figures. This hash value changes with the slightest alteration or modification of the data on the device.

Therefore, it is mandatory that when such a device is seized by the police, its hash value at that time is recorded forthwith, and a copy of the same is given to the owner of the device. This process takes no more than ten minutes with the use of proper equipment.

It assumes significance because if any addition, deletion or change is made to the device after its seizure, its hash value would change accordingly, indicating that there has been some unauthorized change. This is the only method by which the integrity of a digital device can be ascertained.

In the Bhima Koregaon case, police officers, though accompanied by decorated forensic experts, did not draw and supply a copy of the hash value of the hard discs at the time of their seizure. This came to be disclosed by the police for the first time in the forensic analysis report obtained from Pune and Mumbai Forensic laboratories when the charge sheet was filed.

Two years later, when clone copies of the hard discs were supplied, it was urged that they be given with the hash value drawn and mentioned in the records of the court.

With a clone copy tallying absolutely with the hash value drawn by the police itself, Arsenal Consulting was approached. Arsenal, on their part, also drew the hash value and tallied it with the hash value recorded in the charge sheet.

Therefore, the copy analyzed by Arsenal is an accurate replica of what came to be seized from the activists and was provided by the police on the orders of the court, with matching records of hash value.
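The chain described above (record the hash at seizure, draw a clone, re-hash the clone and tally it with the recorded value) can be shown in a few lines. This is an added illustration, not code from Arsenal or from the case record; the "disk image" is a constructed byte string, and it uses SHA-256, whose digest is 64 hexadecimal characters (the length of the code depends on which hash algorithm the examiner chooses).

```python
import hashlib
import io

CHUNK = 1024 * 1024  # hash a disk image in 1 MiB pieces so memory use stays flat


def image_hash(stream, algo: str = "sha256") -> str:
    """Hex digest over every byte of a disk image, or of a clone of it.

    Accepts either raw bytes or any object with a .read() method, so the same
    routine serves an in-memory sample and a multi-gigabyte image file.
    """
    h = hashlib.new(algo)
    if isinstance(stream, (bytes, bytearray)):
        stream = io.BytesIO(stream)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def record_at_seizure(image: bytes) -> dict:
    """What the seizure record should carry: the algorithm and the digest."""
    return {"algo": "sha256", "digest": image_hash(image)}


def verify_clone(seizure_record: dict, clone: bytes) -> bool:
    """Re-hash the clone and tally it with the digest recorded at seizure."""
    return image_hash(clone, seizure_record["algo"]) == seizure_record["digest"]


def tamper(image: bytes, offset: int, byte: int) -> bytes:
    """Change a single byte, as adding or editing one file after seizure would."""
    out = bytearray(image)
    out[offset] = byte
    return bytes(out)


# Constructed stand-in for a seized disk: a boot-sector-like header plus filler.
ORIGINAL_IMAGE = b"\xeb\x3c\x90MSDOS5.0" + bytes(4096) + b"placeholder file data" + bytes(4096)

if __name__ == "__main__":
    record = record_at_seizure(ORIGINAL_IMAGE)
    print("recorded at seizure:", record["digest"])
    print("faithful clone tallies:", verify_clone(record, bytes(ORIGINAL_IMAGE)))
    print("clone with one byte changed tallies:", verify_clone(record, tamper(ORIGINAL_IMAGE, 4100, 0x41)))
```

The point to note is the last line: a single changed byte anywhere on the device produces a completely different digest, which is why a hash drawn at seizure and handed to the owner lets the court later tell an untouched clone from an altered one.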

What Does The Report Say?

Arsenal's report states that the computer seized from Gadling's house was hacked into for the first time on February 29, 2016. Through the spyware 'NetWire', complete remote control of the computer was established.

The computer was kept under surveillance till October 22, 2017, over a period of 20 months. During this time, the attacker collected and recorded the computer's internet browsing history, and keystrokes while entering passwords, composing emails, and editing documents.

The report further says that a hidden folder by the name of "Material" came to be created on the computer on December 4, 2016. This came to be moved into a subfolder named "Red Ant Dream", which was within the folder "local disk" which, in turn, was in a folder named "Pen Drive Backup 29-03-2015". Since the folder was in hidden mode and concealed three layers deep, it would have been very difficult for the user of the computer to know of its presence.

The report also claims that these documents were never opened by the user of the computer.

What Was Planted?

Given that Arsenal was commissioned to examine only 14 of the most important documents from among thousands of documents, we know that each of the 14 incriminating documents was planted on the following dates:

In the hidden folder "Material", the attacker planted:

  1. "Please read.txt" on January 4, 2017
  2. "Dear Surendra.docx" on January 20, 2017
  3. "Prakash_MZ.pdf" on February 20, 2017
  4. "Letter_MSZC.pdf" on February 20, 2017
  5. "Ltr_CC_2_P.pdf" on March 8, 2017
  6. "Ltr_2_SG.pdf" on March 14, 2017
  7. "Reply_2_VV.pdf" on March 21, 2017
  8. "MoM-Final.pdf" on April 16, 2017
  9. "Ltr_2704.pdf" on May 5, 2017
  10. "Dear Sudarshan Da.pdf" on May 15, 2017
  11. "CC_letter-08Jun.pdf" on July 10, 2017
  12. "Ltr_16July17.pdf" on July 22, 2017
  13. "Dear Sudarshan da.pdf" on September 8, 2017
  14. "Ltr_2_SG-250917.pdf" on September 30, 2017

What do these planted documents say?

These documents are in the nature of letters of correspondence, in which people talk about attacking Prime Minister Narendra Modi in a Rajiv Gandhi-type incident during one of his rallies. The letters also speak about procuring weapons, negotiating their prices, taking money from Indian National Congress leaders, and taking help from judges in legal matters, among other things.

None of these letters are handwritten or scanned images of handwritten letters. They are all in PDF or Word format.

How is this possible?

Popular remote access software such as 'TeamViewer' and 'AnyDesk' allows users to actively and consciously take or give access to a computer by sharing certain credentials. With such software freely available on the internet, computer experts can take remote control of a computer without visiting it physically, and run the tasks they are requested to do.

Spyware like NetWire works the same way, except that it enters a computer secretly and gives remote access to the attacker without requiring the user's permission or the user getting any hint of it.

The computer user does not notice this because the Remote Access Trojan (RAT) the attackers use offers complete access to the computer behind the curtain of its ordinary operation. While the user is operating their computer, they will never find out that it is being used by someone else in the background. The hacker operates the computer alongside the user through commands sent to the RAT, and never through something obvious and visible on the surface like the mouse or the keyboard.

On What Basis Does The Report Say That These Documents Were Not Legitimately Opened?

One of the methods to ascertain if any document has been opened on a particular computer is to review the NTFS file system's object ID attributes. Object identifiers are normally assigned to documents when they are either created or first opened.

As per the report, none of the documents used as evidence carry such identifiers.
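The check the report describes is a low-level one: each file's record in the NTFS Master File Table ($MFT) carries a list of attributes, and the Object ID lives in an attribute of type 0x40 ($OBJECT_ID) holding a 16-byte GUID. The script below, an added illustration that is not Arsenal's code, walks the attributes of a raw 1024-byte MFT record (after undoing the update-sequence fixups NTFS writes over the last two bytes of every sector) and reports whether a $OBJECT_ID is present. The two records it inspects are constructed samples, with a made-up GUID; in a real examination the records would be read from the $MFT of the forensic image.

```python
import struct
import uuid

SECTOR = 512
RECORD = 1024
ATTR_STANDARD_INFORMATION = 0x10
ATTR_OBJECT_ID = 0x40          # $OBJECT_ID: present only once the file has been given an Object ID
ATTR_END = 0xFFFFFFFF          # terminator after the last attribute


def apply_fixups(raw: bytes) -> bytes:
    """Restore the real bytes NTFS replaced at the end of each sector with the update sequence number."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    rec = bytearray(raw)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def iter_attributes(raw: bytes):
    """Yield (type code, resident value bytes) for every attribute in the record."""
    rec = apply_fixups(raw)
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of the first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        value = b""
        if rec[off + 8] == 0:                               # resident: value is stored inside the record
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            value = rec[off + voff:off + voff + vlen]
        yield atype, value
        off += alen


def attribute_types(raw: bytes) -> list:
    return [atype for atype, _ in iter_attributes(raw)]


def object_id_of(raw: bytes):
    """The file's Object ID GUID if a $OBJECT_ID attribute exists, else None."""
    for atype, value in iter_attributes(raw):
        if atype == ATTR_OBJECT_ID and len(value) >= 16:
            return str(uuid.UUID(bytes_le=bytes(value[:16])))
    return None


def _resident(atype: int, value: bytes) -> bytes:
    """Build one resident attribute with a standard 0x18-byte header, 8-byte aligned."""
    hdr = 0x18
    total = (hdr + len(value) + 7) & ~7
    head = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, hdr, 0, 0, len(value), hdr, 0, 0)
    return head + value + bytes(total - hdr - len(value))


def make_record(with_object_id: bool, guid: str = "12345678-1234-5678-1234-56789abcdef0") -> bytes:
    """Constructed 1024-byte MFT record with valid fixups (sample data, not from any real disk)."""
    attrs = _resident(ATTR_STANDARD_INFORMATION, bytes(48))
    if with_object_id:
        attrs += _resident(ATTR_OBJECT_ID, uuid.UUID(guid).bytes_le)
    attrs += struct.pack("<I", ATTR_END) + bytes(4)
    usa_off, usa_cnt, attrs_off = 0x30, 3, 0x38
    head = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_cnt, 0, 1, 1, attrs_off, 1,
                       attrs_off + len(attrs), RECORD, 0, 0, 0, 0)
    rec = bytearray(head + bytes(8) + attrs)
    rec += bytes(RECORD - len(rec))
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_cnt):
        end = i * SECTOR
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]   # park the original sector tail in the USA
        rec[end - 2:end] = usn                                       # stamp the sector tail, as NTFS does
    return bytes(rec)


if __name__ == "__main__":
    for label, rec in (("opened file", make_record(True)), ("never-opened file", make_record(False))):
        print(label, "-> attributes", [hex(t) for t in attribute_types(rec)], "Object ID:", object_id_of(rec))
```

Absence of a $OBJECT_ID is one indicator among several, not proof on its own: Object IDs are assigned by Windows through normal file-opening paths, so a file that was dropped onto the disk by other means and never opened through the user's applications simply never receives one.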

What Is The Meaning Of Footprint?

Footprints are the trail left behind by a hacker while performing his mischief. For instance, an attacker may forget, or not get time, to uninstall some of the programs which he installed for temporary use. Similarly, audit logs, which record activities, make it easy to trace the hacker's activity if they have not been wiped out.

What Is A Self-Extracting Archive (SFX)?

An SFX is a self-extracting file, which does not need any action from the user. When run, it unpacks and works on its own, without having to be installed on the computer manually.

What Is A Decoy Document?

A decoy is a document in which the attacker would have saved the files necessary for his activities, including the malware itself. It looks like an innocuous document containing either incoherent or irrelevant text, so a person dismisses it as some font problem. However, it will be disproportionately large in size.

For instance, a normal Word document of 100 pages without any images may run to a few hundred kilobytes, but such a decoy document would be a few megabytes.
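Both of the last two answers (the SFX that carries its own payload, and the decoy document that is far too large for the text it shows) come down to files that contain more than they appear to. The triage script below, added here and not part of Arsenal's report, inspects such a file without running it: it lists the archive hidden behind an executable stub, and for a Word document it weighs the text parts against everything else packed into the file. All three sample files are constructed in the script itself; the `ratio_threshold` of 10 and the list of expected document parts are the author's assumptions for the example.

```python
import io
import zipfile

# Parts a plain Word document is expected to contain; anything outside them is worth a look.
EXPECTED_DOCX_PREFIXES = ("[Content_Types].xml", "_rels/", "docProps/", "word/")


def archive_entries(data: bytes):
    """(name, uncompressed size) of every file in a ZIP carried inside `data`, or None.

    zipfile finds the end-of-central-directory record from the end of the stream,
    so an executable stub prepended to the archive (the SFX layout) does not stop
    it from listing the contents. Nothing is extracted or executed here.
    """
    if b"PK\x05\x06" not in data:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(info.filename, info.file_size) for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def looks_like_sfx(data: bytes) -> bool:
    """An executable (MZ header) that also carries a readable archive behind it."""
    return data[:2] == b"MZ" and archive_entries(data) is not None


def decoy_document_report(data: bytes, ratio_threshold: float = 10.0):
    """Weigh the document's text parts (XML) against everything else packed into the file.

    A text-only .docx of 100 pages is a few hundred kilobytes; a decoy carrying hidden
    files is megabytes. The ratio is a triage flag only: a document full of legitimate
    images also scores high and needs a human look.
    """
    entries = archive_entries(data)
    if entries is None:
        return None
    xml_bytes = other_bytes = 0
    unexpected = []
    for name, size in entries:
        if name.endswith((".xml", ".rels")):
            xml_bytes += size
        else:
            other_bytes += size
        if not name.startswith(EXPECTED_DOCX_PREFIXES):
            unexpected.append(name)
    ratio = other_bytes / max(xml_bytes, 1)
    return {"xml_bytes": xml_bytes, "other_bytes": other_bytes, "ratio": ratio,
            "unexpected_parts": unexpected,
            "suspicious": ratio > ratio_threshold or bool(unexpected)}


def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples, not files from the case.
NORMAL_DOCX = _zip({
    "[Content_Types].xml": b"<Types/>",
    "_rels/.rels": b"<Relationships/>",
    "word/document.xml": b"<w:document>" + b"<w:p>Ordinary paragraph.</w:p>" * 2000 + b"</w:document>",
})
DECOY_DOCX = _zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document><w:p>\xef\xbf\xbd\xef\xbf\xbd</w:p></w:document>",  # garbled-looking text
    "word/embeddings/oleObject1.bin": bytes(range(256)) * 4096,   # 1 MiB hidden beside a few bytes of text
    "extra/helper.dat": bytes(1024),                              # a part no Word document has
})
FAKE_SFX = b"MZ" + b"\x90" * 4094 + _zip({"setup.bat": b"echo constructed sample"})

if __name__ == "__main__":
    print("SFX-like:", looks_like_sfx(FAKE_SFX), archive_entries(FAKE_SFX))
    print("normal:", decoy_document_report(NORMAL_DOCX))
    print("decoy:", decoy_document_report(DECOY_DOCX))
```

The script only reads central-directory metadata, so it is safe to point at a suspect file; confirming what an embedded payload actually is belongs in an isolated analysis environment, not on the examiner's workstation.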

Did This Affect Other Devices Connected To Gadling's Computer?

Yes. Arsenal's report shows that as many as 15 removable thumb drives/pen drives which were connected over the 20-month period with the computer also came under surveillance. Through this, more than 30,000 documents were seen by the hacker.

How Did The Attacker Plant The Documents?

The planting of the documents was done through something called a C2 server, which stands for command-and-control server. It is the server through which the person having remote control of an attacked system issues commands to it.

Once a RAT is installed on a computer, the person operating the C2 server gets remote access to it. Using this technology, not just planting, but even erasing, editing, and creating documents on the computer is possible. It also allows any program to be installed on or uninstalled from the computer.
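A RAT stays usable only because it keeps checking in with its C2 server, and that regular check-in is one of the few things a defender can see from the outside. The script below, an added example rather than anything from the report, runs over a constructed outbound-connection log (timestamp, source, destination, port; the addresses are documentation ranges, the port is arbitrary) and flags destinations contacted at near-constant intervals. The thresholds (at least five connections, coefficient of variation of the gaps at most 0.1) are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: one internal host, a few ordinary web connections, and a 5-minute heartbeat.
SAMPLE_LOG = """\
2017-03-08T10:00:00Z 10.0.0.5 203.0.113.45 4444
2017-03-08T10:00:04Z 10.0.0.5 198.51.100.7 443
2017-03-08T10:05:00Z 10.0.0.5 203.0.113.45 4444
2017-03-08T10:07:31Z 10.0.0.5 198.51.100.9 443
2017-03-08T10:10:01Z 10.0.0.5 203.0.113.45 4444
2017-03-08T10:15:00Z 10.0.0.5 203.0.113.45 4444
2017-03-08T10:19:48Z 10.0.0.5 198.51.100.7 443
2017-03-08T10:20:00Z 10.0.0.5 203.0.113.45 4444
2017-03-08T10:25:01Z 10.0.0.5 203.0.113.45 4444
"""


def parse_log(text: str) -> dict:
    """Group connection times by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows


def find_beacons(text: str, min_connections: int = 5, max_cv: float = 0.1) -> dict:
    """Flows whose inter-connection gaps are almost identical: the heartbeat a RAT keeps to its C2."""
    hits = {}
    for key, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")   # spread relative to the mean gap
        if cv <= max_cv:
            hits[key] = {"connections": len(times), "mean_interval": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst, port), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}: {stats['connections']} connections, "
              f"every {stats['mean_interval']:.0f}s (cv {stats['cv']:.3f})")
```

A hit here is a lead, not a verdict: update checkers and mail clients poll on fixed schedules too, so each flagged destination still has to be looked up and the process behind the connection identified on the host.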

Is The Report Verifiable? Can Similar Analysis Be Done?

Arsenal's report is verifiable. All it requires is a competent digital forensic expert knowing reverse engineering well. One could conduct a similar analysis using advanced digital forensic tools, most of which are available online for purchase.

The tools used by Arsenal are available for purchase on the Arsenal Recon website. Arsenal Recon is a subsidiary of Arsenal Consulting.

What Is NetWire?

NetWire is a RAT that enables remote access to a computer system. It is a decoy, or simply a virus in disguise, that enters the system and installs itself. It then hands control to the command server, which is the attacker's server.

NetWire can be purchased online, and comes with customer support service.

Why did the hacking stop on October 29, 2017?

A local technician who checked Gadling's computer for a software problem suggested reinstalling the whole operating system. The technician took a backup of the system and formatted the computer.

With the formatting, NetWire was wiped off the computer. That is why there seems to have been no interference by the attacker in the computer thereafter.

What Is The Credibility Of Arsenal?

Arsenal is a digital forensic consulting company based in Massachusetts formed in 2009, since when it has amassed a prestigious client base. It is often consulted in high-profile matters from across the globe, including by various law enforcement agencies, and has successfully conducted examinations of multiple types. Their reports have formed the basis for many court verdicts.

Its subsidiary Arsenal Recon develops digital forensic tools. Its tools are used by several cyber-crime investigators, including the U.S. Army and the U.S. Department of Defense.

Can the opinion of foreign experts be useful in India?

It is the tool used which matters the most, not who created it or where it was created.

Indian forensic analysts too procure digital forensic tools from foreign-based private companies. For instance, the 'EnCase' software used by government forensic labs in India is a product of OpenText Corporation, which is a Canadian company.

Does It Mean The Documents Used As Evidence Are Fake?

The Supreme Court, while examining these documents, found many discrepancies, such as the use of Marathi words in a letter transcribed in Hindi, supposedly written by a Hindi speaking person. It said that believing such letters would amount to taking liberties with truth.

Sadly, this was part of a minority opinion and a majority of the judges chose not to venture into that part.

Does The Report Have Any Legal Value? Can Arsenal Be Called Expert In Indian Legal Parlance?

Indian law does not distinguish between Indian experts and foreign ones. No law in our country accepts someone as an expert merely for holding a qualification, or just because they are appointed by the government.

Rather, courts have from time to time held that an expert is a person who has devoted time and study to a special branch of learning.

The country of origin of the expert is immaterial. What matters is how much knowledge that expert has, and their expertise based on how much work they have done and the soundness of reasoning given in their opinion, supported with a technical explanation. The same standard applies to experts of forensic examination of the government.

Is There Any Instance When Indian Courts Accepted Any Foreigner As An Expert?

Experts, including foreign ones, are routinely examined as witnesses in Indian courts. For instance, in the case of Malay Kumar Ganguly vs. Dr. Sukumar Mukherjee & Ors. (AIR 2010 SC 1162), the Supreme Court had directed the examination of foreign medical experts through video conferencing.

Who Is The Attacker?

We can speculate on the identity of the attacker but cannot say anything with certainty unless certain software service providers, whose software was used for planting these documents, agree to divulge the information of their clients.

The power to call for such information is with the government under our Criminal Procedure Code, without which no private service provider will give out names of their clients.

(Nihalsing B Rathod is a lawyer based in Nagpur. He has been associated with the Bhima Koregaon case as a lawyer. The views expressed are personal.)