Arsenal’s pro bono Investigation on Bhima Koregaon Case: Malware not in the computer but in the mind

Arsenal Forensic Report on Bhima Koregaon Violence: another attempt by Naxal Ecosystem to create false narrattive, discredit the State and project the accused as a victim

The Bombay High Court, on 22 February 2021 granted bail to Dr Varavara Rao, 82, one of the accused in the Bhima Koregaon violence that shook Maharashtra on
01 January 2018. Him getting bail is not the headline, but a bail granted to a person arrested under UAPA gathered all the attraction. Though court, while granting bail to Dr Rao on health conditions, imposed that those associated with him do not take undue advantage of this order. But, something else was cooking up on the other side of the globe to bring relief to one of the other accused in the case – Mr Rona Wilson. This time the question was on the health of the laptop that belonged to Mr Rona Wilson.

Mr Rona Wilson was arrested on 06 June 2018 from Munirka under UAPA for conspiring with others including Dr Rao to launch a Rajiv-Gandhi-type incident on PM Modi. Later, ADGP(Law & Order), Maharashtra quoted that incriminating evidences were acquired from the laptop of Mr Wilson that spoke of planning “some big action” which would attract attention. The Forensic Sciences Lab at Pune was instrumental in acquiring and decoding the evidences from the laptop of Mr Rona Wilson. The findings by the FSL has been questioned by a private digital forensics firm, Arsenal Consulting, based out of Massachusetts that was hired by Mr Rona Wilson.

The findings of the Arsenal Consulting claim that the accused Mr. Rona Wilson’s computer was compromised for just over 22 months from 13 June 2016 to 17 April 2018 by a Remote Access Trojan (RAT) malware called NetWire. This infection has happened from the mail sent by one of the co-accused Dr Varavara Rao. It captured all the activity of the infected computer of Mr.Rona Wilson and was under the Command and Control (C2) server of the hacker. The hacker synchronized with the infected computer to access the volume files and external storage media file like pen drive. With this alternation, the hacker deployed the top ten most important discriminating documents in Mr. Rona Wilson’s computer. This hypothesis submitted by Arsenal Consulting is based on the information collected from the email of Mr. Rona Wilson, recovery of deleted file, RAR file wrappers, NetWire Logs, Windows Object Identifiers, Hibernation file, discriminating documents, which are present in the forensic image of Mr. Rona Wilson’s computer hard drive and his thumb drive.The forensic report of the Arsenal Consulting quoted “It should be noted that this is one of the most serious cases involving evidence tampering that Arsenal has ever encountered”. The defence team of Rona Wilson, which hired Arsenal Consulting pro bono (sic), is quoting their report to seek dismissal of the case.

As hilarious as it may seem, still, there are certain gaps in the forensic report of the Arsenal Consulting as discussed below:

1. How did the Arsenal Consulting forensic team access the emails from Rona Wilson’s email account? Was it present in the forensic image of the hard drive or thumb drive? What kind of email – Client Email or Web server email? (As webserver email will not be stored in any hard drive). Were the emails already presented by the defense or prosecution submitted the said emails?
2. In the report, it was mentioned in para 5 of page 3 that “he (Rona Wilson) was opening a link to Dropbox in the email from the person using Varavara Rao’s email account, he was actually opening a link to a malicious command and control (“C2”) server. See Image 3.” By default,a warning will be provided to the user or email sent to spam, if an email contains any malicious attachment or a link to a malicious site. So, was there any warning message available in the email message or was it found and opened from the spam folder?
3. If the document containing the NetWire is still downloadable as shown in Image 2, then any malware analysis was done on it to know more about the handlers?
4. It was mentioned in the page 4 of the report that NetWire was found in two places that was within wrappers in Quick Heal’s quarantine folders. If, the computer is secured with a proper antivirus then how come the NetWire Trojan get installed in his computer? Whether the log file of the Quick Heal PC Tuner was examined or not?
5. Who was using the secure deletion tools such as CCleaner and SDelete? Was it Rona Wilson or the so called Hacker?
6. Why the logs on the activities carried out by NetWire in Rona Wilson’s computer not provided? This log may have the details about the copying, deploying, deleting of files as claimed by Arsenal.
7. A digital forensics report is the scientific investigation carried out on the suspect devices and unbiasedly bringing out the findings in a chronological order to help solve a crime / case. However, Arsenal Consulting resorted to referring to various articles by Amnesty International and The Caravan reducing their report to another such online article.
8. In page 6, it was mentioned that Mr. Wilson’s computer was installed with WinRAR v3.70 and the hacker deployed WinRAR v4.20. If a new version is installed then older version will be upgraded and the older version will not be available. Then how the older version (WinRAR v3.70) still exists in his computer?
9. Object Identifier in NTFS file system not only provide the information when a file in opened, but it also provided the information when a file in saved. Whether Arsenal forensic team also analyzed the Object Identifier to know when the ten discriminating file are saved?
10. In page 6, it was also mentioned that Arsenal had performed a thorough analysis of NetWire’s impact on a victim’s computer (both in memory and on disk). How did Arsenal get the memory dump of the so called victim’s (Mr. Wilson) computer? Did they mean hibernation file (hyberfil.sys) and pagefile.sys while referring to memory analysis?
11. Why the report is silent on the standard forensic artifacts that are found in the Registry, Event log, Shortcut file and Prefetch file? Are these artifacts not supporting their hypotheses or theory presented in their report? Or have they presented this report in a hurry before completing the analysis?
12. In Appendix A to the report, a list of tools is given which are used by Arsenal Consulting to carry out the forensic analysis. Are these tools properly validated and authenticated? Do the third-party tools and Arsenal’s own tools fulfill the admissibility rule of Daubert standard? Have they used these tools before and were they accepted in the US Court of Law?
13. The screenshot of the email given as “Image 1” looks suspicious. Please see the time format at two different locations. They are following different formats. This is not the format followed by Gmail. Why did Arsenal not mention this anamoly?
14. Arsenal claimed that they have recovered five Netwire malware samples and provided three tables (Table 2, 3 and 4) in their report. These five Netwire tools belong to only two categories viz., v1.6a Final and v1.6a Final R4. Now, the following questions emerge that doubts the credibility of their claim:

