MARTAND KAUSHIK AND ANJANEYA SIVAN14 December 2019

A close scrutiny of documents and other forensic material in the Bhima Koregaon case disclosed several technical anomalies and clear procedural violations by the Pune Police in its investigation.

An examination of the digital evidence presented by the Pune Police in court against prominent human-rights activists accused in the Bhima Koregaon case has revealed several technical anomalies and clear procedural violations by the force. Last year, the Pune Police claimed it had discovered several damning letters on the computer hard drives it had seized from the human-rights lawyer Surendra Gadling and the prison-rights activist Rona Wilson. A close scrutiny of the documents disclosed the irregularities that raise serious questions about the Pune Police’s investigation in the case.

On the basis of these letters, the Pune Police claimed that the accused had been part of a Maoist conspiracy to “overthrow the government” as well as a plot to assassinate Prime Minister Narendra Modi. The letters were used to implicate other prominent individuals such as Sudha Bharadwaj, a Chattisgarsh-based lawyer; Shoma Sen, an English professor at Nagpur University; Sudhir Dhawale, a publisher; Varavara Rao, a poet; Arun Ferreira, a cartoonist; and activists such as Mahesh Raut and Vernon Gonsalvez. All nine individuals accused were placed under arrest.

The Caravan was able to conduct a close scrutiny of the documents and other forensic material of the case, which the Pune Police had presented to the court and supplied to the accused persons, as true copies of the purportedly incriminating files found on Gadling’s computer. A study of the documents, the metadata of the incriminating files, the chargesheet filed by the Pune Police and a report submitted by the Regional Forensic Science Laboratory, Pune, reveals many indications that the police may have used the devices while it had them in its custody, and may have edited files on them. The Information Technology Act, 2000, has laid down in detail the procedure that investigating agencies have to follow while dealing with digital evidence, which the police seem to have flouted blatantly.

Below are six discrepancies and procedural violations evident in the case made out by the Pune Police.

Files were edited while the evidence was under police custody
In its investigation, the Pune Police had relied on a letter that it claimed to have discovered on Gadling’s hard drive, titled “Dear Surendra.docx,” which was one among several letters it had released to the media around September 2018, before they were submitted in court. In the copy of the letter given to the media, the text had justified alignment. But when the accused individuals’ lawyers were provided a copy of it, in November 2018, the text was left aligned. As per legal procedure, the police is not supposed to use the device in any way. It has to create a bitstream image—a clone of the hard drive—for the purpose of studying the content. Any edits made by the police to the format or the content of the files would amount to tampering of evidence.

The “Last Accessed” dates indicate illogical behaviourThere is a curious pattern in the “Last Accessed” timestamps for all the incriminating files. The date and time in the timestamps ranges from “Thu Dec 7 22:04:07 UTC+0530 2017” to “Thu Dec 7 22:05:55 UTC+0530 2017”—a span of one minute and 48 seconds. This suggests that the last thing to have happened to these files is that they were cut and pasted into their current location. In Windows 7—the operating system Gadling was using—the “Last Accessed” timestamp is updated only when new files are created, copied or cut and pasted to another location. If the files had been created or copied, the “File Created” timestamps would have also been updated and would have been the same as the “Last Accessed” timestamp. The timestamp does not get updated when a file is opened. But in the case of the documents said to be discovered in Gadling’s computer, the “File Created” timestamp bore an earlier date from the “Last Accessed” timestamp. By elimination, the only possible conclusion is that the files were cut and pasted in the brief time period. According to the police, all the files were located in a folder on Gadling’s desktop. It seems highly unlikely that, for some reason, on 7 December 2017, Gadling decided to select all the files that incriminate him and pasted them into a folder on his computer’s desktop.

A report by the Regional Forensic Science Laboratory, Pune, provided the metadata of the incriminating files found on Gadling’s drive. On the face of it, it indicates that these files had been on Gadling’s computer when it was in his possession—the dates for when the files were created, last accessed and last modified are older than the raid on Gadling’s house. However, an expert on information-and-system security told us that these dates can be easily manipulated by attaching the drive to a backdated system or through widely available software.

Gross procedural violations during raids on the activistsThe manner in which the police seized the devices in the case contravened the procedure laid out in the Information Technology Act, 2000. The act mandates that all digital evidence must be confiscated in a secure and transparent way—to rule out any possibility of evidence being tampered with. To this end, the police has access to equipment that allows cloning of electronic devices at the site of seizure. At the time of seizure, the police have to provide the accused individuals a “hash value” of the seized device. A hash value is a numeric value that uniquely identifies data, which acts as an electronic seal on digital devices. If the device is used or tampered with in any way post seizure, the hash value of the device will change and will not match with the one provided to the accused. After several of its raids on the activists on 17 April 2018, the Pune Police officials did not provide any hash values. In certain cases, these values were provided several months after the seizure. For instance, the FSL report on Gadling’s drive, which disclosed its hash value, was only made available to him in November 2018, seven months after his house was raided.

Inconsistency in following security proceduresThe Pune Police’s investigation in the case clearly reveals that the force is not unaware of the use of hashing in securing digital evidence. The chargesheet in the case reveals that the police have recorded the hash values for other electronic evidence seized during the case—for instance, videos of speeches delivered by some of the accused activists. But the police has been selective in its application of security procedures. Significantly, the force seems to have only found incriminating files in the devices that they seized in violation of the procedure, and where they did not provide hash values.

Denial of access to the evidence for the accused
The police have denied the accused their legal right to possess and inspect copies of evidence being produced against them. The police have delayed providing the accused with the cloned bitstream images of the devices seized from them, which ideally should have been provided to them at the time of the raids. After several applications for the clones of the evidence, the court finally passed an order in May 2019 directing the police to submit “copies of electronic devices filed by Investigating officer in the court” to the accused individuals. In September, the police provided a hard drive to Gadling, which was not a bitstream image of his hard drive but only carried incriminating files found on his computer. A bitstream image would not only carry documents, photos and videos, but also system and program files. It is a clone of the entire hard drive, which could be crucial in ascertaining the integrity and authenticity of the hard drive and its content.

All the files are either in “.docx” or “.pdf” form
The reliability of these letters comes under question because of the nature of these allegedly discovered documents. The letters on Gadling’s drive are not intercepted emails—where there is a record of who sent an email, to whom and when. The email platform is a third party that can confirm such communication, and the dates are virtually impossible to fudge. But the letters on Gadling’s drive are in “.docx” or “.pdf” formats—documents that can be easily created, manipulated and planted on an insecure digital device. It is not possible to be certain who wrote these letters, for whom and whether they were even sent.

On 10 December 2019, The Caravan sent a detailed questionnaire to the top officials of the Pune Police involved in the investigation and arrest of Gadling. Specific questions were also asked of Shivaji Pawar, an assistant commissioner of police, who is the investigating officer in the case; and two officers who were part of the raid on Gadling’s house: Suhas Bawache, a deputy commissioner of police; and Ganesh Gawde, an additional superintendent of police in Aurangabad district. None of the police officials contacted or their seniors have responded. The story will be updated as and when responses are received. The Regional Forensic Science Laboratory, Pune refused to comment on the matter, noting that the matter was sub judice.

The nine accused individuals have been denied bail and have now spent over a year in prison.

https://caravanmagazine.in/law/did-pune-police-tamper-evidence-against-bhima-koregaon-accused