wordpress blog stats
Connect with us

Hi, what are you looking for?

Forensics firm finds more proof of planted evidence on Rona Wilson’s computer: Report

In its second report, Massachusetts-based digital forensics firm Arsenal Consulting found that a malicious software used by an attacker had planted an additional set of files on prison rights’ activist Rona Wilson’s computer. The firm said that there was no evidence that Wilson interacted with these files and documents, which are cited by the National Investigative Agency (NIA) in its charge-sheet against Wilson and others in the Bhima-Koregaon case.

The Washington Post and The Reporter’s Collective were the first to report on the findings of Arsenal Consulting. The second report by the forensics firm was submitted to the special NIA court on March 27, 2021. WaPo published a copy of the report, while the Reporter’s Collective published articles in 11 languages across multiple platforms.

In its first report submitted to the NIA court, Arsenal found that Wilson’s computer was compromised for 22 months prior to his arrest on April 17, 2018. The report said that the attacker had planted 10 incriminating letters based on which the NIA has charged Wilson and 15 other human-rights activists Sudha Bharadwaj, Varavara Rao, Arun Ferreira, Vernon Gonsalves for conspiring against the state. The NIA has charged the activists for also instigating violence three years ago during the Elgar Parishad convention which was celebrating the 200th anniversary of the Battle of Bhima Koregaon.

Arsenal’s first report was reported by the Washington Post, and confirmed an earlier report by The Caravan magazine in March 2019. An investigation by The Caravan found that a malware on Wilson’s computer had delivered the incriminating documents detailing a plot to overthrow the government. In its second report, Arsenal said that Wilson did not interact with additional files cited by the NIA as evidence in the case.

“Arsenal has found no evidence which would suggest that any of the additional files of interest were ever interacted with in any legitimate way on Mr. Wilson’s computer, and can confirm  that 22 of the 24 files were delivered to a hidden folder on Mr. Wilson’s computer by NetWire and not by other means”—Arsenal Consulting

Advertisement. Scroll to continue reading.

Second report findings

  • The forensics firm identified the source of 24 additional files found on Wilson’s Computer
  • Arsenal analysed if Wilson consciously interacted with these 24 files while using this computer or if these files were just dumped and hidden from Wilson’s view or knowledge
  • 22 of the 24 files were delivered by the attacker to a hidden folder on Wilson’s computer through a NetWire trojan and not by any other means, the report said
  • Between December 2017 and March 2018, the attacker used the NetWire trojan to dump files with names like: accounts, comrades, mohila meeting, letter, ltr from prakash, letter to GN, letter to G etc.
  • The attacker also renamed files and even made a mistake in one case, and went on to correct it, Arsenal found
  • The attacker remotely changed, added or deleted content and viewed Wilson’s computer activity, the report said

Arsenal analysed application execution data that it found from Wilson’s computer and created a “process tree”.

“Each process tree contains events (application executions and sometimes file creations) which rely on each other (as can be seen from process and parent process IDs, and even more uniquely from process descriptors) and flow in an orderly fashion from the first to the last. These process trees provide unique and very granular insight into particular events that have occurred on Mr. Wilson’s computer over time”—

In one filed called mohila meeting, purportedly in reference to a meeting on January 2, 2018, a list of Maoist party members, names of some Jawaharlal Nehru University ex-student leaders, and names of organizations, the report said. Through the process tree method Arsenal found:

  • The attacker launched the NetWire trojan automatically 11 days after the Bhima-Koregaon violence on January 11, 2018 at 11:34 am.
  • A script called “MTSMBlaze_v2.1.vbs” was placed in the computer’s startup folder. This would to ensure that the NetWire trojan is active across all Windows shutdowns and restarts, the report said
  • The computer then opened a command prompt and dumped three files between 11:40 and 11:42 am, one of which contained “mohila meeting jan.pdf”, Arsenal said
  • These files were then unpacked to a hidden folder and through the use of a file utility software similar to WinZip called UnRAR, the attacker renamed the folder as “Adobe.exe”
  • But the attacker made a mistake while doing this task and corrected it, an error that Arsenal says is irrefutable evidence of the use of the NetWire trojan on Wilson’s computer

NIA does not accept Arsenal’s report

The case against the 16 activists, under the Unlawful Activities (Prevention) Act (UAPA), 1967, has been been dragging in courts for years now. After Arsenals’ first report was submitted to the court, Wilson moved the Bombay High Court to quash the charges against him and has sought the court’s direction to appoint a Special Investigation Team (SIT), consisting of experts in digital forensic analysis to independently verify Arsenals’ findings probe the alleged the planting of documents on his computer by using malware.

But the NIA has not accepted the findings by Arsenal Consulting. “The forensics reports that are cited in the charge sheet filed in the court are from an accredited lab, accepted by the Indian courts. In this case, it was done by the Regional Forensic Science Laboratory, Pune. According to their report no such malware was found. Rest all is distortion of facts,” NIA spokesperson Jaya Roy said at the time, according to the Print.In.

Also Read

Written By

Reports on banking, payments, fintech and crypto-curencies. Additional reporting on media regulations, data protection and other areas.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