(i)           Malwares typically use mutex to avoid infecting the same device twice. This is a typical characteristic of any sophisticated malware. Then in this case, how multiple copies of the same versions of malware exist in the system. This may add validity to the claim the Netwire is not a malware but a remote administration tool that is installed with the knowledge of the computer owner (unlike a malware which is installed surreptitiously).

(ii)          How the Quick Heal Anti-Virus has quarantined two malware samples while other three samples are not detected and quarantined? Was that because the computer owner (in this case Rona Wilson) manually excluded them from quarantine? Arsenal Consulting should have clarified this.

(iii)         The date-time stamp of all the five samples are suspicious. They are either cooked up or need thorough investigation but Arsenal Consulting is silent on this.

15. The Caravan in their article claimed that certain crucial registry Keys viz., ShellBag, Run and RecentDocs were found missing in the accused’s computer. It is possible that these keys are deleted either by the accused or the LEA. But it is absurd to assume that the LEA deleted these keys which will lead to not only tampering of the evidence but will also render it non-admissible in the Court of Law and the LEA knows it better not to tamper and make the evidence invalid.
16. The World Wire Labs is marketing the NetWire as a “remote administration tool” to remotely monitor and administer the computer systems. There exists only a very thin line between the malware and such kind of tools. The capabilities of the malware that were mentioned are certainly not unique and are very typical of almost every malware used for surveillance or exfiltration. Is it that NetWire is installed by the accused and his team for remote operation and collaboration?If so, then it will answer most of the claims by Arsenal Consulting.
17. All the third parties viz., Arsenal, The Caravan and Amnesty assume that the malware was planted in the accused’s computer. But the big question is “Who planted them?”. It is preposterous for them to assume, without any valid proof, that the Indian Govt / LEA was behind all these. It could have been done by the accused themselves as a new modus operandi. Here, we are not dealing with some petty criminals involved in duping users to steal money; they are well organised, resourceful team of anti-nationals with probable support from across the borders. These “remote administration tools” could have been “planted” by the accused themselves for the following reasons:

(i)           To thwart the legal proceedings (in case they are caught),
(ii)          As an anti-forensics measure,
(iii)         As a means for deniability.

18. Amnesty International has brought out various domain names, IP addresses and email IDs as Indicators of Compromise (IoC) in these campaigns against the accused But they failed to mention, who these IoC belong to. Again, these infrastructures could have been used by the accused themselves.
19. The Caravan in their report claimed that the PDFs found in the accused’s computer were created with MS Word version 2010, but the version found installed on the seized computer was MS Word version 2007. They are showing it to assert their claim that the documents were planted. However, this could have been possibly done by the accused and the co-accused themselves if they were using NetWire to collaborate. The loopholes in Carvan Report were already pointed in media and were widely liked by readers.

Arsenal Consulting, Amnesty International or The Caravan should know it better that the Indian Judiciary is autonomous and has displayed highest sense of integrity in independent India. Allowing bail to Dr Rao, and in recent sedition charges against, Ms Disha Ravi, Ms Nikita and Mr Shantanu are testimony to the unbiased functioning of Indian judiciary. To bring out more and subtle facts about the case and also to investigate if the new MO is in fact being played out, the following may be carried out by the investigating agencies:

(a)          The identities of the people / team responsible for creating the email IDs, domain names, hiring the VPS etc may be investigated.
(b)          The forensic analysis in this case should involve the devices from all the accused. Discussing the devices of Mr Rony Wilson in isolation will be futile. Collaborating the evidences from all the devices would throw more crucial information about the investigation.
(c)          The theory on MO as discussed above needs to be ascertained. If it was indeed true, then it may add new challenges to the future digital forensic investigations.

To conclude, the Arsenal report is nothing but another effort by the naxal ecosystem reiterating their typical modus operandi of create false narrative, discredit the State and project accussed as victim.

S Raja Prabhu is a malware analyst and reverse engineer by passion presently pursuing research in cyber espionage and cyber terrorism. The views expressed are his own and do not reflect the views of any organisation where he worked earlier or working presently.

©️ The content of this Article is intellectual property of The 4th Estate and can not be used except with prior written consent of the Editor, The 4th Estate.